
Risk-Informed Design Issues of Digital Instrumentation and Control System in Nuclear Power Plant

Danying Gu, Ming Hu, Binbin Zhang, Shuhui Zhang

Shanghai Nuclear Engineering Research and Design Institute,
29 Hongcao Rd, Shanghai, P.R. China, 200233
gudanying@snerdi.com.cn; huming@snerdi.com.cn; zhangbb@snerdi.com.cn; zhangsh@snerdi.com.cn

ABSTRACT

With the increasing use of digital instrumentation and control (I&C) technologies, the reliability and safety analysis of digital I&C systems in nuclear power plants has become one of the most challenging issues. One significant reason is that digital systems have unique failure modes arising from the combination of hardware components and software. Common cause failures (CCF) can propagate to multiple safety channels and divisions, thereby defeating the defense-in-depth and diversity that was considered adequate for an analog I&C system. Furthermore, commonly used hardware redundancy techniques may not improve software reliability. Probabilistic Safety Assessment (PSA) techniques are frequently used in the nuclear industry to assess the relative effects of contributing events on system reliability and plant risk. For the reliability and safety analysis of I&C systems, the introduction of the risk concept and the application of PSA methodology deserve further investigation. The China Nuclear Safety Administration also attaches importance to applying risk-informed decision-making technology and PSA methods to digital I&C system safety evaluation and risk regulation, especially for the new third-generation reactors under construction in China. As a key research and design institute in China, Shanghai Nuclear Engineering Research and Design Institute (SNERDI) has carried out PSA studies for many NPPs. It is now focusing on risk assessment methods that apply PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and on risk-informed design methods for digital I&C systems in NPPs, such as system structure design and hardware and software reliability analysis. This paper presents our research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design.

Firstly, our insights into digital I&C system risk assessment are provided, including the concept and characteristics of risk-informed technology and the relationship between risk-informed technology and PSA. Secondly, a survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is introduced. Thirdly, some key points and challenging issues of risk-informed digital I&C system design, especially for implementation in Chinese NPPs, are discussed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in Chinese NPPs.

Key Words: probabilistic safety assessment (PSA), digital instrumentation and control (I&C) systems, risk-informed, common cause failure (CCF), failure mode

NPIC&HMIT 2012, San Diego, CA, July 22-26, 2012


1. INTRODUCTION

The instrumentation and control (I&C) system is one of the most important systems of a nuclear power plant (NPP). The I&C system collects and monitors instrument data and controls plant operations in compliance with the engineered safety and protection functions. Although NPP technology has been well developed since the 1960s, it is continually being improved to be safer and more economical, because a reactor holds a very large amount of radioactive nuclear fuel and is an engineering system of great complexity. Following changes in the global energy situation, nuclear power has become necessary and dependable, and China has decided to make nuclear power part of its energy solution. Safety has therefore been addressed as the first priority, and it plays an important role in China's energy structure, environmental health protection, clean energy technology and the improvement of power generation technology. Compared with other industries, the safety requirements of an NPP are quite different. As digital technologies have recently been introduced to nuclear power plants, plant safety and reliability have improved, but many issues related to risk analysis of the digitalized safety-critical systems in NPPs have arisen, such as software reliability. As a state-of-the-art technology, a digital I&C system should have at least the same safety and reliability capability as the analog system. The core issue, how to find a proper quantitative method to estimate and evaluate safety and reliability, has become a worldwide concern as failure modes involving both hardware and software have been discovered. The issue is much tougher when multiple plant systems are all implemented by software-based digital systems, combining the statistical evaluation of computer fault data with the estimation and verification of common cause failure. Various safety analysis methods have been created for NPPs in the past.

The accepted solution is Probabilistic Safety Assessment (PSA), which uses probabilistic and statistical methods to quantitatively analyze and estimate the likelihood of an NPP's design basis accidents (DBA) and their consequences. It is also a U.S. Nuclear Regulatory Commission (NRC) approved method that has already been used for NPP licensing. Therefore, the NRC and industry both hope that a reasonable PSA solution can be used in current and future digital I&C system reviews and licensing to support decision-making. The difficulties are that the NRC has not yet issued a viable regulatory guide, and that the recommended version of the current digital I&C system PSA method has not been widely accepted by the NPP industry. The risk-informed method defines a process that gives a mathematical analysis and numerical results for the variation of risk caused by NPP design changes. After Japan's Fukushima accident, the biggest nuclear accident in nuclear history, all countries with nuclear power plants are self-checking their safety condition under post-accident scenarios. As a key research and design institute in China, SNERDI has carried out PSA studies for many NPPs. It is now focusing on risk assessment methods that apply PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and on risk-informed design methods for digital I&C systems in NPPs, such as system structure design and hardware and software reliability analysis. This paper presents the research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design. Insights into digital I&C system risk assessment are provided, a survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is introduced, and some key points and challenging issues of risk-informed digital I&C system design are addressed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in Chinese NPPs.


2. CURRENT STATE OF RESEARCH

2.1 Digital I&C Key Technology Research of NRC


To regulate the application of digital I&C technology and to promote the development and application of digital I&C systems in nuclear power plants while ensuring safe and economical operation, the U.S., France and other countries have each established their own set of applicable design and verification laws, guides and standards. The publication and implementation of these new laws and standards, together with the Utility Requirements Document (URD) of the USA and the European Utility Requirements (EUR) of Europe, regulate the requirements and direction of design, production and review. Led by the USA, the NRC's identification and study of key issues in digital I&C applications in NPPs usually provide forward-looking and valuable references for the study of key digital I&C technologies. In January 2007 the U.S. Nuclear Regulatory Commission (NRC) established a digital instrumentation and control (I&C) steering committee to provide management and guidance focused on NRC regulatory activities, key industry issues and the resolution of technical challenges. After a series of discussions, the NRC identified seven topics and formed a task working group responsible for each topic, to develop seven Interim Staff Guidance (ISG) documents for the review of digital I&C technology for new reactors, operating reactors and fuel cycle facilities. These seven ISGs, covering Cyber Security, Diversity and Defense-in-Depth, Risk-Informed Digital I&C, Highly-Integrated Control Room Communications, Highly-Integrated Control Room Human Factors, Licensing Process Issues, and Fuel Cycle Facilities, provide viable solutions and related standards, and will be continuously revised as better solutions and technologies become available.

2.2 PSA/PRA Research

2.2.1 History of PSA

Current operating plants and new reactors mostly use deterministic methodologies for the safety evaluation of digital I&C systems, which manage system failure by controlling the process of digital I&C development, testing, deployment and maintenance. In contrast, DI&C-ISG-03 [3] is a guidance document based on production and development that provides a design approach to enhance the diversity and quality assurance of hardware and software in order to prevent system failures and common cause failures. The ISG-03 guidance falls within the NRC's defense-in-depth and diversity regulatory guides: it identifies the weak key points that cause safety failures and then applies multiple solutions to those points. However, fully complying with ISG-03 requires extra cost and manpower to determine the sufficiency of diversity and defense-in-depth. In the 1960s, following deeper development of knowledge about dependability, risk assessment and probability, nuclear power plants started to use a comprehensive and objective technique for safety assessment, the probabilistic safety assessment (PSA). PSA, also called probabilistic risk analysis (PRA), is a method that quantitatively and qualitatively analyzes NPP risk related to plant operation and maintenance activities. The PSA analysis estimates numerical probability values based on the initiating event frequencies under pre-defined scenarios. According to the IAEA, the PSA method provides an integrated, standardized solution to predict the situations of an NPP failure in a design basis accident scenario, and furthermore gives a calculated result for the risk to plant operating staff and the public when an accident happens at an NPP.

In more detail, the data analyzed by PSA include a great deal of NPP information, such as initiating event frequencies, NPP design characteristics, experience and historical records of plant operation, equipment reliability data, general human errors, the effects of radioactive material released from the plant to the public environment, and further factors that were not fully considered by other methods.


In 1995, the U.S. Nuclear Regulatory Commission (NRC) issued the Probabilistic Risk Assessment (PRA) Policy Statement, which encourages the increased use of PRA and associated analyses in all regulatory matters to the extent supported by the state of the art in PRA and the data. This policy applies, in part, to the review of digital systems, which offer the potential to improve nuclear power plant safety and reliability through such features as increased hardware reliability and stability and improved failure detection capability. However, there are presently no universally accepted methods for modeling digital systems in current-generation nuclear power plant PRAs. Further, there are ongoing debates in the PRA technical community regarding the level of detail that a digital system reliability model should have to adequately represent the complex system interactions that can contribute to digital system failure modes. Moreover, for PRA modeling of digital reactor protection and control systems, direct interactions between system components and indirect interactions through the controlled or supervised plant processes may necessitate the use of dynamic PRA methodologies. In response to the Commission's PRA policy statement, the NRC developed the related regulatory guides (RG 1.174, 1.175, 1.176 and 1.177) and Standard Review Plan (SRP) Chapter 19. They cover four areas of risk-informed decision-making in PSA applications: general guidance, inservice testing, graded quality assurance, and technical specifications. The purpose of this set of guidance is to describe a way to reduce unnecessary conservatism that has no safety benefit. All of these actions put the PSA solution on the track of developing nuclear plant I&C system reliability analysis, as the safety concerns of digital systems become more and more significant to overall plant safety.

2.2.2 NRC's PSA Research

Task Working Group (TWG) 3 of the U.S. NRC digital I&C steering committee was formed in 2007. Its primary responsibility is to process and resolve the issues related to risk-informed assessment of digital I&C systems that arise from the NRC's PRA policy statement, which supports technology that represents the state of the art for digital systems. Risk-informed assessment is also a complement to deterministic methodologies and traditional defense-in-depth. Task Working Group 3 is addressing the following key problems:

PROBLEM 1: Modeling Digital Systems in PRA. Existing guidance does not provide sufficient clarity on how to use current methods to properly model digital systems in PRAs for design certification applications or combined license (COL) applications under Part 52. The issue includes addressing common-cause failure modeling and uncertainty analysis associated with digital systems.

PROBLEM 2: Risk Insights. Using current PRA methods, the NRC has not determined how or whether risk insights can be used to assist in the resolution of specific key digital system issues.

PROBLEM 3: State of the Art. An acceptable state-of-the-art method for detailed modeling of digital systems has not been established. An advancement in the state of the art is needed to permit a comprehensive risk-informed decision-making framework in licensing reviews of digital systems. [9]

After listing the above three problems, Task Working Group 3 devoted its work to finding an acceptable solution. The published NRC Interim Staff Guidance ISG-03 only describes a potential safety-related PRA method for digital I&C systems. The main purpose of the interim staff guidance is to provide a specific guide for NRC review staff to evaluate digital I&C PRA technology. ISG-03 is consistent with the newest NRC regulations, 10 CFR Part 52 for the risk-informed review of new reactors, and with the policy on PRA safety goals. However, it contains no specific graded areas and no criteria for the technical acceptability of digital I&C systems; therefore, it cannot be used to support risk-informed decision-making.


NRC review staff consider that the timing and basis for applying the risk-informed methodology are not yet mature. The traditional solution of using diversity, defense-in-depth and redundancy technologies still works well, and it only needs enhanced requirements to keep the deterministic method able to address the uncertainty of digital I&C systems. Replacing it with the new risk-informed decision-making technology for new reactor reviews has not yet happened. Thus, the long-term goal is for Group 3 to produce a viable regulatory guide on risk insights and risk-informed review.

3. DIGITAL I&C SYSTEM RELIABILITY ANALYSIS TECHNOLOGY

Reliability engineering can give a plant engineer an understanding of system condition when equipment and hardware are in failure states. China has a national standard, GB 9225, the general principles for reliability analysis of nuclear power plant safety related systems. It defines qualitative system reliability analysis as the method used to estimate the possible paths by which a system could fail, and how to prevent them, in order to reduce the frequency and the consequences of failure. The most common reliability analysis techniques are Failure Mode and Effect Analysis (FMEA), Fault Tree Analysis, and the Markov analysis method. Because FMEA and Fault Tree Analysis are simple and do not require advanced mathematics, their combination has been used in most NPP licensing analyses.

3.1 FMEA Technology

FMEA technology was first presented in the 1950s. It was used in the design analysis of U.S. fighter jet operating systems and gave very good results. During system or equipment design, FMEA analyzes all potential failure modes and their effects on the functions of the product's component units. FMEA also classifies the modes into categories by severity level, each with a preventive action, in order to improve the reliability of the system or equipment. There are two basic analysis methods, the hardware method and the function method, and for complex cases the two are very often combined. The features of FMEA are:
- it ensures that all potential failures and their effects on the system are considered and listed;
- it helps in selecting highly reliable and safe designs;
- it helps in preparing the test plan;
- it supports quantitative reliability and availability analysis;
- it provides historical records for future local failure analysis and design change information.

3.2 Fault Tree Analysis Technology

Fault tree analysis is a method that connects graphical displays of the analyzed failure mode information with its results. The fault tree is a system failure model that organizes Boolean failure logic diagrams representing the events which trigger a specified top event of the system. Its advantages are:
- it is a deductive method for finding failure events;
- it is intuitive and simple;
- its mathematical model displays how the system fails;
- it is the most widely used method of reliability analysis;
- it can provide documentation consistent with the failure characteristics of the design.

3.3 Dynamic PSA

Dynamic methodologies are defined as those that explicitly account for the time element in probabilistic system evolution. Dynamic methodologies are usually needed when the system has more than one failure mode, control loops and/or hardware/process/software/human interaction. Typical dynamic PSA approaches include the Markov/CCMT approach, the dynamic flowgraph methodology (DFM), the dynamic event tree approach, and so on. Among these approaches, the Markov/CCMT approach is widely used, showing the transitions of the system from the normal state to failed states. This approach models reliability and safety with a graphical state diagram. The Markov/CCMT method can model non-maintainable, partially maintainable and fully maintainable systems, or, as required, it can use multiple failure states to build the failure model.
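As an added illustration of the Markov approach described above (example code written for this page, not from the paper or from any CCMT tool), the following models a two-channel redundant digital I&C unit as a continuous-time Markov chain and integrates its state probabilities over time, so the non-maintainable and maintainable cases can be compared. The state layout, the failure rate, the common cause failure rate and the repair rate are all constructed assumptions.

```python
"""Markov state model of a two-channel redundant digital I&C unit.

Added example for this page; the rates are constructed values, not data
from the paper.  States:
  0 - both channels operating
  1 - one channel failed (the unit still performs its function)
  2 - both channels failed (loss of function)
Transitions (per hour):
  0 -> 1  2*lam     independent failure of either channel
  1 -> 2  lam       independent failure of the remaining channel
  0 -> 2  lam_ccf   common cause failure takes both channels at once
  1 -> 0  mu        repair of the failed channel
  2 -> 1  mu        repair of one channel after loss of function
Setting mu = 0 gives the non-maintainable case.
"""
import math


def two_channel_generator(lam, lam_ccf, mu):
    """Build the 3x3 generator matrix Q (each row sums to zero)."""
    q = [[0.0] * 3 for _ in range(3)]
    q[0][1] = 2.0 * lam
    q[0][2] = lam_ccf
    q[1][2] = lam
    q[1][0] = mu
    q[2][1] = mu
    for i in range(3):
        q[i][i] = -sum(q[i][j] for j in range(3) if j != i)
    return q


def integrate(q, p0, t_end, dt):
    """Solve the Kolmogorov forward equations dp/dt = p.Q with classical RK4."""
    n = len(q)

    def deriv(p):
        return [sum(p[i] * q[i][j] for i in range(n)) for j in range(n)]

    p = list(p0)
    for _ in range(int(round(t_end / dt))):
        k1 = deriv(p)
        k2 = deriv([p[i] + 0.5 * dt * k1[i] for i in range(n)])
        k3 = deriv([p[i] + 0.5 * dt * k2[i] for i in range(n)])
        k4 = deriv([p[i] + dt * k3[i] for i in range(n)])
        p = [p[i] + dt / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(n)]
    return p


def loss_of_function_probability(lam, lam_ccf, mu, t_hours, dt=0.5):
    """Probability of being in state 2 at time t, starting with both channels up."""
    q = two_channel_generator(lam, lam_ccf, mu)
    return integrate(q, [1.0, 0.0, 0.0], t_hours, dt)[2]


def closed_form_no_ccf_no_repair(lam, t_hours):
    """Check value: with no CCF and no repair both channels must fail independently."""
    return (1.0 - math.exp(-lam * t_hours)) ** 2


if __name__ == "__main__":
    lam, lam_ccf, mu, mission = 1e-4, 1e-5, 0.05, 1000.0
    print("non-maintainable, no CCF  :", loss_of_function_probability(lam, 0.0, 0.0, mission))
    print("non-maintainable, with CCF:", loss_of_function_probability(lam, lam_ccf, 0.0, mission))
    print("maintainable, with CCF    :", loss_of_function_probability(lam, lam_ccf, mu, mission))
```

With repair the loss-of-function probability levels off at a steady-state unavailability, whereas without repair it keeps growing over the mission time; that time dependence is what a static fault tree does not show.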

4. KEY ISSUES OF THE RESEARCH IN RISK-INFORMED DIGITAL I&C DESIGN

In China, PSA study of digital I&C systems in NPPs started only a short time ago, so the technology is still under research and development, and many potential problems have not yet been solved. Based on the current technology basis and engineering project requirements, this paper summarizes the following key issues and research points.

4.1 Modeling and Evaluation Method of Digital I&C

The NRC and the nuclear industry all hope to have risk-informed decision-making methods that can be used to review digital I&C systems. According to the risk-informed guidance, the current simulation models of digital systems, common cause failure and its level of detail, reliability data, uncertainty, and the interface with other portions of the PSA are still covered only by the Interim Staff Guidance or in limited form. The key issues in modeling a digital system may include the following problems that need to be addressed. Preparing a complete logical identification of the specific event with a DFM deterministic model, as a pre-computation for the Markov/CCMT simulation, is the preliminary step of the dynamic PSA method. Figure 1 shows the process flow diagram for using both the DFM and Markov/CCMT methods. [10] To create a model that is highly sensitive and responsive to the time element in PSA analysis, the model should include the interactive relationships that affect the failure modes of the digital system. Additionally, the dynamic PSA analysis model requires all control initiation times, which are provided by other NPP simulation models. This turns the PSA analysis into one that depends on simulated probability-affecting elements, and the result may decrease the independence and accuracy of the PSA model. Therefore, in order to have a better PSA model, the functions of the system components and the control and monitoring of the NPP process under different time-dependent scenarios should be included in the model, which necessarily increases the model's complexity. Obviously, the time element has another influence as well. The feedback of closed-loop control is strongly affected by time; it varies with the event or accident scenario, the availability of the integrated components and the self-test response time. Thus a control system with closed-loop control logic fits the dynamic PSA method better than a safety-related protection and monitoring system, because the PMS's control logic flow is one-directional and open-loop. There is a gap between digital system reliability analysis and other monitoring and control systems. So, once the PSA model does not include enough detail, its results cannot be considered a strong reference for risk-informed decision-making. Which method is better or can be comprehensively accepted? What is the best balance of accuracy and complexity? These remain the challenging questions.

Figure 1. Flow diagram for using both DFM and Markov/CCMT

The conventional ET/FT method has been universally used to develop full-scope PSA models for nuclear power plants. In fact, the ET/FT method may yield satisfactory results for most systems that do not include dynamic interactions between the systems and plant physical processes, or between the components of the systems themselves. [11] For systems that include dynamic interactions (e.g. digital I&C systems), it may be acceptable for the systems to be modeled by dynamic methodologies and the results integrated into the conventional ET/FT model. However, the issues listed below need further research and improvement.
1) Compared with conventional methodologies, it is more difficult and time-consuming for analysts to implement dynamic methodologies. Therefore, it is necessary to formulate guidance for identifying the scope and level of application of dynamic methodologies.
2) No single dynamic method can solve all the problems in the digital I&C system modeling process. Consequently, for those specific cases that are suitable for dynamic methodologies, widely accepted criteria are needed to help determine which dynamic method is more applicable.
3) Technical standards are then required in order to standardize the implementation details.

4.2 Software Reliability Research

Knight and Leveson [8] demonstrated that the probability of failure cannot be changed merely by adopting a redundant software platform or by designing a different type of software. Operating experience with existing systems has also proved that eliminating all potential failure modes in a complex digital system is not possible. There is always a chance of a system failing under off-design conditions, or in untested or unused environments. Thus we consider that a system failure is very likely to appear when such off-design conditions occur in a system with a very large number of NPP I&C inputs and outputs. Since a digital I&C system, including its software, is unique when it comes to evaluation, using data from one system to estimate another is meaningless. Similarly, using the same set of statistical data in two different environments and conditions gives no acceptable prediction results.


A combined software and hardware system does not gain more software failures as the hardware ages. If failures are triggered by common causes embedded in the system's software itself, redundant processing subsystems will not prevent the failures from occurring. Thus, the general methods of designing a hardware system with redundant capability are not useful for improving software reliability. The NRC's ISG-03 notes that common cause failures of a digital I&C system may affect systems, communications, equipment and parts, and trains simultaneously. The effective solutions for software reliability improvement in this guidance are to increase the design quality of the software and of the digital system development process in order to prevent, avoid and contain failure effects. Because these processes and methods have not yet been proved, establishing acceptable guidance for digital I&C systems needs to consider the overall system features.
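To make the point about redundancy and common cause failure concrete, and to illustrate the fault tree method of Section 3.2, here is an added example (written for this page, not from the paper or from ISG-03) that derives minimal cut sets from a small fault tree for a redundant protection unit and evaluates the top event with a beta-factor hardware CCF and a shared software CCF. The channel failure probabilities, the beta value, the software CCF probability and the "loss if k of n channels fail" criterion are constructed assumptions.

```python
"""Fault tree with common cause failure (CCF) for a redundant protection unit.

Added example for this page; all probabilities are constructed assumptions.
Gates are nested tuples ("AND", ...), ("OR", ...), ("KOFN", k, ...); basic
events are strings.  Every channel runs identical software, so one event
SW_CCF fails all channels at once; hardware CCF uses the beta-factor model,
assigning a fraction beta of the per-channel probability q_hw to HW_CCF.
"""
from itertools import combinations, product


def basic_events(node):
    """Set of basic-event names appearing under a gate."""
    if isinstance(node, str):
        return {node}
    gate, *args = node
    children = args[1:] if gate == "KOFN" else args
    return set().union(*(basic_events(c) for c in children))


def evaluate(node, state):
    """Evaluate the tree for one assignment of basic events (True = failed)."""
    if isinstance(node, str):
        return state[node]
    gate, *args = node
    if gate == "OR":
        return any(evaluate(c, state) for c in args)
    if gate == "AND":
        return all(evaluate(c, state) for c in args)
    if gate == "KOFN":
        k, *children = args
        return sum(evaluate(c, state) for c in children) >= k
    raise ValueError(f"unknown gate {gate}")


def minimal_cut_sets(node):
    """Expand the Boolean structure into minimal cut sets (frozensets)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, *args = node
    if gate == "OR":
        sets = [cs for c in args for cs in minimal_cut_sets(c)]
    elif gate == "AND":
        sets = [frozenset()]
        for c in args:
            sets = [a | b for a in sets for b in minimal_cut_sets(c)]
    elif gate == "KOFN":
        k, *children = args
        sets = [cs for combo in combinations(children, k)
                for cs in minimal_cut_sets(("AND",) + combo)]
    else:
        raise ValueError(f"unknown gate {gate}")
    minimal = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in minimal):  # drop supersets of smaller cut sets
            minimal.append(s)
    return minimal


def exact_top_probability(node, probs):
    """Exact top-event probability by enumerating all basic-event states."""
    events = sorted(basic_events(node))
    total = 0.0
    for bits in product((False, True), repeat=len(events)):
        if evaluate(node, dict(zip(events, bits))):
            weight = 1.0
            for e, failed in zip(events, bits):
                weight *= probs[e] if failed else 1.0 - probs[e]
            total += weight
    return total


def protection_tree(n_channels, channels_for_loss):
    """Loss of function: enough channels fail independently, or a CCF hits all."""
    channels = [f"CH{i}" for i in range(1, n_channels + 1)]
    return ("OR", ("KOFN", channels_for_loss, *channels), "HW_CCF", "SW_CCF")


def loss_probability(n_channels, channels_for_loss, q_hw=1e-3, beta=0.05, q_sw=1e-4):
    """Top-event probability with beta-factor hardware CCF and shared software CCF."""
    probs = {f"CH{i}": (1.0 - beta) * q_hw for i in range(1, n_channels + 1)}
    probs["HW_CCF"] = beta * q_hw
    probs["SW_CCF"] = q_sw
    return exact_top_probability(protection_tree(n_channels, channels_for_loss), probs)


if __name__ == "__main__":
    for n, k in ((2, 2), (4, 3)):
        cuts = minimal_cut_sets(protection_tree(n, k))
        print(f"{n} channels, loss if {k} fail: {len(cuts)} minimal cut sets, "
              f"P(loss) = {loss_probability(n, k):.3e} with CCF, "
              f"{loss_probability(n, k, beta=0.0, q_sw=0.0):.3e} without")
```

Going from two channels to four barely changes the result once the CCF events are in the tree, because the single-event cut sets HW_CCF and SW_CCF dominate; without them the same added redundancy reduces the loss probability by more than two orders of magnitude.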

4.3 PSA and Digital I&C Structures

The actual purpose of digital I&C system PSA modeling and evaluation is to support safety and reliability insights into I&C systems. It guides the special design change measures for variations of the I&C system that may affect the risk of the nuclear power plant; in other words, it guides digital I&C system design through risk-informed decision-making. Figure 2 shows the risk-informed design process for a digital I&C system.

Figure 2. Risk-informed digital I&C system design process (figure elements: regulation, standards and guidelines; operational experience feedback; deterministic inputs: design basis, safety criteria, defense-in-depth and diversity (D3), regulatory issues, safety margin; probabilistic inputs: probability goal, risk assessment, PSA qualitative assessment and scope; organization: usability, management, training and procedures; others: security, radiation level, economics, research application; digital I&C system design; integrated decision-making; performance monitoring; modification; design complementation)


Although risk-informed decision-making has not yet been applied to operating NPPs or newly built reactors, and the argument about the significance of dynamic PSA for digital I&C systems is still ongoing, studying the risk-informed method based on ISG-03 is our future work, and most importantly, it aims to find the grading and the technical acceptability criteria for digital I&C systems in NPPs.

5. CONCLUSIONS

Because the software and hardware failure modes of the digital instrumentation and control system of a nuclear power plant are very complicated, how to use the PSA method to model and evaluate the failures has become the most challenging issue in the nuclear industry in recent years. Especially since the U.S. NRC published the Interim Staff Guidance introducing the new technology of risk-informed decision-making, it has become a highly focused research topic. After summarizing digital I&C system failure modes, failure causes, risk estimation and PSA modeling, and reliability evaluation, a few important risk-informed digital I&C system design issues have been addressed. This will lead digital I&C research in a direction and to areas that will then improve digital system design in China.

ACKNOWLEDGMENTS

This research is supported by SNPTC innovation project SNP-KJ-CX-2011-0006.

REFERENCES

1. NRC Policy Statement, "Use of Probabilistic Risk Assessment Method in Nuclear Regulatory Activities," 60 Federal Register (FR) 42622, August 16, 1995.
2. DI&C-ISG-01, "Interim Staff Guidance on Digital Instrumentation and Control: Cyber Security," December 31, 2007.
3. DI&C-ISG-02, "Interim Staff Guidance on Diversity and Defense-in-Depth Issues," September 26, 2007.
4. DI&C-ISG-03, "Interim Staff Guidance on Review of New Reactor Digital Instrumentation and Control Probabilistic Risk Assessments," August 11, 2008.
5. DI&C-ISG-04, "Interim Staff Guidance on Highly-Integrated Control Rooms: Communications Issues (HICRc)," September 28, 2007.
6. DI&C-ISG-05, "Interim Staff Guidance on Highly-Integrated Control Rooms: Human Factors Issues (HICR-HF)," September 28, 2007.
7. Yongzhong Ren, Cuifang Wang, "Key Points of Digital Technology in Nuclear Power Plant Safety System," Instrument Standardization & Metrology, May 2009.
8. John C. Knight and Nancy G. Leveson, "An experimental evaluation of the assumption of independence in multi-version programming," IEEE Transactions on Software Engineering, SE-12(1):96-109, January 1996.
9. ML071900253, "Project Plan Digital Instrumentation and Control," approved by the Digital I&C Steering Committee, December 2007.
10. T. Aldemir, S. Guarro, D. Mandelli, "Probabilistic risk assessment modeling of digital instrumentation and control systems using two dynamic methodologies," Elsevier, April 2010.
11. NUREG/CR-6901, "Current State of Reliability Modeling Methodologies for Digital Systems and Their Acceptance Criteria for Nuclear Power Plant Assessments," February 2006.
