Developing architecture for upgrading I&C systems of an operating nuclear power plant using a quality attribute-driven design method

This paper presents the architecture for upgrading the instrumentation and control (I&C) systems of a Korean standard nuclear power plant (KSNP) as an operating nuclear power plant. This paper uses the analysis results of KSNP's I&C systems performed in a previous study. This paper proposes a Preparation–Decision–Design–Assessment (PDDA) process that focuses on quality oriented development, as a cyclical process to develop the architecture. The PDDA was motivated from the practice of architecture-based development used in software engineering fields. In the preparation step of the PDDA, the architecture of digital-based I&C systems was setup for an architectural goal. Single failure criterion and determinism were setup for architectural drivers. In the decision step, defense-in-depth, diversity, redundancy, and independence were determined as architectural tactics to satisfy the single failure criterion, and sequential execution was determined as a tactic to satisfy the determinism. After determining the tactics, the primitive digital-based I&C architecture was determined. In the design step, 17 systems were selected from the KSNP's I&C systems for the upgrade and functionally grouped based on the primitive architecture. The overall architecture was developed to show the deployment of the systems. The detailed architecture of the safety systems was developed by applying a 2-out-of-3 voting logic, and the detailed architecture of the non-safety systems was developed by hot-standby redundancy. While developing the detailed architecture, three ways of signal transmission were determined with proper rationales: hardwire, datalink, and network. In the assessment step, the required network performance, considering the worst-case of data transmission was calculated: the datalink was required by 120 kbps, the safety network by 5 Mbps, and the non-safety network by 60 Mbps. The architecture covered 17 systems out of 22 KSNP's I&C systems. The architecture is implementable with the equipment developed in South Korea. The architecture can be used as a model to upgrade the existing I&C systems in a planned, large-scale, and one-shot manner. A more detailed architecture down to software level will be developed in the future.     

Integrated software safety analysis method for digital I&C systems

The digitalized Instrumentation and Control (I&C) system of Nuclear power plants can provide more powerful overall operation capability, and user friendly man-machine interface. The operator can obtain more information through digital I&C system. However, while I&C system being digitalized, three issues are encountered: (1) software common-cause failure, (2) the interaction failure between operator and digital instrumentation and control system interface, and (3) the non-detectability of software failure. These failures might defeat defense echelons, and make the Diversity and Defense-in-Depth (D3) analysis be more difficult. This work developed an integrated methodology to evaluate nuclear power plant safety effect by interactions between operator and digital I&C system, and then propose improvement recommendations. This integrated methodology includes component-level software fault tree, system-level sequence-tree method and nuclear power plant computer simulation analysis. Software fault tree can clarify the software failure structure in digital I&C systems. Sequence-tree method can identify the interaction process and relationship among operator and I&C systems in each D3 echelon in a design basis event. Nuclear power plant computer simulation analysis method can further analyze the available backup facilities and allowable manual action duration for the operator when the digital I&C fail to function. Applying this methodology to evaluate the performance of digital nuclear power plant D3 design, could promote the nuclear power plant operation safety. The operator can then trust the nuclear power plant than before, when operating the highly automatic digital I&C facilities.     

Plant Risk Effect Analysis Focusing on Digital I&C Equipment Failures

Safety-critical digital systems have been installed in nuclear power plants and thus their safety effect evaluation has become an emerging issue. The multi-tasking feature of digital instrumentation and control (I&C) equipment could increase the risk factor because the I&C equipment affects the actuation of the safety functions in several mechanisms. In this study, we quantify the safety of the digital plant protection system in Korean nuclear power plants based on probabilistic safety assessment (PSA) technology. Fifteen fault-tree models for the digital reactor-trip system and seven for the safety-feature actuation system are constructed and integrated into the plant safety assessment model. The result of the sensitivity study shows the boundaries of a plant risk and the effect of the digital equipment failures on the total plant risk.     

System-level hazard analysis using the sequence-tree method

A system-level PHA using the sequence-tree method is presented to perform safety-related digital I&C system SSA. The conventional PHA involves brainstorming among experts on various portions of the system to identify hazards through discussions. However, since the conventional PHA is not a systematic technique, the analysis results depend strongly on the experts’ subjective opinions. The quality of analysis cannot be appropriately controlled. Therefore, this study presents a system-level sequence tree based PHA, which can clarify the relationship among the major digital I&C systems. This sequence-tree-based technique has two major phases. The first phase adopts a table to analyze each event in SAR Chapter 15 for a specific safety-related I&C system, such as RPS. The second phase adopts a sequence tree to recognize the I&C systems involved in the event, the working of the safety-related systems and how the backup systems can be activated to mitigate the consequence if the primary safety systems fail. The defense-in-depth echelons, namely the Control echelon, Reactor trip echelon, ESFAS echelon and Monitoring and indicator echelon, are arranged to build the sequence-tree structure. All the related I&C systems, including the digital systems and the analog back-up systems, are allocated in their specific echelons. This system-centric sequence-tree analysis not only systematically identifies preliminary hazards, but also vulnerabilities in a nuclear power plant. Hence, an effective simplified D3 evaluation can also be conducted.     

