

#### FPGAs in Safety Related I&C Applications in Nordic NPPs

Energiforsk/ENSRIC Project

Sofia Guerra and Sam George 3 October 2016

PT/429/309/44

xmouth House 3–11 Pine Street London EC1R 0JH \* +44 20 7832 5850 F +44 20 7832 5853 E office@adelard.com W www.adelard.com



### Adelard

- Adelard LLP is an independent product and services company supporting its clients to achieve safe, dependable and secure systems.
- 29 years of consultancy and training
- Developer of numerous safety standards
- Author of many safety justifications- civil and defence sectors
- Assessed many safety cases defence and civil
- Developed and assessed critical software
- Research into safety and dependability
- Develops and markets the Assurance Safety Case Environment (ASCE) tool



## Outline

- Background
- Are FPGA-based systems feasible for future Nordic applications?
- Implications of FPGA-based solutions in terms of V&V





# Background to presentation

- Two projects funded by Energiforsk/ENSRIC on FPGAs
- 2014/2015
  - Investigate whether FPGA-based systems are feasible for future programs in Nordic NPPs
- 2015/2016
  - Implications of FPGA-based solutions (on V&V)



# **Project aims**

- Investigate whether FPGA-based systems are feasible for future programs in Nordic NPPs
- Three major aspects
  - Review of applications
    - Current and historical use of FPGAs across different licensing regimes
  - Market availability
    - Chip suppliers
    - Platform suppliers
  - Standards in the Nordic environment
    - Survey of standards relevant to FPGA use
    - Review and focus on Nordic standards



# Outline

- Background
- 1<sup>st</sup> Project
- 2<sup>nd</sup> Project





# 1<sup>st</sup> Project outline

- Intro: What are FPGAs?
- Task 1: Review of applications
- Task 2: Market availability
- Task 3: Standards in Nordic countries



#### What are FGPAs?

- Explanation what FPGAs are and their typical development process
- Types of FPGA (SRMA, Flash and Anti-fuse)
- Regulatory aspects
- FPGAs advantages and disadvantages



# Task 1: Review of installations

- Identified safety-related FPGA-based applications in nuclear and non-nuclear sectors
- Nuclear applications categorised by country / licensing regime
  - Identify history of implementation
  - Early experiences and lessons learnt
  - Other options considered
  - Includes
    - Sweden and Finland
    - US, UK, France, Czech Rep
    - Ukraine, and Bulgaria
    - Canada and Argentina
    - Japan, China, South Korea
    - Taiwan





# Task 2: Market availability and suppliers

- Two types of suppliers: chip suppliers and platform suppliers
- Chip suppliers provide FPGA circuits, also typically software tools for developing FPGA applications
  - Typically supply "families" of chips used for different purposes
- Platform suppliers provide entire platform to NPPs, including FPGA application, interfaces with other components
  - Typically focus on a single major platform, which may be customised to provide different functionality







# Task 3: Standards and Nordic environment

- Relevant standards can be divided into four major categories:
  - General nuclear standards — STUK Guide YVL B.1, IEEE Std 603
  - Digital I&C equipment in a safety-related role
    - STUK Guide YVL E.7, IEC 61508, IEC 61513
  - Software development methodologies
    - IEEE 1012, IEEE Std 1028
  - FPGA-specific standards
    - Until recently there was little in the way of specific FPGA guidance



### Nordic standards

- YVL B.1, YVL E.7 and SSM regulations SSMFS 2008:1
  - Assessed these clause-by-clause to identify areas of concern regarding FPGAs
  - No significant findings some minor terminology differentiation
  - Can reasonably be used in a framework of FPGA-specific guidance to incorporate FPGAs in nuclear power plants



#### FIELD PROGRAMMABLE GATE ARRAYS IN SAFETY RELA-TED INSTRUMENTATION AND CONTROL APPLICATIONS

REPORT 2015:112







# Workshop

#### FPGA-based Instrumentation and Control Systems in Nuclear Applications

- Participants from utilities, suppliers and SSM
- Presentation of project results
- Experiences with licensing FPGA based systems in Sweden and elsewhere
- Presentation from supplier of FPGA-based safety solutions from supplier



Venue: Energiforsk, Olof Palmes gata

Sign up at the latest by January 30 to

organizations, but no show is debited

The number of participants is limited.

31, 6th floor, Stockholm, Sweden.

monika.adsten@energiforsk.se.

