A safety grade PLC is an industrial digital computer used to develop safety-critical systems such as RPS (Reactor Protection System) for nuclear power plants. The software loaded into a PLC is designed using specific PLC programming languages  such as FBD (Function Block Diagram) and LD (Ladder Diagram), which are then translated and compiled into a C program and executable machine code of a specific target PLC.
Since the complexity of new RPSs and the maintenance cost of old RPSs have increased rapidly, we need to find an efficient alternative for the PLC-based RPS implementation. One solution [2,3] proposed is to replace PLC with FPGA, which can provide a powerful computation with lower hardware cost. However, it is a challenge for software engineers in the nuclear domain to abandoning all experience, knowledge and practice, based on PLC and start an FPGA-based development from scratch. Such change is also too risky from the viewpoint of safety. We need to transit to the new development approach safely and seamlessly, allowing all software engineers to become familiar with the processes and procedures required for a proper set up.
This paper proposes an RPS software development process with a change in the hardware platform from PLC to FPGA.
Itprovides the fundamentals for a seamless transition from PLC-based to FPGA-based development. We propose the use of FBD programs in the design phase of the existing PLC-based software development to produce the Verilog program, which is a starting point of typical FPGA developments. The '
The paper is organized as follows: Section 2 introduces the FBD and Verilog programming languages, which are pertinent to our discussion. It also includes a brief introduction to PLC and FPGA. Section 3 explains the PLCbased RPS development in comparison with the FPGAbased development. It also introduces a typical RPS architecture to aid understanding. Section 4 proposes an RPS development process with changed platform from PLC to FPGA. Section 5 shows a case study, pointing out how the requirements and FBD designs of the existing PLC-based RPS software development can be effectively transformed into a starting point of the FPGA-based development. Related researches are surveyed in Section 6, and Section 7 concludes the paper and gives remarks on future research.
A PLC (Programmable Logic Controller)  is a digital computer used in the automation of electromechanical processes. It is designed for multiple input and output arrangements, immunity to electrical noise and resistance to vibration. It is a good example of a hard real-time system, since output results must be produced in response to input conditions within a limited time, otherwise unintended operation will result.
A PLC has a relatively simple architecture, compared to naive computers and servers using state-of-the-art microprocessors and supporting hardware. Sensors and actuators are plugged in via input and output channels, respectively. The operating system, managing periodic execution of PLC applications, reads all input values at the beginning of each cycle, generates required outputs, and stores system variables. Software embedded in the PLC is programmed with the five PLC programming languages defined by IEC 61131-3 ,
A safety grade PLC is required for safety-critical systems by IEEE 7-4.3.2 , EPRI TR-107330  and etc. Several vendors provide safety-level PLCs for nuclear reactor protection systems, such as
An FPGA (Field-Programmable Gate Array) [7,8] is an integrated circuit, designed to be configured by a customer or a designer after being manufactured in field. The FPGA configuration (
An FBD, one of the widely used PLC programming languages, consists of an arbitrary number of function blocks, '
Fig.1 shows a part of preliminary FBD programs for the KNICS RPS BP (Bistable Processor) . It creates a signal '
Verilog is one of the most common HDLs (Hardware Description Languages) used by IC (Integrated Circuit) designers. Designs (
The Verilog program in Fig.2 has two inputs (
This section explains two RPS software development processes, a typical one using PLC and a new approach using FPGA. The new one, however, has not been fully implemented and verified yet [11,12,13]. This section also includes a brief introduction to the KNICS RPS to aid understanding of the RPS development processes.
The KNICS RPS (APR-1400 ) is a digital system in charge of safely shutting down a nuclear reactor in case of emergency. It has been approved for operational fitness evaluation tests in two nuclear power plants being built in Korea. As a safety-critical system, it has 4 redundant and physically isolated channels to provide defense in depth. A high-level architecture diagram1 for a single channel, shown in Fig.3, consists of two bistable processors (BPs), two coincidence processors (CPs), an automatic test and interface processor (ATIP) as well as a cabinet operator module (COM). The subsystems are interconnected with different networks. One BP is implemented into one PLC.
The case study in Section 5 uses 6 representative shutdown logics in use by the BPs.
A BP generates a trip signal to the CPs by comparing values of 18 process variables against predefined threshold values. There are four different trip logics built in the system: (1) fixed set-point trip (for 10 input variables); (2) variable set-point trip (3 variables); (3) manual reset trip (3 variables); and (4) digital trip (2 variables). The details of the logics will be explained in Section 5.1.2.
Upon receiving trip signals, CPs execute two-out-offour voting logic to determine if the trip signal should be sent to the hardware actuators. All RPS channels are duplicated, and each one has two independent BPs and CPs respectively. ATIP, primarily used for either manual or automated tests initiated by operators, interacts with BP or CP in a single channel or multiple channels as a whole through the common bus. The COM, located in a operator room and connected to other processors through the common bus, has two parts: (1) a computer-based unit which provides status information regarding the overall RPS equipment, and (2) a hardware unit which performs protectionrelated controls such as channel bypass and initiation circuit reset.
