Development of Field Programmable Gate Array-based Reactor Trip Functions Using Systems Engineering Approach
Jaecheon Jung* and Ibrahim Ahmed
Nuclear Power Plant Engineering, KEPCO International Nuclear Graduate School, 1456-1 Shinam-ri, Seosang-myeon, Ulju-gun, Ulsan 689-882, Republic of Korea
Technical Note. Nuclear Engineering and Technology 48 (2016) 1047-1057. Available online at ScienceDirect; journal homepage: www.elsevier.com/locate/net

Article history:
Received 13 November 2015
Received in revised form 16 February 2016
Accepted 17 February 2016
Available online 21 March 2016

Keywords: Field Programmable Gate Array; Finite State Machine with Data Path; Reactor Trip Functions; Systems Engineering

* Corresponding author. E-mail address: jcjung@kings.ac.kr (J. Jung).
http://dx.doi.org/10.1016/j.net.2016.02.011
1738-5733/Copyright © 2016, Published by Elsevier Korea LLC on behalf of Korean Nuclear Society. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Abstract
A design engineering process for field programmable gate array (FPGA)-based reactor trip functions is developed in this work. The process discussed in this work is based on the systems engineering approach. The overall design process is effectively implemented by combining the design and implementation processes. It transforms the overall development process from the traditional V-model to a Y-model. This approach gives the benefit of concurrent engineering of design work with software implementation. As a result, it reduces development time and effort. The design engineering process consists of five activities, which are performed and discussed: needs/systems analysis; requirement analysis; functional analysis; design synthesis; and design verification and validation. Those activities are used to develop FPGA-based reactor bistable trip functions that trigger a reactor trip when the process input value exceeds the setpoint. To implement design synthesis effectively, a model-based design technique is applied. The finite-state machine with data path structural modeling technique together with very high speed integrated circuit hardware description language and the Aldec Active-HDL tool are used to design, model, and verify the reactor bistable trip functions for nuclear power plants.
1. Introduction
In the nuclear domain, the field programmable gate array (FPGA) is the most recent electronic device that is being considered by stakeholders to replace the software-based systems in performing the trip functions of the reactor protection system (RPS) of nuclear power plants (NPPs) because of its potentials such as simplicity, testability, long-term support, and being easier to qualify. The RPS is the most safety-critical instrumentation and control (I&C) system in NPPs. It safely trips the reactor whenever one or more of the monitored plant processes exceed predefined limits.
Due to the criticality of the RPS, the software used in programmable logic controllers (PLCs) is rated as high-integrity software, and therefore assigned the highest software integrity level: 4. The higher the software integrity level, the higher the demand for verification and validation (V&V) activities. As indicated by IEEE Std. 1012 [1], high-integrity software requires a larger set of V&V processes and a more rigorous application of V&V tasks.

Fig. 1. Design process (DOD MIL-STD-499B [4]). FPGA, field programmable gate array.
Fig. 2. Y-model transformed from traditional V-model for field programmable gate array based trip function design.
By replacing the PLC-based system with the FPGA-based
system, the use of OS and complex software applications
during plant operation can be minimized if not completely
eliminated. An FPGA is a digital semiconductor device that can
be used as a replacement for the current microprocessor-
based software systems. It is a digital programmable inte-
grated circuit (IC) that contains thousands or millions of logic
gates and interconnections that can be configured to implement desired functionality. Even though the FPGA design process involves the use of configuration/programming software, the end product of the design can be regarded as a hardware-based system [2,3].
However, to replace PLC functionalities with FPGA to
perform the trip functions, the development of FPGA-based
bistable trip algorithms is essential. Without the develop-
ment of proper algorithms for FPGA, the replacement is
completely impossible.
Applying an FPGA to perform RPS functions requires
proper and accurate RPS bistable algorithms development. If a
proper and well-defined design process is applied to FPGA-
based RPS design, the V&V tasks can easily be achieved and
design error can be minimized. Therefore, the main focus area of this work is to make the V&V of FPGA-based RPS functions simpler using the systems engineering approach in combination with finite-state machine with data path (FSMD) structural modeling techniques.
In order to develop FPGA-based reactor trip functions, the systems engineering approach defined by DOD MIL-STD-499B [4] is applied (Fig. 1). The rectangular boxes represent the stages of the development process. There are also inputs to and outputs from the design process. The inputs are needs from the need/system analysis to the requirement analysis phase, and the output is the final design outcome from design synthesis.
The development life cycles recommended by IEC 62566 [5] and EPRI TR1019181 [3] for FPGA development in NPPs are based on the traditional software V-model. The design of an FPGA involves both hardware and software design processes. However, the classical software development life cycle is not suitable for the FPGA design life cycle. The Y-model is known for hardware-software codesign. The suitability of the Y-cycle for safety critical software for I&C systems in NPPs was demonstrated by Jung et al. [6] using the 3-Step software development process, who concluded that around 50% of development time savings is expected to be achieved by adopting the Y-cycle. This motivates the Y-model transformed from the traditional V-model for FPGA-based trip function design (Fig. 2).
In the design and development of an FPGA system, the
code is compiled and mapped on the target architecture. The
resulting intermediate implementation is then tested and
evaluated with respect to timing, power consumption, cost,
etc., using simulation and analysis. Based on these metrics,
the designer decides about architecture and/or code adapta-
tions. This process is iteratively repeated until a satisfactory
design is found. Therefore, according to Hamann [7], the risk that is linked to the design flow due to the Y-model is relatively small, since the designer can react to performance problems in each iteration and solve them.
Fig. 3. Trend of reactor trip events in Korea since 2000. I&C, instrumentation and control.

The design synthesis phase, which comprises the design and implementation stages of FPGA-based RPS functions, is developed using FSMD architectural modeling techniques.
An FSMD is a structural design method used for designing
the digital circuits. It is a suitable architectural model for a
general purpose algorithm, especially the complex algo-
rithms. Using the FSMD approach appropriately can lead to
design optimization and reduction in device power con-
sumption [8,9]. This can also make V&V quickly and easily
achievable.
A data path performs all computational operations such as
data manipulations, calculations, comparison, data transfer,
and data storage, while the finite-state machine (FSM)
controller controls the operation of the data path. A typical data path is composed of three basic elements: (1) Communication: buses, multiplexers, de-multiplexers, and functional units; (2) Operators: adder, comparator, multiplier, shifter, etc.; and (3) Storage: flip-flops, registers, etc.
An FSM is used to model a system that transits among a
finite number of internal states. The block diagram of FSM
controller and its corresponding state transition diagram. The
transitions depend on the current state and external input. An
FSM consists of a state register (current-state logic), next-state
logic, and output logic. In practice, the main application of an
FSM is to act as the controller of a large digital system, which
examines the external commands and status and activates
proper control signals to control operation of a data path,
which is usually composed of regular sequential components
[10].
After modeling of the algorithms, with the aid of Aldec
Active-HDL design tool, the register transfer level (RTL) for the
model is developed using very high speed integrated circuit
hardware description language (VHDL). The design is then
verified to test for the functionality of the developed algo-
rithms using test bench and simulation.
In summary, the following steps are followed in designing,
modeling, implementing, and verifying of RPS trip algorithms:
(1) FSMD interface definition for trip algorithm; (2) Data path
design; (3) FSM design; (4) FSM state transition design; (5)
VHDL coding, and (6) Test-bench design and simulation.

2. Need and system analysis
Fig. 3 depicts 249 reactor trip events reported since 2000 in Korean NPPs. Among those events, I&C failures take 25%, which is the highest source of events [11]. This means that the I&C system has induced around 25% of reactor trip events in Korean NPPs over the past 16 years. Among the 63 of 249 events, the digital system takes around half, while the analog system takes about one third of the total events.
I&C failure increases unavailability and causes either an unplanned trip or a technical specification violation. The most serious problem is the trend that I&C-induced reactor trip events are increasing. As shown in Fig. 3, I&C-induced events have been increasing since 2004 and there were nine reactor trip events in 2012 from 20 NPPs. This is the year when the first digital safety critical I&C system (PLC-based) was in operation. The statistics indicate that there are issues regarding the introduction of digital systems into NPPs. Therefore, to analyze those issues, we performed a SWOT (strength, weakness, opportunity, and threat) analysis of the main I&C platform that is used in the current systems.
Table 1 shows the SWOT analysis results of PLC-based and
FPGA-based systems. As indicated, complete verification and
validation is difficult in PLC-based systems. Since the microprocessor-based software systems are safety-related, they are required by regulations and standards to be subjected to rigorous V&V. However, the abundant functions and resulting complexity of software make the V&V of microprocessor-based software systems time-consuming and expensive (see Table 2).
In addition, software systems implemented on PLCs use microprocessors, which have a shorter product life cycle compared to some components in the nuclear industry. The most
challenging aspect of all these problems in microprocessor-
based software systems is the potential for common cause
failure due to software errors. This is a condition that all the
when strongly demanded to safely shutdown the reactor. The
analysis performed by EPRI [12] on reactor trip system
concluded that the probability of digital failures and digital
common cause failures is driven by the likelihood of func-
tional specification faults in the application software. Also,
experience indicates that the independence of failure modes
may not be achieved in cases in which multiple versions of
software are developed from the same software requirements
[1,13,14].
Although the advantages of FPGA over PLC are
overwhelming, it also has some drawbacks. Limited expe-
rience of the nuclear industry is one of the disadvantages of
FPGA. Although FPGA has been used in some NPPs, its ap-
plications in RPS to perform the trip functions are still very
new. It is only recently that most NPP industries have paid
attention to the use of FPGA in safety-critical systems such
as RPS.
Another drawback of FPGA is the need for specialized
expertise on design team. Although a flat hardware logic so-
lution in an FPGA is relatively simple, the design process used
to create it is not. The design process of FPGA is quite similar
to the software design processes, including associated V&V
activities performed at successive stages of design develop-
ment. Therefore, the design team needs to have knowledge
about the electronic circuitry of FPGA, hardware description
language (HDL) coding expertise, and an understanding of
software-like development and V&V processes to ensure that
the design meets the application requirements. Limited
availability of products can also be seen as a drawback
because, due to little experience in the nuclear industry, there
are only a limited number of FPGA-based I&C platforms and
products that are available and ready to be used in NPP
applications.
Another disadvantage of FPGA in NPPs is its vulnerability to radiation. Static RAM-based FPGA is vulnerable to radiation. Such devices in NPPs, being in a radiation environment, cannot survive. However, antifuse FPGA is more robust in terms of radiation resistance, and therefore should be used for NPP applications.

3. Requirements analysis
Analyzing the specific requirements for proper conversion of
the identified needs into the requirements for the design is
paramount. However, to avoid ambiguous and conflicting
requirements during the conversion process, reference was
made to the regulatory requirements. The specific regulatory
requirements for the design of FPGA applications for safety
critical systems of NPP have not been developed yet. How-
ever, to develop the FPGA-based bistable trip functions, we
referred to the existing regulatory requirements and
endorsed standards that are specifically applicable to PLC,
because the FPGA design process also involves software
development even though the final design output is
described as hardware. In addition to the existing regulatory
requirements, for the purpose of this work we made refer-
ence to the one and only existing specific standard, IEC 62566,
for the application of FPGA to perform safety functions in
NPP.
Table 2. Comparison between software-based and field programmable gate array (FPGA) systems.
Feature                  | Microprocessor-based (software), e.g., PLC       | FPGA
Program execution        | Sequential                                       | Parallel
Memory access            | Required                                         | Not required
Interrupts               | Required                                         | Not required
Context switching        | Required                                         | Not required
Operating system         | Required                                         | Not required
Supportability           | Short-term support                               | Long-term support
Radiation susceptibility | Resistance (if the aging mechanisms are defined) | Resistance (if antifuse solution is applied)
PLC, programmable logic controller.
Fig. 4 e Bistable with variable manual reset setpoint. Trip
on decreasing process (low pressurizer pressure trip
algorithm configurations).
3.1. Regulatory requirements
USNRC 10 CFR 50 Appendix A (general design criteria and
regulatory guides) are used since the Korean NPP safety crit-
ical and safety related I&C systems are designed to satisfy
USNRC regulations. Therefore, it is required that the system
shall be designed in conformance with the requirements of
regulatory guides 1.152 and 1.153, and their endorsed IEEE
standards, respectively IEEE 7-4.3.2 [15] and IEEE 603 [16]. Also,
for the implementation of the bypass algorithm required for
variable setpoint parameters with manual reset, regulatory
guide 1.47 [17] is analyzed and complied with.
3.2. Performance requirements
During the requirement analysis, it is paramount to identify
measures of the performance of the system. Under this, the
technical, operation, and response time of the selected RPS
parameters are specified. The specific measures of perfor-
mance set for the RPS design in this work are tabulated as
shown in Table 3. The measures are picked from the Korean APR1400 (Advanced Power Reactor 1400 MWe) design specification for the plant protection system.

4. Functional analysis
In this section, there is no further study to define and develop
the functional allocation. Instead, the functional re-
quirements are the baseline for FPGA-based hardware and
software allocation. The description below is identical to the
function already developed for APR1400.
It is required that the setpoint algorithm shall generate one of three types of setpoints by its setpoint handling methods: automatic rate limited variable, fixed, and manual reset variable. The variable over power trip (VOPT) function uses an automatic rate-limited variable setpoint, while the low pressurizer pressure trip (LPPT) and low steam generator pressure trip functions use a manual reset variable setpoint. The utilized type shall be determined by the desired setpoint control method and shall provide both pretrip and trip setpoints. All the trip logics shall have hysteresis capability for both trip and pretrip setpoints. The logics shall generate both trip and pretrip signals when the monitored process parameter deviates from the setpoint. Fig. 4 shows the bistable with variable manual reset setpoint of the LPPT algorithm.

Table 3. Performance requirement measures.
Requirements                          | Value  | Applicability
Uncertainty                           | < 0.2% | < 0.2% of the selected full range value for a period of 39 d across the range of environmental conditions
Variable over power trip              | 225 ms | PPS cabinet response time from the input of the BP
Low pressurizer pressure trip         | 225 ms | PPS cabinet response time from the input of the BP
High steam generator water level trip | 225 ms | PPS cabinet response time from the input of the BP
BP; PPS.

5. Design synthesis

As stated above, there are three types of setpoint in APR1400. On this basis, the design synthesis phase is explained centering around the VOPT trip function because it is the most complex algorithm used to establish the reactor trip function.

Fig. 5. Finite state machine with data path (FSMD) block diagram for variable over power trip (VOPT) setpoint bistable trip function. FPGA, field programmable gate array.

5.1. VOPT algorithm design
5.1.1. Rate implementation analysis for VOPT
For effective implementation of VOPT rate limiting require-
ment on the design of FPGA-based system, we performed the
following analysis.
From the functional requirement analysis, the rate of change of reactor power increase should be < 11%/min. This means that for every 1 minute, the increase in reactor power should be < 11%. One may conclude that the system should be designed with a time delay of 1 minute and that the change in reactor power should then be checked after the time delay. However, this approach may not give the most effective design outcome. For an optimized design of the FPGA-based system, the system should be designed such that the reactor power increase is constantly checked.
Mathematically, if the reactor power at unit time t1 (min) is x1%, and the reactor power at the next unit time t2 (min) is x2%, then the rate at which the reactor power increases is given by:

$\mathrm{Rate}\,(\%/\mathrm{min}) = \dfrac{x_2 - x_1}{t_2 - t_1} = \dfrac{\Delta x}{\Delta t}$ (1)

where $\Delta x = x_2 - x_1$ is the change in reactor power (%) and $\Delta t = t_2 - t_1$ is the corresponding change in time (min). The rate limit requirement is then

$\dfrac{\Delta x}{\Delta t} < 11\%/\mathrm{min}$ (2)

Assuming the change in time is 1 minute (that is, $\Delta t = 1$), then Eq. (2) can be reduced to:

$\Delta x < 11\%$ or $(x_2 - x_1) < 11\%$ (3)

Fig. 6. Data path for variable over power trip (VOPT) algorithm.
Fig. 7. Finite state machine (FSM) controller block diagram for variable over power trip (VOPT) algorithm.

Eq. (3) simply means that, at any point in time the increase
in reactor power is < 11%. Therefore, the requirement of
power increase rate can be expressed as: the trip setpoint at
any given time shall be equal to reactor power plus 15% if the
increase in reactor power is < 11%, or else the trip setpoint
shall be equal to the previous trip setpoint plus 11%.
Utilizing this analysis result, the VOPT is designed in such a way that the system monitors the changes in reactor power at any time and updates the trip setpoint as appropriate without using a timer or counter, which might lead to unnecessary delay. This gives a more efficient, fast, and effective design output than checking every minute.
5.1.2. Interface definition of FSMD for VOPT algorithm
Fig. 5 shows the interfacing definition of the VOPT algorithm that indicates the inputs and outputs the final design is expected to have. In this case, the setpoint is not fixed; it is determined by the reactor power input. However, there is a need to input the setpoint range limit (floor and ceiling) as well as the hysteresis value.

Fig. 8. Variable over power trip maximum rate determination state transition diagram.

5.2. VOPT data path design
The VOPT data path (Fig. 6) consists of the components of the fixed setpoint algorithm. There are comparators (≥ 95%) and (≤ 5%), which are active high, used to determine the ceiling and floor conditions, respectively. There are also some additional adders (+15%), (+11%), and (−6%) whose outputs go to a 4-to-1 multiplexer; they are used to determine the value of the trip setpoint at a rate of process input < 11%/min, the trip setpoint at a rate of process input ≥ 11%/min, and the pretrip setpoint, respectively. The 4-to-1 multiplexer is added to select the trip setpoint at a particular point in time depending on the signal value of the multiplexer select line (t_SPmSel) from the FSM controller. For example, from the data path diagram (Fig. 6), if the t_SPmSel = 00 command is received from the FSM controller, the 4-to-1 MUX selects the t_SP+11% value for the trip setpoint. The pretrip setpoint is calculated from the trip setpoint value, at every value of the trip setpoint, by the addition of −6% to the trip setpoint value.
To control the rate of change of reactor power effectively, Eq. (3) is used to design the data path inside the red-dotted rectangular box shown in Fig. 6.

5.3. VOPT FSM controller design
The FSM controller block diagram for both trip and pretrip
showing the signal interfaces is depicted in Fig. 7. The diagram
is a Moore type FSM in which the output is only the function of
the current state of the machine.
In designing the state transition diagram for VOPT, it is
important to take note of the point within the setpoint limits
where the trip is expected to be asserted. Therefore, there are
two conditions in which the trip signal will be provided to trip
the reactor: (1) if the power increase rate is greater than the
predetermined value (11%/min) and the reactor power value is
greater than or equal to trip setpoint, the logic provides a trip
signal and (2) if the reactor power is equal to the ceiling of
110% (the maximum allowable power setpoint increase), the
trip signal is provided.
The FSM controller transition diagram for VOPT algorithm
has three state transition diagrams. One of the transition di-
agrams is to control the VOPT pretrip setpoint and pretrip
signal generation.
Fig. 9. Variable over power trip setpoint calculation state transition diagram.

The second transition diagram (Fig. 8) is used to control the operation of the design in the red-dotted rectangular box inside the data path for the determination of the reactor power increase rate, and it has six states: Start, Check1, Diff, Check2, Rate_S, and Adjust. Start is the state at which the PI1 register (PI1_reg) in the data path is initialized to store the reactor power called PI1 when the reset signal is active high, and then transits to the Check1 state when the reset signal is active low. Check1 is the state in which the state machine checks for the change in reactor power input called PI2. At this state, the state machine can transit to either the Diff state or the Adjust state if PI2 > PI1 or PI2 < PI1, respectively. Diff is the state in which the PI11 register (PI11_reg) is enabled (PI11_en = '1') in order to allow the data path to compute the difference (named diff_PI) between PI2 and PI1, and then transits to the Check2 state. Check2 is the state where the state machine checks if diff_PI is ≥ 11% power. At this state, the state machine can transit to either the Rate_S state or the Start state if diff_PI ≥ 11% or diff_PI < 11%, respectively. Rate_S is the state in which the maximum rate condition is energized (Rate = '1') and PI1_reg (the value of PI1) is updated to the current reactor power input PI2, and then transits to the Check1 state. Adjust is the state where the state machine de-energizes the maximum rate condition (Rate = '0') and PI1_reg (the value of PI1) is updated to the current reactor power input PI2, and then transits back to the Check1 state.
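As an added illustration (not the paper's VHDL or its Active-HDL test bench), the following Python behavioural model reproduces the six-state rate-determination FSM just described together with the setpoint rule of Section 5.1.1 and the two trip conditions of Section 5.3, the kind of golden reference a test-bench monitor can be compared against. The floor value, the hysteresis value and its clearing mechanism, holding in Check1 when PI2 equals PI1, and evaluating the trip against the updated setpoint are assumptions the paper does not state.

```python
"""Behavioural reference model of the VOPT bistable described in Sections 5.1.1-5.3: the
six-state rate-determination FSM of Fig. 8 plus the setpoint rule of Eq. (3). Added example
code, not the paper's VHDL; floor and hysteresis values below are constructed."""
from dataclasses import dataclass, field
from enum import Enum

RATE_LIMIT = 11.0     # %: an increase >= 11% energizes the maximum-rate condition (Eq. 3)
TRIP_MARGIN = 15.0    # %: trip setpoint = reactor power + 15% while the rate is within limit
RATE_STEP = 11.0      # %: trip setpoint = previous trip setpoint + 11% while the limit is exceeded
PRETRIP_OFFSET = 6.0  # %: pretrip setpoint = trip setpoint - 6% (the -6% adder of Fig. 6)
CEILING = 110.0       # %: maximum trip setpoint; power reaching it trips regardless of rate

State = Enum("State", "START CHECK1 DIFF CHECK2 RATE_S ADJUST")


@dataclass
class RateFsm:
    """Fig. 8 controller; clock() performs one state transition, pi2 is the current power input."""
    state: State = State.START
    pi1_reg: float = 0.0   # PI1_reg: reactor power at the last anchor point
    diff_pi: float = 0.0   # PI11_reg: PI2 - PI1, loaded in Diff (PI11_en = '1')
    rate: bool = False     # Rate output: '1' while the maximum-rate condition is energized

    def clock(self, pi2: float, reset: bool) -> None:
        if self.state is State.START:
            if reset:
                self.pi1_reg = pi2               # initialize PI1 while reset is active high
            else:
                self.state = State.CHECK1
        elif self.state is State.CHECK1:
            if pi2 > self.pi1_reg:
                self.state = State.DIFF
            elif pi2 < self.pi1_reg:
                self.state = State.ADJUST
            # PI2 == PI1: hold in Check1 (assumption; the paper does not describe this case)
        elif self.state is State.DIFF:
            self.diff_pi = pi2 - self.pi1_reg
            self.state = State.CHECK2
        elif self.state is State.CHECK2:
            # diff >= 11% -> Rate_S; otherwise Start, which with reset low returns to Check1
            # without re-anchoring PI1_reg (exactly as the state description reads)
            self.state = State.RATE_S if self.diff_pi >= RATE_LIMIT else State.START
        elif self.state is State.RATE_S:
            self.rate, self.pi1_reg, self.state = True, pi2, State.CHECK1
        elif self.state is State.ADJUST:
            self.rate, self.pi1_reg, self.state = False, pi2, State.CHECK1


@dataclass
class VoptBistable:
    floor: float                  # setpoint range limits are inputs (Section 5.1.2)
    ceiling: float = CEILING
    hysteresis: float = 2.0       # % below the trip setpoint needed to clear a trip (assumed)
    fsm: RateFsm = field(default_factory=RateFsm)
    trip_sp: float = 0.0
    trip: bool = False

    def _clamp(self, sp: float) -> float:
        return min(max(sp, self.floor), self.ceiling)

    def reset(self, power: float) -> None:
        self.fsm = RateFsm()
        self.fsm.clock(power, reset=True)    # Start: load PI1_reg
        self.fsm.clock(power, reset=False)   # Start -> Check1
        self.trip_sp = self._clamp(power + TRIP_MARGIN)
        self.trip = False

    def sample(self, power: float) -> dict:
        """Apply one reactor power reading, held until the FSM has consumed it and is back in Check1."""
        self.fsm.clock(power, reset=False)
        while self.fsm.state is not State.CHECK1:
            self.fsm.clock(power, reset=False)
        # Setpoint rule of Section 5.1.1 (t_SPmSel picks the +11% or +15% adder path in Fig. 6)
        candidate = self.trip_sp + RATE_STEP if self.fsm.rate else power + TRIP_MARGIN
        self.trip_sp = self._clamp(candidate)
        pretrip_sp = self.trip_sp - PRETRIP_OFFSET
        # Trip conditions (1) and (2) of Section 5.3, evaluated against the updated setpoint;
        # clearing the trip below setpoint - hysteresis is an assumed mechanism.
        if (self.fsm.rate and power >= self.trip_sp) or power >= self.ceiling:
            self.trip = True
        elif self.trip and power < self.trip_sp - self.hysteresis:
            self.trip = False
        return {"power": power, "rate": self.fsm.rate, "trip_sp": self.trip_sp,
                "pretrip_sp": pretrip_sp, "pretrip": power >= pretrip_sp, "trip": self.trip}


def run_trace(initial_power, trace, floor=20.0, ceiling=CEILING, hysteresis=2.0):
    """Reset at initial_power, then apply each reading of a (constructed) power trace in turn."""
    bistable = VoptBistable(floor=floor, ceiling=ceiling, hysteresis=hysteresis)
    bistable.reset(initial_power)
    return [bistable.sample(p) for p in trace]


if __name__ == "__main__":
    for step in run_trace(50.0, [70.0, 90.0]):   # constructed trace: two 20% jumps
        print(step)
```

Feeding the constructed trace 50% to 70% to 90% reproduces the rating trip: the setpoint steps 65, 76, 87 while power overtakes it at 90%, whereas a slow ramp (52%, 55%) leaves the rate condition off and the setpoint following power + 15%.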
The third transition diagram shown in Fig. 9 is used to control the calculation of the trip setpoint as well as trip signal determination, and it has seven states: Follow, Floor, MaxRate, Update, Ceiling, trip_S, and Untrip_S. The transition conditions and the state outputs are shown in the diagram.

Fig. 10. A section of very high speed integrated circuit hardware description language code.

5.4. VHDL coding
Having developed the trip function models using the FSMD
technique, it is time to implement the developed FSMDs by developing HDL code for all the three types of algorithms. This
involves writing the RTL that will be implemented on FPGA
using any of the HDLs. The widely used HDL languages are
VHDL and Verilog. In this work, VHDL is used because of its
flexibility and unique features.
VHDL is a language widely used to model and design digital hardware. Among its unique features is design reusability [34], which allows procedures and functions to be placed in a package so that they are available to any design unit that uses them. This is impossible in Verilog because there is no concept of packages in Verilog. VHDL also has some features, such as configuration, generate and package statements, together with the generic clause, which help the designer to manage large designs; in Verilog, there are no such statements.
The Active-HDL software tool developed by Aldec is used
for writing, simulating, and synthesizing of the VHDL code.
Active-HDL's Integrated Design Environment includes a full
HDL and graphical design tool suite and RTL/gate-level mixed-
language simulator for rapid deployment and verification of
FPGA designs [18]. Fig. 10 shows a section of VHDL code.

6. Design verification and validation
In this section, the developed VHDL code for the trip algorithms is verified and synthesized into a Xilinx Spartan 3E FPGA. The functional correctness of the design and the timing response of the FPGA are verified using the VHDL simulator from the Active-HDL tool.
To do this, a re-useable test bench is developed and written
in VHDL to verify the design using VHDL simulators. VHDL
simulators normally offer some interactive stimuli capture
feature. In this work, the Active-HDL tool simulator environ-
ment is used to write the test-bench code for design
verification.
Fig. 11. Test-bench setup configuration.

The test-bench configuration is set up with several steps needed to verify the design. Fig. 11 contains three major test bench components to fulfill the test tasks: the generator, the design under test (DUT), and the monitor. The generator/
stimuli generator generates the stimuli/test vectors signals for
DUT. The DUT is the developed VHDL code to be verified; it
responds to the stimuli and provides the output to the
monitor. The monitor is the response analyzer that is used to
observe the output of DUT. Thus the test bench wraps around
the design, sending in stimulus generated and capturing the
design's response. In writing the test-bench, we ensured that
the setup and hold times of the registers are respected to avoid
metastability issues. Subsequently, after setting up the test-
bench, each of the three algorithms is verified.
For the fixed setpoint algorithm, which is generalized for all the trip process parameters that use a fixed setpoint, the high steam generator water level trip (HSGWLT) is one of the parameters chosen for verification of the designed fixed setpoint algorithm.
Finally, to validate the design, the verified algorithm is
synthesized and mapped into a Xilinx Spartan3E-100 CP132
FPGA on a Digilent Basys2 Board for testing.

7. Results
In the VOPT simulation, the verification is performed for both the rating trip and the ceiling trip and the result is shown in Fig. 12. The rating trip is the trip that occurs when the reactor power rate rises beyond the allowable rate limit. It gets to a point where the reactor power value overtakes the setpoint that exists at that point and results in the trip. The ceiling trip is the trip that occurs when the reactor power rises to the maximum allowable trip setpoint.
The LPPT algorithm simulation result is shown in Fig. 13. The result shows the operator's action in resetting the setpoint. During plant shutdown, the pressurizer pressure decreases, and when it is equal to or less than the pretrip setpoint that exists at that point, the logic generates the pretrip signal and the operator resets the setpoint in order not to allow the generation of the trip signal. This allows the orderly shutdown of the plant without unnecessarily initiating the emergency support functions. This manual reset leads to the step reduction of the trip setpoint. As the trip setpoint approaches the minimum value, the logic issues the permission of the operating bypass, which allows the operator to request the operating bypass condition by pressing a button from the control room or maintenance and test panel. By doing this, the pressurizer pressure can be brought down to zero without initiating the trip signal. During plant startup, the system automatically removes the operating bypass condition and then follows the pressurizer pressure with a constant value. From the results, it is found that the FPGA can effectively implement the algorithms. However, careful attention should be given to the timing of the RTL value from one register to the other within the data path.

Fig. 12. Variable over power trip combined rate and ceiling trip simulation result.
The synthesized result of timing analysis during synthesis
of verified design for HSGWLT into Xilinx Spartan 3E FPGA is
shown in Table 4. During code synthesis, the design is opti-
mized for processing speed of FPGA. The total delay is found to
be 13.023 ns, which shows that even the Xilinx Spartan 3E, a
low-end FPGA, can implement the trip algorithms at a
sufficiently fast rate. This is because of the concurrent
operation of the FPGA, which processes many operations at
the same time, whereas a PLC executes instructions
sequentially. Fig. 12 shows the configuration of the practical
implementation of the verified HSGWLT bistable logic for
validation. It also indicates the applicability of the hysteresis
shown in the simulated results.
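The bistable behaviour with hysteresis discussed above, as an added behavioral model in Python written for this edit; it is not the paper's VHDL. The trip setpoint 85 and the input 80 are the values shown on the validation board described in this section, while the pretrip margin, the hysteresis band and the sample level sequence are constructed assumptions.

```python
from enum import Enum


class BistableState(Enum):
    """Controller states of the bistable FSM."""
    NORMAL = 0
    PRETRIP = 1
    TRIP = 2


# 85 and 80 are the trip setpoint and input shown on the validation board in this section;
# the pretrip margin and hysteresis band below are constructed assumptions.
TRIP_SETPOINT = 85
PRETRIP_MARGIN = 3   # pretrip setpoint = trip setpoint - margin
HYSTERESIS = 2       # a set output clears only once the level falls this far below its setpoint


def hsgwlt_step(state, level, trip_sp=TRIP_SETPOINT, pretrip_margin=PRETRIP_MARGIN, hyst=HYSTERESIS):
    """One clock of the high SG water level bistable. Returns (next_state, pretrip, trip).

    The data path compares the sampled level against the setpoints; the FSM selects which
    comparison applies, so the clearing threshold sits `hyst` below the setting threshold."""
    pretrip_sp = trip_sp - pretrip_margin
    if state is BistableState.TRIP:
        if level >= trip_sp - hyst:
            nxt = BistableState.TRIP          # hold the trip through small dips
        elif level >= pretrip_sp - hyst:
            nxt = BistableState.PRETRIP
        else:
            nxt = BistableState.NORMAL
    elif state is BistableState.PRETRIP:
        if level >= trip_sp:
            nxt = BistableState.TRIP
        elif level >= pretrip_sp - hyst:
            nxt = BistableState.PRETRIP       # hold the pretrip through small dips
        else:
            nxt = BistableState.NORMAL
    else:
        if level >= trip_sp:
            nxt = BistableState.TRIP
        elif level >= pretrip_sp:
            nxt = BistableState.PRETRIP
        else:
            nxt = BistableState.NORMAL
    return nxt, nxt is not BistableState.NORMAL, nxt is BistableState.TRIP


def run_bistable(levels, hyst=HYSTERESIS):
    """Clock the bistable through a level sequence; returns the list of (pretrip, trip) outputs."""
    state, outputs = BistableState.NORMAL, []
    for lvl in levels:
        state, pretrip, trip = hsgwlt_step(state, lvl, hyst=hyst)
        outputs.append((pretrip, trip))
    return outputs


def trip_rising_edges(levels, hyst=HYSTERESIS):
    """Number of times the trip output goes from clear to set over the sequence."""
    edges, prev = 0, False
    for _, trip in run_bistable(levels, hyst):
        edges += int(trip and not prev)
        prev = trip
    return edges


# Constructed level sequence that dithers around the 85 setpoint before settling back down.
NOISY_LEVELS = [84, 85, 84, 86, 84, 83, 82, 81, 80, 79]

if __name__ == "__main__":
    print("outputs with hysteresis:", run_bistable(NOISY_LEVELS))
    print("trip edges, hyst=2:", trip_rising_edges(NOISY_LEVELS),
          "hyst=0:", trip_rising_edges(NOISY_LEVELS, hyst=0))
```

With the 2-unit band the trip output sets once and holds while the level dithers between 83 and 86; with the band removed the same sequence sets and clears the trip twice, which is the chatter the hysteresis is there to suppress. A steady input of 80 against the 85 setpoint produces no trip in either case.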
Subsequently, the verified FPGA-based RPS trip function is
validated using a Xilinx Spartan3E-100 CP132 FPGA on a Digilent
Basys2 board, as shown in Fig. 14, which shows the FPGA board
displaying the pretrip and trip signals of HSGWLT with input (80)
and trip setpoint (85) on the hexadecimal indicator.
Fig. 12 - Variable over power trip combined rate and ceiling trip simulation result.
Fig. 13 - Low pressurizer pressure trip simulation result.
Table 4 - Synthesis result showing timing response of Xilinx Spartan 3E field programmable gate array (FPGA).
Synthesized parameter                        Time (ns)
Delay (within FPGA)                          4.009
Minimum input arrival time before clock      1.731
Maximum output required time after clock     7.283
Total processing delay                       13.023
8. Conclusions
The reactor bistable trip functions are developed in this work
using the systems engineering approach. In this work, the
DOD MIL-STD-499B design process is modified, consistent
with the V-model to Y-model transformation. This simplifies
and speeds up the design process for FPGA-based systems as
well as making V&V simpler and easily achievable. The design
process stages (needs analysis, requirements analysis, func-
tional analysis, design synthesis, and design V&V) are
developed for reactor trip functions. The needs and system
analysis is first performed, followed by the requirement
analysis. After requirement analysis, the functional analysis
is performed. During functional analysis, the functional re-
quirements of trip functions are summarized and presented
graphically.
In design synthesis, based on the functional requirements,
the reactor trip functions are designed, modeled, and devel-
oped using FSMD design techniques. Fixed setpoint, variable
over power trip, and pressurizer pressure trip algorithms are
developed. The data path is designed to perform all the
mathematical computations, data movement, data storage,
and data comparisons of the algorithms, while FSM controls
the activities of the data path. After the design and modeling,
the VHDL code is developed for each algorithm and the
developed VHDL codes are verified and tested using the
Active-HDL tool. To perform this verification, a VHDL test-
bench with test cases is developed, and the designed algo-
rithms are verified to satisfy the requirements.
Finally, the verified design is synthesized and mapped onto
a Xilinx Spartan 3E FPGA for testing and validation. During
synthesis, the design is optimized for the processing speed of
the FPGA, and the total delay is found to be 13.023 ns, which is
small enough compared to the required response time.
Fig. 14 - Field programmable gate array board showing pretrip and trip signals with input (80) and trip setpoint (85) of high steam generator water level trip.
Conclusively, the transformation of the systems engineering
V-model into a Y-model, consistent with the process
defined in DOD MIL-STD-499B, as well as the structured step-
by-step design modeling techniques utilized in this work,
have shown how FPGA-based trip functions can be simply
designed and verified. Therefore, if this design approach is
employed in designing an FPGA-based I&C system, the design
can be verified easily and both the utility and regulator can
easily understand the system. With this, the development
time and effort can be minimized.
Conflicts of interest
All authors have no conflicts of interest to declare.
Acknowledgments
This work was supported by the 2015 Research Fund of the
KEPCO International Nuclear Graduate School (KINGS), Re-
public of Korea.
References
[1] IEEE Std. 1012, IEEE Standard for Software Verification and
Validation, IEEE, 2004.
[2] EPRI, Recommended Approaches and Design Criteria for
Application of Field Programmable Gate Arrays in Nuclear
Power Plant Instrumentation and Control Systems, EPRI, Palo
Alto, CA, 1022983, 2011.
[3] EPRI, Guidelines on the Use of Field Programmable Gate
Arrays (FPGAs) in Nuclear Power Plant I&C Systems, EPRI,
Palo Alto (CA) 1019181, 2009.
[4] US DOD MIL-STD-499B, Military Standard Systems
Engineering, 1993.
[5] IEC Std. 62566, Nuclear Power Plants - Instrumentation and
Control Important to Safety - Development of HDL-
programmed Integrated Circuits for Systems Performing
Category A Functions, IEC, 2012.
[6] J.C. Jung, H.S. Chang, H.B. Kim, "3+3 process" for safety
critical software for I&C system in nuclear power plants,
Nucl. Eng. Technol. 41 (2009) 91-98.
[7] A. Hamann, Iterative Design Space Exploration and
Robustness Optimization for Embedded Systems, 2008.
[8] E. Hwang, F. Vahid, Y.C. Hsu, FSMD functional partitioning
for low power, Des. Autom. Test Eur. Conf. Exhib. (1999)
22-28.
[9] A. Sudnitson, Finite state machines with datapath
partitioning for low power synthesis [Internet]. Available
from: http://www.pld.ttu.ee/decomposition/publications/
Sudnitson_MIXDES_01.pdf.
[10] P.C. Pong, FPGA Prototyping by VHDL Examples, John Wiley &
Sons, Inc., Hoboken, NJ, 2008.
[11] KINS-OPIS, Nuclear event evaluation database: recent
nuclear events [Internet]. [cited 2015 Sep 13] Available from:
http://opis.kins.re.kr/opis?act=KEOBA3100R.
[12] EPRI, Guideline for Performing Defense-in-depth and
Diversity Assessments for Digital Upgrades: Applying Risk-
informed and Deterministic Methods, EPRI, Palo Alto, CA,
1002835, 2004.
[13] US NRC, Regulatory Guide 1.152 - Criteria for the Use of
Computers in Safety Systems of Nuclear Power Plants, 2011.
[14] US NRC, Digital Instrumentation and Control Systems in
Nuclear Power Plants: Safety and Reliability Issues, National
Academies Press, 1997.
[15] IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital Computers
in Safety Systems of Nuclear Power Generating Stations,
IEEE, 2010.
[16] IEEE Std. 603, IEEE Standard Criteria for Safety Systems for
Nuclear Power Generating Stations, IEEE, 2009.
[17] US NRC, Regulatory Guide 1.47 - Bypassed and Inoperable
Status Indication for Nuclear Power Plant Safety Systems,
2010.
[18] Aldec, Active-HDL - FPGA simulation - products [Internet].
[cited 2015 Sep 13] Available from: https://www.aldec.com/
en/products/fpga_simulation/.
