The present invention relates to an electronic system operating under irradiation, particularly X or gamma radiation, a process for designing such a system intended to make said system function under irradiation whilst incorporating xe2x80x9cvulnerablexe2x80x9d components, i.e. intrinsically unfit to operate under said irradiation, and the application of said process to the control of a mobile robot.
Although the legal unit of measurement for radiation doses integrated by components is the Gray (Gy), the experts and most reference documents express this magnitude in the old unit, i.e. the Rad. Hereinafter use will consequently be made of said second unit. It is pointed out that 100 Rad=1 Gy.
The term xe2x80x9cvulnerablexe2x80x9d circuits is understood to mean electronic circuits only able to understand one or a few hundred kRad, typically in the form of gamma or neutron radiation, such as are encountered in nuclear engineering. In general, such circuits have a very large scale integration (VLSI) and are based on CMOS technology, although these features are not limitative.
These xe2x80x9cvulnerablexe2x80x9d circuits are the only ones able to implement very complex functions. Examples are microcontrollers, digital signal processors, application specific integrated circuits (ASICs) or bulk memories. They are particularly appropriate for the implementation of control systems carried by high technology remote manipulators or on mobile robots.
Thus, the invention is mainly directed at the design of control systems for a nuclear environment, which are at present the highest performance electronic systems working in such an environment. Consequently they are used as the example for the description of a preferred embodiment. However, it does not pass beyond the scope of the invention to apply same to any other electronic system, provided that its complexity makes it advantageous to use components which are xe2x80x9cvulnerablexe2x80x9d to ambient irradiation.
The term xe2x80x9ccontrol systemxe2x80x9d is not considered here in the very restricted sense often used in nuclear engineering, notably due to the very rudimentary performance characteristics authorized in the prior art and whereof a few examples will be given hereinafter. Subsequently the term control system is used in a broader sense in that its function is to collect informations on the system to be controlled, process them if necessary (e.g. by digital filtering/non-linearity correction), apply thereto one or more digital control laws which can include autonomous operating modes able to take decisions, manage the controls of power amplifiers associated with actuators, ensure safety functions and, in the case of a partial failure, manage degraded operating modes. Such a control may also be able to communicate with an information transmission device, as a function of the possibilities of various working configurations (multiplexing, microwave transmission or any other means).
In the prior art, electronic systems operating under such an irradiation and incorporating such vulnerable components are essentially control systems for mobile robots or teleoperated equipment or machines. They can be subdivided into two categories, as a function of the radiation dose which they are able to withstand.
A first category includes control systems which can correspond to the above definition, but which in practice are unable to withstand more than a few kRad and in exceptional cases a few dozen kRad.
Reference can e.g. be made to the Andros mobile intervention robot designed by Remotech, USA. The electronics carried consist of a standard controller constituted by a microcontroller card and variators available in commerce. The controls are transmitted by an umbilical cord. The control system is conventional, close to industrial-type controls, but its radiation resistance or hardness does not exceed 1 to 10 kRad.
A second category covers very simplified control systems unable to comply with the above definition, but able to withstand several dozen kRad or even several hundred kRad when containing virtually no electronics and when their control is displaced to the end of a wire-to-wire link.
An example is constituted by the Oscar mobile intervention robot for which all the control signals are transmitted wire-to-wire by an umbilical cord having a large diameter compared with the robot dimensions and whose length is necessarily limited.
Another example is constituted by the assisted RD 500 remote manipulator used on the La Hague site in the 1990""s. All the control signals are transmitted wire-to-wire by an umbilical cord and the actual control is displaced into a non-irradiated area.
More generally, this second category of highly simplified control systems is solely directed at:
acquiring one or several measurements,
optionally processing them in rudimentary manner by simple analog filtering (of the first order) or in the best possible case by digitization under 8 bits with long conversion times (exceeding 10 xcexcs),
transmitting said measurement or measurements in accordance with a fixed sequential protocol, when not directly wire-to-wire, which then raises the problem of an umbilical cord which is prejudicial as a result of its diameter, weight or its very existence (it makes it impossible to pass through an air lock),
supply directives to power amplifiers which do not really belong to the control system.