An RPS is a real-time embedded system implemented on a number of PLCs. The RPS software is designed in FBD/LD languages and then translated into C programs, which will be compiled and loaded on PLCs. Fig.4 explains a typical software development process for RPSs.
The SRS (Software Requirements Specification) is first written in natural languages or formal specification languages [16,17,18]. Experts on PLC programming languages then manually translate the requirements specification into design models programmed in FBD or LD. In case of the NuSCR  formal requirements specification , a CASE tool '
performed by software engineers, such as mapping of I/O and memory addresses.
PLC vendors provide their own automatic translators from the FBD/LD programs into ANSI C programs, while typically using the COTS (Commercial Off-the-Shelf) software such as '
Vendors such as
Fig.5 depicts a whole FPGA development process  from the viewpoint of software engineers. Software (
After programming the Verilog (or VHDL) programs, an FPGA is produced mechanically thorough several steps: synthesis, optimization, placement & routing, design verification, configuration and downloading. Software synthesis tools provided by FPGA vendors such as '
FPGA is not widely used for implementing safetycritical controllers in RPS, since software engineers in the nuclear domain are not familiar with its development process and techniques. Implementation of the whole RPS with a number of FPGAs also goes with an all-new architecture. Safety demonstration of FPGA up to the level of PLC is also an obstacle for easy-application of FPGA. Section 5.3 shares our further consideration on the FPGA as a means to implement RPSs.
1 Fig.3 represents a preliminary design. The certified design was modified.
This paper proposes a new process for the development of software for the use with protection systems designed for nuclear reactors. It aims for the seamless and safe transition from the PLC-based development to the FPGA-based one in case that the embedded hardware platform changes
from PLC to FPGA. The development process is introduced first and is followed by an explanation on '
Our goal is to replace the embedded hardware platform of RPS - PLC with FPGA, while maintaining all knowledge, experience and practice accumulated so far. Another goal of this research is to Prevent potential errors caused by software engineers who are not familiar with the new FPGAbased development. This paper proposes a new RPS software development process, as summarized in Fig.6. It can bridge the two RPS software development processes seamlessly and safely, while using all knowledge of the old PLC-based development and moving to the new FPGA-based development.
The proposed process first follows the PLC-based software development summarized in Fig.4, up to the design phase. Software requirements are analyzed and specified first, and then design specifications of FBD programs are produced manually, same as before. All V&V activities and safety analyses in the PLC-based development (e.g., those in ) are also performed and applied. The '
Our first work '
The next versions [10,32] aims to verify FBD programs with the VIS verification system . These also separate the so-called '
The former '
This paper, however, uses the translator for the purpose of development, not formal verification. We had to scale up the translation capability from an individual shutdown logic to a whole RPS BP, structuring with 18 logics. The scale-up accompanies refinement of the translator as follows:
Variable renaming : Systematic renaming of component FBDs and intermediate/external outputs, and restructuring of internal data structures are required to translate multiple depths of RPS hierarchy.
Explicit type conversion : With some cases, implicit type conversion does not word correctly. All type conversions now use explicitly function blocks of type conversion (e.g., integer-to-boolean or vise versa).
Eclipse plug-in : The new 'FBDtoVerilog' has been re-implemented as an independent Eclipse plug-in in order to be integrated intimately with other software engineering tools in the 'NuDE' environment .
This paper developed a new version of '
This section demonstrates the effectiveness of the proposed RPS software development process, which can seamlessly transit from the PLC-based to the FPGA-based development. Section 5.1 explains the whole process of performing the case study, according to the software development life-cycle (SDLC). Section 5.2 includes an explanation of the detailed features of the FPGA synthesis as well as its sources such as FBD and Verilog programs. Section 5.3 includes our further consideration on the proposed process in order to apply it to an actual RPS development.
Fig.8 describes the whole process of our case study. We applied the new RPS software development process to a preliminary version of the KNICS APR-1400 RPS BP in Korea . The RPS was developed by the KNICS  project consortium and several export contracts have been undergoing. The case study demonstrates that, proceeding with the software development life-cycle, the RPS software development allows for a smooth transition from the PLCbased development to the FPGA-based one.
5.1.1 Requirements Analysis
The case study starts from a formal requirements specification  written in NuSCR . The KNICS project consortium used the formal requirement specification to achieve diversity of software requirements specifications. It was developed for prototyping purpose, but modeled all shutdown logics of the RPS BP completely. Its supporting tool-sets ('
The mechanically generated FBD is structured with more function blocks than the one developed by experts manually, about 50%. However, it includes all important and fundamental shutdown logics for the RPS BP. This case study uses 6 shutdown logics as the directory information window at the left part of '
Fixed set-point logic : It has a fixed set-point of firing a shutdown signal. If an input value crosses the point in rising or falling manner, the shutdown signal is fired.
