A comparison of Fault Trees and the Dynamic Flowgraph Methodology for the analysis of FPGA-based safety systems Part 1: Reactor trip logic loop reliability analysis

Abstract

The use of Field Programmable Gate Arrays (FPGAs) in safety critical systems in nuclear power plants means that these systems must undergo a detailed reliability and safety analysis. Fault Tree Analysis (FTA) has seen extensive use in the nuclear power industry. However, FTA predates digital I&C systems, and only performs static analyses. Therefore, dynamic (time dependent) methodologies have been created to model and analyze digital I&C systems. One method is the Dynamic Flowgraph Methodology (DFM). DFM can model control loops and feedback, which are properties that FPGA-based systems include. This work presents a comparison of FTA and DFM analysis methods, for analyzing the reliability of a generic, one-parameter, one-channel FPGA-based reactor trip logic loop. The system was analyzed for two separate failure conditions, with the DFM and FTA results being compared. The DFM and FTA results were similar for simple systems using one time step, however the results were more different for multiple time steps and/or complex test systems. Issues with FTA were discovered pertaining to the oscillating clock states, leading to impossible MCS being returned by the FTA. Potential reasons for the different results returned by two methods are discussed, as is direction for future comparisons between these methods.