Similar literature
Found 20 similar documents; search took 328 ms
1.
The digitalized Instrumentation and Control (I&C) system of nuclear power plants can provide more powerful overall operation capability and a user-friendly man-machine interface. The operator can obtain more information through the digital I&C system. However, while the I&C system is being digitalized, three issues are encountered: (1) software common-cause failure, (2) the interaction failure between the operator and the digital instrumentation and control system interface, and (3) the non-detectability of software failure. These failures might defeat defense echelons and make the Diversity and Defense-in-Depth (D3) analysis more difficult. This work developed an integrated methodology to evaluate the effect on nuclear power plant safety of interactions between the operator and the digital I&C system, and then to propose improvement recommendations. This integrated methodology includes a component-level software fault tree, a system-level sequence-tree method and nuclear power plant computer simulation analysis. The software fault tree can clarify the software failure structure in digital I&C systems. The sequence-tree method can identify the interaction process and relationship among the operator and I&C systems in each D3 echelon in a design basis event. The nuclear power plant computer simulation analysis method can further analyze the available backup facilities and the allowable manual action duration for the operator when the digital I&C fails to function. Applying this methodology to evaluate the performance of digital nuclear power plant D3 design could promote nuclear power plant operation safety. The operator can then trust the nuclear power plant more than before when operating the highly automatic digital I&C facilities.

2.
Since digital technologies have been improved, the analog systems in nuclear power plants (NPPs) have been replaced with digital systems. Recently, new NPPs have adapted various kinds of digital instrumentation and control (I&C) systems. Even though digital I&C systems have various fault-tolerant techniques for enhancing the system availability and safety compared to conventional analog I&C systems, the effects of these fault-tolerant techniques on system safety have not been properly considered yet in most probabilistic safety assessment models. Therefore, it is necessary to develop the safety evaluation method for digital I&C systems with consideration of fault-tolerant techniques. Among the various issues in the safety model for digital I&C systems, one of the important issues is how to exclude the duplicated effect of fault-tolerant techniques implemented at each hierarchy level of the system. The exact relation between faults and fault-tolerant techniques should be identified in order to exclude this duplicated effect. In this work, the relation between faults and fault-tolerant techniques is identified using fault injection experiments. As an application, the proposed method was applied to a module of a digital reactor protection system.

3.
As digital instrumentation and control (I&C) systems are gradually introduced into nuclear power plants (NPPs), concerns about the I&C systems’ reliability and safety are growing. Fault detection coverage is one of the most critical factors in the probabilistic safety assessment (PSA) of digital I&C systems. To correctly estimate the fault detection coverage, it is first necessary to identify important factors affecting it. From experimental results found in the literature and the authors’ experience in fault injection experiments on digital systems, four system-related factors and four fault-related factors are identified as important factors affecting the fault detection coverage. A fault injection experiment is performed to demonstrate the dependency of fault detection coverage on some of the identified important factors. The implications of the experimental results on the estimation of fault detection coverage for the PSA of digital I&C systems are also explained. The set of four system-related factors and four fault-related factors is expected to provide a framework for systematically comparing and analyzing various fault injection experiments and the resultant estimations on fault detection coverage of digital I&C systems in NPPs.

4.
The instrumentation and control (I&C) systems for the Lungmen nuclear power plant (LMNPP) are fully digitized based on microprocessor and software technology, and extensively utilize multiplexing networks. That is, undetectable software faults and common cause failures due to software errors may occur, and that will defeat the redundancy of a nuclear power plant (NPP). A diverse backup implementation for the digital I&C systems is an important means to defend against undetectable software faults. This paper presents system assessment of a quad-redundant reactor protection system (RPS) design for an Advanced Boiling Water Reactor (ABWR) by utilizing the field programmable gate array (FPGA) technology. The FPGA-based RPS has been assessed by using a full-scope engineering simulator for the LMNPP. Accident scenarios and abnormal conditions are inserted into the engineering simulator in order to activate the function of the FPGA-based RPS. In this study, conceptual design of the proposed quad-redundant FPGA-based RPS, including preliminary hardware architecture, software design and system assessment will be presented. The results demonstrate that the FPGA-based RPS system is a practical approach to implement a diverse backup for the digital I&C system of nuclear power plant applications. Also, the sensitivity study of probabilistic risk assessment (PRA) shows that RPS combined with ARI (Alternative Rod Insertion) contributes significant influence on the core damage frequency (CDF) calculation of LMNPP. The PRA sensitivity study is independent of the RPS technology.

5.
6.
7.
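Research on the Design of the Human-Machine Interface for Digital Safety Systems in Nuclear Power Plants   Total citations: 1, self-citations: 0, citations by others: 1
王远兵 (Wang Yuanbing). 《核动力工程》 (Nuclear Power Engineering), 2003, 24(5): 482-485
The human-machine interface of a nuclear power plant safety system is related both to the plant safety system and to the human-machine interface of the overall instrumentation and control (I&C) system. This paper describes the design of the human-machine interface for digital safety systems in the nuclear power plant control room. It also discusses the relevant design content of the human-machine interface of the reactor protection system, an important part of the safety system, and the requirements that deserve attention in safety system human-machine interface design, and it looks ahead to future trends in the application of new technologies.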

8.
A method of designing and evaluating HMI (human–machine interaction) is proposed for the design in supervisory control of fully digitalized I&C (instrumentation and control) and digitalized human–machine interface system, which is a large-scale complex system in the NPPs (nuclear power plants). The proposed method consists of plant accident scenario simulation, knowledge base establishment, and interaction simulation. The plant accident scenario simulation is to analyze the plant behavior and system sequences under the predefined conditions; the knowledge base is modeled based on the simulation results as human and machine roles; and the interaction simulation is to simulate the interactions such as between operator and plant, operator and technical advisor. The proposed method utilizes the object-oriented software named plant DiD (defense-in-depth) risk monitor with the combination of accident simulation by an advanced nuclear safety analysis code such as RELAP5/MOD4. The practical developments for the details are demonstrated using an example practice for the SBLOCA (small break loss of coolant accident) case of passive safety PWR (pressurized water reactor) AP1000.

9.
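Research on Simulation Testing Technology for the Digital Development of Nuclear Power Plant I&C Systems   Total citations: 2, self-citations: 0, citations by others: 2
史觊 (Shi Ji), 蒋明瑜 (Jiang Mingyu), 马云青 (Ma Yunqing). 《核技术》 (Nuclear Techniques), 2005, 28(2): 163-168
Replacing analog I&C systems with digital instrumentation and control (I&C) in nuclear power plants has become an inevitable trend. This paper analyzes the steam generator mathematical model of a full-scope nuclear power plant simulator and develops a stand-alone real-time simulation system for the nuclear power plant steam generator. This system is coupled with the control system to form an interacting closed-loop system, which provides a simulated object for digital I&C system retrofits and for further study of control schemes. In the simulation, apart from the simulation model, the other hardware and software consist of the real control system. This not only provides theoretical analysis for the digital development of nuclear power plant instrumentation and control (I&C) systems, but also creates favorable conditions for future on-site commissioning work.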

10.
This paper presents the architecture for upgrading the instrumentation and control (I&C) systems of a Korean standard nuclear power plant (KSNP) as an operating nuclear power plant. This paper uses the analysis results of KSNP's I&C systems performed in a previous study. This paper proposes a Preparation–Decision–Design–Assessment (PDDA) process that focuses on quality oriented development, as a cyclical process to develop the architecture. The PDDA was motivated from the practice of architecture-based development used in software engineering fields. In the preparation step of the PDDA, the architecture of digital-based I&C systems was setup for an architectural goal. Single failure criterion and determinism were setup for architectural drivers. In the decision step, defense-in-depth, diversity, redundancy, and independence were determined as architectural tactics to satisfy the single failure criterion, and sequential execution was determined as a tactic to satisfy the determinism. After determining the tactics, the primitive digital-based I&C architecture was determined. In the design step, 17 systems were selected from the KSNP's I&C systems for the upgrade and functionally grouped based on the primitive architecture. The overall architecture was developed to show the deployment of the systems. The detailed architecture of the safety systems was developed by applying a 2-out-of-3 voting logic, and the detailed architecture of the non-safety systems was developed by hot-standby redundancy. While developing the detailed architecture, three ways of signal transmission were determined with proper rationales: hardwire, datalink, and network. In the assessment step, the required network performance, considering the worst-case of data transmission was calculated: the datalink was required by 120 kbps, the safety network by 5 Mbps, and the non-safety network by 60 Mbps. The architecture covered 17 systems out of 22 KSNP's I&C systems. 
The architecture is implementable with the equipment developed in South Korea. The architecture can be used as a model to upgrade the existing I&C systems in a planned, large-scale, and one-shot manner. A more detailed architecture down to software level will be developed in the future.

11.
Recently, digital instrumentation and control systems have been increasingly installed for important safety functions in nuclear power plants such as the reactor protection system (RPS) and the actuation system of the engineered safety features. Since digital devices consist of not only electronic hardware but also software that can control microprocessors, the functions specific to digital equipment such as self-diagnostic functions have been becoming available. These functions were not realized with conventional electric components. On the other hand, it has been found that it is difficult to model the digital equipment reliability in probabilistic risk assessment (PRA) using conventional fault tree analysis technique. OECD/NEA CSNI Working Group of Risk Assessment (WGRisk) set up the task group DIGREL to develop the basis of reliability analysis method of the digital safety system and is now discussing several issues including quantitative dynamic modeling. This paper shows that, taking account of the relationship among the RPS failures, demand after the initiating event, detection of the RPS fault by self-diagnostic or surveillance tests, repair of the RPS components and plant shutdown operation by the plant operators as a stochastic process, the anticipated transient without scram (ATWS) event can be modeled by the event logic fault tree and Markov state-transition diagrams assuming the hypothetical 1-out-of-2 digital RPS.

12.
A system-level PHA using the sequence-tree method is presented to perform safety-related digital I&C system SSA. The conventional PHA involves brainstorming among experts on various portions of the system to identify hazards through discussions. However, since the conventional PHA is not a systematic technique, the analysis results depend strongly on the experts’ subjective opinions. The quality of analysis cannot be appropriately controlled. Therefore, this study presents a system-level sequence tree based PHA, which can clarify the relationship among the major digital I&C systems. This sequence-tree-based technique has two major phases. The first phase adopts a table to analyze each event in SAR Chapter 15 for a specific safety-related I&C system, such as RPS. The second phase adopts a sequence tree to recognize the I&C systems involved in the event, the working of the safety-related systems and how the backup systems can be activated to mitigate the consequence if the primary safety systems fail. The defense-in-depth echelons, namely the Control echelon, Reactor trip echelon, ESFAS echelon and Monitoring and indicator echelon, are arranged to build the sequence-tree structure. All the related I&C systems, including the digital systems and the analog back-up systems, are allocated in their specific echelons. This system-centric sequence-tree analysis not only systematically identifies preliminary hazards, but also vulnerabilities in a nuclear power plant. Hence, an effective simplified D3 evaluation can also be conducted.

13.
This paper presents an overview of instrumentation and control (I&C) systems of a pressurized water reactor (PWR) type nuclear power plant (NPP) in Korea. Yonggwang unit 3, which was constructed as a basis model for a Korea standard nuclear power plant (KSNP), is selected as an example for the presentation. This overview is derived from analyzing the I&C systems based on a top-down approach. The I&C systems consist of 30 systems. The 183 I&C cabinets are also analyzed and mapped to the systems. The overview is focused on an interface between the systems and the cabinets. This information will be used to understand the implementation of the I&C systems and to group the systems for an upgrade.

14.
Pressure to improve plant efficiency and maximize safety and the increasing age of existing NPPs are forcing the global nuclear power industry to confront the challenges of aging - caused by stressors such as temperature, humidity, radiation, electricity, and vibration - in key instrument & control (I&C) components like pressure transmitters, temperature sensors, neutron detectors, and cables. Traditional aging management methods, such as equipment replacement, required the process to be shut down. Recent aging management technologies, collectively known as online monitoring (OLM), enable plants to monitor the condition and aging of their installed I&C while the plant is operating. Developed through R&D initiatives worldwide, such OLM techniques include low- and high-frequency methods that use existing sensors, such as noise analysis; methods based on test or diagnostic sensors, such as for vibration-measuring accelerometers; and methods, such as the power interrupt (PI) test, based on active measurements made by injecting a test signal into the component under test. A review of these aging management methods, their effectiveness, and their interrelation provides a foundation for understanding the next stage in the evolution of OLM: truly integrated hybrid OLM systems capable of robust condition monitoring in both novel and familiar operating conditions.

15.
One of the major concerns when employing a digital I&C system in a nuclear power plant is that the digital system may introduce new failure modes, which differ from those of the previous analog I&C system. Various techniques are under development to analyze the hazards originating from software faults in digital systems. Preliminary hazard analysis, failure modes and effects analysis, and fault tree analysis are the most extensively used techniques. However, these techniques are static analysis methods and cannot perform dynamic analysis or analyze the interactions among systems. This research utilizes the “simulator/plant model testing” technique classified in (IEEE Std 7-4.3.2-2003, 2003. IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations) to identify hazards which might be induced by nuclear I&C software defects. The recirculation flow system, control rod system, feedwater system, steam line model, dynamic power-core flow map, and related control systems of the PCTran–ABWR model were successfully extended and improved. The benchmark against the ABWR SAR proves that this modified model is capable of accomplishing dynamic system-level software safety analysis and is better than the static methods. This improved plant simulation can then further be applied to hazard analysis for the operator/digital I&C interface interaction failure study, and the hardware-in-the-loop fault injection study.

16.
Full-scope digital instrumentation and controls system (I&C) technique is being introduced in Chinese new constructed Nuclear Power Plant (NPP), which mainly includes three parts: control system, reactor protection system and engineered safety feature actuation system. For example, SIEMENS TELEPERM XP and XS distributed control system (DCS) have been used in Ling Ao Phase II NPP, which is located in Guangdong province, China. This is the first NPP project in China that Chinese engineers are fully responsible for all the configuration of actual analog and logic diagram, although experience in NPP full-scope digital I&C is very limited. For the safety, it has to be made sure that configuration is right and control functions can be accomplished before the phase of real plant testing on reactor. Therefore, primary verification and validation (V&V) of I&C needs to be carried out. Except the common and basic way, i.e. checking the diagram configuration one by one according to original design, NPP engineering simulator is applied as another effective approach of V&V. For this purpose, a virtual NPP thermal-hydraulic model is established as a basis according to Ling Ao Phase II NPP design, and the NPP simulation tools can provide plant operation parameters to DCS, accept control signal from I&C and give response. During the test, one set of data acquisition equipments are used to build a connection between the engineering simulator (software) and SIEMENS DCS I/O cabinet (hardware). In this emulation, original diagram configuration in DCS and field hardware structures are kept unchanged. In this way, firstly judging whether there are some problems by observing the input and output of DCS without knowing the internal configuration. Then secondly, problems can be found and corrected by understanding and checking the exact and complex configuration in detail. At last, the correctness and functionality of the control system are verified. 
This method is also very convenient for expansion to other type digital I&C V&V. This paper is mainly focused on V&V of closed-loop control systems in full-scope DCS and several detailed reactor control (RRC) systems, including pressurizer pressure and water level control, steam generator water level control. The V&V works were carried out by applying engineering simulator. This paper describes the structure and function of the simulator, V&V procedure, results analysis and problems identified. Through the actual on-line virtual closed-loop testing on Ling Ao Phase II NPP project, many problems of DCS configuration were found and solved. And it proved that V&V based on engineering simulator enables significant time saving, improves economics and safety in the phase of engineering debugging.

17.
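Application Status and Development Trends of Digital Instrumentation and Control Systems in Nuclear Power Plants   Total citations: 2, self-citations: 0, citations by others: 2
杨岐 (Yang Qi). 《核动力工程》 (Nuclear Power Engineering), 1998, 19(2): 124-129
In June 1996, in the proposals recommended for the Yangjiang nuclear power plant in Guangdong, the three companies Framatome, ABB/CE and Westinghouse all adopted digital instrumentation and control systems. To draw further attention and reflection from the nuclear power community, this paper briefly introduces the advantages of digital instrumentation and control systems, their application abroad and the state of research in China. It also puts forward several countermeasures that China should adopt, for colleagues to study.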

18.
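Supervising the health status of important nuclear power plant systems, ensuring that the performance of system equipment can reliably meet the plant's safety and power generation goals, implementing the plant's maintenance rule, and improving the reliability of plant equipment together form an important link in the nuclear power plant equipment reliability management system AP-913. To further advance the optimization of nuclear power plant equipment management, and based on the guiding ideas of the equipment reliability management process AP-913 combined with the plant equipment reliability management improvement currently under way at 中国核电 (China Nuclear Power), this paper studies nuclear power plant system supervision. It explains the concept and purpose of system supervision, gives an implementation process for system supervision suited to nuclear power plants in China, and, starting from the actual plant systems and equipment, summarizes in particular the methods for developing a system supervision plan. This helps advance equipment reliability management at plants across the industry and optimize the performance objectives for nuclear power plant equipment reliability specified by WANO, thereby improving plant operating performance.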

19.
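Electromagnetic interference (EMI) has a significant effect on nuclear power plant I&C equipment. At some nuclear power plants, EMI has caused false alarms from protection equipment and spurious actuation or failure to actuate of protection systems, resulting in spurious turbine trips and even reactor trips. Targeted solutions must therefore be developed for each EMI source. Taking interference with the temperature measurement elements at a nuclear power plant as an example, this paper uses a step-by-step approach to find and locate the interference source, analyze the interference characteristics, and finally propose a solution. Measures such as improving the grounding of important protection signals and issuing EMI-prevention management rules for operating units have greatly reduced the impact of EMI on operating plant equipment.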

20.
A frame-based technique, including physical frame, logical frame, and cognitive frame, was adopted to perform digital I&C failure events derivation and analysis for generic ABWR. The physical frame was structured with a modified PCTran-ABWR plant simulation code, which was extended and enhanced on the feedwater system, recirculation system, and steam line system. The logical model is structured with MATLAB, which was incorporated into PCTran-ABWR to improve the pressure control system, feedwater control system, recirculation control system, and automated power regulation control system. As a result, the software failure of these digital control systems can be properly simulated and analyzed. The cognitive frame was simulated by the operator awareness status in the scenarios. Moreover, via an internal characteristics tuning technique, the modified PCTran-ABWR can precisely reflect the characteristics of the power-core flow. Hence, in addition to the transient plots, the analysis results can then be demonstrated on the power-core flow map. A number of postulated I&C system software failure events were derived to achieve the dynamic analyses. The basis for event derivation includes the published classification for software anomalies, the digital I&C design data for ABWR, chapter 15 accident analysis of generic SAR, and the reported NPP I&C software failure events. The case study of this research includes: (1) the software CMF analysis for the major digital control systems; and (2) postulated ABWR digital I&C software failure events derivation from the actual happening of non-ABWR digital I&C software failure events, which were reported to LER of USNRC or IRS of IAEA. These events were analyzed by PCTran-ABWR. Conflicts among plant status, computer status, and human cognitive status are successfully identified. The operator might not easily recognize the abnormal condition, because the computer status seems to progress normally. 
However, a well trained operator can become aware of the abnormal condition with the inconsistent physical parameters; and then can take early corrective actions to avoid the system hazard. This paper also discusses the advantage of simulation-based method, which can investigate more in-depth dynamic behavior of digital I&C system than other approaches. Some unanticipated interactions can be observed by this method.
