於爾濱二蛇大學



The reliability model for the FPGA-based instrument and control system using Colored Petri Net

Zhanguo Ma, Hidekazu Yoshikawa, Ming Yang

Harbin Engineering University College of Nuclear Science and Technology

## Outline





#### **FPGA** applications in NPP



Fault tolerance techniques of I&C system



**Reliability model for FPGA based Module** 



Petri Net methodology and CPN models



**Future work** 



# FPGA based I&C platforms and applications in NPP



| FPGA<br>based<br>Platform | RadICS                                                                                                                                                                                                                                                                 | Advanced<br>Logic System<br>(ALS)                                                 | Nuclear Protection<br>and Control<br>(NuPAC)                                                             | Toshiba FPGA<br>based I&C<br>system                                                                                                                                                                                          |
|---------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Company                   | Radiy, Ukraine                                                                                                                                                                                                                                                         | Westinghouse,<br>USA                                                              | Lockheed Martin<br>(USA) &SNPAS<br>(China)                                                               | Toshiba,<br>Japan                                                                                                                                                                                                            |
| FPGA<br>Technology        | Flash                                                                                                                                                                                                                                                                  | Flash                                                                             | Flash                                                                                                    | Antifuse                                                                                                                                                                                                                     |
| Application               | <ul> <li>Reactor Trip System,</li> <li>Engineered Safety<br/>Features Actuation<br/>System,</li> <li>Rods Control System,</li> <li>Reactor Power<br/>Control &amp; Limitation<br/>System</li> <li>Other systems: Fire<br/>Alarm System,<br/>Seismic Sensor.</li> </ul> | <ul> <li>Main steam and feedwater isolation system</li> <li>AP1000 DAS</li> </ul> | <ul> <li>Reactor Trip<br/>System</li> <li>Engineered Safety<br/>Features Actuation<br/>System</li> </ul> | <ul> <li>Power Range<br/>Neutron Monitor<br/>system,</li> <li>Reactor Trip and<br/>Isolation system for<br/>the boiling water<br/>reactor.</li> <li>Primary safety I&amp;C<br/>system for ABWR<br/>in South Texas</li> </ul> |



# Other applications in NPP

- In Canada, FPGA was first designed as the emulator, then it was designed for the safety related system in the CANDU plant
- In France, EDF started to replace the rod control system and is supporting the research for the FPGA applications in the safety related systems
- Priority logic MALTAC platform and AP1000 NPP
- The FPGA is more and more extensive applied both for the new NPP I&C system design and the operating plants update
- The reliability evaluation of the FPGA based system is drawn the more and more concerns

### Comparison Microprocessor and FPGA



The microprocessor and the FPGA based are the two dominated technical solution for the NPP I&C design.

Micropro cessor Based on operation system, peripheral hardware and software associated drivers

Instruction are executed sequential

Difficult to separate as they based on the same operation system and other software service

Upgrade including the operation system and supporting software drives, take more time

Software process, software and hardware product

More experience and easy for the complicated HMI

Flat hardware logic

FPGA

6

Process separate functions independently and in parallel

Ancillary functions can be separated from the main I&C function

Directly upgraded the I&C logic functions

Software process, hardware product

Difficult for the complicated HMI





#### Fault tolerance & fault coverage

- The fault tolerance is the system's property that enables a system to correctly perform the specific required function in the event of failure of the components or sub-system.
- The fault coverage is the evaluation of the fault tolerance design and it is the ability to perform fault detection, fault isolation or fault recovery.

 $C = \Pr(fault \ detected \& recovery | fault \ existence)$ 



# Fault tolerance design for FPGA based system



- ➡ Fault tolerance design is equally applied both for the microprocessor and FPGA based I&C system.
- The main difference is the fault techniques can be designed in a separated FPGA chip.





## Fault tolerance techniques

#### ◆ Fault tolerance design:

- enhance the safety and reliability
- ◆ alleviate the maintenance for the digital I&C system

#### • Characters:

- There is may impact on the main control function when it failed. But there is less or no impact for the FPGA solution as they are designed in separated chip.
- The specific fault tolerance technique can detect and recover certain faults.
- Certain faults may be detected by several fault tolerance techniques, than some certain fault may not be detected by any fault tolerance techniques.
- For different fault tolerance technique, it takes different time to detect and recover the fault.



# Fault tolerance design of the FPGA based I&C system



Module Redundancy uses additional hardware to compare the logic result to determine the logic function is correctly calculated or not such Triple Modular Redundancy (TMR).

I.



Fault tolerance design of the FPGA based I&C system



II. Offline test methods perform any test when FPGA is not running operationally. When the test requires no further external test equipment, it is known as the Built-In-Self-Test (BIST).



# Fault tolerance design of the FPGA based I&C system



**Roving test methods** perform a progressive scan of the FPGA structure by swapping blocks of functionality with a block carrying out a test function.