Important factors affecting fault detection coverage in probabilistic safety assessment of digital instrumentation and control systems

As digital instrumentation and control (I&C) systems are gradually introduced into nuclear power plants (NPPs), concerns about the I&C systems’ reliability and safety are growing. Fault detection coverage is one of the most critical factors in the probabilistic safety assessment (PSA) of digital I&C systems. To correctly estimate the fault detection coverage, it is first necessary to identify important factors affecting it. From experimental results found in the literature and the authors’ experience in fault injection experiments on digital systems, four system-related factors and four fault-related factors are identified as important factors affecting the fault detection coverage. A fault injection experiment is performed to demonstrate the dependency of fault detection coverage on some of the identified important factors. The implications of the experimental results on the estimation of fault detection coverage for the PSA of digital I&C systems are also explained. The set of four system-related factors and four fault-related factors is expected to provide a framework for systematically comparing and analyzing various fault injection experiments and the resultant estimations on fault detection coverage of digital I&C systems in NPPs.     

System assessment of an FPGA-based RPS for ABWR nuclear power plant

The instrumentation and control (I&C) systems for the Lungmen nuclear power plant (LMNPP) are fully digitized based on microprocessor and software technology, and extensively utilize multiplexing networks. That is, undetectable software faults and common cause failures due to software errors may occur, and that will defeat the redundancy of a nuclear power plant (NPP). A diverse backup implementation for the digital I&C systems is an important means to defense against undetectable software faults.This paper presents system assessment of a quad-redundant reactor protection system (RPS) design for an Advanced Boiling Water Reactor (ABWR) by utilizing the field programmable gate array (FPGA) technology. The FPGA-based RPS has been assessed by using a full-scope engineering simulator for the LMNPP. Accident scenarios and abnormal conditions are inserted into the engineering simulator in order to activate the function of the FPGA-based RPS. In this study, conceptual design of the proposed quad-redundant FPGA-based RPS, including preliminary hardware architecture, software design and system assessment will be presented. The results demonstrate that the FPGA-based RPS system is a practical approach to implement a diverse backup for the digital I&C system of nuclear power plant applications.Also, the sensitivity study of probabilistic risk assessment (PRA) shows that RPS combined with ARI (Alternative Rod Insertion) contributes significant influence on the core damage frequency (CDF) calculation of LMNPP. The PRA sensitivity study is independent of the RPS technology.     

Model extension and improvement for simulator-based software safety analysis

One of the major concerns when employing digital I&C system in nuclear power plant is digital system may introduce new failure mode, which differs with previous analog I&C system. Various techniques are under developing to analyze the hazard originated from software faults in digital systems. Preliminary hazard analysis, failure modes and effects analysis, and fault tree analysis are the most extensive used techniques. However, these techniques are static analysis methods, cannot perform dynamic analysis and the interactions among systems. This research utilizes “simulator/plant model testing” technique classified in (IEEE Std 7-4.3.2-2003, 2003. IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations) to identify hazards which might be induced by nuclear I&C software defects. The recirculation flow system, control rod system, feedwater system, steam line model, dynamic power-core flow map, and related control systems of PCTran–ABWR model were successfully extended and improved. The benchmark against ABWR SAR proves this modified model is capable to accomplish dynamic system level software safety analysis and better than the static methods. This improved plant simulation can then futher be applied to hazard analysis for operator/digital I&C interface interaction failure study, and the hardware-in-the-loop fault injection study.     

核电站仪控系统数字化开发仿真测试技术研究

在核电站应用数字化仪表与控制 (I&C)取代模拟 I&C 系统,已成为必然的发展趋势。本文分析了核电站全范围模拟机的蒸汽发生器数学模型,研制开发独立的核电站蒸汽发生器实时仿真系统,并与控制系统形成能够相互作用的闭环系统,用于数字化仪控系统改造提供仿真对象及进一步控制方案研究。在仿真过程中,除了仿真模型之外,其他的硬件和软件由真实的控制系统构成。不但为核电站仪表与控制 (I&C)系统数字化开发提供理论分析,也为今后现场调试工作创造有利条件。     

A model for estimation of reactor spurious shutdown rate considering maintenance human errors in reactor protection system of nuclear power plants

