Instrumentation and control: simulators go bug-hunting

17 July 2015

Simulation has resulted in a whole new way of carrying out de-bugging during I&C design. Bugs can be detected  more cheaply, and spotted much earlier on; their root causes can be determined, and suggested solutions assessed. This revolution is especially relevant to the nuclear industry.

When it comes to Instrumentation & Control, catching bugs is essential. The amount of code to be processed runs to thousands of pages; during the design phase, there are constant changes; and each new power plant is a prototype.

Complete flexibility allows each line of code to be checked

“Debugging using conventional verification methods cannot begin until implementation of Instrumentation & Control, or even testing” explains Adrien Tenand, one of CORYS’ modellers. “This is a long, costly and difficult process: a nuclear unit is supposed to generate electricity, not simply be subjected to analysis.”

Conversely, simulating Instrumentation & Control offers complete flexibility to pore over each line of code, identify bugs, seek out the root causes, and test suggested solutions if the designers so request.

This means that the power plant can be made “functional”, virtually, in order to test I&C at various stages of operation. It’s worth bearing in mind that in real life, bringing a unit up to full power takes several days.

What is more, simulated I&C can be pushed right to limit conditions in order to test safety levels – something that is obviously out of the question in real life.

Assessing all the consequences of a design change

Simulation also allows all the effects of design changes on a power plant to be evaluated as work progresses; this is beyond the capabilities of a human brain relying solely on checks based on hardcopy documents.

Another fresh possibility now available is that of replaying a bug-generating sequence in order to track down its root cause; again, this is no simple matter in real life!

Still another option, in the event of simulated I&C freezing up, is to force values and thus allow the simulation to continue, so as not to have to halt the tests underway. There will always be an opportunity to come back later in order to find out the reason for the crash in question.

As Arnaud Rufray, another of CORYS’ specialists in the subject, sums up: “simulation enables all the possibilities arising from software, statuses, conditions, and system values to be calculated. There’s simply no way even the best designer can achieve the same results by hand.”

A brief guide to frequently occurring bugs

Here are just some examples of bugs revealed through simulation, several years before a unit is commissioned:

  • signals that are connected but with incompatible functions: the valve expects a difference in a value, whereas the control system sends a setpoint
  • function generator producing anomalous output values
  • cut-and-pasting that applies the same instruction to a command and to its redundancy sets: redundancy is no longer implemented
  • a signal that was supposed to arrive at the same time as a second signal actually arrived several steps later, preventing the command from being performed
  • an inverted command signal, resulting in a valve closing instead of opening
  • a value measured in one unit being recorded as another (degrees C or F, bar absolute or relative pressure, etc.) due to a change in the sensor being used
  • a sensor being replaced by another whose range (e.g. 80-120 bar) no longer corresponds to the physical magnitudes to be measured (e.g. 30-50 bar)
  • a control loop cycles indefinitely, waiting for a condition that the system cannot provide it with.

“Most designers specialize in one particular piece of hardware or a single system,” explains Adrien Tenand. “They code on the basis of technical and safety requirements of which we are unaware. They cannot be expected to anticipate every single impact at the level of an entire unit.”

Testing I&C: a model, an interface, and more

“Bug-hunters”, on the other hand, can use the full resources of the simulator:

  • testing an I&C block in isolation by activating inputs (does the “on” button actually start the pump?)
  • combining I&C with part of the model, for instance to test a control setting
  • incorporating I&C from several systems, some issuing instructions and others performing actions
  • testing I&C and models from several systems, in order to check primary circuit pressure and level control, for example
  • and at the top level, testing the entire unit, adding man-machine interfaces.

In the past, CORYS has worked on I&C for conventional power plants, as well as I&C for the modernized and extended Tengiz oil extraction field electricity network in Kazakhstan. “We debugged everything. In real life, when they plugged in the network and fired it up, it worked immediately,” reports Arnaud Ruffray with a smile.

STEPS is a blog eager to provide answers and to bring up new issues with simulation users.

Its information is based on 30 years of CORYS experience of simulation and on the feedback from our customers around the world, in the field of Transportation, Power and Hydrocarbons industries.

line blog@corys.frFollow us on Linkedin