Language selection


Analysis of Fault-Tolerant Design Methods and Architectures for Digital I&C Systems Using the Dynamic Flowgraph Methodology

Abstract of the technical paperpresentation presented at:
2nd International Seminar on Probabilistic Methodologies for Nuclear Applications
October 25–26, 2017

Prepared by:
Phillip McNelles, Zhao Chang Zeng, Guna Renganathan, Eric Lemoine and Yolande Akl
Canadian Nuclear Safety Commission
Lixuan Lu
University of Ontario Institute of Technology


Field-programmable gate arrays (FPGAs) are a form of digital hardware that can be programmed to carry out digital logic functions, and which have seen use in nuclear power plant (NPP) instrumentation and control (I&C) systems. For example, reactor trip systems, rod control systems, and neutron flux measurement systems have been developed using FPGAs to perform their logic functions.

As with all semiconductor devices, FPGAs could be vulnerable to radiation-induced failures, known as single-event effects (SEEs), especially during accident scenarios. Therefore, mitigation methods are required to ensure the reliable operation of FPGAs in nuclear power plant systems.

In this paper, the dynamic flowgraph methodology (DFM) was the selected reliability analysis methodology to analyze potential defences against SEEs in FPGA-based systems. DFM is a dynamic (time-dependent) methodology that was developed with the intention of modelling and analyzing digital I&C systems. This methodology was selected for use in this research program as it has been used in the nuclear field, and the results from a review of the technical literature indicated the potential applicability of DFM for modelling NPP I&C systems.

First, for this study, DFM was used to evaluate common SEE mitigation methods, such as cyclic redundancy checks and voting logic, as well as common safety architectures, such as 1oo2, 2oo2D and 2oo2. The analysis considered the top event failures of "missed trips" and "spurious trips" and was performed over multiple time steps, to determine the effects of the SEE failures on different systems/architectures as they evolved through time. A basic 1oo1 system from preliminary research was used as a baseline, and compared to 1oo1D architectures when SEE mitigation was added. Next, the 1oo1 and 1oo1D architectures were compared to the other safety architectures, based on examples of IEC 61131-6. Finally, the probabilistic data obtained from the DFM analyses was used to perform quantitative calculations to compute the dynamic probability of dangerous failure on demand (PFD) for each test system and architecture, including the calculation of dynamic dangerous failure rates, safe failure rates, diagnostic coverages (DC) and safe failure fractions (SFF), per International Electrotechnical Commission standards.

The analysis and calculation results provide evidence for the most effective mitigation methods and system architectures for SEEs, and it was seen that the values for DC, SFF and PFD may change over time in the dynamic analysis. Potential avenues of future work are also discussed.

To obtain a copy of the abstract’s document, please contact us at or call 613.995.5894 or 1.800.668.5284 (in Canada). When contacting us, please provide the title and date of the abstract.

Page details

Date modified: