STUK-YTO-TR 91
OCTOBER 1995
Experimental testing of a SAG digital SILT application
P. Haapanen, M. Maskuniitty
VTT Automation
J. Heikkinen, J. Korhonen
VTT Electronics
SÄTEILYTURVAKESKUS
Strålsäkerhetscentralen
Finnish Centre for Radiation and Nuclear Safety
In the Finnish Centre for Radiation and Nuclear Safety the study was supervised by Harri Heimbürger.
This study was conducted at the request of the Finnish Centre for Radiation and Nuclear Safety.
FINNISH CENTRE FOR RADIATION AND NUCLEAR SAFETY, P.O.BOX 14, FIN-00881 HELSINKI, FINLAND. Tel. +358-0-759881, Fax +358-0-75988382
HAAPANEN, Pentti, MASKUNIITTY, Matti, HEIKKINEN, Jouni, KORHONEN, Jukka (Technical Research Centre of Finland). Experimental testing of a SAG digital SILT application. STUK-YTO-TR 91. Helsinki 1995. 26 pp. + Apps. 59 pp.
ISBN 951-712-063-X
ISSN 0785-9325
Keywords: Safety, safety analysis, reliability analysis, automation, programmable systems, reactor protection systems, nuclear reactor safety, testing
ABSTRACT
A prototype dynamic testing harness for programmable automation systems has been specified and implemented at the Technical Research Centre of Finland (VTT). In order to get experience of the methodology and equipment for the testing of systems important to the safety of nuclear power plants, where the safety and reliability requirements are often very high, two different pilot systems have been tested. One system was an ABB Master application, which was loaned for testing from ABB Atom by Teollisuuden Voima Oy (TVO). Another system, loaned from Siemens AG (SAG) by IVO International Oy (IVO), was an application realized with SAG's digital SILT technology. This report describes the testing of the SAG application.
The testing of the pilot application took place in the SAG laboratory in Erlangen mainly in February 1995 (a final check test was executed on 27.4.1995). The purpose of the testing was not to assess the pilot system, but to get experience in the testing methodology and find out the further development needs and potentials of the test methodology and equipment.
The experience shows that dynamic testing is one feasible way to gain confidence in the safety and reliability of a programmable system that would be hard to achieve by other means. It also shows that more development of the test harness is still needed, especially concerning the comparison of the obtained test response to the expected response provided by the logical model of the system. The user interface of the on-line part of the test harness also needs development. Methods for generation of the test cases also need further development, e.g. for achieving statistical significance for the reliability estimates.
HAAPANEN, Pentti, MASKUNIITTY, Matti (VTT Automation), HEIKKINEN, Jouni, KORHONEN, Jukka (VTT Electronics). Testing of Siemens AG's digital SILT system. STUK-YTO-TR 91. Helsinki 1995. 26 pp. + appendices 59 pp.
ISBN 951-712-063-X
ISSN 0785-9325
Keywords: Safety, automation, programmable systems, reactor protection systems, reactor safety, testing, safety analyses, reliability analyses
SUMMARY
A test environment intended for the dynamic testing of programmable automation systems has been specified and implemented at the Technical Research Centre of Finland (VTT). VTT has tested the pilot systems of two system suppliers, ABB Atom and Siemens AG (SAG), in this environment. The pilot systems were loaned from the suppliers for VTT's use by Teollisuuden Voima Oy (TVO) and IVO International Oy (IVO). The aim of the tests has been to gather experience of the suitability of the testing method and system for assessing systems important to the safety of nuclear power plants (whose safety and reliability requirements are often very strict). This report describes the testing of a pilot system implemented with SAG's digital SILT technology.
The testing was carried out in the SAG laboratory in Erlangen mainly in February 1995 (the last check test was carried out on 27.4.1995). The aim of the testing has not been to assess the pilot equipment, but to gather experience of the test procedure and to find the development needs and possibilities of the procedure and the test equipment.
The experience gained shows that dynamic testing is one noteworthy way to increase confidence in the reliability and safety of the target system, which is hard to achieve by other means. It also shows that further development is still needed, especially concerning the mechanisms by which the test result of the target system is compared with the expected response given by its logical model. The user interface of the on-line part of the test bench should also be made more user-friendly. The generation of test cases also requires further development, among other things in order to achieve statistical significance for the reliability estimate drawn up on the basis of the tests.
CONTENTS
1 INTRODUCTION
2 THE PILOT SYSTEM
  2.1 The pilot process
  2.2 The control system
3 TEST CASES
4 TEST ORACLE
  4.1 Validation of the logical model
    4.1.1 Unit tests
    4.1.2 Integration tests
5 EXPECTED RESPONSE GENERATION
6 TESTING ARRANGEMENT
  6.1 Observations during the testing
7 TEST RESULTS
  7.1 Test case 1
  7.2 Test cases 2, 3, 4 and 5
  7.3 Test cases 6 and 7
8 CONCLUSIONS
9 REFERENCES
APPENDIX A The logical model
APPENDIX B Test data
APPENDIX C Test results
TERMS AND ABBREVIATIONS
  ADC                A/D Converter
  A/D                Analog/Digital
  APROS              Advanced Process Simulation System (IVO/VTT)
  DAC                D/A Converter
  D/A                Digital/Analog
  Dynamic testing    Testing of a system by execution of its functioning
  Excel™             Spreadsheet program by Microsoft® Corporation
  Expected response  Correct response of the system to a specific test case
  I/O                Input/Output
  IVO                IVO International Oy
  RT-SA              Real Time/Structured Analysis
  RT-SA/SD           Real Time-Structured Analysis/Structured Design
  Test Harness       (Test environment, test bed, test bench) System or device used for running and automation of tests
  Test Oracle        Logical model of the test object used for the calculation of the expected ("correct") response
  TVO                Teollisuuden Voima Oy
1 INTRODUCTION
The safety assessment of programmable automation systems cannot be based entirely on conventional probabilistic methods because of the difficulties in quantifying the reliability of the software as well as the hardware. Additional means shall therefore be used to gain more confidence in the system dependability.
One central confidence-building measure is the independent dynamic testing of the completed system. The testing is aimed at demonstrating that the delivered system performs to its specification and meets customer requirements, that there are no functional errors in the software or the hardware and that the system interacts effectively (Abbot 1992). The operation of the system is addressed in realistic situations, with realistic operating conditions, with respect to the required reliability. Testing is intended to demonstrate that in a realistic situation, with real inputs, the system will behave as required over a prolonged period of time. Although the testing cannot prove the system to be safe, each successful test case can increase the confidence in its safety.
The ultimate goal of dynamic testing would be to reveal all possible faults and errors. If knowledge of the internal structure of the system, together with some continuity, majority or similar principle, does not allow the extension of one single test to cover a wider range of test cases, "complete" testing is required. This requires all possible input and internal state combinations to be covered. This is not possible in practice, since even in systems with a limited number of inputs and internal states the combinatorial explosion would raise the required number of test cases far beyond any practical limits.
Another important goal is to define a statistically significant set of test cases for the estimation of the system reliability. When the requirements are very high, as is the case e.g. for the reactor protection system, even this significance is usually hard if not impossible to achieve.
In many cases only a limited time period is available for the testing before the system start-up, and this time together with the performance of the testing system sets the upper limit for the number of test cases. Thus the practical goal would be to define as many different test cases as can be run during the limited time period available for testing.
In any case a large number of test cases should be executed in order to get any confidence in the system safety through testing. An automated test harness is needed to run the required number of test cases in a restricted time span. A prototype dynamic test harness was specified and implemented at VTT (Haapanen & Korhonen 1994). This system was used for experimental testing of two representative pilot systems developed by ABB Atom and Siemens AG. The purpose of the testing was not to assess the quality of the pilot system, but to get experience in the testing methodology and find out the further development needs and potentials of the test methodology and equipment. Based on the experience gathered the system can later be expanded and completed to a full-scope testing environment and used for testing real safety critical nuclear power plant applications when they eventually arise.
The basic configuration of the test harness is presented in Fig. 1. The central part of the system is the "Test Oracle", a logical model of the test object used to form the expected, "correct" behaviour of the system output signals for the test signals fed to the test object. The test data generator is actually an input driver feeding input signal values from a predefined test data file to the test object and the test oracle. The result comparator compares the outputs from the test oracle and the test object. An EXCEL table has been used to store the output signal time series from the test object and test oracle, and the comparison is made e.g. by drawing charts of the time behaviours. In practice the system is divided into two parts. The on-line part consists of an industrial PC computer with proper I/O devices to feed the input signals to the test object and to read the test object output signals to a data file. The generation of the expected output signals by the test oracle and the result comparison are made off-line on separate PC-level computers.
This report describes the testing of a pilot system realized with Siemens AG's (SAG) digital SILT technology. The testing took place in the SAG laboratory in Erlangen mainly in February 1995 (a final check test was executed on 27.4.1995).
Figure 1. The principle of the test concept. (Blocks: test data generation; "test oracle" producing the expected test results; tested system with input and output, producing the system response; result comparison.)
2 THE PILOT SYSTEM
A pilot system for Siemens AG's own conceptual and type testing and validation efforts for the digital SILT technology was established at the SAG laboratory in Erlangen. The system consists of a small physical laboratory process and a control and protection system for that process implemented on the digital SILT technology based on SAG's SIMICRO components. A detailed description of the pilot process and its control and protection systems is presented in Seiter et al. 1991a, b and Abraham 1994.
2.1 The pilot process
The pilot process simulates small break loss of coolant accidents (SBLOCA) in a Pressurized Water Reactor (PWR) system. The configuration of the process is presented in Fig. 2. RKL is a pressure vessel corresponding to the primary loop of a PWR plant. In case of a loss of coolant accident the pump PPE, corresponding to the emergency cooling water pump, feeds water to the pressure vessel from the emergency cooling water tank FB through magnetic valves AV2 and AV3. When the FB tank is about to become empty the feeding to the pressure vessel is switched to the tank RSB, corresponding to the sumps at the bottom of the reactor containment where the leaked water is collected. Control valve RV is used to control the water level and pressure in the pressure vessel after the initial transient. Finally, after the RKL state is restored and the leak stopped, the pump is used to restore the initial state by pumping water from the RSB tank to the FB tank through the valves AV1 and AV4. A relay is provided to force the valve AV5 to stay open once it has opened, despite the control and protection system commands, and thus cause the loss of coolant accident to proceed. A manually operated air pump DEP is provided to raise the RKL pressure to initiate the transient.
Figure 2. Configuration of the pilot process.
2.2 The control system
Nine (9) control and protection functions (LeFu's = Leittechnik Funktion) have been defined to control the system and protect its components. These are:
  LeFu-Nr  LeFu-Name                               Safety category
  1        Preparation for RKL pressure protection  B1
  2        RKL pressure protection                  S3
  3        RKL feeding from FB                      S1
  4        RKL level control                        B1
  5        RKL feeding from RSB                     S1
  6        RKL pressure control                     B1
  7        Initial state restoration                B1
  8        FB flooding prevention                   S3
  9        Pump protection                          B1
Protection functions are classified in safety categories S1-S3 and control functions in safety categories B1-B2 (reliability requirements grow when the number decreases). The safety category defines the priorities of the functions in cases where more than one LeFu requires operation of the same control object.
3 TEST CASES
An advanced process simulation tool (APROS) developed by IVO and VTT was used to model the pilot process. This simulation model also included a model of the process control system, that is, a logical model for the pilot system. This model, however, was not accurate enough to serve as the logical model to predict the actual behaviour of the control system to be tested (e.g. it had to be run in shorter time intervals with manual operations between them, since not all features of the SAG control system were available in APROS). However, it served well to produce the proper test cases. The modelling of the pilot process was quite straightforward with the APROS tool, and development of the model took about one man-month of effort even though the model was the developer's first encounter with the APROS tool.
Seven different basic test transients were generated using the simulation model. These corresponded to the system behaviour during a small break loss of coolant accident. The transient was initiated by raising the RKL pressure with the manual air pump DEP until first the valve RV was opened by LeFu 1 and then valve AV5 by LeFu 2. The AV5 was then locked in the open position even after the pressure reduction to cause the SBLOCA. Other LeFu's then started the pressure and water inventory restoration functions. The rate of the pressure rise by DEP was varied so that the position of the control valve RV was different in each transient at the time instant when the RKL pressure surpassed the protection limit 2.8 bar and LeFu 2 opened the valve AV5. Thus the rate of water leakage from the RKL, and hence the rate of change of the water level and pressure in RKL, was also different in each test transient.
The APROS model provided input signals in ASCII tables where the input signal values are defined at one second time intervals. The cycle time of the pilot system is much shorter (5 or 50 ms), but since the process is rather slow (e.g. the stroke time of the control valve RV is 120 s) the test transients are long (15-30 min) and the signal values change slowly. If necessary, the input driver can interpolate between consecutive values so that the input to the test object is updated faster. This was the case in tests where noise was added to the signals (however, these test cases were later rejected).
The test data input table contained four analog signals and five binary signals (plus a system reset signal). These were:
• Control valve RV position
• RKL pressure
• RKL water level
• RKL water level set point
• Pump on
• FB level > max1
• FB level < min1
• RSB level > max2
• RSB level > max1.
An example of the APROS data is given in Table I.
These tables contained the time series of each analog and binary input signal for the test object. The number of rows in the tables varied between 884 and 1704, corresponding directly to the duration of the transient in seconds, that is, between about 15 and 28 minutes. The logical model required the analog signal values in physical units whereas the test object required the corresponding scaled voltage values. The APROS data was therefore read into an EXCEL spreadsheet where the proper scaling was done. The APROS data was fed to the EXCEL spreadsheet presented in Table II.
Table I. APROS-model data.
  Column headers as printed in the APROS file:
    SIMULATION TIME
    LEFU4LC01XG01 BINARY_VALUE
    LEFU7LC02XG01 BINARY_VALUE
    LEFU4NO00XL01 BINARY_VALUE
    LEFU5LC00XG01 BINARY_VALUE
    LEFU3LC01XG01 BINARY_VALUE
    RKLDIO1XJO1 ANALOG_VALUE
    RKLDIOOXJO1 ANALOG_VALUE
    RVME00XQ02 ANALOG_VALUE
    RVDI00XJ01 ANALOG_VALUE
  Column legend:
    Time [s]
    Pump On
    FB level > max1 - FB full
    FB level < min1 - FB empty
    RSB level > max2 - RSB full
    RSB level > max1 - RSB not empty
    RKL pressure [5 bar]
    RKL level [0.50969 m]
    RV position [1]
    RKL level set point [0.5 m]
  Data:
    Time      Pump On  FB full  FB empty  RSB full  RSB not empty  RKL pressure  RKL level  RV position  Set point
    .0        .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    .9999995  .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    2.0       .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    3.0       .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    4.0       .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    5.0       .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    6.0       .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    6.99999   .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
    7.99999   .0       1.0      .0        .0        .0             .3574058      .4434185   .0           .3
Table II. APROS-data EXCEL spreadsheet.
  APROS-model data
          Binary Inputs                                       Analog Inputs
  Time    Pump On  FB > max1  FB < min1  RSB > max2  RSB > max1  RKL Pressure  RKL Level    RV Position  RKL Level Set point
  [s]     "0/1"    "0/1"      "0/1"      "0/1"       "0/1"       [5 bar]       [0.50968 m]  [1]          [0.5 m]
  1       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  2       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  3       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  4       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  5       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  6       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  7       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
  8       0        1          0          0           0           0.357406      0.44342      0.00000      0.30000
The scaled analog signals were then converted to absolute values for the logical model in another EXCEL spreadsheet (Table III).
Analog and binary signals were finally separated into distinct EXCEL spreadsheets and the RV position signal was re-scaled to a 2-10 V scale corresponding to a valve opening between 0 and 100 %. The columns in these two EXCEL tables (Tables IV and V) were finally ordered to correspond to the physical order of the signals in the interface between the on-line test harness and the test object, for the input drivers.
Table III. Data input table for the logical model.
  Data for logical model
          Binary Inputs                                       Analog Inputs
  Time    Pump On  FB > max1  FB < min1  RSB > max2  RSB > max1  RKL Pressure  RKL Level  RV Position  RKL Level Set point
  [s]     "0/1"    "0/1"      "0/1"      "0/1"       "0/1"       [bar]         [m]        [%]          [m]
  0       0        1          0          0           0           1.78703       0.226      0            0.15
  1       0        1          0          0           0           1.78703       0.226      0            0.15
  2       0        1          0          0           0           1.78703       0.226      0            0.15
  3       0        1          0          0           0           1.78703       0.226      0            0.15
  4       0        1          0          0           0           1.78703       0.226      0            0.15
  5       0        1          0          0           0           1.78703       0.226      0            0.15
  6       0        1          0          0           0           1.78703       0.226      0            0.15
  7       0        1          0          0           0           1.78703       0.226      0            0.15
  8       0        1          0          0           0           1.78703       0.226      0            0.15
Table IV. Analog input signals to the pilot system.
  Analog inputs to SAG pilot
  Time    RKL Pressure  RKL Level    RV Position  RKL Level Set point
          0-5 bar       0-0.50968 m  0-100 %      0-0.5 m
  [s]     0-10 V        0-10 V       2-10 V       0-10 V
  0       0.357406      0.443419     0.2          0.3
  1       0.357406      0.443419     0.2          0.3
  2       0.357406      0.443419     0.2          0.3
  3       0.357406      0.443419     0.2          0.3
  4       0.357406      0.443419     0.2          0.3
  5       0.357406      0.443419     0.2          0.3
  6       0.357406      0.443419     0.2          0.3
  7       0.357406      0.443419     0.2          0.3
  8       0.357406      0.443419     0.2          0.3
  9       0.357406      0.443419     0.2          0.3
  10      0.357406      0.443419     0.2          0.3
Table V. Binary input signals to the pilot system.
  Binary inputs to SAG pilot
  Time    Pump on  FB > max1  FB < min1  RSB > max2  RSB > max1
  [s]     0/1      0/1        0/1        0/1         0/1
  1       0        1          0          0           0
  2       0        1          0          0           0
  3       0        1          0          0           0
  4       0        1          0          0           0
  5       0        1          0          0           0
  6       0        1          0          0           0
  7       0        1          0          0           0
  8       0        1          0          0           0
The input signal tables were finally stored as ASCII tables (text format, CSV) for the input driver programs.
Originally it was intended to expand the seven basic test cases by adding noise to the signals, and some test runs with noisy signals were actually run. The deviations between model and pilot system behaviour with the basic data, together with limited project resources, led to the rejection of these test cases.
The input data for the seven basic test cases is presented in graphical form in Appendix B.
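The data preparation chain of this chapter (APROS fractions to physical units for the logical model, to voltages for the pilot system, with optional interpolation) can be written as a short script. This is an added example, not the EXCEL sheets or the input driver used in the study. It assumes the column order of the Table I legend, that the Table IV values are fractions of the 10 V full scale, and that a reset value of 1 means "reset active"; all function names are hypothetical.

```python
# Full-scale ranges taken from the column headers of Tables II-IV.
FULL_SCALE = {"pressure": 5.0,    # bar
              "level": 0.50968,   # m
              "setpoint": 0.5}    # m
BINARY = ("pump_on", "fb_full", "fb_empty", "rsb_full", "rsb_not_empty")
ANALOG = ("pressure", "level", "rv", "setpoint")

# Constructed sample in APROS layout: first row as in Table II, second row
# with a half-open control valve so that interpolation has something to do.
APROS_SAMPLE = """\
0.0 0 1 0 0 0 0.357406 0.44342 0.0 0.3
1.0 0 1 0 0 0 0.357406 0.44342 0.5 0.3
"""


def parse_apros(text):
    """Rows of: time, five binary values, four analog fractions (0..1)."""
    rows = []
    for line in text.strip().splitlines():
        f = [float(x) for x in line.split()]
        row = {"t": f[0]}
        row.update({k: int(round(v)) for k, v in zip(BINARY, f[1:6])})
        row.update(dict(zip(ANALOG, f[6:10])))
        rows.append(row)
    return rows


def interpolate(rows, dt):
    """Resample with step dt: analog values linearly, binary values held."""
    out = []
    for a, b in zip(rows, rows[1:]):
        n = int(round((b["t"] - a["t"]) / dt))
        for i in range(n):
            r = dict(a)                      # binary values come from row a
            r["t"] = a["t"] + i * dt
            for k in ANALOG:
                r[k] = a[k] + (i / n) * (b[k] - a[k])
            out.append(r)
    out.append(dict(rows[-1]))
    return out


def oracle_row(row, reset=0):
    """One logical-model input row: Table VI order a-j, physical units."""
    analog = [row["rv"] * 100.0,                          # a: valve position, %
              row["level"] * FULL_SCALE["level"],         # b: level, m
              row["setpoint"] * FULL_SCALE["setpoint"],   # c: set point, m
              row["pressure"] * FULL_SCALE["pressure"]]   # d: pressure, bar
    binary = [reset] + [row[k] for k in BINARY]           # e-j
    return "; ".join(["%.4f" % v for v in analog] + [str(b) for b in binary])


def oracle_file(rows, reset_s=10.0):
    """All rows as text, with the memory reset held for the first reset_s
    seconds (the 10 s reset described in section 6.1; polarity assumed)."""
    return "\n".join(oracle_row(r, int(r["t"] < reset_s)) for r in rows)


def pilot_volts(row):
    """D/A voltages: 0-10 V over the full scale, RV on a 2-10 V live zero."""
    return {"pressure": 10.0 * row["pressure"],
            "level": 10.0 * row["level"],
            "setpoint": 10.0 * row["setpoint"],
            "rv": 2.0 + 8.0 * row["rv"]}


if __name__ == "__main__":
    rows = interpolate(parse_apros(APROS_SAMPLE), 0.5)
    print(oracle_file(rows))
    for r in rows:
        print(r["t"], pilot_volts(r))
```

The first sample row reproduces the Table III values (1.787 bar, 0.226 m, 0 %, 0.15 m) and the 2 V live zero of the closed control valve that appears as 0.2 in Table IV.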
4 TEST ORACLE
The logical model of the target system is mainly designed according to the requirements specification of the Siemens pilot system (Seiter et al. 1991a). However, the two control algorithms in the model were checked from the formal specification to enable consistent function of the algorithms. If the algorithms had been built directly from the requirements, the outputs would probably have fluctuated due to different interpretations of the control rules. Also, some other details of the system were derived from the formal specification to make the comparison of results meaningful. These include, for example, adding the flip-flop reset signal to the system.
The logical model was designed using the ReaGeniX development method and tools (ReaGeniX Programmer 1994, ReAnimator 1994) and the Prosa structured analysis drawing tool (Prosa 1989). The model consists of 13 dataflow diagrams and 31 state machine diagrams plus some additional diagrams for testing. The testing module of the whole system has been built on top of the model. Fig. 3 shows the context diagram of the system.
The main function of the system is to keep the air pressure of the pressure vessel within certain limits. This happens mainly by controlling the water flow through the system. The flow is controlled by six valves and a pump which circulates the water in the system. Five of the valves are of the on/off type whereas one can be opened and closed gradually. The system also contains two water containers for temporary water storage.
The next picture (Fig. 4) shows the main parts of the logical model. The Check_lefu_states module contains seven sub modules, each of which implements one of the seven control functions (LeFu's). Because several signals from different sub modules can affect the same output signal, there is a priority mechanism which handles the contradictory controls. The priority mechanism for the different output signals is carried out by three separate functions. The Control_rv module opens and closes the regulation valve whereas the Control_valves module controls the five on/off valves. Starting and stopping of the water pump is done by the Control_ppe module.
4.1 Validation of the logical model
4.1.1 Unit tests
The state machines of the model were tested using ReaGeniX, which provides an interface where the state and flow values of each state machine can easily be monitored (Fig. 3). The unit test plan and report are described in the test specifications and test result document (Heikkinen 1994).
4.1.2 Integration tests
The integration test of the logical model was done by linking all the data flow diagrams and state machines together and then testing the whole system. The C-file of the state machines and data flow diagrams was derived using the ReaGeniX generator. The integration test cases were derived from the Siemens pilot system test specifications (Warnecke 1994), which included two test cases for integrated software/system. The plan and results of the integration tests are described in (Heikkinen 1994).
Figure 3. Context diagram of the system.
Figure 4. The main functions of the logical model.
Figure 5.
Figure 6. Testing a state diagram with ReaGeniX ReAnimator.
5 EXPECTED RESPONSE GENERATION
Seven different test cases were introduced both to the pilot system and to the logical model. To the logical model the test data was fed by a simple state machine (Fig. 7).
One test case consists of a limited number of test rows, between 884 and 1704 lines. Each row contains the current values of the input signals of Tab. VI.
The rows of the input file look like the following:
49.1232; 0.2313; 0.1500; 1.7000; 0 ;0; 1; 0; 0; 1
49.1232; 0.2323; 0.1500; 1.7010; 0 ;0; 1; 0; 0; 1
49.1232; 0.2333; 0.1500; 1.7020; 0 ;0; 1; 0; 0; 1
Table VI. The input signals to the test object.
  Analog signals:
    a  Control valve position    (%)
    b  RKL level, actual value   (m)
    c  RKL level, set point      (m)
    d  RKL pressure              (bar)
  Binary signals:
    e  Memory reset              (0 or 1)
    f  Pump on                   (0 or 1)
    g  FB level > max1           (0 or 1)
    h  FB level < min1           (0 or 1)
    i  RSB level > max2          (0 or 1)
    j  RSB level > max1          (0 or 1)
Figure 7. Logical model together with input and output modules.
The output of the logical model was also recorded by a simple state machine which wrote the values of the output signals into a file. The output file contains the signals in Tab. VII.
The update interval of the output signals was defined to be the same as the input feed time interval, that is 1 second. The output file looks like the following:
0;0;0;0;1;0;1;0;1
0;0;0;0;1;0;1;0;1
0;0;0;0;1;0;1;0;1
where each row contains the binary signals in Tab. VII.
The logical model responses to the seven test cases are presented in graphical form together with the pilot system response in Appendix C.
Table VII. The output signals of the test object.
  Valve AV1 open               (0 or 1)
  Valve AV2 open               (0 or 1)
  Valve AV3 open               (0 or 1)
  Valve AV4 open               (0 or 1)
  Valve AV5 open               (0 or 1)
  Control valve open           (0 or 1)
  Control valve close          (0 or 1)
  Pump on                      (0 or 1)
  Pressure high (indication)   (0 or 1)
6 TESTING ARRANGEMENT
Figure 8 gives an overview of the testing arrangement at the SAG laboratory in Erlangen. The analog test signals were fed from the test input data files through the D/A converter channels directly to the analog inputs of the test object as voltage signals varying between 0 and 10 V. Correspondingly, the binary signals were connected to binary inputs of the test object. Opto-isolators were used for the binary signals in order to match the different voltage levels in the pilot system (24 V) and the test harness (5 V) and to protect the pilot system and test computer from electrical interference. The input signal values were normally updated at one second time intervals. If necessary, interpolation between consecutive data table values could be used to shorten the updating interval.
The input consists of four (4) analog and six (6) binary signals as presented in Tab. VI. The columns of the original ASCII data table containing the test data were arranged off-line into separate input files for each individual input channel. The test harness reads these input files, scales the analog signals to the corresponding voltage values, makes the interpolation if needed, and writes the values to the output registers of the D/A converters and binary output cards. The signal noise is added to the signals at this phase, if so desired. Fig. 9 gives a presentation of these procedures.
Figure 8. Test harness connections to the test object. (The outputs of the VTT test harness drive the inputs of the SAG pilot system: the four analog and six binary signals of Tab. VI. The nine binary outputs of the pilot system, Valve AV1 to AV5 open, Control valve open, Control valve close, Pump on and Pressure high (indication), are read by the binary inputs of the test harness.)
The system response was recorded by continuously observing the status of the nine binary output signals of the system and storing the time of occurrence and the state of each signal to the output data file each time one of the signals changed its state. The system output signals are presented in Tab. VII.
An example of an output data file is given in Tab. VIII. Tab. VIII lists all the states of the sixteen binary input channels of the test harness. The pilot system outputs are the nine last binary values in reverse order of the signal list Tab. VIII. The I/O card inverts the polarity of the input signals, so 1 in the table corresponds to logical "false" and 0 to logical "true".
The output data file is read into an EXCEL spreadsheet where it can be compared to the logical model predictions. An example of the EXCEL sheet corresponding to Tab. VIII is given in Tab. IX (the logical values have been inverted).
Figure 9. Preparing and feeding of the test data to the test object and reading the system response. (Off-line: the ASCII data table (CSV) is arranged into output channel data. On-line: scaling, interpolation, (adding noise) and writing to the output channels, D/A conversion to the test object, reading the response and saving it to the result file.)
This EXCEL sheet is finally merged into the EXCEL sheet containing the logical model prediction of the system behaviour for comparison.
6.1 Observations during the testing
The pilot system was tested with 7 separate transients, the duration of which varied between about 15 and 28 minutes (884 to 1704 rows). The updating time interval of the transient data was usually 1 second, which is rather long compared to the cycle time of the target system processors (5 ms).
During the first experiments the pilot system memory was not reset between consecutive test runs. This caused an abnormal initial state of the system and the system did not respond properly. After giving a memory reset signal lasting 10 seconds (due to the 10 second time delays in some reset functions) at the beginning of each test run, the situation was corrected.
A 4 second black out of the pilot system output card was registered in one test case. That may be due to a communication software fault. After the black out the transient continued normally from the previous state due to the missing exception handler. The phenomenon was registered only once in 51 tests of the same transient.
Some odd phenomena were observed in the control valve command signals. The close and open commands of the control valve were true at the same time during a 0.2 ms time interval. This may be caused by the time delays (due to the asynchronous operation) in the interface between the test object and the test harness.
Also some additional rapid command signals for on/off valve 5 were observed.
The transient number 6 was run 51 times in sequence with the target system cycle time of 5 ms. The transient number 7 was run 5 times in sequence with the target system cycle time of 50 ms. Some time delays bigger than the output card cycle time (50 ms) were found in sequential test runs.
Table VIII. Output data file.
Signal occurrences, initial digital input 1111111111110111
Index   Total time (ms)   Digital input
1       0.11              1111111111110111
177     176183.97         1111110101110111
272     271036.34         1111110101010111
277     275886.63         1111111111010111
299     297836.22         1111111111000001
299     297836.41         1111111111001001
319     317686.88         1111111011001001
683     681247.56         1111111011000001
683     681247.75         1111111011000101
739     737299.69         1111111111000101
740     738349.63         1111111101000101
919     917405.94         1111111001000100
919     917406.13         1111111011000100
1195    1192613.75        1111111011000101
1220    1217814.50        1111110011000101
1243    1240715.38        1111111011000101
1317    1314817.88        1111111011000001
1317    1314818.00        1111111011001001
end of run
Table IX. Pilot system output.
Time [ms]      Index  AV1Open  AV2Open  AV3Open  AV4Open  AV5Open  RVOpen  RVClose  PumpOn  Pressure high
0,00           0      0        0        0        0        0        1       0        0       0
0,11           1      0        0        0        0        0        1       0        0       0
176 183,97     177    0        1        0        0        0        1       0        0       0
271 036,34     272    0        1        0        1        0        1       0        0       0
275 886,63     277    0        0        0        1        0        1       0        0       0
297 836,22     299    0        0        0        1        1        1       1        1       0
297 836,41     299    0        0        0        1        1        0       1        1       0
317 686,88     319    1        0        0        1        1        0       1        1       0
681 247,56     683    1        0        0        1        1        1       1        1       0
681 247,75     683    1        0        0        1        1        1       0        1       0
737 299,69     739    0        0        0        1        1        1       0        1       0
738 349,63     740    0        1        0        1        1        1       0        1       0
917 405,94     919    1        1        0        1        1        1       0        1       1
917 406,13     919    1        0        0        1        1        1       0        1       1
1 192 613,70   1195   1        0        0        1        1        1       0        1       0
1 217 814,50   1220   1        0        0        1        1        1       0        1       0
1 240 715,30   1243   1        0        0        1        1        1       0        1       0
1 314 817,80   1317   1        0        0        1        1        1       1        1       0
1 314 818,00   1317   1        0        0        1        1        0       1        1       0
There is a possibility to add noise to the transients. In some test runs 4 percent noise was used. In noise tests the cycle time of both the testing system and the target system was 50 ms.
Transients 2–7 were driven with noise. These tests have, however, been rejected from the result comparison due to the lack of project resources.
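The decoding described for Tab. VIII and Tab. IX, and the simultaneous open and close commands noted among the observations, can be reproduced from the file rows directly. The following is an added example, not code from the test harness; the mapping of the nine last bits onto the Tab. IX column names and all function names are assumptions.

```python
# Added example: decode the 16-bit words of the output data file (Tab. VIII)
# into named pilot-system outputs and report contradictory valve commands.

# Assumption: the nine last bits map left to right onto the Tab. IX columns.
# That ordering reproduces Tab. IX from the Tab. VIII rows below. The first
# seven channels are not described on the page and are ignored.
OUTPUTS = ("AV1Open", "AV2Open", "AV3Open", "AV4Open", "AV5Open",
           "RVOpen", "RVClose", "PumpOn", "PressureHigh")

# (index, total time in ms, digital input) as listed in Tab. VIII
ROWS = [
    (1, 0.11, "1111111111110111"),
    (177, 176183.97, "1111110101110111"),
    (272, 271036.34, "1111110101010111"),
    (277, 275886.63, "1111111111010111"),
    (299, 297836.22, "1111111111000001"),
    (299, 297836.41, "1111111111001001"),
    (319, 317686.88, "1111111011001001"),
    (683, 681247.56, "1111111011000001"),
    (683, 681247.75, "1111111011000101"),
    (739, 737299.69, "1111111111000101"),
    (740, 738349.63, "1111111101000101"),
    (919, 917405.94, "1111111001000100"),
    (919, 917406.13, "1111111011000100"),
    (1195, 1192613.75, "1111111011000101"),
    (1220, 1217814.50, "1111110011000101"),
    (1243, 1240715.38, "1111111011000101"),
    (1317, 1314817.88, "1111111011000001"),
    (1317, 1314818.00, "1111111011001001"),
]


def decode(word):
    """Return {signal: bool} for the nine pilot-system outputs in one word."""
    if len(word) != 16 or set(word) - {"0", "1"}:
        raise ValueError(f"expected 16 binary digits, got {word!r}")
    # The I/O card inverts the polarity: 0 in the file is logical true.
    return {name: bit == "0" for name, bit in zip(OUTPUTS, word[-9:])}


def transitions(rows):
    """List (time_ms, signal, new_value) for each output change between rows."""
    events, previous = [], None
    for _, t_ms, word in rows:
        state = decode(word)
        if previous is not None:
            events += [(t_ms, name, value) for name, value in state.items()
                       if previous[name] != value]
        previous = state
    return events


def simultaneous(rows, a, b):
    """Return (start_ms, duration_ms) for intervals with a and b both true.

    An interval still open at the last row is dropped, because the file does
    not record when it ends.
    """
    found, start = [], None
    for _, t_ms, word in rows:
        state = decode(word)
        both = state[a] and state[b]
        if both and start is None:
            start = t_ms
        elif not both and start is not None:
            found.append((start, round(t_ms - start, 2)))
            start = None
    return found


if __name__ == "__main__":
    for start, duration in simultaneous(ROWS, "RVOpen", "RVClose"):
        print(f"RVOpen and RVClose both true at {start:.2f} ms "
              f"for {duration:.2f} ms")
    print(len(transitions(ROWS)), "output changes in the run")
```

On these rows the check reports three overlaps of RVOpen and RVClose, each lasting between 0.12 and 0.19 ms.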
7 TEST RESULTS
The comparison of the pilot system response to the logical model prediction was done manually by combining the results in an EXCEL spreadsheet and representing the time behaviour of the signals in graphical form. Automatic comparison, of course, would be possible in the spreadsheet by a simple logical operation between corresponding values, but this would merely point out each single discrepancy. These discrepancies may be caused by the small inaccuracies in the pilot system and test harness interface (e.g. quantification errors due to limited number of bits used for discretization of analog signals) and not be indications of severe errors. A more powerful comparison algorithm would be necessary to distinguish the severity of the discrepancies by their importance for the safe behaviour of the system. The development of these algorithms is a subject for further development of the test harness.
The tests showed originally some major differences between the test results and logical model predictions. It turned out that most of these differences could be explained by missing pressure compensation of the RKL level measurement in the logical model. This compensation was not defined in the requirements specification, which was used as the basis of the construction of the logical model in order to make it possible to find errors made in the design process. The requirements specifications are written by process specialists, who only specified the level measurement. In a later phase of the design process, the I&C system specialists selected the measurement transducers. In this special case a pressure difference transducer was selected for the RKL level measurement, which required a special pressure compensation. This was only defined in the formal specifications but not in the original requirements specification. The pressure compensation has such a strong influence on the system behaviour that significant deviations were found between model and actual system behaviour. When the pressure compensation was added to the model, most of the differences vanished.
The responses of the pilot system and the logical model are presented graphically in Appendix C. Diagrams simplify the detection of clear differences of output signals. A closer look at the timings of output signals can be taken by checking the output files, which show the response of the logical model at one second intervals and the exact moments when any of the pilot system output signals has changed its state.
After the correction of the logical model, the tests still showed some differences in the outputs of the two systems. These are discussed in greater detail in the following.
7.1 Test case 1
In test case 1, the behaviour of the av2, av3, av4 and Pumpe signals differs in one point (see Appendix C, pp. 1 & 2). This situation is traced back to near time 426 s, when in the pilot system the condition
RSB_Füllstand > max1 (in LeFu 3),
which becomes true (Fig 9.), seems to toggle these signals. However, neither of the other conditions in LeFu 3 is true at that time, which means that no triggering should happen. Condition
RKL Druck < min3
never becomes true in this test case. Condition
RKL_Füllstand < min1
nearly becomes true at 466 s (Fig. 10), which is however 40 seconds later than the triggering actually happens. It must be noted that in all other test cases the LeFu 3 seems to trigger at the right time, i.e. when condition
RKL_Füllstand < min1
becomes true.
To explain these differences a new test with the same test data would be needed to exclude the possibility of some error in the test arrangement. This was not possible since the difference came out only after the tests were completed and the test harness returned back to VTT.
7.2 Test cases 2, 3, 4 and 5
The responses of both systems were identical in these cases.
7.3 Test cases 6 and 7
In test cases 6 and 7 the responses were also identical except for short spikes in the response of the pilot system. In test case 6 the signals av1, av2, av4, av5 and rv_auf shortly went down to zero at the time point about 1 230 s and immediately returned up. In test case 7, correspondingly, the signals av5 and rv_zu went down for a short time at about 710 s. These disturbances were probably caused by a short loss of electrical power to the output cards of the pilot system (the pilot system was not a complete production application and did not include all necessary protection mechanisms for casual loss and return of electrical power).
Figure 10. The behaviour of RSB_Füllstand > max1.
Figure 11. Behaviour of RKL_Füllstand signal in test case 1. [Plot "Corrected Rkl_fullstand": y-axis 0,00 to 0,35, x-axis 0 to 1600.]
8 CONCLUSIONS
Development of the logical model required a reasonable amount of resources. The time used for modeling the pilot system and testing the model was approximately 1,5 man-months. The resulting model consisted of some 50 diagrams that in code generation produced roughly 90 kB of code. It seems that the ReaGeniX method and tools are applicable to modeling of fairly complex automation systems.
The test cases could be executed in the logical model with a speed that was ten times faster than real-time. The execution speed depends directly on the complexity of the model and the capacity of the environment. In this case a 50 MHz Intel 486 PC was used. As the duration of the test cases varied between 15 and 30 minutes in the target system, the time was cut down to 2 or 3 minutes in the logical model.
The actual testing of the pilot system took place in real time, so a single test run lasted between 15 and 30 minutes. That means that only a few tens of such test cases can be executed during one working day. If thousands of test cases are required for reaching statistical significance of the results, a rather long test period will be needed. On the other hand, one can with good reason insist that each test run actually contains several individual tests depending on the updating interval of the test data and the length of the internal memory in the tested system. It will be a subject for further research to define the significance of a long test run.
The APROS simulation tool proved to be an efficient means for production of the test data. The development of the pilot system model required about one man-month's effort by an inexperienced user. For a real testing project it would be quite easy to augment the APROS model library with modules simulating the function modules of the tested system. Thus the modeling would be even easier and the APROS model also could serve to produce the expected response of the test object.
The tests originally showed some major differences between the test results and logical model predictions. It turned out that most of these differences could be removed by adding a missing pressure compensation of the RKL level measurement to the logical model. This compensation was specified in the formal specifications, but not in the requirements specification, which was used as the basis of the construction of the logical model in order to make it possible to find errors made during the whole design process.
In the first test case some differences between the pilot system and the logical model still remained. The test material is, however, so limited that a profound analysis for detecting the cause of the different behaviour is not possible. A list of potential reasons is shown below:
1. Filtering of the input signals. However, filtering should have no effect, as there was no noise added to the input signals, and as the change rates of signals were very low compared to the cut-off frequency of the input filters of the pilot system.
2. Inaccuracies in the D/A- and A/D-signal conversions. A 12-bit converter was used which may have caused a slight error in signal conversions. However, the error caused by the converter is so small that it is in practice insignificant.
3. Other inconsistencies between the test harness and the pilot system. Lack of common grounding of the systems is a potential reason which can be included in this category.
4. Inconsistencies between the system specification and the formal specification of the pilot system. An example is the signal correction procedure which was not mentioned in the specification.
An important lesson learned in this case is that the requirements specification does not show the true behaviour of the pilot system. This conclusion is based on two findings in the documentation of the system: correction of an input signal and input signal filtering are not included in the specification. Both of these activities change the behaviour of the system. As these functions have been added to the system during the formal specification phase and the original specification has not been updated, the equivalence between the pilot system and its specification no longer exists.
The consequence of the discrepancy is that in addition to the specification, the formal specification document has to be used as a source for logical modeling. This prevents finding all possible errors that may be introduced into the software during the early phases of the development (i.e. all the phases before formal design, see Fig. 12). In other words, if the requirements specification could be used as the source document for logical modeling, all the errors brought into the software after system specification could be detected in dynamic testing. If the source is the formal specification, dynamic testing actually tests the compiler that compiles the formal design to executable software.
As discussed, the selection of the basis for the logical model construction is of great importance. Since the software errors in programmable systems mainly stem from the design phases, the logical model should be based on system requirements as early in the design process as possible. Usually in a proper design process all relevant data about system functionality is returned to earlier phases of the development process in some suitable way and form. There should be no obstacles to using this procedure with automation systems, too.
The trial test of the SAG pilot showed that the selected methodology for the construction of the logical model is quite feasible and allowed the logical model to be made with rather modest effort. The comparison of the test results to the logical model predictions in an EXCEL spreadsheet is rather clumsy and time consuming and requires development. In some cases the errors caused by the limited accuracy of the AD- and DA-channels may cause considerable differences in the time behaviour of the test object and logical model, e.g. when an analog signal surpasses an action limit. In these cases one cannot claim that the test object errs in a dangerous way but that a harmless discrepancy is found. One should try to find a comparison algorithm that could automatically exclude this kind of discrepancy from the errors.
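One possible shape for the comparison algorithm asked for here and in section 7, as an added example that is not the test harness's or the authors' algorithm: it separates small timing skew and short spikes from real deviations. The tolerance of one model step (1 s), the spike width limit and the edge lists are assumptions constructed for illustration, shaped like the cases in sections 7.1 and 7.3.

```python
# Added example: sort pilot/model differences into timing skew, short spikes
# and real deviations. tol_s and spike_s are assumed thresholds.

def classify(model, pilot, tol_s=1.0, spike_s=0.5):
    """Compare edge lists {signal: [(t_s, new_value), ...]} sorted by time.

    Returns (kind, signal, t_s, detail) tuples:
      timing    pilot edge has a model edge of the same direction within
                tol_s; detail is pilot time minus model time in seconds
      spike     two opposite pilot edges at most spike_s apart with no model
                counterpart; detail is the pulse width in seconds
      deviation any other unmatched edge; detail says which side has it
    """
    findings = []
    for signal in sorted(set(model) | set(pilot)):
        model_left = list(model.get(signal, []))
        pilot_only = []
        for t, value in pilot.get(signal, []):
            near = [e for e in model_left
                    if e[1] == value and abs(e[0] - t) <= tol_s]
            if not near:
                pilot_only.append((t, value))
                continue
            match = min(near, key=lambda e: abs(e[0] - t))
            model_left.remove(match)
            if match[0] != t:
                findings.append(("timing", signal, t, round(t - match[0], 3)))
        i = 0
        while i < len(pilot_only):
            t, value = pilot_only[i]
            nxt = pilot_only[i + 1] if i + 1 < len(pilot_only) else None
            if nxt and nxt[1] != value and nxt[0] - t <= spike_s:
                findings.append(("spike", signal, t, round(nxt[0] - t, 3)))
                i += 2
            else:
                findings.append(("deviation", signal, t, "pilot only"))
                i += 1
        findings += [("deviation", signal, t, "model only")
                     for t, _ in model_left]
    return findings


# Constructed edge lists (times in seconds), not measured data.
MODEL = {"av2": [(466.0, True)],
         "av5": [(120.0, True)],
         "Pumpe": [(300.0, True)]}
PILOT = {"av2": [(426.0, True)],        # 40 s before the model
         "av5": [(120.0, True), (710.0, False), (710.05, True)],  # short dip
         "Pumpe": [(299.4, True)]}      # within one model step

if __name__ == "__main__":
    for finding in classify(MODEL, PILOT):
        print(finding)
```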
The user interface of the on-line system also needs more development. It would greatly ease the work if the behaviour of the test system as well as the predicted response could be presented on the screen of the system in real time so the differences could be directly seen, the cause analyzed and corrected.
Figure 12. Selecting the proper source for logical modelling. [Diagram labels: Requirements of the target system; Specification of the system; Design solutions of the system; Implementation solutions of the system; Potential errors in transformations; Logical modeling.]
9 REFERENCES
Abott 1992. The role of dynamic testing in the certification of software based safety critical systems. In: IAEA-TECDOC-780, "Safety assessment of computerized control and protection system", 7 pp. Vienna, 12–16 October 1992.
Abraham 1994. Formale Spezification der Leittechnik zum DEMO-Versuchsaufbau, KWU NL-R/1994/18. Erlangen 7.3.1994, 1 pp. + app. 35 pp. ("Formal specification", confidential).
Haapanen, Heikkinen, Korhonen, Maskuniitty, Pulkkinen, Tuulari 1995: Feasibility studies of safety assessment methods for programmable automation systems. Final Report of the A W project. STUK-YTO-TR 93. In press.
Heikkinen 1994. Unit & Integration test plan for logical model of Siemens pilot system. VTT Electronics, 1994.
Prosa 1989. Prosa Structured Analysis Drawing Tool. User's Manual. Insoft Ky. July 1989.
ReaGeniX Programmer 1994. User's Manual. VTT Electronics.
ReAnimator 1994. User's Manual. VTT Electronics.
Seiter, Krien, Abraham 1991a. Mengengerüst und funktionelle Struktur der digitalen SILT für die Demonstrationsanlage (Stufe 1-3), KWU E 431-91-2031b. Erlangen 12.7.1991, 13 pp. + app. 20 pp. ("System requirement specification 1", confidential).
Seiter, Krien, Abraham 1991b. Verfahrenstechnische Aufgabenstellung an der digitale SILT für die Demonstrationsanlage (Stufe 4-5), KWU E 431-91-2032b. Erlangen 12.7.1991, 15 pp. + app. 34 pp. ("System requirement specification 2", confidential).
Wernecke 1994. Testspezifikation. Funktionaler Test der Digitalen SILT der Demonstrationsanlage. KWU NL-R/1994/17. Erlangen 7.3.1994. 88 pp. ("test specification", confidential).
APPENDIX A THE LOGICAL MODEL
Data Flow Diagrams
[Figures not reproduced: data flow diagrams of the logical model (title blocks: author JOH, project AW, status Prop, version 1.0, dated 23-12-1994). Legible diagram titles: 1 Maintain_pressure; 1.1 Control_rv; 1.2 Control_valves; 1.4.2 Check_lefu2; 1.4.3 Check_lefu3; 1.4.5 Check_lefu5; 1.4.7 Check_lefu7.]
State Transition Diagrams
[Figures not reproduced: state transition diagrams of the logical model (title blocks: author JOH, project AW, status Prop, version 1.0), dated 23-12-1994 except 1.4.2.2 Check_lefu_2_2 (13-02-1995) and 2 Input (24-04-1995). Legible diagram titles: 1.1.1.1 Implement_wl_min_hyst; 1.1.2.1 Implement_pr_min_hyst; 1.1.3 Determine_control; 1.2.1 Control_v1; 1.2.2 Control_v3; 1.2.3 Control_v2; 1.2.4 Control_v5; 1.4.1 Check_lefu1; 1.4.2.1 Check_lefu_2_1; 1.4.2.2 Check_lefu_2_2; 1.4.3.1 Check_lefu_3_1; 1.4.3.3 Determine_lefu3; 1.4.4 Check_lefu4; 1.4.5.1 Check_lefu_5_1; 1.4.6 Check_lefu6; 1.4.7.1.2 Implement_and_delay; 1.4.8 Check_lefu8; 1.4.10 Delay_ppe; 1.5 Control_ppe; 2 Input.]
[Partly legible in diagram 2 Input: v(rkl_wl) = -0.04179 + 0.0107*v(rkl_pr) + v(rkl_wl)]
APPENDIX B TEST DATA
[Figure, p. 51: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 52: 0/1 test data signals against time [s], 0 to 1800 s: Pump on, FB >max1, FB <min1.]
[Figure, p. 53: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 54: test data signals against time [s]; panel titles not legible.]
[Figure, p. 55: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 56: 0/1 test data signals against time [s], 0 to 1800 s: FB >max1, FB <min1, RSB >max1 and one panel without a legible title.]
[Figure, p. 57: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 58: 0/1 test data signal against time [s], 0 to 1800 s: RSB >max1.]
[Figure, p. 59: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 60: 0/1 test data signal against time [s], 0 to 1800 s: RSB >max1.]
[Figure, p. 61: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 62: 0/1 test data signal against time [s], 0 to 1800 s: RSB >max2.]
[Figure, p. 63: test data against time [s], 0 to 1800 s, in three panels: RKL pressure [bar], RV position [%], RKL level [m].]
[Figure, p. 64: 0/1 test data signal against time [s], 0 to 1800 s: RSB >max2.]
APPENDIX C TEST RESULTS
[Figure, Out 1/1 (p. 65): panels AV1m Auf, AV1s Auf, AV2m Auf, AV2s Auf, AV3s Auf, AV4m Auf, AV4s Auf.]
[Figure, Out 1/2 (p. 66): panels AV5m Auf, AV5s Auf, RVm Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 1/3 (p. 67): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 2/1 (p. 68): panels AV1m Auf, AV1s Auf, AV2m Auf, AV3m Auf, AV3s Auf, AV4m Auf.]
[Figure, Out 2/2 (p. 69): panels AV5m Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 2/3 (p. 70): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 3/1 (p. 71): panels AV1m Auf, AV2s Auf, AV3s Auf, AV4m Auf, AV4s Auf.]
[Figure, Out 3/2 (p. 72): panels AV5m Auf, AV5s Auf, RVm Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 3/3 (p. 73): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 4/1 (p. 74): panels AV1m Auf, AV1s Auf, AV2m Auf, AV2s Auf, AV3m Auf, AV3s Auf, AV4m Auf, AV4s Auf.]
[Figure, Out 4/2 (p. 75): panels AV5m Auf, AV5s Auf, RVm Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 4/3 (p. 76): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 5/1 (p. 77): panels AV1m Auf, AV1s Auf, AV2m Auf, AV2s Auf, AV3m Auf, AV3s Auf, AV4m Auf, AV4s Auf.]
[Figure, Out 5/2 (p. 78): panels AV5m Auf, AV5s Auf, RVm Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 5/3 (p. 79): panel Druck hoch m.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 6/1 (p. 80): panels AV1m Auf, AV1s Auf, AV2s Auf, AV3m Auf, AV4m Auf, AV4s Auf.]
[Figure, Out 6/2 (p. 81): panels AV5m Auf, RVm Auf, RVm Zu, RVs Zu, Pumpe Ein s.]
[Figure, Out 6/3 (p. 82): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.
[Figure, Out 7/1 (p. 83): panels AV1m Auf, AV1s Auf, AV2m Auf, AV2s Auf, AV3m Auf, AV3s Auf, AV4m Auf and one panel without a legible title.]
[Figure, Out 7/2 (p. 84): panels AV5m Auf, RVm Auf, RVs Auf, RVm Zu, RVs Zu, Pumpe Ein m, Pumpe Ein s.]
[Figure, Out 7/3 (p. 85): panels Druck hoch m, Druck hoch s.]
Index m refers to the model; index s refers to the pilot system; time scale of the x-axis in [s], 0 to 1800 s. Panel labels are in German: Auf = open, Zu = closed, Pumpe Ein = pump on, Druck hoch = pressure high.