The seminar is free of charge for

participants from relevant

with 1 000 SEK

Field Programmable Gate Arrays (FPGAs) have been gaining interest from the nuclear industry for a number of years. Their simplicity compared to microprocessor-based platforms is expected to simplify the licensing approach, and therefore reduce licensing risks compared to software-based solutions.

Energiforsk (formerly Elforsk) Nuclear Safety Related I&C research program, ENSRIC, are running a project to develop an overview and understanding of the position of safety related systems built on FPGA-technology for nuclear applications. The aim is to investigate if FPGA-based systems are a realistic alternative in future investment programs in the Nordic NPPs within the next 5 years, considering technological advancement, licensing, market situation etc.

The results from the study will be presented at this seminar, together with presentations from suppliers and experience from NPPs using FPGA-based applications. ENSRIC is financed by E.On, Fortum, Karlstads Energi, Skellefteå Kraft, The Swedish Radiation Safety Authority, TVO and Vattenfall.

#### PROGRAM

- 12.30 Registration and coffee
- 13.00 Welcome and introduction Monika Adsten, Energiforsk and Anders Johansson, Vattenfall
- 13.10 Presentation of results from the ENSRIC study FPGAs in safety related I&C applications in Nordic NPPs Sofia Guerra and Catherine Menon, Adelard, UK
- 14.10 Application of FPGA-based Safety Controller for Implementation of NPPs I&C Systems Anton Andrashov, Radiy, Ukraine

#### 14.40 Coffee

- 15.00 Possible uses of FPGAs in Nuclear I&C Nguyen Thuy EdF, France
- 15.30 Experiences from FPGA applications at Ringhals 2 Fredrik Bengtsson, Vattenfall Ringhals NPP, Sweden
- 15.45 Justifying an FPGA-based system performing a Cat C function Sofia Guerra, Adelard, UK
- 16.15 Discussion
- 17.00 End of seminar



Energiforsk

# **Conclusion of first project**

- FPGAs may play a role in future modernisation programs of I&C systems in Nordic NPPs
- What are the implications of FPGA-based systems in Nordic NPPs?
  - Focus on verification and validation
  - How do they compare to microprocessor based solutions?





# Outline

- Background
- 1<sup>st</sup> project
  - What are FPGAs?
  - Review of applications
  - Market availability
  - Standards in Nordic countries
  - Workshop
- 2<sup>nd</sup> project
  - Objectives
  - Approach
  - Conclusion





# Objective

- Review verification and validation activities needed to implement an application in an FPGA-based product
- Compare with what might be equivalent for a microprocessor based application
- What does equivalence mean?
  - Different activities have different objectives
  - Different levels of assurance
- Focus on their contribution to the safety demonstration
- Systems implementing safety functions (as Cat A in IEC 61226)



#### Strategy triangle of safety demonstration









#### Standards compliance

- Compare verification and validation required by comparable standards for FPGA-based and software-based systems
- IEC 62566 and IEC 60880



**BSI Standards Publication** Nuclear power plants — Instrumentation and control important to safety — Development of HDL-programmed integrated circuits for systems performing category A functions

DJI

BS IEC 62566:2012









Figure 3 - Development activities of the IEC 60880 software safety lifecycle



Figure 2 – Development life-cycle of HPD

#### Red – differences

#### Green – text required for clarity

IEC 62566

### Comparison

Black- common

| Coverage and types | Adequacy of design specification down to module level<br>Decomposition of design into modules wrt technical<br>feasibility, testability, readability, modifiability<br>Code verification to begin with source code analysis then<br>module testing<br>Full testing guidance given in Appendix E<br>Module verification to show that all modules perform<br>intended functions and not unintended functions                                         | Each module to be specifically tested, and all features mentioned in<br>the requirements spec<br>Adequacy of design specification down to module level<br>Decomposition of design into modules testability, understandability,<br>modifiability<br>Static verification to include type / syntax checking, parameter<br>checking, 00R checks, completeness of sensitivity list and cases,<br>detection of dead states and side effects, logical and physical Design<br>Rule Checks<br>Tests should be performed for worst case and best case, and test<br>results documented |
|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Criteria           | Test coverage criteria to be justified and documented                                                                                                                                                                                                                                                                                                                                                                                              | Criteria shall be documented and analysed to show sufficiency for<br>requirement spec<br>If a criteria isn't achieved then a justification must be provided                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Tools              | Automated tools may be used for code verification<br>Tools shall be qualified as per requirements of the<br>standard                                                                                                                                                                                                                                                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Documentation      | Verification plan, established before any verification<br>activities, documents all criteria, techniques and tools<br>Plan includes selection of verification strategies, selection<br>and utilisation of tools, execution of verification,<br>documentation, evaluation of verification results<br>Verification plan shall identify any evidence needed to<br>confirm extent of testing<br>Results of verification shall be documented, including | Verification plan, established before any verification activities,<br>documents all criteria, techniques and tools<br>Plan includes selection and justification of verification strategies,<br>selection and utilisation of tools, execution of verification,<br>documentation, evaluation of verification results<br>All verification strategies to be justified<br>Verification plan to document all tests including goals, criteria and<br>expected results                                                                                                              |

#### IEC 60880

© ADELARD



# Standards comparison

- No significant differences
- IEC 62566 less prescriptive about specific documents than IEC 60880
- Some difference on specific requirements due to differences in technology, e.g., static timing analysis



### **Vulnerabilities**

- Vulnerabilities are weaknesses in a system
- They could lead to a hazardous situation, but are not strictly a hazard
- Consider different types of vulnerabilities for FGPA-based systems, and compare with vulnerabilities for microprocessor based systems, and how absence of these can be shown





# Format

| Vulnerability                              | FPGA        |     | Microprocessor |     |
|--------------------------------------------|-------------|-----|----------------|-----|
|                                            | Explanation | V&V | Explanation    | V&V |
| Timing errors                              |             |     |                |     |
| Initialisation<br>design errors            |             |     |                |     |
| Translation<br>errors                      |             |     |                |     |
| Incorporation of<br>third-party<br>designs |             |     |                |     |

- And technology-specific issues
  - SRAM, Antifuse, Flash

# FPGAs - vulnerabilities

- Assume constraints imposed by IEC 62566 hold, e.g.,
  - Synchronous design
  - Adherence to coding rules
- Mainly concern the tools used to refine an HDL specification into a deployed FPGA.
- IEC 62566 mandates that all RTL designs be fully synchronous, if maximum logic propagation times for combinatorial logic do not generate unsynthesisable timing constraints
  - FPGA-specific timing vulnerabilities can in principle be reduced to toolchain vulnerabilities.
- Some vulnerabilities of microprocessor-based solutions are not applicable to FPGAs
  - E.g. processor interrupts

# FPGAs – vulnerabilities (2)

- Closed source chip design and bitstream format
- Lack of vendor independence in post-place-and-route analysis
- Hidden state retention in cyclic structures
- Potential control/data flow problems if a sequential design paradigms are projected too literally into spatial realisation
- Multiple clock domains possible
- HDL assertion languages such as SVA/PSL may not be best suited to define application-level behaviour, leading to lack of V&V coverage of important properties
- SEUs and mitigation methods
- Built-in peripheral functions limit portability (AD and other hard IP cores)



# Behavioural properties

| Property |                                | Discussion                                                                                |  |  |
|----------|--------------------------------|-------------------------------------------------------------------------------------------|--|--|
| P1       | Functionality                  | The function performed by the system                                                      |  |  |
| P2       | Timing                         | Includes time response, permissible clock frequencies, propagation delays, etc.           |  |  |
| P3       | Accuracy                       | Affected by analogue/digital conversion, processing functions, IP cores                   |  |  |
| P4       | Availability                   | Readiness for correct service, a system-level attribute supported by component attributes |  |  |
| P5       | Fault detections and tolerance | Internal detection of faults                                                              |  |  |
| P6       | Robustness                     | Tolerance to out-of-normal inputs and stressful conditions                                |  |  |
| P7       | Failure recovery               | The ability to recover from failures                                                      |  |  |



# Behavioural properties (2)

- Functionality e.g. multithreaded/concurrent design difficult to achieve reliably in microprocessor-based systems
- Worst case execution time
- Spatial dimension to redundancy and availability
- Failure recovery
- Accuracy A/D conversion
- Fault tolerance on-chip strategies



# V&V of behavioural properties: example differences

## • Confidence levels

- Code review
- High and low level timing correctness
- Machine-level code correctness
- Cost
  - Verification effort
  - Tools
- Determinism and handling of external asynchronous processes



# Conclusions

- We compared V&V techniques for FPGAs and microprocessor based systems
  - Requirements from standards
  - Behaviour based analysis
  - Vulnerabilities associated with the different technologies
- Few significant differences identified as result of standards comparison
- Treatment of timing and concurrency different
- Typical vulnerabilities of microprocessors are absent from FPGAs, but possible issues with lack of transparency of code artefacts
- More comprehensive toolset for FPGAs

