ABSTRACT
With the increasing use of digital instrumentation and control (I&C) technologies, the reliability and safety analysis of digital I&C systems in nuclear power plants has become one of the most challenging issues. One significant reason is that digital systems have unique failure modes arising from the combination of hardware components and software. Common cause failures (CCF) can propagate to multiple safety channels and divisions, thereby defeating the defense-in-depth and diversity that were considered adequate for an analog I&C system. Furthermore, commonly used hardware redundancy techniques may not improve software reliability. Probabilistic Safety Assessment (PSA) techniques are frequently used in the nuclear industry to assess the relative effects of contributing events on system reliability and plant risk. For the reliability and safety analysis of I&C systems, the introduction of the risk concept and the application of PSA methodology deserve further investigation. The China Nuclear Safety Administration also attaches importance to the application of risk-informed decision-making technology and PSA methods to digital I&C system safety evaluation and risk regulation, especially for the new third-generation reactors under construction in China. As a key research and design institute in China, Shanghai Nuclear Engineering Research and Design Institute (SNERDI) has carried out PSA studies for many NPPs, and is now focusing on research into risk assessment methods applying PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and on research into risk-informed digital I&C system design methods for NPPs, such as system structure design and hardware or software reliability analysis. This paper presents our research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design.
Firstly, our insights into digital I&C system risk assessment are provided, including the concept and characteristics of risk-informed technology and the relationship between risk-informed technology and PSA. Secondly, a survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is presented. Thirdly, some key points and challenging issues of risk-informed digital I&C system design, especially for implementation in Chinese NPPs, are discussed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in Chinese NPPs.
Key Words: probabilistic safety assessment (PSA), digital instrumentation and control (I&C) systems, risk-informed, common cause failure (CCF), failure mode
INTRODUCTION
The instrumentation and control (I&C) system is one of the most important systems of a nuclear power plant (NPP). The I&C system collects and monitors instrument data and controls plant operations in compliance with the engineered safety and protection functions. Although NPP technology has been well developed since the 1960s, it is continually being improved to be safer and more economical, because a reactor holds a very large amount of radioactive nuclear fuel and is an engineering system of great complexity. Following changes in the global energy situation, nuclear power has become a necessary and dependable option, and China has decided to make nuclear power part of its energy solution. Safety is therefore the first priority and plays an important role in China's energy structure, environmental and health protection, clean energy technology and the improvement of power generation technology. Compared with other industries, the safety requirements of an NPP are quite different. As digital technologies have recently been introduced to nuclear power plants, plant safety and reliability are improved, but many issues related to risk analysis of digitalized safety-critical systems in NPPs arise, such as software reliability. As a state-of-the-art technology, a digital I&C system should have at least the same safety and reliability capability as the analog system it replaces. The core issue of how to find a proper quantitative method to estimate and evaluate safety and reliability has become a worldwide concern now that failure modes involving both hardware and software have been identified. This issue is even tougher when multiple plant systems are all implemented as software-based digital systems, which requires combining statistical evaluation of computer fault data with the estimation and verification of common cause failures. Various safety analysis methods have been created for NPPs in the past.
The accepted solution is Probabilistic Safety Assessment (PSA), which uses probabilistic and statistical methods to quantitatively analyze and estimate the likelihood of an NPP's design basis accidents (DBA) and their consequences. It is also a method approved by the U.S. Nuclear Regulatory Commission (NRC) that has already been used for NPP licensing. Therefore, the NRC and industry both hope that a reasonable PSA solution can be used in current and future NPP digital I&C system reviews and licensing to support decision making. The difficulties are that the NRC has not yet issued a viable regulatory guide, and that the recommended approach based on the current digital I&C system PSA method is not yet widely accepted by the NPP industry. The risk-informed method defines a process that gives a mathematical analysis and numerical results for the change in risk resulting from NPP design changes. All countries with nuclear power plants have been reviewing their plants' safety under post-accident scenarios since Japan's Fukushima accident, the biggest nuclear accident in nuclear history. As a key research and design institute in China, Shanghai Nuclear Engineering Research and Design Institute (SNERDI) has carried out PSA studies for many NPPs, and is now focusing on research into risk assessment methods applying PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and on research into risk-informed digital I&C system design methods for NPPs, such as system structure design and hardware or software reliability analysis. This paper presents the research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design. Insights into digital I&C system risk assessment are provided.
A survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is presented. Furthermore, some key points and challenging issues of risk-informed digital I&C system design are addressed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in Chinese NPPs.
Currently operating plants and new reactors mostly use deterministic methodologies for the safety evaluation of digital I&C systems, which manage system failure by controlling the process of digital I&C development, testing, deployment and maintenance. In contrast, DI&C-ISG-03 [3] is guidance based on productivity and development, providing a design approach that enhances the diversity and quality assurance of hardware and software in order to prevent system failures and common cause failures. The ISG-03 guidance falls within the NRC's defense-in-depth and diversity regulatory guides: it identifies the weak points that could cause a safety failure and then applies multiple solutions at those points. However, fully complying with ISG-03 requires extra cost and manpower to determine the sufficiency of diversity and defense-in-depth. In the 1960s, following advances in the understanding of dependability, risk assessment and probability, nuclear power plants started to use a comprehensive and objective technique for safety assessment, the probabilistic safety assessment (PSA). PSA, also called probabilistic risk assessment (PRA), is a method that quantitatively and qualitatively analyzes the NPP risk related to plant operation and maintenance activities. The PSA analysis estimates numerical probability values based on the initiating event frequencies under pre-defined scenarios. According to the IAEA, the PSA method provides an integrated, standardized way to predict the consequences of an NPP failure in a design basis accident scenario, and furthermore yields a calculated result for the risk to plant operating staff and the public when an accident occurs at an NPP.
In more detail, the data analyzed by PSA include many kinds of NPP information, such as initiating event frequencies, NPP design characteristics, experience and historical records of plant operation, equipment reliability data, generic human errors, the effects of radioactive material released from the plant to the public environment, and further factors that were not fully considered by other methods.
In 1995, the U.S. Nuclear Regulatory Commission (NRC) issued the Probabilistic Risk Assessment (PRA) Policy Statement, which encourages the increased use of PRA and associated analyses in all regulatory matters to the extent supported by the state of the art in PRA and the data. This policy applies, in part, to the review of digital systems, which offer the potential to improve nuclear power plant safety and reliability through such features as increased hardware reliability and stability and improved failure detection capability. However, there are presently no universally accepted methods for modeling digital systems in current-generation nuclear power plant PRAs. Further, there are ongoing debates among the PRA technical community regarding the level of detail that any digital system reliability model should have to adequately model the complex system interactions that can contribute to digital system failure modes. Moreover, for PRA modeling of digital reactor protection and control systems, direct interactions between system components and indirect interactions through controlled/supervised plant processes may necessitate the use of dynamic PRA methodologies. In response to the Commission's PRA policy statement, the NRC has developed the related regulatory guides (RG 1.174, 1.175, 1.176 and 1.177) and Standard Review Plan (SRP) chapter 19. These cover four areas of risk-informed decision-making for PSA applications: general guidance, in-service testing, graded quality assurance, and technical specifications. The purpose of this set of guidance is to describe a way to reduce unnecessarily conservative requirements that contribute nothing to safety. All these developments put the PSA solution on the track of nuclear plant I&C system reliability analysis, as the safety concerns of digital systems become more and more significant to overall plant safety.
