presentation of mr. h.w. bock, germany
TRANSCRIPT
Presentation of Mr. H.W. Bock, Germany
fer //fétsf//*/ iïufw/rfm œs/w/œs ßss///00мгt
• attbwiï//с см/yâ/
ШЯ tft#chiffe /iïfoffiœ (opewli«<j¿ ммМф)
едшрмец f/ow/e-cf/ptt ¡ /fyûû/acù /
ея r/roHMtenf а и / f r f e e f o i
* ф
far ^PP's Q^vaxcé/CPnfo/Sifsfevts yâs /F
m sxiMâ f&r s
fir Sct/ety 7e/emn/ /uncfims (reacfcr-/arrM'fi« f ~//bf/6//t*s
S ysíeHt § pwen jfar ^¿'сл/г'м ¡f pre # srifaé/e /precvrerf'/t'**
mfk aetíifmct/i • quct/ifïeo/ se/e-cf/м ////yttq/tfi'tofm
0 yuali/iet/ ¿qsfeto S t l / f û / e c m M b / Ш 8$0 )
ê fit UÛ // fll'fi// Л »Л f /> J^/o/ //0 Ля'//*'/ Ç/s/"
S I E M E N S
General System Properties of TELEPERM XP and XS
Q Extensive use of standards and quasi standards
. ISO/OS! -reference model tor communication .. Ethernet IEEE 802.3 .. Profibus DIN 19245
. Standardized user interface applied for the engineering system and the process control and information system
.. OSF/Mot¡v,UNIX, Windows
Q j Engineering system
. integrated system for engineering maintenance and documentation
. consequent forwards documentation assures consistence between functionality and documentation
. graphical user interface with standardized symbols
. consistent management of all l&C engineering data for the whole plant in a central INGRES database
. maintenance, management of modifications and diagnosis without software knowledge
Q| Equipment of a large scale serial production line (SIMATIC, SINEC) as a long-term reliable basis
Q Scalable architecture
. economic solution for very small applications as well as for complete power plants
. selectable degree of redundancy
T E L E P E R M X S Dereich KWU NL-R Datum 12.8.94 rtool g I CopyritiM S I E M E N S AG 1903 All Riqlils Rosorv«»!
S I E M E N S
Tasks of the Engineering System
Subrack allocation Cabinet allocation
Plant graphics Curves
Logic diagrams
/••• 4 • • П •
TELEPERM XS
Connection diagrams Sub-distr. board assig.
= — -
-
_ i
_ i
«Л
4>
Dereich KWU NL-R Dalum 14.07.94
Copyright " S I EMENS AG 1003 All Rights Rosorvn'f
SIEMENS
Advanced l&C Systems for Nuclear Power Plants TELEPERM XP (Operational l&C) TELEPERM XS (Safety l&C)
Process Control and Information
Engineering
Plant LAN
Automation
Safety Control and Information
SNAP LAN •
Reactor Protection
Bereich KWU NL-R Dalum 1
Гпп>»Йл < CICHCU"! ДГ! 1ВД ЛИ Rinhtc Рос
SIEMENS
Overview TELEPERM XP
Process Control Process Information Process Management
• J / 7 z j - e = » = = Í 3 V \
m s 5 l г m = i o | _ _ , •
Processing' " -Urnt:. v:
Processing 'HíÜnit;
Plant Management
Terminal LAN
Engineering Commissioning Maintenance
Processing Unit
f Ulssl ¿1 f Ills!
