M. S. Farias<sup>1</sup>, P.V. R Carvalho<sup>3</sup>, I. J. A. L. Santos<sup>2</sup>

e-mail: msantana@ien.gov.br, paulov@ien.gov.br, luquetti@ien.gov.br

<sup>1</sup>SEINS, <sup>2</sup>SEESC, <sup>3</sup>DENN

Keywords: FPGA, I&C Systems, Nuclear Reactor.

Conventional electrical and electronic components, including relays. analog electronics, and digital electronic component technologies are rapidly becoming obsolete. Programmable logic devices (PLDs) which fit into the overall landscape of electronic hardware technologies, including conventional technologies, ASICs and microprocessors. FPGAs can also be considered PLDs, but they have a different internal architecture which includes a set of configurable logic blocks (CLBs). A CLB can be configured to implement any logic functions (AND, OR, XOR, NOT, etc.). Multiple CLBs can be interconnected to generate more complex functions. In this report we examine circuit design techniques (TMR) in FPGA to help mitigate failures and provide redundancy. There are three main technologies applied for storing (memorizing) the configuration of the CLBs and I/O blocks in an FPGA [1]:

• SRAM – the static random access memory or SRAM is re-writable, which means that the implemented functionality can be modified without physically replacing the FPGA component.

• Flash and EPROM - the erasable programmable read-only memory (EPROM) and flash technologies are re-writable and non-volatile.

• Antifuse - this technology is non re-writable and non-volatile.

The majority of FPGA families are SRAMbased. This option are volatile. Thus, at powerup they must be reloaded from an external conguration system. In addition, most SRAMs are susceptible to random, radiation-induced hardware alterations (so-called Single-Event Upsets, or SEUs). SEU is a soft error that changes the state of a bistable element. A SEU affecting a combination part makes a transient error in logic gates. This can be propagated to the sequential part and make a bit-ip error. Figure 1 illustrates how a SEU makes a bit-flip error in a flip-flop. This susceptibility should be addressed as required in the design, based on the expected environment and the risks associated with the impact of SEUs [1].



Figure 1: Bit-flip error caused by SEU.

Among all SEU mitigation techniques, Triple Modular Redundancy (TMR) has become the most common practice because of its straightforward implementation and reliable results. The TMR mitigation scheme uses three identical logic circuits to perform the same task in parallel with the corresponding output being compared through voter by the majority. Figure 2 shows a representation of the TMR with a single majority voter.



Figure 2: TMR with a single majority voter.

Another flexible fault mitigation method is the triple device redundancy (TDR) in which a single FPGA design is replicated three times in redundant FPGA devices. These devices could be from different technologies (SRAM, Antifuse).

These methods keep the design simple while addressing regulation requirements such as diversity and redundancy [2]. The demands arising from new projects in Brazil, as the I&C modernization projects and the RMB (Brazilian Multipurpose Reactor), will bring the need for training new professionals in regulation and guidance regarding the use of FPGA technology in the nuclear industry. A practical application of the study results will allow for the development of a specification for a new FPGA-based instrumentation to the Argonauta Reactor.

## References

[1] ELETRIC POWER RESEARCH INSTITUTE. Guidelines on the use of field programmable gate arrays (FGPA) in nuclear power plant i&c systems. Palo Alto: EPRI, dec. 2009.

[2] FARIAS M. S.; CARVALHO, P. V. R.; SANTOS, I. J. A. L.; LACERDA, F. Design issues on using fpga-based i&c systems. In: INTERNATIONAL NUCLEAR ATLANTIC CONFERENCE, 04-09 oct. 2015, São Paulo. **Proceedings...** São Paulo: ABEN, 2015.