A Behavior-preserving Translation from FBD Design to C Implementation for Reactor Protection System Software
Authors
Abstract
Safety [1] is an important property for nuclear power plants in order to obtain permission from government authorities for their operation and for the possible export of power plant construction technology. As the nuclear reactor protection system (RPS) makes decisions for emergency reactor shutdown, RPS software should be verified throughout the entire software development life cycle (SDLC). Recent commercial digital I&Cs (Instrumentation & Controls) use a safety-level PLC (Programmable Logic Controller) as a common hardware platform for the RPS, e.g., Shin Ulchin 1/2 NPPs in Korea. The RPS software is first modeled with IEC 61131-3 FBD (Function Block Diagram) [2] in the design phase. In implementation, the FBD programs are translated into C programs and then compiled into executable machine code for the RPS hardware PLC. Specialist compiler companies typically provide C compilers whose functional correctness is thoroughly verified and demonstrated. Translators from FBDs to C programs, on the other hand, are usually developed by PLC vendors, who should sufficiently demonstrate the correctness and functional safety [3] of the so-called 'FBD-to-C' translator. Vendors such as AREVA, Invensys and POSCO ICT have provided PLCs and software engineering tool-sets. 'SPACE' [4] is a software engineering tool-set for AREVA's PLC 'TELEPERM XS' [5]. It stores FBD programs in the database 'INGRES' and generates ANSI C programs for code-based testing and simulation ('TXS SIVAT' [6]). ISTec GmbH has also developed a reverse engineering tool, 'RETRANS' [7], for checking the consistency between FBD programs and the generated C programs. The mechanical translator in 'SPACE' has been validated in these ways, and the software engineering tool-sets have been used successfully for more than a decade. It is worth noting that 'SPACE' does not use one common C translator for both 'RETRANS' and executable PLC code generation ('TXS SIVAT' uses two translators for the two different purposes). PLCs from Invensys have also been widely used. 'TriStation 1131' [8] is its software engineering tool-set. It provides enhanced emulation-based testing and real-time simulation of FBDs, but does not include a translator into C programs. The KNICS (Korea Nuclear Instrumentation and Control System R&D Center) project [9] and POSCO ICT in Korea have recently developed a safety-level PLC 'POSAFE-Q'

Software safety for nuclear reactor protection systems (RPSs) is the most important requirement for obtaining permission for operation and export from government authorities, which is why it should be managed with well-established software development processes. The RPS software is typically modeled with function block diagrams (FBDs) in the design phase and then mechanically translated into C programs in the implementation phase, which are finally compiled into executable machine code and loaded onto the RPS hardware PLC (Programmable Logic Controller). Whereas C compilers are fully verified COTS (Commercial Off-The-Shelf) software, translators from FBDs to C programs are provided by PLC vendors. Long-term experience, experiments and simulations have validated their correctness and functional safety. This paper proposes a behavior-preserving translation from FBD design to C implementation for RPS software. It includes two sets of translation algorithms and rules as well as a prototype translator. We used an example of RPS software in a Korean nuclear power plant to demonstrate the correctness and effectiveness of the proposed translation.
Related papers
A systematic verification of behavioral consistency between FBD design and ANSI-C implementation using HW-CBMC
Controllers in safety critical systems such as nuclear power plants often use the Function Block Diagram (FBD) to design software embedded in the PLC (Programmable Logic Controller). Software engineers develop FBD programs manually, while engineering tools provided by PLC vendors translate them into ANSI-C programs mechanically. Every new PLC and its software engineering tool should demonstrate...
A Preliminary Report on Static Analysis of C Code for Nuclear Reactor Protection System
Cybersecurity regulations require new I&C (Instrumentation & Control) systems in nuclear power plants to develop software in accordance with a secure software development methodology in order to protect the digital systems from cyber attacks. One of the common aspects of the various secure software development methodologies is that widely accepted practices should be followed throughout programming. As PLC (P...
Verification of PLC Programs Written in FBD with VIS
Software safety [1] is an important issue for embedded real-time control systems such as those found in nuclear power plants. When verifying safety-critical software, formal methods [2] play critical roles in demonstrating compliance to regulatory requirements. The Korea Nuclear Instrumentation & Control System R&D Center (KNICS) [3] project used the NuSCR [4] formal specification language and ...
Automated Test Coverage Measurement for Reactor Protection System Software Implemented in Function Block Diagram
We present FBDTestMeasurer, an automated test coverage measurement tool for function block diagram (FBD) programs which are increasingly used in implementing safety critical systems such as nuclear reactor protection systems. We have defined new structural test coverage criteria for FBD programs in which dataflow-centric characteristics of FBD programs were well reflected. Given an FBD program ...
A Research on Seamless Platform Change of Reactor Protection System from PLC to FPGA
A safety grade PLC is an industrial digital computer used to develop safety-critical systems such as RPS (Reactor Protection System) for nuclear power plants. The software loaded into a PLC is designed using specific PLC programming languages [1] such as FBD (Function Block Diagram) and LD (Ladder Diagram), which are then translated and compiled into a C program and executable machine code of a...
Publication date: 2013