
Preprints of the 19th World Congress

The International Federation of Automatic Control


Cape Town, South Africa. August 24-29, 2014

Programmable Controller with Flexible Redundancy for Safety Functions in a Nuclear Power Plant

Kwang-Seop Son*, Dong-Hoon Kim*, Jinpyo Noh**, Jaehyun Park**

* Korea Atomic Energy Research Institute, Daejeon, Korea (email: [email protected], [email protected])
** Department of Information and Communication, Inha University, Incheon, Korea (email: [email protected], [email protected])

Abstract: This paper presents the redundancy architecture of the Programmable Logic Controller called the Safety PLC (SPLC) for safety functions such as reactor protection in a nuclear power plant. The architecture of the SPLC is designed to switch the redundancy model flexibly between Dual Modular Redundancy (DMR) and Triple Modular Redundancy (TMR). Using this flexible redundancy architecture, the controller can be optimally configured for the application area, and the reliability and availability of the overall system can be increased because the redundancy model changes as failures occur. The operating system of the SPLC is also specially designed to guarantee strict real-time operation using a non-preemptive state-based scheduler and a supervisory task that manages timing violations of each task. The data communication of the SPLC uses a deterministic state-based protocol based on the Guaranteed Time Slot (GTS) protocol. The reliability analysis results show that the MTTF of the SPLC is 41,630 hours, which is about 15% and 50% more reliable than the TMR or DMR architecture, respectively.

Keywords: Nuclear plant, fault-tolerant systems, programmable controllers, reliability analysis, redundancy control

1. INTRODUCTION

Control systems in a safety-critical environment such as a nuclear power plant, a high-speed train, or an aircraft are required to have a high level of reliability because a single failure in such control systems may result in a huge catastrophe. Hence, the controllers used in such a safety-critical system are specially designed using a fault-tolerant architecture with multiple redundancy to maintain high reliability. In a nuclear power plant, the control systems related to reactor protection and safety features are classified as the safety-related region and are required to have a much more reliable architecture; these include the Reactor Protection System (RPS), Reactor Core Protection System (RCOPS), Engineered Safety Features Component Control System (ESF-CCS), and Qualified Indication and Alarm System (QAIS-P). For this safety-related control region, according to the law and regulations, only specially designed control systems can be used. To achieve this high standard of reliability, the legacy control systems used in old nuclear power plants were designed based on analog circuits and electro-mechanical relays. However, since a large number of analog components have been discontinued in mass production, Programmable Logic Controller (PLC)-based digital control systems have been introduced even in the safety-related regions. For this, various redundant architectures (Dwyer (2012) and Jiang and Yu (2012)), fault detection algorithms (Dorr et al. (1996)), and network protocols (Kim et al. (2000) and Sul et al. (2012)) have been proposed. In Korea, the Ul-Jin 5 and 6 plants, which started commercial operation in 2005, were the first nuclear power plants that adopted digital control systems in the safety-related region. Since then, most recently designed nuclear power plants, including the Sin-Kori and Sin-Ul-Jin plants in Korea, also use digital control systems in the safety-related region. For this migration, the requirements and characteristics of the digital PLC in a nuclear power plant have been studied (Kwon and Lee (2009)). In order to use digital controllers in the safety-related regions, they must be specially designed and verified to meet the standards and regulations. These qualified controllers are classified as Q-Class controllers. There are only a few Q-class digital controllers on the market. One of the Q-class digital controllers used in a nuclear power plant is the Advant AC-160 model from ABB (2001). The AC-160 was originally developed for commercial non-safety functions, but through the Commercial Grade Item Dedication (CGID) process it was approved for use in the safety-critical region. The redundancy of the AC-160 is the dual redundancy model. It uses two different networks: a high-speed point-to-point network with a speed of 3.1 Mbps between safety controllers and an MVB-based multi-drop network (1.5 Mbps) for control and monitoring purposes, respectively. Another Q-class digital controller is the POSAFE-Q model from PonuTech, which is also based on the dual redundancy structure (PonuTech (2009), and Cha et al. (2006)). The network protocol used in the POSAFE-Q model is ProfiBus. Both the AC-160 and POSAFE-Q controllers have dual redundancy with a hot-standby policy. This means that only one of the two modules is in operation and the other module is ready to operate when a fault occurs in the operating module. In this hot-standby policy, fault detection, measured as the Fault Coverage Factor (FCF), and data coherency are very important to ensure correct handover between the active and standby modules without data loss and control signal bumping.

Fig. 1. Structure of Tricon controller

On the contrary, the Tricon control system from Invensys Inc. is based on the triple redundancy architecture as shown in Fig. 1 (Invensys Systems Inc. (2007)). There are three active processing modules in operation that calculate the control output simultaneously and determine the output values using the majority voting algorithm. To help voting, a high-speed serial bus, TriBus, is provided between the three processing modules for high-speed data exchange among the processors. To provide redundancy in the I/O modules, each I/O module has triple I/O legs through which input values are distributed to three different processors, and output values are again voted in the output module. The triple redundancy in the I/O module provides a very high level of reliability and lessens the probability of common cause failure.

Since both dual and triple redundancy have their own advantages over each other, this paper introduces a new programmable controller for the safety-related functions in a nuclear power plant, called the SPLC (PLC for safety function), based on a flexible architecture that can switch between dual and triple redundancy under specific circumstances.

2. REQUIREMENT FOR NUCLEAR POWER PLANT CONTROLLER

Since the controller for a safety-related function should be strictly designed to meet industry standards and regulations, including the IEEE standard and the US Regulatory Guide, the requirements for designing them should be clearly identified. Since the IEEE standard recommends eliminating the risk of Common Cause Failure (CCF) at the module and system levels (IEEE (1994)), redundancy should be implemented at the processing modules, I/O modules, and communication networks.

The other key feature is independence, which means that each module or sub-system should operate independently from the others and a failure in one part should not propagate to the others. For this, communication between safety-related controllers should be uni-directional and have buffer logic in it. And for the safety purpose, the data flow through the communication network should only be uni-directional from the safety region to the non-safety region, which means that no data flow from the non-safety to the safety region is permitted.

Deterministic operation is another key feature for the controllers to meet. According to the IEEE standard, tasks of safety-related functions should perform their own functions without any interruption to the pre-defined schedule. The following design criteria were selected for the SPLC in consideration of the above-mentioned requirements.
• The redundancy of the input/output module and processor module used in the SPLC should be flexible.
• 2-out-of-3 voting and the hot-standby policy should be used in the TMR (Triple Modular Redundancy) and DMR (Dual Modular Redundancy) configurations, respectively.
• The fault detection and fail-safe function should be performed by the data receiving module.
• The Operating System (OS) of the SPLC should have non-interruptible and deterministic task scheduling.
• The scan time of safety-critical applications should be less than 25 msec.
• The data communication of the SPLC should be deterministic and satisfy the independence among the separated channels.
• The safety data communication should support up to 64 nodes with at least 20 Mbps of network bandwidth.

3. STRUCTURE OF SPLC

According to the design constraints described in the previous section, the SPLC is designed to have the dual and triple redundant architecture shown in Fig. 2.

Fig. 2. Structure of SPLC

3.1 Flexible Redundancy

The redundancy concept of the SPLC is to use triple redundancy in active modules, such as the processor module and I/O module, that need independent decision and active control functions, and dual redundancy in passive components, including the back-plane, communication network, and power supply, that require minimum redundancy to avoid Common Cause Failure (CCF).

Copyright © 2014 IFAC

Fig. 3. Output value decision algorithm

However, since not all safety-related functions require TMR-level reliability, the DMR configuration can be used in active modules as well to reduce complexity and cost. In Fig. 2, the output module is configured as DMR while the input and processing modules are configured as TMR. Even in the TMR configuration, if a failure occurs in a certain module, the DMR configuration is automatically selected and the control functions are reconfigured at the operating system level. This reconfiguration increases the availability and the reliability of the overall system, as analyzed in Section 4. In the DMR configuration, either hot-standby operation or parallel operation with voting logic is used to select the primary module, while only the hot-standby policy is applied in the passive modules. For the input and output modules, voting logic can be used to get the correct input and output values.

3.2 Output Value Decision Algorithm

The decision of the output value depends on the number of healthy modules in each redundant configuration. For the digital output, if every module is working correctly in the TMR configuration, 2-out-of-3 (majority voting) is used. In the DMR configuration, or in the TMR configuration with one malfunctioning module, if the two values (states) are identical, that value is used as the output value. However, if the two values are different, the safe action (safe state) is automatically selected. If only one module is working correctly in either the DMR or TMR configuration, the normal value from the working module is used.

In the analog case, the normal output value is defined as the median value in the TMR configuration. However, in the DMR configuration, including the case where one module fails in the TMR configuration, if the difference between the two values is larger than the threshold value, both modules are ignored and the safe action is processed. Otherwise, the average value is used as the output value. If only one module is working correctly in either the DMR or TMR configuration, the value from the working module is used as the output value. Fig. 3 shows the output value decision algorithm used in the digital and analog output voters in detail.

Fig. 4. Operating System

3.3 Communication Network

The communication network used in the SPLC can be divided by purpose into two kinds: the inter-node and intra-node networks. For the inter-node network, a time-sharing deterministic communication is implemented, which is based on the Guaranteed Time Slot (GTS) mechanism originally proposed in the IEEE 802.15.4 standard (IEEE (2011)). Since the performance of the GTS protocol has been analyzed in many studies (Koubaa et al. (2006) and Yoo et al. (2010)), it can be used as an inter-node network if sufficient network bandwidth is provided. In the SPLC, up to 128 nodes can communicate over the 100 Mbps Ethernet-based GTS protocol. An FPGA-based GTS controller showed that the effective communication speed is 20 Mbps and the end-to-end transmission latency is less than 50 msec.

Within a node, an intra-node network is used instead of a parallel bus among the processing modules and I/O modules. The current design uses the EtherCAT protocol with a 10 msec cycle time over 100 Mbps Ethernet as the intra-node network, but other serial buses can be used in the implementation phase.
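The decision rules of Section 3.2 (Fig. 3) as an added C example; this is not code from the paper or the SPLC, and the healthy[] flags, the safe-state constants and the behaviour when no module is healthy are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
/* Added example (not the paper's code): the Section 3.2 / Fig. 3 output-value
 * decision rules, driven only by how many redundant modules are healthy.
 * Assumed: a healthy[] flag per module, safe outputs of 0 / 0.0, and the safe
 * state when no module is healthy (a case the paper does not spell out). */
#define MAX_MODULES 3
#define DIGITAL_SAFE_STATE 0.0   /* assumed de-energised safe state */
#define ANALOG_SAFE_VALUE  0.0   /* assumed analog safe output */

typedef struct {
    double value;       /* chosen output, or the safe value */
    bool   safe_action; /* true when the voter forced the safe state */
} VoteResult;

/* Copy the values of healthy modules into out[]; return how many there are. */
static size_t healthy_values(const double *v, const bool *healthy,
                             size_t n, double *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n && i < MAX_MODULES; i++)
        if (healthy[i]) out[k++] = v[i];
    return k;
}

/* Digital output: 2-out-of-3 with three healthy modules, agreement check with
 * two (DMR, or TMR with one failure), pass-through with one, else safe state. */
VoteResult vote_digital(const int *states, const bool *healthy, size_t n)
{
    double v[MAX_MODULES], h[MAX_MODULES];
    VoteResult r = { DIGITAL_SAFE_STATE, true };
    for (size_t i = 0; i < n && i < MAX_MODULES; i++) v[i] = states[i];
    size_t k = healthy_values(v, healthy, n, h);
    if (k == 3) {                             /* majority voting */
        if (h[0] == h[1] || h[0] == h[2]) { r.value = h[0]; r.safe_action = false; }
        else if (h[1] == h[2])           { r.value = h[1]; r.safe_action = false; }
    } else if (k == 2 && h[0] == h[1]) {      /* two identical states */
        r.value = h[0]; r.safe_action = false;
    } else if (k == 1) {                      /* single working module */
        r.value = h[0]; r.safe_action = false;
    }
    return r;
}

/* Analog output: median with three healthy modules; average of two when they
 * agree within threshold, safe action when they do not; pass-through with one. */
VoteResult vote_analog(const double *values, const bool *healthy,
                       size_t n, double threshold)
{
    double h[MAX_MODULES];
    VoteResult r = { ANALOG_SAFE_VALUE, true };
    size_t k = healthy_values(values, healthy, n, h);
    if (k == 3) {                             /* median = sum - min - max */
        double lo = h[0], hi = h[0];
        for (int i = 1; i < 3; i++) { if (h[i] < lo) lo = h[i]; if (h[i] > hi) hi = h[i]; }
        r.value = h[0] + h[1] + h[2] - lo - hi; r.safe_action = false;
    } else if (k == 2) {                      /* agreement check */
        double d = h[0] > h[1] ? h[0] - h[1] : h[1] - h[0];
        if (d <= threshold) { r.value = (h[0] + h[1]) / 2.0; r.safe_action = false; }
    } else if (k == 1) {
        r.value = h[0]; r.safe_action = false;
    }
    return r;
}
```

Because the outcome depends only on the count of healthy modules and their values, the same two functions serve the TMR configuration, the DMR configuration and the degraded TMR-with-one-failure case that Section 3.4 reconfigures into.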

Fig. 5. Fault-tree Analysis

3.4 Operating System

Even though there are a few commercial operating systems that support hard real-time operation, most commercial operating systems hardly guarantee the very strict deterministic operation that complies with the regulations and standards of nuclear systems. Hence, to meet the strict determinism defined in the regulations, a new real-time kernel for the SPLC, the Safety Real-time Kernel (SRK), was designed to ensure the deterministic operation of the safety function without any interruption by other functions, including system diagnostics and communications. Fig. 4 shows the internal blocks of the SRK.

To guarantee the execution time of the safety function, the scheduler of the SRK operates using a non-preemptive state-based scheduling policy. In addition to the non-preemptive scheduler, a special supervisory task module that takes care of time management, security management, and system diagnostics is used to guarantee hard real-time operation. The maximum resolution of the context switching time and the scan time of the application task are 5 msec and 25 msec, respectively.

Another key feature of the SRK is to handle the redundancy structure according to failure occurrence. Since the SPLC is based on the flexible TMR redundancy, when a component fails it automatically reconfigures the redundancy structure and, accordingly, the voting policy of the input/output and application tasks is changed as shown in Fig. 3.

4. RELIABILITY OF SPLC

As described in the previous section, since the redundancy of the SPLC changes as a fault occurs, the reliability of the overall controller should be analyzed considering these redundant mode changes. Reflecting this failure mode change of the flexible TMR model, the Fault Tree Analysis (FTA) chart of the SPLC is shown in Fig. 5. In the chart, system states are classified into four categories: Total Success (TS), Minimum Anticipated Failure (MAF), Maximum Tolerable Failure (MTF), and Complete Failure (CF). For example, since the processor module is configured as TMR, if one processor module fails the system goes to the MAF state. If two processor modules fail, the system state falls into the MTF state because a further failure causes system failure (CF). The state transition in the FTA tree is caused by a failure occurring in each module (processor, I/O card, bus, etc.). Assuming these failures are independent, this state transition can be modeled as a Markov process. Fig. 6 shows the state transition of the SPLC as failures occur, and the probability of each state transition, $P_{MAF}$, $P_{MTF1}$, $P_{MTF2}$, and $P_{CF}$, depends on the redundancy structure and model. Using these probability values, the reliability of the overall system is calculated as in (1).

$$
R(t) = (1 - P_{MAF} - P_{MTF1})\,R_{TS}(t) + (P_{MAF} - P_{MTF2})\,R_{MAF}(t) + (P_{MTF1} + P_{MTF2} - P_{CF})\,R_{MTF}(t) + P_{CF}\,R_{CF}(t) \quad (1)
$$

Based on the actual failure rate of each component module, such as the processor module, communication module, I/O modules, etc., the probability of state transition is calculated as in (2). The authors' earlier work showed the details of the failure rates and the FTA analysis results (Noh et al. (2013)).

$$
R(t) = 0.999953 \cdot R_{TS}(t) - \{3.92 \cdot R_{MAF}(t) + 3.92 \cdot R_{MTF}(t) + 4.70 \cdot R_{CF}(t)\} \times 10^{-5} \quad (2)
$$

By integrating (2), the Mean Time To Failure (MTTF) of the SPLC is calculated as 41,630 hours, which is about 97% longer than the commercially used controller with the DMR architecture. Moreover, the reliability of the SPLC is 0.84, as shown in Fig. 7, after 18 months (≈13,000 hours), which is the normal overhaul period according to the regulations in the nuclear power industry. Compared to that of the TMR and DMR architectures, it is about 15% and 50% more reliable, respectively. Detailed calculations can be found in the authors' earlier work (Son et al. (2013)).
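As an added worked derivation (not from the paper), the weights in (1) sum to one, so $R(0) = 1$ whatever the per-state reliabilities are; and if each per-state reliability is assumed exponential, $R_X(t) = e^{-\lambda_X t}$ with a constant rate $\lambda_X$ per hour (an assumption here; the paper's own rates come from Noh et al. (2013)), the MTTF obtained by integrating (1) reduces to a weighted sum of the per-state mean lives:

$$
\begin{aligned}
(1 - P_{MAF} - P_{MTF1}) + (P_{MAF} - P_{MTF2}) + (P_{MTF1} + P_{MTF2} - P_{CF}) + P_{CF} &= 1, \\
\mathrm{MTTF} = \int_0^{\infty} R(t)\,dt &= \frac{1 - P_{MAF} - P_{MTF1}}{\lambda_{TS}} + \frac{P_{MAF} - P_{MTF2}}{\lambda_{MAF}} + \frac{P_{MTF1} + P_{MTF2} - P_{CF}}{\lambda_{MTF}} + \frac{P_{CF}}{\lambda_{CF}} .
\end{aligned}
$$

The first identity is the consistency check to apply to any fitted coefficient set before integrating; the second shows why a larger share of time spent in the TS state (the flexible reconfiguration's effect) raises the MTTF even when the degraded-state rates are unchanged.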

Fig. 6. State Transition

Fig. 7. Reliability

5. CONCLUSION

This paper presents the redundancy architecture of the Programmable Logic Controller for safety functions in a nuclear power plant. The Safety PLC (SPLC) aims for safety-critical functions such as reactor protection in nuclear power plants. The architecture of the SPLC is designed to flexibly switch the redundancy model between Dual Modular Redundancy (DMR) and Triple Modular Redundancy (TMR). Using this flexible redundancy architecture, the controller can be optimally configured for the application area, and the reliability and availability of the overall system can be increased because the redundancy model changes as failures occur. The operating system of the SPLC is designed to have a non-preemptive state-based scheduler and a supervisory task managing the sequential scheduling, timing of tasks, diagnostics, and security to guarantee strict real-time operation. The reliability analysis results show that the MTTF of the SPLC is 44,000 hours, which is about 15% and 50% more reliable compared to the DMR and TMR architectures, respectively. Also, to ensure deterministic and high-capacity data communication, the network is designed to have a deterministic state-based protocol and an effective transmission capacity of 20 Mbps using a high switching device.

ACKNOWLEDGEMENTS

This work was supported in part by the Nuclear Technology Development Program of the Korea Institute of Energy Technology Evaluation and Planning (KETEP) funded by the Korea government Ministry of Knowledge Economy (Grant no. 2010161010001G).

REFERENCES

ABB (2001). Product guide: Advant controller 160, ver. 1.3.
Cha, K., Kim, J., Lee, J., Cheon, S., and Kwon, K. (2006). Software qualification of a programmable logic controller for nuclear instrument and control applications. In Proceedings of the 6th WSEAS International Conference on Applied Informatics and Communications, 353–358. WSEAS.
Dorr, R., Kratz, F., Ragot, J., Loisy, F., and Germain, J.L. (1996). Detection, isolation, and identification of sensor faults in nuclear power plants. IEEE Trans. Control Syst. Technol., 5(1), 42–60.
Dwyer, V.M. (2012). Reliability of various 2-out-of-4:g redundant systems with minimal repair. IEEE Trans. Rel., 61(1), 170–179.
IEEE (1994). IEEE Std. 7.4.3.2: Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. IEEE, New York, USA.
IEEE (2011). IEEE Std. 802.15.4: Standard for Local and metropolitan area networks - Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs). IEEE, New York, USA.
Invensys Systems Inc. (2007). Tricon V10 hardware manual.
Jiang, J. and Yu, X. (2012). Fault-tolerant control systems: A comparative study between active and passive approaches. Annual Reviews in Control, 36, 60–72.
Kim, H.S., Lee, J.M., Park, T., and Kwon, W.H. (2000). Design of networks for distributed digital control systems in nuclear power plants. In International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human-Machine Interface Technologies (NPIC&HMIT 2000).
Koubaa, A., Alves, M., and Tovar, E. (2006). GTS allocation analysis in IEEE 802.15.4 for real-time wireless sensor networks. In 20th International Parallel and Distributed Processing Symposium 2006, 1–8. IEEE.
Kwon, K.C. and Lee, M. (2009). Technical review on the localized digital instrumentation and control systems. Nuclear Engineering and Technology, 41(4), 447–454.
Noh, J., Park, J., Son, K.S., and Kim, D.H. (2013). Development of the high reliable safety PLC for the nuclear power plants. J. of Inst. of Control, Robotics, and Systems (in Korean), 19(4), 328–333.
PonuTech (2009). Product guide: POSAFE-Q Controller, ver. 1.0.
Son, G.S., Kim, D.H., Son, C.W., Kim, J.K., and Park, J. (2013). Design of SPLC Architecture Used in Advanced Nuclear Safety System and Reliability Analysis Using Markov Model. Nuclear Technology, 184(3), 297–309.
Sul, J., Kim, K., Kim, Y.S., and Park, J. (2012). Implementation of high-reliable MVB network for safety system of nuclear power plant. The Transactions of The Korean Institute of Electrical Engineers, 61(6), 859–864.
Yoo, S.E., Chong, P.K., Kim, D., Doh, Y., Pham, M.L., Choi, E., and Huh, J. (2010). Guaranteeing real-time services for industrial wireless sensor networks with IEEE 802.15.4. IEEE Trans. Ind. Electron., 57(11), 3868–3876.