Modeling of spurious activations in safety instrumented systems has been studied for over a decade. The spurious activation of a plant protection system in nuclear power plants (NPPs) leads to increased electricity generation cost. An in-depth view on spurious activation of digital plant protection systems of NPPs for human errors in maintenance tasks is presented in this paper. A new model which considers human errors in maintenance and periodic tests to predict component failure rates is presented. The model has been applied to OPR-1000 reactor protection system for quantification of spurious trip frequency by fault-tree analysis. The major causes of spurious activation in a nuclear reactor protection system are identified. A set of case studies has been performed with the variation of magnitudes of human errors probability and maintenance strategies, in which, the human errors in maintenance are found to significantly influence reactor spurious trip frequency. This study is expected to provide a useful mean to designers as well as maintainers of the digital reactor protection system to improve plant availability and safety.     

Classification method of severe accident condition for the development of severe accident instrumentation and monitoring system in nuclear power plant

Instrumentation and monitoring systems in a nuclear power plant are very important to monitor plant conditions for safe operations and a plant shutdown. The severe accident at TOKYO ELECTRIC POWER COMPANY's Fukushima Daiichi Nuclear Power Station (hereinafter called as TF1) in March 2011 caused several severe situations such as core damage, hydrogen explosion, etc. Lessons learned from the severe accident at TF1 show that an appropriate operable instrumentation and monitoring system for a severe accident should be developed so that the system will deliver an appropriate performance for mitigation of severe accident condition in a nuclear power plant.

This paper proposes the classification method of severe accident condition for the development of an appropriate operable instrumentation and monitoring system for a severe accident based on the problem analysis of monitoring variables during the severe accident at TF1. The classification is formed on the basis of the integrity of boundary for plant safety and the successful (or unsuccessful) condition of the cooling water injection, and is used for an establishment of defining severe accident environmental conditions for the instrumentation and monitoring system. Examples of the establishment method are also shown in this paper.     

Design features and thermal margin assessment of core protection and monitoring systems of an integral reactor,SMART

The Korea Atomic Energy Research Institute has developed the SMART integral reactor, and SCOPS and SCOMS were also newly developed as advanced real-time core protection and monitoring systems for SMART. SCOPS calculates the minimum DNBR and maximum LPD based on several on-line measured core state parameters, and SCOMS calculates the limiting conditions for operation variables and assists the operator in implementing the technical specification requirements for monitoring. The design features and characteristics of SCOPS and SCOMS were described. The performance of the SCOMS power distribution synthesis method was evaluated and shows negligible power distribution synthesis errors. A technically reliable uncertainty analysis method was developed, and a preliminary uncertainty analysis was evaluated. The overall analysis results are similar or more improved compared to those of cycle 1 for Younggwang units 3&4 of Korea. In particular, uncertainty factors of SCOMS are much improved because of an improvement in the power distribution synthesis and DNBR calculation algorithm. Finally, thermal margins were estimated, and the DNB overpower margin of SCOMS is large enough to accommodate a 40% required overpower margin and 15% top-tier requirement thermal margin.     

Reliability assessment method for NPP digital I&C systems considering the effect of automatic periodic tests

Since digital technologies have been improved, the analog systems in nuclear power plants (NPPs) have been replaced with digital systems. Recently, new NPPs have adapted various kinds of digital instrumentation and control (I&C) systems. Even though digital I&C systems have various fault-tolerant techniques for enhancing the system availability and safety compared to conventional analog I&C systems, the effects of these fault-tolerant techniques on system safety have not been properly considered yet in most probabilistic safety assessment models. Therefore, it is necessary to develop the safety evaluation method for digital I&C systems with consideration of fault-tolerant techniques. Among the various issues in the safety model for digital I&C systems, one of the important issues is how to exclude the duplicated effect of fault-tolerant techniques implemented at each hierarchy level of the system. The exact relation between faults and fault-tolerant techniques should be identified in order to exclude this duplicated effect. In this work, the relation between faults and fault-tolerant techniques are identified using fault injection experiments. As an application, the proposed method was applied to a module of a digital reactor protection system.     