Processing Unit
»V
Plant LAN
TELEPERM XS Bereich KWU NL-R Dalum 14.07,94
Copyriqlil • • SIEMENS AG 10'tt All Пн||||г. Пог.огу"(1
SIEMENS
Process Control and Information
• 1
Operator Terminal
Operator Terminal
\ Л
Terminal LAN
V 4
Plant LAN
TELEPERM XS
^ fz
Operator Terminal
Server Unit
-ё \
Dereich KWU NL -R Dalum 14.07.94
Гпп.ггЫ.| : . 4IPMPMÇ AR ют ЛИ nullité Pi.cr.rvf.rl
SIEMENS
System Properties
Hardware and software components
. selected hardware components .. qualified for nuclear applications .. manufactured with extended factory tests
. small static operating system .. developed acc. to IEC 880 .. qualified for nuclear applications
. qualified library functions
Robust design
. energetic decoupling by fibre optics
. earthquake protected construction
. improved electromagnetic compatibility
. small failure rates
. extended design margins
Redundant structures
. support of high redundant structures
. highly reliable and available majority voter
. coordination and supervision of redundant equipment
TELEPERM XS
Application software
. qualified method and qualified tools to produce the application software
. no manual programming
. automatic code generation
. automatic code verification
. support of the licensing procedure
Deterministic system behavior
. cyclical processing of all tasks
. predefined failure behavior
. system behavior totally independent from the plant status
. predefined failure boundaries
Extended testability
. automatic detection of nearly all failures
. supervision of redundant equipment
. automatically processed recurrent tests
. detailed diagnosis
Bercich KWU NL Datum 15.8.94
SIEMENS
Scope of Application
a single failure does not cause a spurious actuation a single failure does not cause a loss of function
recurrent tests during power operation ; common cause failure ;
Design Requirements
TELEPERM XS Bereich KWU NL-R Datum 15.8.94 Fallg_g 1 Copvriqht <b S I E M E N S AG 1993 All Rights Reserved
SIEMENS
System Life Cycle acc. to I EC 880
Process Engineer
Control engineer
£ Hardware
requirements
Ï Realize
I Implement
Safety System Requirements
System Architecture
I Integration
Requirements
Integration^ Requirements
Verification
Increasing Refinement
System Integration
System Testing
T
Integration Test
ï Software
Requirements
Software Design
Í Coding
System Validation
Software Requirement Verification
Design Verification
Coding Verification
I
TELEPtRM XS Bereich KWU NL-R Datum 29.11.93 Ftool n 1 Copyright fJ S I E M E N S AG 1993 All Rights Roson/nd
SIEMENS
The system design process
Requirement specification System specification
Postulated initiating events «
l&C,functions , — ' -, / -г -f" <
:
' Time 1 1
requirements, ,¡
Rules, " i Conventions fc/vj
l&C functions"
Functional behavior \
• . и *
Design criteria:;
- О — Respons-: time
I Syntax-j'analyzer
o
О
17*
Code generation
n • I I—I • J I—J а —-
• в
Code Generator
Validation
1 1 1 i l l
О Code-
analyzer
Test-bed
f Ш
О
TELEPERM XS
SIEMENS
Plant Safety Analysis
Plant Safety Analysis
(0
с <D
E <D
СГ <D
£
a
w
U)
(0 CO
SW-Development according to IEC 880
ft 'ReqM Ä >
""•'¿¿¡ФЪ?-:-''-;
$ t-* ** & Co'ding-
System
Design:; — 1 • к > $ t-* ** &
Co'ding-Inte-
gration
/«Vërif.'i-, <1
íiVerifíá'í <1 Verif.
Qualified SW-Design Rules Qualified Code Generator Type-Tested SW-Modules
СП
'c о w to
£ E о О
oö с о
Ч—» 0 (D 1м 1
LU -t-» с _га
CL
Plant Operation, Backfittíng < • P S A
Computer : . /Safety System
in Operation
SW-ïooÎ
SW a HW Documenlalion
SVVSHW Diagnosis
Recurring Tests
1 Chanel each
Computer Safety System
: in Operation
Improved
(HW) Improved &
Safety S W System > Require-Reqire- ments ments
Comparison ; SP/ EnqineerihOj Process for Йрр/icaíioHSkf
KV/U ÍJLL Poltn xyz ©
SIEMENS
Typical Specification of an Automation Task
Qe
Xc
V
^ >\ „ к 1 -f* ri ' , i » s " « / j » "> * ч *
t if Л , .. .«.v., ^ . , V V*-
-X
System Specification
x(t) = xO + k(qe - qa) dx
Jo
qa = У * *
Automation Task
л/
y( 0 =y0 + c(x5 - x) dx
« 0
TELEPERM XS Bereich KWU NL-R Datum 29.11.93 Ftool g 1 onvrinM • ÇtPMFMÇ ЛП 1П1Ч ЛИ RidhK Ro'.orVGti
SIEMENS
Definition of a Formal Language
f, * "" î*» » t
'Vi A - »
X± x2
X± X 2
C b
y(t) = " , „ ^
Л* ClT + y O 0
y( 0 = X2(t) + * , ( / )
y(t) = A-,(/) * x2(0
y(t) = с JJ
Semantic
У x <=> x(t) = -y(t) Syntax
TELEPERM XS Bereich KWU NL-R Datum 29.11.93 Flnol g 1 Copyrifilil S I E M E N S AG 1903 All Rights RnsorvorJ
SIEMENS
Matched Task Specification
X _
с _
I / » Xs — « . 4 - У I / » У I /
Level control
i
I
M
T E L E P E R M X S Bereich W U NL-R Datum 29.11.93 Ftnol g 1 Г. .-.(r.r.l.i Г1П1РЦГ Дг; fl'l'! ЛИ Пвугус'Г
SIEMENS
Method of Software-Production
l & C - F u n c t i o n s
Hardware-Specification
a В ш шв
for Application Software
t = £ >
¥
for runtime environment
for procurement documents
TELEPERM XS
SIEMENS
Error sources
«wi«'Wi».4 iirmwvmr-jr.jçrw чип ЛЧ WHgmw'M. щ и.чирн M
n Error sources in the software development process have been systematically investigated together with the worldwide performed experiments to evaluate the vvortli of software diversity.