The systems of said second category cannot implement high performance, evolved functions and cannot be autonomous and reliable, reliability assuming the existence of degraded modes or redundancies, as well as the capacity to operate autonomously.
At present there is no solution making it possible for such a control system to operate under irradiation. The proof is supplied by document [3], which mentions the project concerning a mobile robot intended to intervene on the Chernobyl site. The specification required a resistance or hardness to 1 MRad and the solution adopted corresponds to said second above category in its most rudimentary form, i.e. complete absence of carried electronics, all the electronics being effected wire-to-wire by an umbilical cord.
The response of the expert is described in document [4], chapter 4, devoted to the design strategy. It only offers four solutions:
Axe2x80x94the shielding of components or equipment,
Bxe2x80x94the choice of the location of the equipment,
Cxe2x80x94the use of equipment able to withstand radiation and already commercially available,
Dxe2x80x94the development of equipment able to withstand radiation.
In practice, it is usually limited to shielding or an offset location of the electronics. Each of the solutions will be examined below.
Solution A, regarding shielding:
Certain components have a box or case designed to resist ionizing radiation. However, it is a lightweight shield against single event upsets (SEUs) encountered by satellites, which are accidental collisions with extremely high energy particles, which can give rise to the local destruction of a microcomponent. They only have a very limited effectiveness against gamma radiation even when reinforced by a supplementary metal screen, because the cumulative gamma radiation dose which can be withstood by a satellite is relatively low (approximately 100 kRad for its entire life) and does not constitute an aim for the designer. The expert knows that despite the common reference made to xe2x80x9cionizing radiationxe2x80x9d, it is in fact a different problem to those encountered in the nuclear industry.
In the nuclear industry, the shield against ionizing radiation is constituted by a thick, heavy metal covering (e.g. of lead or Dxc3xa9nal for gamma radiation), because the attenuation provided by said shield is dependent on the atomic mass of the material. Attenuation curves show that the thickness must exceed several centimeters to ensure that the shield has any significance and this thickness increases very rapidly on increasing the admissible radiation dose. Thus, for lead shielding the controls of a gantry operating on a French industrial site (managed by an industrial controller), it was necessary to use an approximately one lead tonne shield, which required a costly overdimensioning of the gantry structure. This shield was designed to enable the controls to withstand 1 MRad. In addition, it was necessary to replace the controls every year, making it necessary to immobile the installation, which was so expensive that the operator decided to abandon this solution and install a control displaced into the non-irradiated area and with a wire-to-wire link.
This shielding solution, which appears too weighty for a heavy equipment, would suffer from this disadvantage to an even greater extent for a mobile equipment, whose weight is always critical, particularly if it is required to ascend a walkway staircase in order to intervene in a nuclear power station following a possible technical incident. Apart from its direct effect, the weight of a shield also represents a problem which cannot be circumvented on examining the potential energy involved during an impact, fall or descent of a step. Thus, e.g. for a shield weighing one tonne, which was shown hereinbefore to be inadequate, if the mobile equipment suddenly descends a 10 cm step and the corresponding energy mgh is absorbed by an elastic device of rigidity k, crushing 1 cm, it is possible to write: mgh=xc2xd Fx, where F=kx, with x=10xe2x88x922 m and h=10xe2x88x921 m, then: F=2.108 N, which corresponds to an acceleration of 2.105 g.
It is clear that the suspension of such a mass (control system and shield) placed on a moving equipment becomes an insoluble problem.
Solution B, concerning the offset location of the electronics:
By definition, it is in contradiction to the problem set, which consists of making a control system function under irradiation.
Solution C, using equipment able to withstand radiation and commercially available:
By definition, it is contrary to the set problem, which consists of making a true control system operate under irradiation, whereas commercially available systems are much too rudimentary to satisfy the set problem.
Solution D, aiming at designing a hardened control system:
Hardening essentially consists of replacing MOS circuits with their equivalents, when they exist, in hardened technology (SOS, SOI, DMILL, etc.). However, the SOS, SOI and DMILL technologies are not widely commercially used, so that there is only a limited range of available components, both with regards to diversity of products and with regards to performance characteristics. For example in the case of microcontrollers, the presently available hardened products have functionalities and performance characteristics corresponding to a technological time lag of roughly 20 years compared with unhardened products. They have no random access memory and their functionality and instruction sets are difficultly compatible with a control system of the type defined hereinbefore. Their irradiation resistance is approximately 300 kRad, namely an improvement by a factor of approximately 10 compared with a standard component and a little higher compared with a particularly vulnerable model. However, DMILL technology admittedly makes it possible to reach 10 MRad. However, it does not make it possible to implement rewritable memories. In addition, the commercial availability is extremely limited and, for its implementation, requires the development of ASICs, which imposes constraints incompatible in practice with the implementation of a mobile robot control.