**The coverage** for one of the technique *i* is  $C_i$ 



# Module Reliability



16



Fault information

For the module, the reliability can be calculated by:

$$R(t) = e^{(-\lambda t)} \qquad 3.1$$

- $\lambda$  is the failure probability at  $t + \Delta t$
- t is the hardware running time



3.2

17

$$R(t) = 1 - \prod_{i=1}^{n} (1 - R_i(t))$$
$$= 1 - \prod_{i=1}^{n} (1 - e^{(-\lambda_i t)})$$

 $\lambda_n$  is the failure probability for one tile and it is less than  $\lambda$ 

In the calculation model,  $\lambda_n = \lambda$ 

 $R(t) = 1 - (1 - e^{(-\lambda t)})^n$  3.3



3.4

### The reliability calculation

$$MTTF = \int_0^\infty R(t)dt = \int_0^\infty \left[1 - (1 - e^{(-\lambda t)})^n\right]dt = \frac{1}{\lambda} + \frac{1}{2\lambda} + \dots + \frac{1}{n\lambda}$$

The tile optimal number n=4

$$MTTF = \frac{1}{\lambda} + \frac{1}{2\lambda} + \frac{1}{3\lambda} + \frac{1}{4\lambda}$$
 3.5

$$MTTF = \frac{1}{\lambda}$$

$$\int_{M} 3.6$$

$$\int_{M} \frac{1}{MTTF} = \frac{12}{25}\lambda$$

$$3.7$$



### Parameter for each fault technique



is the failure probability for the fault tolerance technique *i* 

$$\lambda_i = C_i \cdot \lambda_M \qquad 3.8$$

After the fault is detected, the fault should be repaired. The reparation time follows the Erlang law.

$$F(t) = 1 - \sum_{k=0}^{n-1} \frac{1}{k!} e^{-\mu_c t} (\mu_c t)^k$$
 3.9

k means the number of modules

$$\mu_c = \frac{1}{MTTR_c}$$

 $\lambda_i$ 



# Methodology-WHY



- The traditional models and methods have their limitation, especially for the dynamic character and for the software part of the I&C system.
- The NRC Technical reference NUREG/CR-6901 reports that the Petri Net is one of the possible methodologies to model the D-I&C







# Methodology-Differences

| Type<br>Items | Petri Net                             | Colored Petri Net                                |  |
|---------------|---------------------------------------|--------------------------------------------------|--|
| Token         | Token;                                | Colored Token;                                   |  |
|               | Only the <b>nonnegative</b> integer.  | Arbitrary data type from simple to complex data  |  |
| 9             |                                       | and supporting the user defined data type.       |  |
| Transition    | Transferring the tokens that is       | Transferring the data.                           |  |
|               | removing the tokens from the input    | The transition can be programmed as the guard.   |  |
|               | and produce the tokens for the        | The guard determines whether the transition      |  |
|               | output.                               | can be fired.                                    |  |
|               | はないないのでも近日との言葉                        | The transition can be programmed as the action.  |  |
|               | になるしていていていたい                          | The action can be any user defined function that |  |
| 2-12-19-00    | シリティンシンティアシンテ                         | processes the data in the token.                 |  |
| Arc           | Labeled by the nonnegative integer    | Arc function re-processes the output value from  |  |
|               | defining the input and output weight. | the transition action processing the data.       |  |
| Marking       | The amount of token in each place.    | The data and information in each place defined   |  |
|               | ALS ALZ ALZ ALS ALS                   | as the color set.                                |  |
| Firing rule   | Meet the input arc labeled weight.    | Meet the input arc function.                     |  |
|               |                                       | Meet the transition guard condition.             |  |



## Methodology



There is port place and socket place used for the data exchanges of the different level of the model.

|                 | Petri Net                                                                                                                    | Colored Petri Net                                                                                                                                                                                                                                                                                                                                                 | Hierarchical<br>CPN                                                                 |
|-----------------|------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| Applic<br>ation | <b>Low Level</b> Petri net<br>Graphical notation and                                                                         | High Level Petri net<br>Petri Net and Programmed language suited for<br>the practice model as:                                                                                                                                                                                                                                                                    | High Level Petri net<br>Modeling the complex                                        |
|                 | suited for the theoretical<br>model<br>concurrency system<br>Hardware system<br>Relatively simple and<br>limited capability. | <ul> <li>compact model as:</li> <li>compact modeling</li> <li>parameterisable models</li> <li>Industrial application such as:</li> <li>communication protocols,</li> <li>data networks,</li> <li>distributed algorithms,</li> <li>embedded systems,</li> <li>business processes and workflows,</li> <li>manufacturing systems,</li> <li>agent systems.</li> </ul> | systems nearly the<br>same with the CPN.<br>Modeling in the<br>hierarchical manner. |



## Module level CPN model



27







### Future work



Currently, the module level CPN model is finished. The following work is:

- The detailed CCF model will be integrated using CPN;
- The system level model for the RPS hardware configuration will be model using CPN;
- The simulation and some reliability indicators will be calculated such as the MTTF.

