1. Field of the Invention
The present invention relates to a method for verifying a safety apparatus and a safety apparatus verified by the method and, in particular, to a method for verifying a safety apparatus that is used to control a nuclear power plant, a thermal power plant, a chemical plant or the like and that is required to ensure high reliability and the safety apparatus verified by the method.
2. Description of the Related Art
A nuclear power plant includes a safety apparatus to prevent the occurrence of an abnormal event, or to reduce the possibility of the occurrence of an abnormal event, that might endanger the safety of the plant when the abnormal event is anticipated or the abnormal event occurs.
A radiation counting apparatus (safety apparatus) associated with a safety protection system is provided to count the amount of radiation. If the amount of radiation increases in a plant due to some reason, the radiation counting apparatus delivers, to operating circuits, information indicating a condition to shut down the area where the amount of radiation is increasing or a condition to activate an emergency gas processing apparatus.
In recent nuclear power plants, such a radiation counting apparatus (safety apparatus) associated with a safety protection system carries out a digital signal process in which one central processing unit (CPU) executes digital filtering or digital calculation of a plurality of signals (refer to, for example, Japanese Patent No. 2653522).
In contrast, U.S. Pat. No. 5,859,884 discloses a system using a hardware logic circuit known as an application specific integrated circuit (ASIC) or a field-programmable gate array (FPGA) in place of a CPU. In the technology described in U.S. Pat. No. 5,859,884, a circuit is configured using an ASIC in place of a CPU to control the procedure of the process. This technology simplifies the process flow.
Since the safety apparatus is important, failure of one unit must not result in loss of the total control of the apparatus. Accordingly, a multiplex configuration that provides redundancy of the system is employed or each component of the apparatus is configured to be independent.
However, in a digital system in which a CPU executes software, if the same software is used for the redundant system and the main system, there is a possibility that a defect of the software impairs the functionality of the redundant system.
In addition, since digital processing including the software processing is basically discrete-value processing, there is a higher possibility that an unexpected operation could be executed due to software and hardware defects than for an analog device. For example, in digital processing, an abnormal output might occur when some specific condition is satisfied.
Accordingly, in digital processing using software, a quality assurance activity is required to assure the high quality of the digital processing from the design phase through the manufacturing phase. Also, appropriate protection is required against a common malfunction factor caused by a software defect or an uncontrolled design change.
In particular, to protect against a common malfunction factor caused by a software defect, “verification & validation” activities (hereinafter referred to as “V & V”) are practiced. “V & V” are quality assurance activities that include the following two processes: a verification process to verify that the functional requirement for a digital safety apparatus is correctly realized from higher-level steps to lower-level steps, from the software design process through the manufacturing process; and a soundness determination process to determine that the requirement is correctly realized in the system manufactured through the verification process.
In contrast, in a system using an ASIC or an FPGA in place of a CPU, a hard-wired digital logic circuit is provided. Unlike the software process performed by a CPU, this process has a fixed process flow. Also, processing time can be determined by the design. Accordingly, the system using an ASIC or an FPGA can be regarded as semiconductor hardware of the digital logic circuit.
As a result, although the FPGA or the like uses some software in the manufacturing process, the FPGA can be verified assuming that the process carried out is the same as the process of the hardware actually installed. For example, by comparing the outputs of a semiconductor device corresponding to all the inputs and all the internal states with the estimated values computed from its specification, the input and output properties of the static function can be completely verified except for the dynamic defects caused by a timing issue. Such a verification method is referred to as “exhaustive testing”.
However, in an actual ASIC or FPGA, the sum of the number of all the input bit patterns and the number of all the internal state patterns of the device is huge. Accordingly, in general, it is recognized that it is impractical to compare output patterns corresponding to all the input and internal state patterns with the estimated values.
Therefore, evaluation of an input pattern string capable of efficiently detecting a defect is critical. For example, by evaluating the logic patterns inside the device, an input pattern group that causes every internal register to activate at least once is computed, or an input pattern group that can detect specific fault pattern modes is computed by fault simulation.
However, since only some of the patterns are verified in the above-described technique, this technique cannot detect a defect caused by a combination of the internal logics and a defect that is not taken into account in the fault simulation.
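The contrast between exhaustive testing and a partial pattern set, as an added illustration that is not part of the patent: a constructed model of a small hardware logic block (a 4-bit count comparator with a 2-bit internal state register, names and threshold assumed here) is compared against its specification over every input pattern and every internal state, and then only over a register-toggling pattern group of the kind described above. The pattern-space function also reports how the space grows for realistic bit widths.

```python
from itertools import product

# Constructed example (not from the patent): a count comparator that asserts
# 'trip' after two consecutive cycles with count >= THRESHOLD. The 2-bit
# state register holds the number of consecutive over-threshold cycles.
IN_BITS = 4       # assumed width of the count input
STATE_BITS = 2    # assumed width of the internal state register
THRESHOLD = 10    # assumed trip threshold

def spec_next(count, state):
    """Reference model derived from the specification: (new_state, trip)."""
    over = count >= THRESHOLD
    new_state = min(state + 1, 3) if over else 0
    trip = 1 if new_state >= 2 else 0
    return new_state, trip

def impl_next(count, state):
    """Implementation under test with one injected defect that appears only
    for a single input/state combination (a hidden logic-combination fault)."""
    over = count >= THRESHOLD
    new_state = min(state + 1, 3) if over else 0
    trip = 1 if new_state >= 2 else 0
    if count == 15 and state == 3:   # injected defect: trip is dropped
        trip = 0
    return new_state, trip

def pattern_space(in_bits=IN_BITS, state_bits=STATE_BITS):
    """Number of (input pattern, internal state) combinations to be checked."""
    return (1 << in_bits) * (1 << state_bits)

def exhaustive_test(impl, spec):
    """Compare impl with spec over every input pattern and every internal state."""
    return [(c, s) for c, s in product(range(1 << IN_BITS), range(1 << STATE_BITS))
            if impl(c, s) != spec(c, s)]

def partial_test(impl, spec, patterns):
    """Compare impl with spec only over a chosen pattern group."""
    return [(c, s) for c, s in patterns if impl(c, s) != spec(c, s)]

# Constructed pattern group: every state register value is activated at least
# once, but not every (input, state) combination is covered.
TOGGLE_PATTERNS = [(0, 0), (12, 0), (12, 1), (12, 2), (12, 3)]
```

The exhaustive run finds the defect while the register-toggling group does not; the same function shows that a 32-bit input with a 64-bit state register already yields 2^96 combinations.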
Furthermore, to implement a logic circuit (digital circuit) in hardware, such as an FPGA, a utility software tool is needed, which includes software for creating the hardware configuration description and a logic synthesis tool for converting the hardware configuration description to an actual logic circuit on the FPGA. However, this utility software tool itself might have a defect if, in particular, this utility software tool is newly developed. Accordingly, total reliability starting from the design phase must be assured including the reliability of the utility software tool.
If the above-described exhaustive testing can be carried out in the performance verification, the static logic error can be found. However, if the above-described exhaustive testing cannot be carried out, V & V verification is needed, as for conventional software.
However, unlike the software process performed by a CPU, the process of the system using an FPGA is fixed, and therefore, in general, the process time can be determined. Additionally, a single loop can execute only a single process. Therefore, design conditions for realizing a highly reliable system can be easily satisfied.
As described above, implementing a safety apparatus using a hardware logic circuit, such as an FPGA, provides a strong advantage from the viewpoint of verification. However, functional verification must be efficiently carried out virtually at the same level as the above-described exhaustive testing. That is, it is required that a verification method be developed that can reliably and quickly verify whether the output property of the safety apparatus with respect to an input is the same as that defined by the design.
In addition to the static error, a dynamic error may occur that is caused by a timing issue between internal operations. For example, if the delay time between internal logics varies due to the environmental condition (e.g., temperature) or the power supply condition, there is a possibility that the apparatus operates erroneously due to the ambient conditions. To prevent an error caused by a timing issue, a sufficient margin should be provided in the design phase using timing simulation. Furthermore, a verification method is required that can carry out verification with high reliability, as needed, in the actual operating environment that is anticipated.
While the foregoing problems have been described with reference to a nuclear power plant, it is also important, in a field that requires a highly reliable control system, such as an oil plant or a chemical plant, to develop a design system that can assure the reliability of a similar digital apparatus in the design and manufacturing phases and, in particular, a design system that can detect a hidden defect.