
In this work, CANDU SDS1 is used as an example to investigate the feasibility of realizing faster shutdown with FPGA technology. Research work here is focused on shortening the response time such that SDS1 can react faster.

2.3.1 Evolutions

In the early 1950s, the shutdown systems in CANDU reactors used a very simple design. The prototypes of CANDU reactors, Nuclear Power Demonstration and Douglas Point, used a “dump tank” which drains the heavy water moderator and pumps it back to the PHT loop to provide negative reactivity [50]. The design of the gravity-drop mechanical shutoff rods (the prototype of the current SDS1) was first added to the shutdown system in the Pickering-A design [51]. The trip logic of SDS1 was at first based on relay circuits and analog comparators [52]. After being in service for decades, all these designs are facing aging and digitization challenges. In the early 1980s, CANDU NPPs started replacing the conventional relay logic and analog devices in their safety systems with digital computers [53]. The first software-driven shutdown system in Canada was developed and deployed at the Darlington NPP [54]. The SDS1 trip logic became a digital-computer-based design (PDCs) in the CANDU 6 model (starting with Pt. Lepreau and Gentilly-II in 1982) [55]. Recently, PLCs have also been used as the shutdown system controller in a CANDU NPP refurbishment project [56]. All of these steps are a natural evolution driven by the rapid development of computer technology, and they do bring performance enhancements to CANDU NPPs.

While CANDU NPPs now have a fully computerized SDS1, digital computers are used mainly in two components of the system: the trip logic processing unit and the display/monitoring unit [55]. The monitoring computer is a passive component that is not involved in the shutdown process. Thus the trip computer, which executes the trip logic in software, is the only component that can be replaced by a faster FPGA implementation to speed up SDS1.

2.3.2 Issues in software-based SDS1

As the global tide of computerization rose, computer systems became increasingly ubiquitous in both everyday life and industry. CANDU was among the first reactors, in the early 1980s, to use digital computers for shutdown logic implementation. However, difficulties were encountered after these software-based safety systems had been deployed in NPPs for years.

The licensing approval process becomes difficult and time consuming, especially for software-based systems with complex control logic and algorithms. The reasons for this difficulty lie in the nature of software itself, such as its discrete manner of processing and inherent design faults [57].

As control algorithms become more and more complex to meet increasing safety and functional demands, system specifications become increasingly varied. It is basically impossible to demonstrate that the design of a software-based system for a realistic control purpose is correct and that failure mechanisms are completely eliminated [58]. The reliability of software-based systems is also disputed because of the large number of discrete states without the repetitive structure found in computers. Problems can arise in the use of software-based systems when their discrete nature is accompanied by great complexity, which is a source of error and unreliability [57]. Canadian industry has made efforts to improve this aspect through lessons learned in NPP safety-critical software applications [59]. It is also very difficult to provide realistic test conditions for a software-based system. Actual operating conditions often differ from test conditions. The software simulation process at the verification and validation (V&V) stage, however, has to be performed based on assumptions, and there is no way to guarantee that the simulation is accurate enough [60].

For the reasons mentioned above, regulators face difficulties when approving a software-based system for safety applications in NPPs [61]. When the system is to be applied as a safety-critical component in an NPP, the approval workload can become even heavier. The question then arises of how one can take advantage of digital systems without suffering the burden of the regulatory approval process, especially for safety-critical systems. One option is given by advanced digital hardware platforms, e.g. FPGAs, which are pure hardware once implemented but are capable of processing complex logic as software-based systems do.

2.3.3 Speed of response of CANDU SDS1

Figure 2.5 shows the outline structure of one of the three CANDU SDS1 channels, which is composed of sensors for system variable measurement, a trip computer for trip logic processing, relay logic for 2oo3 voting, and the shutoff rods for reactor trip [52].

Since this is basically a serial structure, the time consumed by a shutdown process is the sum of the time needed by each section. Theoretically, the shutdown process can be sped up by reducing the time consumed by any of these parts. However, the significance of such attempts can differ greatly, since each section accounts for a different portion of the total shutdown time. For instance, it takes up to two seconds for the shutoff rods to be fully inserted into the core, while the maximum time consumed by the trip computer is 100 ms [47]. Furthermore, there have to be techniques available that are capable of effectively reducing the time consumed. Although SDS1 is equipped with compressed springs to provide extra driving force for shutoff rod insertion [16], the insertion still takes up the largest part of the entire shutdown process. The decision-making time consumed in the trip computer is studied in this work, since the trip logic is what is to be implemented using an FPGA.

Figure 2.5 – Signal path of SDS1

The speed of response of CANDU SDS1 has been followed with interest and explored by CANDU developers and utilities such as AECL and OPG. Through a plant test of SDS1 at the Bruce-A NPP, AECL has proved that a faster insertion rate of the shutoff rods can produce a lower neutron flux transient during the shutdown process [62]. Shutdown system tests performed by OPG in Unit 8 of the Pickering-B NPP indicate that it took 800 ms for reactor neutron power to start decreasing after the initiation of shutoff rod dropping [63], which implies that the speed of the shutdown system has to be fast enough to assure plant safety. It has to be pointed out that in both of the above cases the shutdown process was initiated from a normal operating status. Hence, during an accident in which reactor safety is facing a serious threat, a timely and fast shutdown process is of even greater significance.

Regulators take speed of response as a critical factor in achieving NPP safety. It is clearly stated in the CNSC regulations that the shutdown speed and the shutdown margin should be effective enough that the predefined limits are not exceeded [41]. In the design of the computer-based CANDU SDS1, AECL gives a specification that the logic processing time for the trip computer should not exceed 100 ms. This is ensured by a system watchdog which issues a channel trip signal if it has not received any response from the trip computer after 100 ms [47]. Both the regulatory requirement and the design specification are intended to ensure an effective shutdown speed such that plant safety is preserved even when undesired accidents occur.
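The following added example (not code from the thesis or from any CANDU system) models how the 100 ms watchdog and the 2oo3 vote described above combine: a hung or late trip computer is treated as a channel trip at the deadline, so the voted decision time is bounded. The struct, the function names and the sample latencies are assumptions made for illustration; sensor, relay and rod insertion delays are left out.

```c
#include <stdbool.h>
#include <stdio.h>

#define WATCHDOG_MS 100  /* from the text: trip computer deadline per channel */
#define CHANNELS 3

/* Constructed model of one channel's trip computer output for one cycle. */
typedef struct {
    bool responded;     /* false = trip computer hung, no answer at all */
    int  latency_ms;    /* time taken to answer, when it responded */
    bool trip_request;  /* trip logic decision, valid only if on time */
} channel_result;

/* Time (ms) at which this channel asserts a trip, or -1 if it does not.
 * A missing or late answer is a trip at the watchdog deadline (fail-safe). */
int channel_trip_time(const channel_result *r) {
    if (!r->responded || r->latency_ms > WATCHDOG_MS)
        return WATCHDOG_MS;
    return r->trip_request ? r->latency_ms : -1;
}

/* 2oo3 vote: time at which the second channel trip arrives, i.e. when the
 * reactor trip is decided, or -1 if fewer than two channels trip. */
int vote_2oo3_time(const channel_result ch[CHANNELS]) {
    int first = -1, second = -1;
    for (int i = 0; i < CHANNELS; i++) {
        int t = channel_trip_time(&ch[i]);
        if (t < 0) continue;
        if (first < 0 || t < first) {
            second = first;
            first = t;
        } else if (second < 0 || t < second) {
            second = t;
        }
    }
    return second;
}

int main(void) {
    /* Constructed scenario: A trips at 40 ms, B is hung, C sees no trip. */
    channel_result ch[CHANNELS] = {
        { true, 40, true }, { false, 0, false }, { true, 35, false },
    };
    printf("trip decided at %d ms (-1 = no trip)\n", vote_2oo3_time(ch));
    return 0;
}
```

In the constructed scenario the hung channel B supplies the second vote only when its watchdog fires, so the decision lands at the 100 ms deadline rather than at channel A's 40 ms.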

Given the safety significance of shutdown speed for NPPs, the emphasis of the current thesis is on realizing a faster speed of response for SDS1, and the FPGA, with its demonstrated fast processing advantage, is chosen as an ideal platform for this purpose. Although what this approach shortens is only the decision-making time of the trip logic, which is not a significant portion of the entire shutdown process delay, it does prove the feasibility and advantage of speeding up SDS1 with FPGA technology.