While in most of the world the specter of nuclear disaster is named "Chernobyl," in Czechoslovakia it is called "Bohunice." For over a decade, the four-unit VVER-440 plant in Bohunice suffered mishaps and accidents that culminated in April 1990 when the coolant level rose and caused the building to flood. Nearby Austria began handing out free potassium iodide (KI) tablets and lobbying internationally to stop the Soviet-designed plants from operating.

Ada diversifies Westinghouse's I&C system

Although the Czech utility Skoda is in charge of testing and licensing the I&C system, the company has taken steps to assure the neighboring countries that Temelin's software could pass U.S. Nuclear Regulatory Commission (NRC) standards. Most of the I&C system is already licensed in Europe: Westinghouse is reusing much of the software that it previously installed in a Sizewell, England, plant. Also, the NRC has trained Skoda technicians in licensing and testing reactor software.

While much of the Westinghouse software is reused, the secondary shutdown system is completely new. Both the primary and the backup protection system contain three redundant divisions as a safeguard against error. However, the same software bug could simultaneously bring down all three divisions. In order to raise the odds to impossible of that happening simultaneously in both the primary and secondary systems, Westinghouse redesigned the backup system's architecture with different software and hardware. For the software, the Monroeville, Penna., division decided to program the backup shutdown system in Ada; the primary shutdown system is in PLM-86.

Why choose Ada?

Second, Westinghouse chose Ada because the behavior of an Ada program can be deterministic at the lowest level through logical access of the target hardware's basic elements, and through control over the visibility of types, operations, and data. Third, Ada featured strong type and range checking. Fourth, those features and its modular construction had already made it attractive to other organizations for safety-critical applications. The language is used extensively by international airplane manufacturers, the U.S. Federal Aviation Agency (FAA) and Department of Energy, and many nations' organizations for air traffic control and aerospace exploration. As a result, government agencies had already subjected Ada software-development tools to stringent tests for safety.

Westinghouse found such a tool through the compiler manufacturer Thomson Software Products (now called Aonix). Thomson offered a run-time system, C-SMART, that was used on several of the Boeing 777 aircraft's systems, including the brakes and the power ignition. The system was therefore already documented for safety-critical applications in accordance with FAA standards.

The I&C architecture

The secondary protection system monitors the sensors of various conditions in the plant, such as temperatures, flows, and pressures, to detect if they are below or above a set point. If an acceptable range is exceeded, then the Ada-driven system sends a signal to the non-logical programming (NPL) control room, where software is embedded in the hardware. The primary system also sends a signal to the NPL. If the two systems agree, then the NPL implements one or more of its nine reactor trip functions, which usually means closing or opening a valve or a pump. If they disagree, then the NPL decides which signal to obey according to a set of logical choices that cannot be changed since they have been burned into the hardware.

The secondary protection system architecture

Each processor board has a 68040 microprocessor, three for each of the backup system's three protection divisions, which equals nine, plus one 68040 board for each of the two monitoring systems. The five cabinets in the system communicate via a fiber-optic network. The three processor boards in a protection cabinet communicate with each other via the VME bus. Two of the processor boards perform safety tasks, while the third board performs testing on the cabinet. This third board is used to communicate with the portable SPARC notebook.

Normally, an embedded system of this type has no graphical user interface (GUI). The SPARC laptop, however, provides a maintenance interface, through which it displays a graphical picture of the algorithms using the real data, as well as the calculated results. Text fields display the actual values, such as the analog inputs from the system. If the data goes through a comparitor, then the technician can check whether the system is operating correctly while the display shows the result.

The portable SPARC notebook's other maintenance features include the ability to change the set points at which the comparitors decide to take some action. For example, if the analog input reads a temperature at 500 degrees Celsius, which the comparitor has set as too high, then the technician can theoretically change the limit to 510 via the SPARC laptop. The interface is programmed in C using a GUI-builder.

Developing the software for the backup shutdown system

The secondary backup system developers decided to use a combination of object-oriented design (OOD) and structural analysis. While OOD is a current popular buzzword that programmers often equate with clear and easily maintainable software, in safety-critical applications it has drawbacks. In order to control the complexity of a solution, for example, OOD programmers will conceal unnecessary details throughout an algorithm. Such information hiding is almost forbidden in many safety-critical software requirements. When a piece of software's failure in a new airplane would be "catastrophic," for example, then the FAA requires that every line of code be demonstrably executed. In other words, do not hide anything. For Westinghouse's secondary shutdown system, the engineers used the design techniques that characterize Ada and OOD in order to facilitate the separately developed software's integration. Some information is hidden, such as the I/O, so that other components cannot mistakenly corrupt the data.

Safety-critical safeguards

C-SMART links in code to perform library functions and runtime software. It is drastically smaller than Thomson's standard library, for the company has stripped out anything that is not deterministic or cannot be verified for safety. The runtime software has the same documentation and level of testing as the Westinghouse I&C software. C-SMART's documentation for Lockheed's new Hercules aircraft, for example, ran to 68 kilograms (150 pounds) of paper for a runtime system of only 6800 source lines of code (SLOC). The documentation included tests, test results, source code, etc., and contained over 3,000 signatures.

Documentation same quality as for flying an airplane

After another round of editing the documentation and implementing any customer changes, Westinghouse will try to ship its new I&C system in November 1997. In the fall of 1996, the company started to test, verify, and validate its new backup protection software, which will be fewer than 100,000 SLOC. Testing for the entire system should be completed in May 1997.

The Temelin power plant still has hurdles ahead, and has drawn opposition from inside as well as outside the new Czech republic. Moreover, the requirements for the secondary shutdown system have been volatile, and continue to change as the Czechs fit Western standards into a Soviet design.

Strong typing helps keeps ahead of moving baseline

"At this point in the development, most people see that Ada has significantly cut down on the integration time," Pike said. "Problems are in logic mistakes or requirements that are not lined up at the system level, more than mismatches that you would find if not using a strongly typed language."

In time, Westinghouse expects that Skoda and the Austrians will share the programmers' confidence in Ada's strength and safety.