核电厂数字化仪表与控制系统的应用现状与发展趋势

１９９６年６月在广东阳江核电厂的推荐方案中，法马通，ＡＢＢ／ＣＥ，西屋三个公司都采用了数字仪表与控制系统，为进一步引起核电界人士的关注与思考，本文简要介绍了数字化仪表与控制系统的优点，在国外的应用和国内的研究现状，同时，提出了我国应采取的几点对策。供同行们研究。     

移动式堆芯中子注量率测量系统概述

堆芯中子注量率测量系统是压水堆核电站核测量系统的主要组成部分,用于测量反应堆堆芯的中子注量率水平,从而提供反应堆的功率分布情况。文章介绍了中核（北京）核仪器厂国产化的移动式堆芯中子注量率测量系统,并对测量系统的概况、系统组成、工作原理及功能等进行了描述。     

Development and diversity and defense-in-depth application of ABWR feedwater pump and controller model

This work developed an advanced boiling water reactor (ABWR) feedwater pump and controller model, which was incorporated into Personal Computer Transient Analyzer (PCTran)-ABWR, a nuclear power plant simulation code. The feedwater pump model includes three turbine-driven feedwater pumps and one motor-driven feedwater pump. The feedwater controller includes a one-element/three-element water level controller and a specific feedwater speed controller for each feedwater pump. The performance tests, including step change of dome pressure, feedwater pumps transfer, inadvertent closure of all turbine control valves, and one feedwater pump trip at 100% power, demonstrate the feasibility of dynamic response of stand-alone model and incorporated model. Furthermore, a diversity and defense-in-depth analysis is performed to demonstrate the feasibility for motor-driven feedwater pump as an emergency core cooling system (ECCS) automatic diverse back-up. In Lungmen nuclear power plant (NPP), a diverse manual initiation means for the high pressure core flooder (HPCF) loop C is designed as the back-up of digitalized engineered safety features actuation system (ESFAS). If the motor-driven feedwater pump (MDFWP) can be an automatic digital diverse back-up for ESFAS, Lungmen NPP would be more robust to defend against software common-cause failure (CCF).     

Aging management of instrumentation & control sensors in nuclear power plants

Pressure to improve plant efficiency and maximize safety and the increasing age of existing NPPs are forcing the global nuclear power industry to confront the challenges of aging - caused by stressors such as temperature, humidity, radiation, electricity, and vibration - in key instrument & control (I&C) components like pressure transmitters, temperature sensors, neutron detectors, and cables. Traditional aging management methods, such as equipment replacement, required the process to be shut down. Recent aging management technologies, collectively known as online monitoring (OLM), enable plants to monitor the condition and aging of their installed I&C while the plant is operating. Developed through R&D initiatives worldwide, such OLM techniques include low- and high-frequency methods that use existing sensors, such as noise analysis; methods based on test or diagnostic sensors, such as for vibration-measuring accelerometers; and methods, such as the power interrupt (PI) test, based on active measurements made by injecting a test signal into the component under test. A review of these aging management methods, their effectiveness, and their interrelation provides a foundation for understanding the next stage in the evolution of OLM: truly integrated hybrid OLM systems capable of robust condition monitoring in both novel and familiar operating conditions.     

An estimation of an operator's action time by using the MARS code in a small break LOCA without a HPSI for a PWR

To estimate the success criteria of an operator's action time for a probabilistic safety/risk assessment (PSA/PRA) of a nuclear power plant, the information from a safety analysis report (SAR) and/or that by using a simplified simulation code such as the MAAP code has been used in a conventional PSA. However, the information from these is often too conservative to perform a realistic PSA for a risk-informed application. To reduce the undue conservatism, the use of a best-estimate thermal hydraulic code has become an essential issue in the latest PSA and it is now recognized as a suitable tool. In the same context, the ‘ASME PRA standard’ also recommends the use of a best-estimate code to improve the quality of a PSA. In Korea, a platform to use a best-estimate thermal hydraulic code called the MARS code has been developed for the PSA of the Korea standard nuclear power plant (KSNP). This study has proposed an estimation method for an operator's action time by using the MARS platform. The typical example case is a small break loss of coolant accident without the high pressure safety injection system, which is one of the most important accident sequences in the PSA of the KSNP. Under the given accident sequence, the operator has to perform a recovery action known as a fast cooldown operation. This study focuses on two aspects regarding an operator's action; one is how they can operate it under some restrictions; the other is how much time is available to mitigate this accident sequence. To assess these aspects, this study considered: (1) the operator's action model and (2) the starting time of the operation. To show an effect due to an operator's action, three kinds of control models (the best-fitting, the conservative, and the proportional-integral) have been assessed. This study shows that the developed method and the platform are useful tools for this type of problem and they can provide a valuable insight related to an operator's actions.     

核电厂数字化安全系统人机接口设计研究

核电厂安全系统人机接口分别与电厂安全系统和整个仪表与控制(I&C)系统人机接口相关。本文对核电厂控制室中数字化安全系统人机接口的设计进行了描述,同时也论述了作为安全系统重要组成部分的反应堆保护系统人机接口的有关设计内容以及在安全系统人机接口设计中应关注的有关要求,并展望了未来在新技术方面的应用发展趋势。