AdaIC News Summer 1997

Ada Diversifies Westinghouse’s
Czech Nuclear Shutdown System

By Ann Eustice Brandon

| Why choose Ada? | The I&C architecture |
| Developing the software for the backup shutdown system |

When Westinghouse Electric Corp. started to develop software for a Czech nuclear reactor’s secondary shutdown system, they knew it had to be robust. The company needed to assure all interested parties – from the Czech Republic’s regulatory agencies, to its Western neighbors, to its own regulatory agency – that the system was accident-proof. To help them give that assurance, they chose Ada.

The stakes were high. Immediately after the 1993 break with Slovakia, the Czech Republic decided to continue construction and retrofitting of a Soviet-designed reactor, a VVER-1000, in the town of Temelin, 60 kilometers (36 miles) from the Austrian border.

Czech goals are to generate 50-percent of their national power through nuclear energy by the millennium, and to replace the high-sulfur domestic brown coal whose smoke has laid waste to a third of Bohemia’s forests. Nearby Austria has equally vital concerns. While in most of the world the specter of nuclear disaster is named “Chernobyl”, in Czechoslovakia it is called “Bohunice”.

For over a decade, the four-unit Soviet VVER-440 plant there suffered mishaps and accidents that culminated in April 1990 when the coolant level rose and caused the building to flood. Austria began handing out free potassium iodide (KI) tablets and lobbying internationally to stop the Soviet-designed plants from operating.

Bohunice is now part of western Slovakia, but the Czechs needed to earn Western European confidence in Temelin’s safety. Otherwise, obstacles to international licensing and financial backing could frustrate their efforts.

In 1994, Westinghouse signed a $419-million contract to provide new instrumentation and control (I&C), to design new fuel and a reactor core, and to supply U.S.-manufactured fuel. Despite Austrian opposition, the U.S. Export-Import Bank awarded the company a much-needed $317 million loan guarantee.

Although the Czech utility Skoda is in charge of testing and licensing the I&C system, the company has taken steps to assure neighboring countries that Temelin’s software can pass U.S. Nuclear Regulatory Commission (NRC) regulations. Most of the I&C system is already licensed in Europe. Westinghouse is reusing much of the software that it previously installed in a Sizewell, England, plant. Also, the NRC has trained Skoda technicians in licensing and testing reactor software.

While much of the Westinghouse software is reused, the secondary shutdown system is completely new. For the software, the Monroeville, Penna., division decided to program the backup shutdown system in Ada; the primary shutdown system is in PLM-86.

Why choose Ada?

Westinghouse came to its decision by conducting a survey of languages and narrowing the field to Ada and C. It chose Ada because of several factors. First, the Ada programming language is an international standard (ISO/IEC 8652). If Westinghouse wins a similar contract in Poland, for example, the Czech software should successfully compile on the different or newer computer system.

Second, Westinghouse chose Ada because the behavior of an Ada program can be deterministic at the lowest level through logical access of the target hardware’s basic elements, and through control over the visibility of types, operations, and data. Third, Ada features strong type and range checking. Fourth, those features and its modular construction have long made it attractive to other organizations for safety-critical applications. Ada is used extensively by international airplane manufacturers, the U.S. Federal Aviation Agency (FAA) and Department of Energy, and many nations’ organizations for air traffic control and aerospace exploration. As a result, government agencies had already subjected Ada software-development tools to stringent tests for safety.

Westinghouse found such a tool through the compiler manufacturer Thomson Software Products (now called Aonix). Thomson offered a run-time system, C-SMART, that had been used on several of the Boeing 777 aircraft’s systems, including the brakes and the power ignition, and had met FAA standards.

The I&C architecture

Westinghouse’s I&C system will control the Temelin reactor’s everyday operations as well as protect the plant from accidents. A Unit Information System (UIS) processes the data from Temelin’s control and protection systems via a WESTNET highway, which is a standard high-speed redundant Fiber Distributed Data Interface. Its redundancy ensures that one data highway can fail without crashing the system. The highway distributes the data to a technical support center, and to the main and emergency control rooms, which have switches that communicate directly to the two shutdown systems.

The secondary protection system monitors the sensors of various conditions in the plant, such as temperatures, flows, and pressures, to detect if they are below or above a set point. If an acceptable range is exceeded, then the Ada-driven system sends a signal to the non-logical programming (NPL) control room, where software is embedded in the hardware. The primary system also sends a signal to the NPL. If the two systems agree, then the NPL implements one or more of its nine reactor trip functions, which usually means closing or opening a valve or a pump. If they disagree, then the NPL decides which signal to obey according to a set of logical choices that cannot be changed since they have been burned into the hardware.

Developing the software for the backup shutdown system

A different architecture and a different language were not the only ways in which Westinghouse satisfied the ambiguous requirement that its secondary protection system be “diverse.” The software-development laboratory also hired a new staff of programmers who were unfamiliar not only with the other systems’ software design, but also with nuclear plants and with Ada. “We purposefully went after programmers with little or no experience in nuclear-reactor software,” said Jeff Pike, the diverse protection system’s lead engineer. “We wanted a completely clean slate.” All the new programmers had a core knowledge of nuclear physics and experience in other languages, such as C and PLM. After a week of in-house training in Ada, the programmers began designing the new system from scratch.

For the secondary backup system, developers decided to use a combination of object-oriented design (OOD) and structural analysis. Programmers currently equate OOD with clear and easily maintainable software; in safety-critical applications, however, it does have drawbacks. In order to control the complexity of a solution, for example, OOD programmers will conceal unnecessary details throughout an algorithm. Such information hiding is almost forbidden in many safety-critical software requirements. For instance, when a piece of software’s failure in a new airplane would be “catastrophic”, then the FAA requires that every line of code must be demonstrably executed. In other words, nothing can be hidden. For Westinghouse’s secondary shutdown system, the engineers used the design techniques that characterize Ada and OOD in order to facilitate the separately developed software’s integration. Some information is hidden, such as the I/O, so that other components cannot mistakenly corrupt the data.

The Westinghouse software developers further ensured that the Ada software would meet safety-critical criteria by choosing Thomson’s C-SMART library and its standard cross compiler, which translates the host’s code into Motorola 68040 executable software. When used together, the compiler and C-SMART library reject code that uses Ada features that are not generally accepted in safety-critical applications. Tasking, for example, can communicate data from a dozen sensors simultaneously; but it is forbidden because the timing of executed code is not set in granite.

After another round of editing the documentation and implementing any customer changes, Westinghouse hopes to ship its new I&C system in November 1997. In the fall of 1996, the company started to test, verify, and validate its new backup protection software, which will be fewer than 100,000 SLOC. Testing for the entire system should be completed in May 1997.

The Temelin power plant still has hurdles to overcome before final approval, and has drawn opposition from inside as well as outside the new Czech republic. Moreover, the requirements for the secondary shutdown system continue to change as the Czechs fit Western standards into a Soviet design.

Despite the moving baseline, the programmers are integrating the individual parts of the new modules into a complete system, which Ada’s strong typing has made easier than they expected. Pike said that, unlike his experience with C integration, he does not worry that another developer “was supposed to pass me three parameters and only passes me two and they’re of a different type.”

“At this point in the development, most people see that Ada has significantly cut down on the integration time,” Pike said. “Problems are in logic mistakes or requirements that are not lined up at the system level, more than mismatches that you would find if not using a strongly typed language.”

In time, Westinghouse expects that Skoda and the Austrians will share the programmers’ confidence in Ada’s strength and safety.

[A complete version of this article can be found on the AdaIC’s Web site:]

Previous Page Contents Next Page