(e.g., g_LO_SG1_LEVEL , g_HI_LOG_POWER)
Variable set-point logic : It has a variable set-point of firing a shutdown signal, varying with the same (rising or falling) rate of the change of input variable until a predefined fixed limit. If the varying rate of the input variable is more than the fixed limit, the shutdown signal is fired.
(e.g., g_VAR_OVER_PWR , g_SG1_LO_FLOW)
Manual reset logic : It has a fixed set-point of firing a shutdown signal, but an operator can delay the shutdown by moving the set-point to an upper point (in case of a rising input flow) by pushing a reset button. The operator can push the reset button several times for specific purposes.
Digital logic : It is called a 'digital trip.' It does not check whether it has to fire or not a shutdown signal, but just passes an input signal (0 or 1) to output. An input or output of 0 will lead to a shutdown signal. Different from other shutdown logics, other logic prior to the BP calculates the shutdown condition and just passes the result to it.
5.1.3 Between Design and Implementation
The actual software development of typical PLC-based approaches is nearly concluded in the design phase, since PLC vendors' software engineering tools translate those FBDs into C programs and compile them into executable machine codes for specific PLCs, mechanically. At the design phase of the PLC-based development, the new development process transits to the FPGA- based development seamlessly thorough the '
5.1.4 FPGA Implementation
The Verilog program translated from the FBD programs by the new '
A Feature of the FBD Program used
the 6 logics of the KNICS RPS BP. Detailed features of the FPGA synthesis are explained in the next section.
Table1 summarizes features of the FBD programs, translated from the formal requirements specification by '
Table 2 explains the features of the Verilog program translated from the FBD, which is summarized in Table 1 by the new '
The Verilog program analyzed in Table 2 is the starting point of the FPGA-based development. Two FPGA synthesis tools,
Table 4 is the synthesis result of the'
Table 5 summarizes important features of all outputs, from the PLC design phase to the FPGA implementation. It is not an exact analysis, but it is obvious that the FPGA implementation consists of fewer elements than the more abstract ones such as FBD and Verilog programs.
We are now considering the following issues carefully to apply the proposed RPS development process to an actual RPS development:
Radiation Resistance of FPGA : Recent research [44,45] has reported that a specific type of FPGA using
A Feature of the Verilog Program Translated by the New 'FBDtoVerilog'
A Feature of the FPGA Synthesized by 'Xilinx ISE Design Suite'
SRAM is vulnerable to radiation. It is obvious that this type of FPGA is inappropriate in the implementation of RPSs. The FPGA of 'Xilinx,' which the case study
used, is the type vulnerable to radiation, and we need to find an appropriate FPGA for RPS.
VHDL Generator : 'Mentor Graphics's HDL Designer Series'  is an example of VHDL generator, widely used to implement FPGA and ASIC mechanically. It models system behavior with various tools, such as FSM (Finite State Machine), flow-chart and block diagrams, and mechanically generates a behaviorallyequivalent VHDL program. It corresponds to 'FBDto Verilog' in our approach. However, it is the tool of hardware designers not of software engineers.
RTL Optimization : The optimization step of FPGA synthesis tools produced several warnings worth looking into carefully. For example, it warned that some wire variables in the Verilog program were not used and it deleted them, even if they were all used correctly. We need to analyze the optimization process and potential threats to the functional correctness of the RPS BP.
Functional Safety of FBDtoVerilog : Functional safety and correctness of the 'FBDtoVerilog' translator should be demonstrated thoroughly in various ways. Whereas it was a supporting CASE tool for formal verification using SMV, VIS and HW-CBMC, it is now a development tool bridging PLC-based and FPGA-based development. More rigorous demonstration of functional safety and correctness is highly required.
Functional Safety of FPGA Synthesis Tools : Functional safety and correctness of FPGA synthesis tools (e.g., 'Xilinx ISE Design Suite' and 'Altera Quartus II') is also one of key issues in overcoming the wide-spread commercialization of the FPGA-based RPS development.
A Feature of the FPGA Synthesized by 'Altera Quartus II'
Important Features of the FBD, Verilog and FPGA Program in a Sequence
Highly Integrated RPS Components : As depicted in Fig. 3, an RPS is structured with many components such as BPs and CPs, which were implemented in an individual PLC with a network-based communication. We are now going to implement a channel (consisting of 2 BPs, 2 CPs and communication networks) in an FPGA. Communication between components in a channel and with ones in other channels should be designed in an FPGA. I/O is also an issue to be resolved, since the PLC provides with convenient ways to interface with I/O devices.
There are several approaches to implement RPSs with Programmable logic device (PLD) such as an FPGA. PLD has been widely used by many industries such as aviation, space, chemical, military and other highly safety-critical industries. Nuclear industry has also been interested in the approach and technology [46,47]. The IAEA workshop on '
This paper proposes an RPS software development process with a platform change from PLC to FPGA, while retaining all outputs from the established development. The new '
This paper used an example of FBD programs, which were mechanically translated from a formal requirements specification and have different features from the ones programmed manually. We are planning to apply the proposed development process to an actual FBD program designed by FBD programmers. Rigorous demonstration of functional correctness and safety of '