
Advanced Nuclear Instrumentation Design using Programmable Logic Devices

Manoj Kumar Misra, L. Srivani and S. Ilango Sambasivan

Manoj Kumar Misra (email: [email protected]), L. Srivani (email: [email protected]) and S. Ilango Sambasivan (email: [email protected]) are with the Electronics & Instrumentation Division, Indira Gandhi Centre for Atomic Research, Kalpakkam-603 102, INDIA.

978-1-4244-5208-8/09/$26.00 ©2009 IEEE

Abstract— The evolution of semiconductor technology has made the application of Programmable Logic Devices (PLD) inevitable in modern digital systems design, but when they are deployed in Safety Critical Systems (SCS), their reliability and safety need to be proved beyond doubt. PLDs are available as off-the-shelf parts that offer a wide range of logic capacity, various features, speed and voltage characteristics. These devices can be customized as per the user requirements. Re-programmable series of PLDs allow designers to change the circuitry as often as they want until the design operates to their satisfaction. To describe the digital designs, IEEE standard Hardware Description Languages (HDL) such as VHDL and Verilog HDL are used. As designs grow more complex, the verification problems increase exponentially. High level Verification Languages (HVL) have emerged to solve the functional verification bottleneck. Using HVLs, a directed-random verification approach is adopted to achieve high coverage. The purpose of this approach is to ensure that the system is verified for its functionality in all possible scenarios.

A 500MWe Prototype Fast Breeder Reactor (PFBR) is in the advanced stage of construction at Kalpakkam (Tamilnadu), INDIA. PLDs are extensively utilized in designing instrumentation systems like core monitoring and safety logic functions of PFBR. This paper provides a review of advanced digital design methodologies adopted in designing PLD based SCS.

Index Terms— Digital design verification, Hardware description languages, Nuclear Reactor, Programmable logic devices, Safety critical systems

I. INTRODUCTION

Advances in Integrated Circuit (IC) technology and the vast benefits of Programmable Logic Devices (PLDs) have led to their use in Safety Critical Systems (SCS) designs. There are two major types of PLDs: Field Programmable Gate Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs) [1]. FPGAs offer abundant logic resources and high performance. In comparison to FPGAs, CPLDs offer fewer resources. For time critical applications CPLDs are preferred because of their fixed routing resources. Depending upon the functional requirements, the appropriate choice is made. Based on the requirement (for example purely logical operations or computational operations), a SCS can be either purely hardware based or a combination of hardware and software. The reliability of the hardware can be predicted and demonstrated, whereas software reliability cannot be quantified. However, it can be assessed based on the evidence that the software is correct with respect to specifications and meets all the requirements. For conventional software, well defined Verification and Validation (V & V) standards and tools are already available. Even for a HDL based PLD design, V & V needs to be performed for functional correctness. But the V & V methodologies for HDLs are still evolving and are much different from software V & V.

As part of the PLD design process, the HDL designs are simulated at different abstraction levels, synthesized and programmed into the devices. For simple and small designs, directed verification itself is sufficient to ensure that the design meets all the functional requirements. As designs become fairly complex, the functional verification requirement also rises exponentially. To verify these designs, a combination of function independent and function dependent verification methodologies is adopted. Apart from functional verification of PLD designs, formal verification is also performed to achieve high coverage. Formal verification attempts to prove the functional correctness of a system with respect to a certain formal specification [2]. A design description at a higher level of abstraction is more formal than a design description at a lower level. Generally, formal verification is considered to be a cost expensive process because of the computation time and man power involved. In spite of that, to ensure the safety and reliability of PLD based SCS designs, formal verification becomes vital.

To enhance the reliability of the overall system, de-rating is applied to PLD parameters such as logic utilization, frequency of operation and power consumption. Power supplies used for PLDs are protected against transient stresses such as voltage spikes by providing suppression circuits. Further, board-level signal integrity (SI) analysis and thermal analysis are performed for proper functioning of the designs. SI analysis is carried out to address faster switching


characteristics and reflection characteristics, eliminate overshoot, undershoot, crosstalk and ground bounce problems, and will aid in routing signals on the printed circuit board. Thermal analysis, on the other hand, is performed to obtain an acceptable and uniform temperature profile across the printed circuit board. It also helps to analyze the electrical performance of the components on the board and the thermal boundary conditions. Results of thermal analysis are also used in the estimation of the failure rate value of the devices on the board. SCSs are finally subjected to environmental qualification, Electromagnetic Interference (EMI) / Electromagnetic Compatibility (EMC), vibration and seismic tests, during which the PLDs of SCSs will also be exposed to those test scenarios. Under environmental qualification, tests such as temperature cycling, dry heat, damp heat and dry cold are performed. During the tests, the PLDs are subjected to various temperatures and humidity levels. To qualify for EMI/EMC, systems undergo emission and susceptibility tests. To gain further confidence for deploying PLDs in SCSs, MTBF values are being experimentally evaluated using accelerated reliability tests.

As per the Atomic Energy Regulatory Board (AERB) standard [3], the Instrumentation & Control (I&C) systems of a Nuclear Reactor are broadly classified as:

1. Safety Critical Systems - IA
2. Safety Related Systems - IB
3. Non-Nuclear Safety Systems - IC

Safety critical instrumentation systems play a principal role in the implementation of nuclear power plant safety. These systems prevent Postulated Initiating Events (PIE) from leading to a significant sequence of events or mitigate the consequences of a PIE. This class also applies to those instrumentation systems whose failure could directly cause a significant sequence of events. Some of the important Safety Critical Instrumentation systems of PFBR are as follows:

• Neutronic Instrumentation system to measure & process reactor flux, power, period and reactivity
• Instrumentation of Safety Grade Decay Heat Removal system
• Monitoring of outlet temperature of each fuel sub-assembly to detect blockage of coolant flow
• Reactor protection systems
• Supervision of reactor inlet temperature

Safety related instrumentation systems play a complementary role to the Safety Critical Instrumentation Systems in the achievement or maintenance of nuclear power plant safety. The operation of safety related instrumentation systems is to avoid the need to initiate the Safety Critical Instrumentation System. It may improve or complement the execution of Safety Critical Instrumentation Systems in mitigating the effects of a postulated initiating event. Reactor Control Systems, Reactor Startup systems and Failed Fuel Localization Modules are some of the important safety related systems. Systems not related to safety play an indirect role in the achievement of safety; examples are the Event Sequence Recorder, Process Disturbance Analyzer etc.

The design of SCS shall meet safety criteria such as functional and physical independence, diversity, fail-safe behaviour, the single failure criterion, testability and redundancy to satisfy the reliability requirement as per safety standards [4] [5]. The Safety Critical Systems are primarily responsible for the safety of the reactor and have high reliability targets. They are generally hardwired, but computer based systems are also deployed wherever it is inevitable. The reliability of the hardware can be predicted and demonstrated, whereas software reliability cannot be quantified. However, it can be assessed based on the evidence that the software is correct with respect to specifications and meets all the requirements. This process is called V & V, and well-defined standards and guides are available. While the procedures for computer based systems are well established, a question arises regarding the use of complex digital systems which are purely hardware based but are designed with software packages. For example, the digital systems implemented in FPGA / CPLD logic with thousands of gates are designed using VLSI design tools and HDLs such as VHDL / Verilog HDL [6] [7].

The need for highly reliable systems, which can meet the high requirements of security and safety critical applications, is growing. Such systems are used in nuclear power plants, avionics, space, chemical plants, medical systems etc. This paper focuses on the design methodology adopted for designing PLD based SCS for the Nuclear Reactor.

Section II of this paper describes the design methodology followed for designing PLD based SCS. Section III describes the various steps involved in designing PLDs. Section IV describes the prototype testing. In Section V, the details about the qualification process of the safety system are provided. In Section VI, a SCS involving PLDs is discussed as a case study. Conclusion and future course of work are furnished in Section VII and Section VIII respectively.

II. DESIGN METHODOLOGY

The following design methodology is adopted for designing hardware based Safety Critical and Safety Related systems. The hardware design involves various stages: design implementation, board fabrication, testing and the qualification process.

From the system requirements, first the conceptual design is made on paper to analyze the various options for implementation and study the feasibility of implementation. The choice is made based on the pros and cons of the various schemes of design implementation. In this paper, the design of PLD based systems alone is discussed.

Once the system is fabricated and functionally tested, system qualification like environmental, EMI/EMC and seismic are
carried out as per the various standards. The fabrication, testing and qualification processes are discussed in separate sections. The various steps in the design methodology are shown in Fig. 1.

[Fig. 1. Design Methodology: System Requirements → Conceptual design and finalizing the implementation scheme → Design Implementation using Programmable Logic Devices → Board Fabrication → System Integration → System Testing → Environmental Qualification → EMI/EMC Qualification → Seismic Qualification]

III. DESIGN IMPLEMENTATION USING PLDS

Currently, building digital circuits with small-scale integrated (SSI) and medium-scale integrated (MSI) logic is no longer a preferred option. SSI chips contain approximately 10 gates [8], and typically implement simple combinational logic operations like AND, OR and NOT gates or simple sequential circuits such as flip-flops, whereas MSI chips contain 10 to 100 gates and can implement slightly more complex circuits such as small adders, decoders, shift registers and counters. Therefore, to design a fairly complex digital circuit a large number of chips is required, which creates practical difficulties like verifying the correctness of the circuit, large board space requirement and more power dissipation, and increases the overall component count for a given system, thereby affecting the overall reliability of the system. Further, the availability of these chips is also poor due to obsolescence.

On the other hand, due to the tremendous growth in Very Large Scale Integration (VLSI) technology, PLDs have made digital systems more reliable by reducing the number of external interconnections from one device to another. In PLDs the connections across the logic blocks are internal to the Integrated Circuits (ICs), where they are protected from poor soldering, breaks or shorts in connecting paths on a circuit board, and other physical problems. ICs have also drastically reduced the amount of electrical power needed to perform a given function. A typical PLD based design process is shown in Fig. 2.

[Fig. 2. Typical PLD based design process: Design Specifications → Interpretation of Specifications for design implementation (together with a Verification Plan) → Verify whether it meets design requirements? → PLD based Safety Logic System for Reactor Shutdown System]

A. Why PLDs?

Modern Electronic Design Automation tools allow the design of complex digital circuits through graphical schematic or
through high level programming languages such as VHDL / Verilog HDL. These designs can be downloaded into the PLD, which then functions as specified. In the case of re-programmable PLDs, design changes can be incorporated within the device without physically altering the wiring of the overall system. PLDs are widely used for designing complex digital systems. The re-programmability feature of these chips is extremely useful for circumventing design defects. A generic architecture of PLDs is shown in Fig. 3.

[Fig. 3. Generic Architecture of PLDs: I/O Block, Logic Block, Programmable Interconnect]

B. PLD Design Flow

The typical PLD design flow consists of the following important steps: design entry, design verification at different stages of the design flow (functional simulation, post-synthesis simulation and timing simulation), synthesis, place & route and device programming. A typical PLD design flow is explained in Fig. 4.

[Fig. 4. PLD design Flow: Design Specifications → Design Entry (Schematic or VHDL / Verilog HDL) → Functional Simulation → Synthesis → Post Synthesis Simulation → Place and Route → Timing Simulation → Program the device → Debug and Testing]

Design Entry: The design can be carried out either using graphical / schematic entry or Register-Transfer-Level (RTL) coding of the design specifications using VHDL / Verilog HDL.

Simulation: In the PLD design flow the HDL code from the design entry stage has to be verified at different stages for its correctness. So Functional Simulation, Gate level simulation and Timing Simulation are carried out. To check the code for its functionality, test vectors are generated through a testbench. Both the design and the testbench are fed to the simulator and the design is verified.

Design Synthesis: Once the VHDL code is verified, the next step is to synthesize the code for implementing in a particular device. The synthesizer translates the VHDL code into a gate-level netlist and optimizes the design for a target technology. Logic synthesis is performed based on a set of user constraints that optimize the RTL design into equivalent blocks consisting of flip flops, logic gates, etc. The results of logic synthesis produce a PLD netlist that can be passed to the appropriate vendor's place and route tool.
vendor's place and route tool. The default output for Logic These languages have constructs that simplify both the
synthesis tools is an EDIF netlist. generation of test vectors and observation of responses. No
explicit attention is paid to the inner details (or functions) of
Design Implementation: Synthesizer output is fed to the back how a circuit or a subsystem works.
end tool for place & route to a target device. Routing details
are generated and the timing information will be available. Function oriented test generation has been traditionally used to
verify designs at a gate-level. This mechanism understands the
Device Programming & Testing: Finally, the device is function of every gate. Input test vectors are generated
programmed using PLD programmer and tested for it's targeting specific portions in the circuit without paying
functionality with the real inputs. attention to the rest of the modules. In this technique, a
specific test vector can be attributed to testing a specific
C. Design Verification functionality in the circuit. Thus, a scenario for the circuit can
be provided and the test methodology will be able to provide a
test vector that can create such a scenario. Constraint solvers
As the average gate count for designs now approaches or
are typically used in function-oriented test generation.
exceeds one million, functional verification has become the
main bottleneck in the design process. As designs grow more
complex, the verification problems increase exponentially. To These two methods have their own advantages and
eliminate the verification bottleneck, verification engineers disadvantages. The function-independent methodology does
have tried incorporating new methodologies and technologies. not “understand” the design – the vectors created are random.
While various methodologies have evolved, including formal Though function-oriented generation “understands” the design,
methods, simulation is still the preferred method for the methodology does not scale very well to be used in RTL
verification. High level Verification Languages (HVLs) like e designs. Function oriented test generation can be used to catch
[9], VERA, System Verilog etc. have emerged to solve the design errors that arise from complex interactions between
functional verification bottlenecks. According to [10], around modules but can easily miss out on a corner case that was not
70% of the project development cycle is devoted to design thought of ahead of time. Such a case can hopefully be
verification. For complex designs simulation alone is not captured by a random vector in the function-independent
sufficient to ensure the functional correctness of the design. generation case. There are several other comparisons that are
possible. However, a methodology that combines the powers
If the design requirements are not clearly defined, it will of both the techniques is largely lacking in all modern tools.
introduce expensive errors in later stages. Thus, if there were
only one phase where the minimization of error emphasis The application of automatic verifier models [11] that verify
should be emphasized, it is the definition of the requirement compliance to requirements, and the reporting of design errors
specifications. An error in requirements will lead to a design are absolute MUST HAVE in any design. Coverage tools
that meets incorrect requirements (i.e., Wrong Input → Wrong provide an assessment of how well the design is exercised and
Output). It is more economical and safer to make changes at help measure the progress and completeness of the verification
initial stage of the design process rather than later in the design effort. Coverage metrics include functional, branch, condition
cycle. and expression, path, toggle, triggering, and signal-tracing
coverages. Many verification languages incorporate coverage
The verification plan [11] is a specification for the verification to help measure the progress and completeness of the
effort. It is used to define what is first time success, how a verification effort.
design is verified, and which test benches are written. The
process of writing a verification plan causes the design and Use of proper tools is also essential to help in the design and
requirement team to get a deeper understanding of the verification automation. Code Coverage is a program that
performance and holes in the specifications. Requirement allows users to determine how their source code is executed. It
issues often surface during the definition of the verification gives detailed information on statements that are executed
plan because it forces the revisit of the requirements and the during design simulation. Branch Coverage is a part of the
challenges of verifying correctness of the design. Poorly stated Code Coverage engine. It examines branches of the IF or
or ambiguous requirements become obvious in this exercise. CASE statement and checks how many times a true or false
condition was met by each branch during the simulation.
1) Functional Verification
2) Formal Verification
Verification is a process used to demonstrate that the intent of
a design is preserved in its implementation. Function Formal verification process mathematically [11] proves that
independent test generation is carried out by applying a large the origin and output are logically equivalent and that the
sequence of test vectors that are generated randomly. The transformation preserved its functionality. In its most common
functionality is verified by comparing the response of a design use, equivalence checking compares two netlists to ensure that
to some “known correct responses”. The random vectors are some netlist post-processing, such as scanchain insertion,
generated using High level Verification Languages (HVLs).
clock-tree synthesis or manual modification, did not change the functionality of the circuit.

Another popular use of equivalence checking is to verify that the netlist correctly implements the original RTL code. If one trusted the synthesis tool completely, this verification would not be necessary. However, synthesis tools are large software systems that depend on the correctness of algorithms and library information. History has shown that such systems are prone to error. Equivalence checking is used to keep the synthesis tool honest. In some rare instances, this form of equivalence checking is used to verify that manually written RTL code faithfully represents a legacy gate-level design.

Equivalence checking can also verify that two RTL descriptions are logically identical. Proving their equivalence avoids running lengthy regression simulations when only minor non-functional changes are made to the source code to obtain better synthesis results. Modern equivalence checkers can even deal with sequential differences between RTL models, such as re-architected FSMs or data pipelines. Fig. 5 shows the formal equivalence checking flow.

[Fig. 5. Formal Equivalence Checking: Design Specifications → High Level Model / RTL code (VHDL / Verilog HDL) or Netlist → Synthesis → RTL code or Netlist → Equivalence Checking]

All stages of the design process require thorough reviews by the design and application community to ensure design accuracy. These stages include the requirement specification, implementation plan, verification plan, detailed design (behavioral or RTL), synthesis, testbench, verification results, layout and timing, and documentation [11].

IV. PROTOTYPE TESTING

Initially functional testing is carried out for the individual modules of the system with the help of test jigs. On completion of module level testing, the fully integrated system is thoroughly tested with a computer based simulator for full functionality. Any modifications (if required) are incorporated in the final design.

V. SYSTEM QUALIFICATION

A. Reliability Analysis

Various reliability analysis techniques like Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and Reliability Prediction etc. are performed for the safety critical systems. Performing qualitative analysis such as FMEA and FTA will help the PLD based SCS to improve the design and enhance its diagnostic features. FMEA is a bottom up approach where the failures of each component of the system are identified along with their modes of failure. Effects of those failure modes on the system are analyzed. FTA is a top down approach, where the failure of the system in a particular mode is considered as the top event and the causes of that failure, along with the inter-relation between the causes, are analyzed until basic events are reached. Apart from these qualitative methods there are many quantitative reliability analysis methods used to compare different topologies and evaluate the probability of failure on demand. One such is Reliability Prediction.

The term Reliability Prediction denotes the process of applying mathematical modeling and data for the purpose of estimating the field reliability of a system before empirical data about the system is available. Reliability Prediction provides the quantitative baseline needed to assess progress in reliability design. In 1962 the first version of the US military handbook, “US MIL-217”, was published by the US Navy, which became the standard for Reliability Prediction.

Calculation of failure rate forms the basis for quantitative reliability analysis. For electronic components, the US MIL 217-F Notice-2 [12] standard provides empirical formulae to find out the failure rate. Reliability prediction of electronic components is done by either the Parts Stress method or the Parts Count method. In case, for any component, the failure rate is not available, failure rate data given by the manufacturer is used in the calculations. While arriving at the failure rate, the derating of the component, quality level, temperature, intended environment etc. are taken into consideration.

IEC 61508, Standard for functional safety of electrical/electronic/programmable electronic safety-related systems [13], provides guidelines for the determination of the probability of an unsafe state of the system. Using these guidelines, the probability of failure on demand is evaluated for different scenarios.

To improve the Mean Time Between Failure (MTBF) values, PLD manufacturers follow technology guidelines to closely monitor every stage of the design and production process. Also, due to improved manufacturing processes, PLDs are already available with reasonable MTBF values. Quantitative accelerated life tests are designed to quantify the life of the product and produce the data required for accelerated life data
analysis [14]. This analysis method uses life data obtained under accelerated conditions to extrapolate an estimated probability density function for the product under normal use conditions.

System reliability is determined by hardware and software architectures, development, qualification and verification processes and the level of design maintainability.

B. Hardware Fabrication Quality Assurance

During the fabrication of boards the following analyses have to be done exhaustively.

1. Signal Integrity Analysis to avoid terminations.
   • Post route cross talk, reflection and timing analysis to be done on all interconnected nets.
   • Power Plane Analysis: Power plane fluctuations < ±0.3V
   • EMI Analysis: The CAD shall be compatible with FCC standard Class-B EMI specifications.
2. Thermal Analysis to eliminate hotspots.
3. PCB Fabrication as per IPC 6012.
4. PCB Assembly as per IPC-610D.
5. Bare Boards Test (BBT) shall be carried out using an automated process.
6. Component Procurement from authorized distributors.
7. Board Assembly done by automated process from qualified assembly houses.
8. Conformal Coating applied on all the PCBs as per MIL-I-46058C specification.

C. Environmental Qualification

The system is qualified for environmental tests such as dry heat test, damp heat test, dry cold test, temperature cycling test and drop test as per IS 9000.

D. EMI/EMC Qualification

The system is qualified for EMI/EMC, i.e. emission and susceptibility tests, as per IEC-61000.

E. Seismic Qualification

To ensure the availability of SCS during a seismic event, the safety classification and seismic categorization of the structures, systems and components (SSC) is performed according to the AERB safety guide [3]. Safety of these SSC is to be assured against the Safe Shutdown Earthquake (SSE) as well as the Operational Basis Earthquake (OBE), and hence these have to be designed for both OBE and SSE.

VI. CASE STUDY

Safety Logic with Fine Impulse Test (SLFIT) System for Reactor Shutdown System of PFBR

PFBR is provided with two independent, fast acting and diverse shutdown systems, namely SDS-1 & SDS-2, to detect any abnormalities in the reactor core and to initiate safety action. Each system consists of sensors, signal processing systems, logic systems, drive mechanism and absorber rods. The absorber rods of the first system are Control and Safety Rods (CSR) and those of the second system are Diverse Safety Rods (DSR). There are nine CSRs and three DSRs. CSRs are used for start-up, control of the reactor power, controlled shutdown and SCRAM, whereas the DSRs are used only for SCRAM. The respective drive mechanisms are called CSRDM & DSRDM. For SDS-1, the Safety Logic with Fine Impulse Test (SLFIT) system is provided. For SDS-2, the Pulse Coded Safety Logic (PCSL) system is provided.

The SLFIT system receives trip parameters from the neutron flux monitoring, failed fuel detection, sodium flow monitoring and reactor inlet temperature monitoring systems and performs logical operations to drive the Electro-Magnet (EM) coils of the Control & Safety Rods (CSRs). The SLFIT system de-energizes the EM-Coils whenever a trip parameter crosses its threshold limits or there is a demand for reactor shutdown. The trip parameters are triplicated in nature, i.e. the Triple Modular Redundancy (TMR) concept is employed to achieve high reliability and availability. Being a safety critical system, features like Design Diversity, Independence, Isolation, High Reliability and Testability have been incorporated into the design and implementation of the SLFIT System.

The main building blocks of the SLFIT System are Signal Conditioning Circuits, 2/3-Logic Circuits, Grouping Logic Circuits, Timer & Latching Circuit, FIT Logic Circuit, FIT Logic (Diagnostics) Circuit and EM-Coil Drive Circuit. The SLFIT system is built using PLDs. The design is implemented using VHDL. The EM-Coil drive circuit is built using Insulated Gate Bipolar Transistors (IGBTs).

The probable faults in PLDs are stuck-at faults, which imply the fault effect to be a line segment stuck at logic 0 or 1 (i.e. stuck-at 0 or stuck-at 1). For the SLFIT System, stuck-at 1 is an unsafe fault, which needs to be detected on-line in the minimum possible time. To prevent the Safety Logic System failing in an unsafe mode, an on-line test facility, i.e. Fine Impulse Test (FIT) logic, is provided. FIT Logic monitors the healthiness of the Safety Logic System on-line and detects safe and unsafe failures. FIT logic injects short duration (1 ms) trip pulses periodically at the input of the Safety Logic in required combinations and verifies the propagation of these pulses at the output of the Safety Logic System. Each parameter is tested with a periodicity of 3 minutes.
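The FIT mechanism above is described in prose only. The Python model below is an added example, not the SLFIT design or its VHDL: the signal convention (1 = healthy, coil energised; 0 = trip, coil de-energised), the four parameter names and the fault-injection hooks are assumptions made for the illustration. It models 2/3 voting per trip parameter feeding a common coil drive, and one FIT sweep that pulses two channels of a parameter (the pulse must reach the coil drive, otherwise a stuck-at-1 on the trip path is reported as an unsafe failure) and one channel alone (the pulse must be out-voted, otherwise a stuck-at-0 on another channel is reported as a safe-side failure). The 1 ms pulse width and 3 minute period are not modelled as timing; one call represents one sweep.

```python
from itertools import combinations

# Constructed model of a TMR safety logic with an on-line Fine Impulse Test.
# Convention (assumed): HEALTHY = 1 keeps the EM coil energised, TRIP = 0
# de-energises it, so a line stuck at 1 can mask a genuine trip demand.
HEALTHY, TRIP = 1, 0
CHANNELS = 3                                   # triplicated trip parameters (TMR)
PARAMS = ["neutron_flux", "failed_fuel", "sodium_flow", "inlet_temp"]  # assumed names


class SafetyLogic:
    """2/3 voting per parameter, then AND across parameters into the coil drive.

    faults maps a line to the value it is stuck at (a modelling hook standing
    in for a physical defect inside the PLD):
      (param, channel_index) -> 0/1   stuck-at on a channel input line
      (param, "vote")        -> 0/1   stuck-at on the 2/3 voter output
    """

    def __init__(self, faults=None):
        self.faults = dict(faults or {})

    def vote(self, param, lines):
        lines = [self.faults.get((param, i), v) for i, v in enumerate(lines)]
        out = HEALTHY if sum(lines) >= 2 else TRIP
        return self.faults.get((param, "vote"), out)

    def coil_drive(self, inputs):
        # inputs: {param: [ch0, ch1, ch2]}; any voted trip de-energises the coil
        return HEALTHY if all(self.vote(p, inputs[p]) == HEALTHY for p in PARAMS) else TRIP


def all_healthy():
    return {p: [HEALTHY] * CHANNELS for p in PARAMS}


def fine_impulse_test(logic):
    """One FIT sweep over every parameter; returns (param, kind, detail) findings.

    kind == "unsafe": a 2-of-3 trip pulse did not reach the coil drive
                      (stuck-at-1 somewhere on the trip path).
    kind == "safe":   a 1-of-3 pulse reached the coil drive, or the coil is
                      de-energised although every input is healthy (stuck-at-0).
    """
    findings = []
    if logic.coil_drive(all_healthy()) != HEALTHY:
        findings.append(("*", "safe", "coil de-energised with all channels healthy"))
    for p in PARAMS:
        # Unsafe-side check: every 2-of-3 combination must propagate.
        for a, b in combinations(range(CHANNELS), 2):
            pulse = all_healthy()
            pulse[p][a] = pulse[p][b] = TRIP          # short trip pulse on two channels
            if logic.coil_drive(pulse) != TRIP:
                findings.append((p, "unsafe", f"2/3 pulse on channels {a},{b} did not propagate"))
        # Safe-side check: a single-channel pulse must be out-voted.
        for a in range(CHANNELS):
            pulse = all_healthy()
            pulse[p][a] = TRIP
            if logic.coil_drive(pulse) != HEALTHY:
                findings.append((p, "safe", f"1/3 pulse on channel {a} propagated"))
    return findings


if __name__ == "__main__":
    scenarios = [("no fault", {}),
                 ("voter output stuck-at-1", {("sodium_flow", "vote"): 1}),
                 ("channel input stuck-at-1", {("neutron_flux", 0): 1}),
                 ("channel input stuck-at-0", {("inlet_temp", 1): 0})]
    for name, faults in scenarios:
        print(f"{name}: {fine_impulse_test(SafetyLogic(faults))}")
```

A stuck-at-1 on a single channel input does not yet defeat the 2/3 vote, but the sweep still reports it as unsafe because two of the three pulse combinations fail to propagate: the redundancy has silently degraded to 1-out-of-2 on that parameter, which is exactly the latent condition the on-line test exists to surface.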
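Section III.C contrasts function-oriented (directed) and function-independent (random) test generation and names branch and toggle coverage as the measures of completeness. The testbench below is an added illustration of that methodology and is not code from the paper or from the PFBR designs, which are written in VHDL: the device under test (a 4-bit up-counter with synchronous load and enable), the golden reference model and the coverage collector are constructed here in Python so the whole loop can run. Every DUT response is compared against the "known correct response" of the golden model, both vector styles are driven, and a seeded wrap-around defect shows a directed vector pinning a scenario that random vectors reach only by chance.

```python
import random
from dataclasses import dataclass, field

# Constructed DUT: 4-bit up-counter with synchronous load and enable, modelled
# in Python instead of VHDL so that the testbench runs stand-alone.
WIDTH = 4
MAX = (1 << WIDTH) - 1
BRANCHES = ("load", "wrap", "count", "hold")   # the DUT's IF/ELSIF arms


@dataclass
class Coverage:
    branches: dict = field(default_factory=dict)                     # arm -> hit count
    toggled: list = field(default_factory=lambda: [False] * WIDTH)  # per output bit

    def hit(self, name):
        self.branches[name] = self.branches.get(name, 0) + 1

    def toggle(self, prev, new):
        for bit in range(WIDTH):
            if ((prev ^ new) >> bit) & 1:
                self.toggled[bit] = True

    def report(self):
        return {"branch": len(self.branches) / len(BRANCHES),
                "toggle": sum(self.toggled) / WIDTH}


def make_dut(wrap_bug=False):
    """Return the DUT's next-state function; wrap_bug seeds a defect at MAX."""
    def dut(state, load, enable, data, cov):
        if load:                        # synchronous load arm
            cov.hit("load")
            nxt = data & MAX
        elif enable and state == MAX:   # wrap-around arm
            cov.hit("wrap")
            nxt = MAX if wrap_bug else 0
        elif enable:                    # normal count arm
            cov.hit("count")
            nxt = state + 1
        else:                           # hold arm
            cov.hit("hold")
            nxt = state
        cov.toggle(state, nxt)
        return nxt
    return dut


def golden(state, load, enable, data):
    """Reference model providing the 'known correct response'."""
    if load:
        return data & MAX
    return (state + 1) & MAX if enable else state


def run(vectors, dut):
    """Drive vectors through DUT and golden model; return (mismatches, coverage)."""
    cov, state, mismatches = Coverage(), 0, []
    for cycle, (load, enable, data) in enumerate(vectors):
        expected = golden(state, load, enable, data)
        got = dut(state, load, enable, data, cov)
        if got != expected:
            mismatches.append((cycle, state, (load, enable, data), got, expected))
        state = expected    # continue from the reference state: one defect, one mismatch
    return mismatches, cov


# Function-oriented (directed) vectors: load 14, count to 15, force the wrap, hold.
DIRECTED = [(1, 0, 14), (0, 1, 0), (0, 1, 0), (0, 0, 0)]


def random_vectors(n, seed):
    """Function-independent vectors: the generator knows nothing about the DUT."""
    rng = random.Random(seed)
    return [(rng.random() < 0.1, rng.random() < 0.7, rng.randrange(1 << WIDTH))
            for _ in range(n)]


if __name__ == "__main__":
    for label, vecs in (("directed", DIRECTED), ("random", random_vectors(2000, 7))):
        mism, cov = run(vecs, make_dut())
        print(f"{label}: {len(mism)} mismatches, coverage {cov.report()}")
    print("seeded wrap bug, directed:", run(DIRECTED, make_dut(wrap_bug=True))[0])
```

Four directed vectors already reach every branch and toggle every output bit because the engineer who wrote them knew where the wrap-around lives; the random stream needs thousands of cycles to stumble into the same corner, but it also exercises sequences nobody thought to write down, which is the trade-off the section describes.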
VII. CONCLUSION

PLDs are appropriate to use in safety-critical systems design, provided proper steps are taken to avoid failures. The selection of a particular programming technology has to be made judiciously and a proper design methodology has to be followed to address design related problems.

Random failures can be avoided by the selection of proper device technologies. Deterministic failures must be addressed in the design process by assuring correctness and completeness of safety specifications, including specification of failure modes, assuring correctness of the design with respect to safety specifications by verification techniques, and verifying functional properties as well as timing properties to ensure freedom from intrinsic design faults.

PLDs are considered economical alternatives compared to ASICs. PLDs are typically used in building a prototype system in place of a custom ASIC. It is significantly cheaper and quicker to use PLDs when the alternative is a minimum production run of 5000 ASICs in a fabrication plant. To keep pace with the requirement and necessity, either new standards have to evolve or the existing standards have to be revised for the programmable electronics in a safety system.

VIII. FUTURE WORK

PLDs meet all our functional requirements for designing SCS and they are economically cost effective solutions also. But the problem is obsolescence. Due to rapid changes in integrated circuit technology and varying market requirements, presently targeted devices may not be available at a later point of time, whereas the Nuclear reactor’s I & C systems have to be functional for a few decades. So, to address obsolescence, Application Specific Integrated Circuits (ASIC) are preferred as an alternative. Since the existing designs are proven and working as per the requirements, ASICs can be developed to ensure the availability of I & C systems for the reactor’s life. The risk factor is also less as the ASICs are designed from proven designs. Therefore, developing ASICs for the existing PLD based safety designs is in store for the future.

ACKNOWLEDGMENT

The authors thank Dr. Baldev Raj, Director, Indira Gandhi Centre for Atomic Research (IGCAR), Kalpakkam-603102, INDIA for his encouragement and support for this work. The authors also thank Dr. P. Swaminathan, Director, Electronics and Instrumentation Group, IGCAR and Dr. V. Kamakoti, Professor, Indian Institute of Technology Madras, Mr. N. Sridhar, Scientific Officer-F & Mrs. Saritha P. Menon, Scientific Officer-E, Electronics and Instrumentation Division, IGCAR for their technical contribution.

REFERENCES

[1] Michael John Sebastian Smith, Application-Specific Integrated Circuits.
[2] Janick Bergeron, Writing Test Benches: Functional Verification of HDL Models, Kluwer Academic Publishers, 2000.
[3] Atomic Energy Regulatory Board, Mumbai-400 094, India, “AERB Safety Guide No. AERB/NPP-PHWR/SG/D-1, Safety Classification and Seismic Categorization for Structures, Systems and Components of Pressurized Heavy Water Reactors”, January 2003.
[4] Atomic Energy Regulatory Board, Mumbai-400 094, India, “AERB Safety Guide No. AERB/NPP-PHWR/SG/D-10, Safety Systems for Pressurized Heavy Water Reactors”, October 2005.
[5] Atomic Energy Regulatory Board, Mumbai-400 094, India, “AERB Safety Guide No. AERB/NPP-PHWR/SG/D-20, Safety Related Instrumentation and Control for Pressurized Heavy Water Reactor based Nuclear Power Plants”, January 2003.
[6] IEEE Std 1076-2000, IEEE Standard VHDL Language Reference Manual.
[7] IEEE P1364-2005, IEEE Standard Verilog Hardware Description Language.
[8] M. Morris Mano, Digital Logic and Computer Design.
[9] Samir Palnitkar, Design Verification with e.
[10] William K. Lam, Hardware Design Verification: Simulation and Formal Method-Based Approaches.
[11] Minimizing HDL Design Errors, VhdlCohen Publishing, http://www.vhdlcohen.com
[12] US Department of Defense, MIL-HDBK-217 Notice-2, “Military Handbook for Reliability Prediction of Electronic Equipment”, February 1995.
[13] IEC-61508, Standard for functional safety of electrical/electronic/programmable electronic safety-related systems.
[14] Quantitative Accelerated Life Testing Data Analysis, http://www.weibull.com/basics/accelerated.htm