Hardening of the electronics becomes increasingly difficult when the irradiation dose to be withstood increases. Moreover, as shown by document [5], on passing a threshold of approximately 1 kRad (low conventional electronics limit under irradiation), the cost of hardening increases with the dose rate in proportions not making it possible to reach or exceed 1 MRad.
To conclude, existing control systems only offer rudimentary functions, performed at low speed, without any possibility of significantly improving their performance characteristics or reliability. The acquisition rate for information from sensors is so low that it prevents any force return possibility, which would be indispensable for the performance of certain teleoperation tasks.
The autonomy level given by such controls is very low and really teleoperated systems are involved. However, nuclear applications cannot make do with teleoperation. A radiocontrolled machine must e.g. be able to take an autonomous decision in the case of a transmission problem (e.g. return to the position preceding communication loss). Another well known example consists of introducing via a lock a mobile robot into a nuclear power station following an incident which has led to a leak of nuclear material within the building. It is known how a robot can be introduced, but the respecting of the necessary sealing prevents transmitting controls to it by cable. Thus, it is vital that the robot can move autonomously to one of these points, which cannot be achieved at present.
This prior art can be summarized on the basis of the recent design project for a Pioneer mobile robot for intervention on the Chernobyl site. The specification required the withstanding of a cumulative dose of 1 MRad. No industry or research laboratory was able to propose a carried control system complying with this requirement. In the device at present being studied, all the directives are supplied wire-to-wire to an offset control station.
The present invention relates to an electronic system operating under irradiation, particularly X or gamma radiation, a process for designing such a system and its preferred application to a control system of a mobile robot operating under said irradiation.
The present invention relates to a process for designing electronic systems able to operate under irradiation and comprising the following stages:
I. Enumerating all the functions to be implemented by the system;
II. determining the electronic components able to physically implement these functions, whilst giving preference to models having the larger scale integration;
III. determining the volume of components which can be protected by protection means referred to as shielding, whilst taking account of the radiation dose to be withstood by the system, the maximum permitted weight of the material chosen for said shielding, as well as the distance at which components selectively protected by said shielding could be from other, unshielded components;
IV. establishing a list of the most vulnerable components, whilst firstly taking account of their technology, then their degree of integration, whilst associating with each of these components the components which have to be installed in their immediate vicinity, if existing, and whilst firstly positioning the most vulnerable component, then that whose vulnerability is slightly less high and so on, optionally placing several identical vulnerability circuits;
V. selecting on the basis of the list of the preceding stage, a group of components, commencing with the most vulnerable components and limiting said group to components which, by their very dimensions, can be installed in the volume defined in stage III;
VI. examining whether the components in said system can implement coherent functions and only communicate with the remainder of the system by a reasonable number of wires, which transmit signals able to pass through without deterioration the distance stipulated in stage III between the selectively protected components and the other components; if all these conditions are not simultaneously fulfilled, modifying by iteration the list of components in order to obtain this result, but without exceeding the volume defined in stage III; if all these conditions are simultaneously fulfilled pass to the following stage, the group of components obtained in this way being called the xe2x80x9cfirst group of first componentsxe2x80x9d and the other components being called the xe2x80x9csecond group of second componentsxe2x80x9d;
VII. designing the physical installation of the first group of first components, designing the shielding, constituted by at least one radiation-absorbing material, positioned around said first group of components, and designing between the first group of components and the second, connection means arranged so as not to form a penetration path for ambient radiation;
VIII. designing the physical installation of the second group of components, evaluating the radiation dose which they have to withstand and, if necessary, using a complimentary procedure for improving their suitability for operating under irradiation by a technique other than shielding;
IX. evaluating whether the solution to the problem set is or is not obtained: if it is not obtained, modifying the parameters of stage III (weight and nature of the shielding material, maximum acceptable irradiation dose, distance between the first group of components and the second) and repeating the procedure as from stage III; if it is obtained consider that the purely designed part is completed in a satisfactory manner and optionally start the experimental part of stage X;
X. validate the design by producing a prototype in accordance with the above design stages, at least with regards to the first group of components, put into place in the protection means (shielding thereof) and carry out irradiation tests; if said tests are not in accordance with the specifications, modify the parameters of stage III (weight and nature of the shielding material or optionally the maximum acceptable irradiation dose) and repeat the procedure as from stage III, stage X being optional.