The most representative experiment in the field of nuclear applications was the was the so called PODS diversity (1985 GB).
Results of the "PODS Diversity experiment" (Project of Diverse Software, GB 1985)
Task: reactor over-power protection trip
Se*en residual errors have been found after verification and validation. Six of them resulted from the anibigous system re-quirement specification and one of them from an problem in
the X specification language.
TELEPERM XS Bereich KWU NL-fl Dalum29.It.93 Flool g 1 Convnriht e S I EMENS AG 1093 All Riqhls RaservrW
SIEMENS
Software CCFs
Facts
О Software does not age
О Environmental conditions can not trigger software failures
Q A cyclical system behavior assures independence from plant conditions
О Software failures in redundant channels are strongly corre-lated
E P R - Safety I&C
Consequence
Software failures are always initiated by triggering events
Software failures are always triggered by the processed data
Beta-iactor models cannot be applied
Concerning software failures sys-tem reliability cannot be improved by redundancy
Software failures determine the reliability of highly redundant systems
Bereich KWU NL-R Datum
Copyright ts S I EMENS AG (993 AH HigMIs M«
SIEMENS
HW CGF in the central I&C systems
1 Ш Ш Ш Ш Ш 1
Assumptions:
О All functional design requirements are stressed strongly cyclically during normal operation
Q Environmental conditions in different trains are changing independently
О Data triggered failures (crosstalk effects) affect all equipment processing same programs and data
Consequence
Failures caused by aging are spontaneously detectable
Failures triggered by environmental conditions affect only one train
Beta-factor model application can be restricted to this fraction (P2/4 = 1 2* io-4 )
Nearly no advantage by hardware diversity
«С N
E P R - Safety I&C
SIEMENS
Structure of Safety l&C
Type С Type A Type В ф е С
I I S A I r-«iwi» í'-i I U I S
1 m m
.-.г. шт-
Hardwired MMI
2 W
ш 'Ш 1
Ш Ш Operational i&C
Highl ights
four trains
three independent channels : within each train for signal
acquisition and accident •identification-
four independent channels .• within ¡each train for. ;.:'•.. : . subsystem control ' •''
use of functional diversity between independent channels
useof 2 - o u t - r o M voting between the four trains • л
SA Signal acquisition and preprocessing
Al Accident identification
SC Subsystem control
VO 2 -out -o f -4 voting
AV Priority module
TELEPERM XS Copyright © Siemens AG 1Q94 All Rights Reserved KV/U ML T/5 Fol 2..Ш 1503.94
S I E M E N S
Steps of the qualification procedure
Q Conceptual assessment of the whole system by G R S
Since 1988 continuous assessment of the development on behalf of the Bavarian licensing authority (BStM LU)
June 1992 acceptance of the concepts to realize I&C systems for safety functions of the highest category )
i [~J Typetesting of the hardware f
Since February 1994 contracted to TÜV-Nord Practical testing is delegated to the ISEB institute of the TÜV Rheinland
Q Typetesting of the software Since October 1992 contracted to GRS who is supported by the TÜV-Nord
[~| Quality verification of the tools
Verification of tool quality is contracted to GRS. The main difference be-tween the software typetesting and the quality verification is that in case of quality verification the task of the independent assessor is restricted to critical reviews of the development and test documentation.
TELEPERM XS Bereich KWU NL-R Dalum 12.8.94 F tool g 1 Cnnwiinht Я!ГМГМЧ An ют All RiritiR Rnsnryivl
SIEMENS
Basis of qualification
Typetesting
Hardware КТА 3501
0) I EEE 323 с IEC 987 о E О КТА 3503 V . '
3 О" E N 55011 о сс IEC 801
IEEE 344 IEC 68 IEC 1131
Software Req
uir
emen
ts КТА 3501
IEC 880
Req
uir
emen
ts
A N S - 1 0 . 4
Req
uir
emen
ts
I EEE 829 I EEE 1008
Req
uir
emen
ts
I SO 9 0 0 0 - 3
TELEPERM XS
Quality verification
Tools
Req
uir
emen
ts
A N S - 1 0 . 4
Req
uir
emen
ts
I EEE 829 IEEE 1008
Req
uir
emen
ts
I SO 9 0 0 0 - 3
oo
S \
Bereich KWU NL-R Datum 30.8.94 Ftool tf t Copyright SIEMENS ЛП irm All nif|lilr, Dnsorv""!
SIEMENS
Summary of the GRS Assessment
In the opinion of the assessor the concept submitted constitutes a new I&C system for critical and highly critical safety applications in nu-clear power plants. It is based on future-oriented technology which corresponds to the state of the art. The concept submitted goes into such depth that it's consistent implementation in line with the pertinent codes and standards will be possible and that no problems are to be ex-pected in the course of this.
TELEPERM XS