It does not pass outside the scope of the present invention to perform certain stages implicitly and in a more or less simultaneous manner, but in fact fulfilling the same function. This is particularly the case with stages IV, V and VI which a skilled person can carry out xe2x80x9cat his discretionxe2x80x9d without necessarily breaking down his work into elementary steps, as has been done here for clarity reasons. It also does not involve passing outside the scope of the invention not to perform stage X.
Stage II, which leads to preferably choosing operationally very rich circuits, has the consequence of limiting the functionalities to be ensured by the other components of the system. This facilitates recourse to techniques other than shielding for ensuring their protection.
Stage III involves the parameters concerning the dimensioning of the protection. The actual shielding or shield is implemented in accordance with the prior art, particularly with regards to the material, which must be adapted to the nature of the considered radiation.
Stage IV mentions a list of the most vulnerable components, whilst taking account of their technology and then their degree of integration. A skilled person or a person making use of information from the designer can draw up a first hierarchy in the aptitude of the components to withstand a certain radiation dose. However, operating in a stringent manner and taking account of behavioural differences of the circuits as a function of the energy of the radiation, the intensity thereof and the distribution thereof in time, it is particularly advantageous to perform tests.
Stage V defines components which are to be selectively protected, namely high performance and function-rich components for which it is impossible to find in conventional industrial ranges radiation-resistant equivalents. The standard example is a VLSI CMOS technology microcontroller having on a single semiconductor chip a central processing unit, memories, inputs/outputs, watchdog, etc. Of the list of the preceding paragraph only those components are retained, starting with the most vulnerable, which can be installed in the volume defined in paragraph III. Components which have to be physically very close to these components, such as the watch quartz of a microcontroller or bypass capacitor or capacitors, are associated therewith and are a priori retained in the same way. However, it does not pass outside the scope of the invention to decide not to protect these auxiliary components.
If it is vital to protect more components than the shield can contain, two other possibilities exist which can be implemented in accordance with the invention:
combining these components by implantation or xe2x80x9chybridizationxe2x80x9d (compact fitting of electronic chips) in order to protect them by a single shield,
allocating to the radiation protection several shields containing selectively protected components.
Difficulties can arise in removing the heat generated by the operation of these components. In this case, it does not pass outside the scope of the invention to incorporate between said components and the shield an electrically insulating, but thermally conductive product in order to remove the heat through the shield.
Stage VI constitutes a validation of the components selected in the preceding stage, whilst envisaging the constraints linked with the operation of the electronics, particularly the number and passband of the signals which flow between the components to be selectively protected by shielding and those which are not protected. Nevertheless, the aim for said second components is to improve their tolerance to radiation by any procedure other than shielding (see stage VIII).
Stage VII involves the production of protection means or shielding. A preferred implementation of the shield is constituted by two half-shells joined together by screws arranged in such a way as to minimize the effect thereof on the protection of the components. The connections with the second group of components can advantageously take place by a flexible printed circuit, which follows a baffle equipping the shield at its input/output, in order to avoid radiation penetration.
In an advantageous embodiment said shield is connected to the remainder of the system:
mechanically by a cushioning suspension,
electrically by connections which are sufficiently flexible to take account of the displacements due to this mechanical suspension.
Stage VIII refers to protection methods other than shielding, e.g. processes for managing the operation of these components by redundancies and/or optimization of supply voltages as described in documents [1] and [2], making it possible to significantly extend their life. Another example is the use of action concatenation timing diagrams (particularly with respect to the logic system), whose time ranges are sufficiently wide to make their operation tolerant with respect to time drifts which can be caused by irradiation.