Task Working Group 3 (TWG 3) of the U.S. NRC digital I&C steering committee was formed in 2007. Its primary responsibility is to process and resolve the issues related to the risk-informed assessment of digital I&C systems, in line with the NRC's PRA policy statement that such assessments be supported by the state of the art for digital systems. It is also a complement to deterministic methodologies and the traditional defense-in-depth approach. Task Working Group 3 is addressing the following key problems:
PROBLEM 1: Modeling Digital Systems in PRA: Existing guidance does not provide sufficient clarity on how to use current methods to properly model digital systems in PRAs for design certificate applications or license applications (COL) under Part 52. The issue includes addressing common-cause failure modeling and uncertainty analysis associated with digital systems.
PROBLEM 2: Risk Insights: Using current methods for PRAs, NRC has not determined how or if risk insights can be used to assist in the resolution of specific key digital system issues.
PROBLEM 3: State-of-the-Art: An acceptable state-of-the-art method for detailed modeling of digital systems has not been established. An advancement in the state of the art is needed to permit a comprehensive risk-informed decision making framework in licensing reviews of digital systems. [9]
After listing the above three problems, Task Working Group 3 has directed its work toward finding an acceptable solution. The published NRC Interim Staff Guidance ISG-03 only describes a potential safety-related PRA method for digital I&C systems. The main purpose of the interim staff guidance is to provide a specific guide for NRC review staff in evaluating digital I&C PRA technology. ISG-03 is consistent with the newest NRC regulations, 10 CFR Part 52 for risk-informed licensing of new reactors, and with the policy on PRA safety goals. It does not specify graded areas or the technical acceptability of digital I&C systems. Therefore, it cannot be used to support risk-informed decision-making.
NRC review staff consider that the time and basis for applying the risk-informed methodology are not yet mature. The traditional solution of using diversity, defense-in-depth and redundancy is still working well and only needs enhanced requirements to keep the deterministic method capable of addressing the uncertainty of digital I&C systems. Replacing this with the new risk-informed decision-making technology in new reactor reviews has not yet happened. Thus, the long term goal of Group 3 is to produce a viable regulatory guide on risk insights and risk-informed review.
Engineering reliability analysis can give a plant engineer an understanding of system condition when equipment and hardware are in failure states. China has a national standard, GB 9225, the general principles for reliability analysis of nuclear power plant safety related systems. It defines qualitative system reliability analysis as the estimation of the possible paths by which the system could fail and of how to prevent them, in order to reduce their frequency and effects. The most common reliability techniques are Failure Mode and Effect Analysis (FMEA), Fault Tree Analysis, and the Markov analysis method. Because FMEA and Fault Tree Analysis are simple and do not require advanced mathematical knowledge, this combination has been used in most analyses for NPP licensing.
[Table fragment, FMEA characteristics] It is the most used method of reliability analysis. It can provide documentation consistent with the failure characteristics of the design.
In China, PSA studies of digital I&C systems in NPPs started only a short time ago, so the technology is still under research and development, and many potential problems have not yet been solved. Based on the current technology basis and engineering project requirements, this paper summarizes the following key issues and research points.
as a strong reference for risk-informed decision-making. Which method is better, or can be comprehensively accepted? What is the best balance between accuracy and complexity? These remain the challenging questions.
Figure 1 Flow diagram of using both DFM and Markov/CCMT
The conventional ET/FT method has been universally used to develop full-scope PSA models for nuclear power plants. In fact, the ET/FT method may yield satisfactory results for most systems that do not include dynamic interactions between the systems and plant physical processes, or between the components of the systems themselves [11]. For systems that do include dynamic interactions (e.g. digital I&C systems), it may be acceptable to model the systems with dynamic methodologies and integrate the results into the conventional ET/FT model. However, the issues listed below need further research and improvement.
1) Compared with conventional methodologies, it is more difficult and time consuming for analysts to implement dynamic methodologies. Therefore, it is necessary to formulate guidance for identifying the scope and level of application of dynamic methodologies.
2) No single dynamic method can solve all the problems in the digital I&C system modeling process. Consequently, for those specific cases that are suitable for dynamic methodologies, widely accepted criteria are needed to help determine which dynamic method is more applicable.
3) Technical standards are then required in order to standardize the implementation details.
A combined software and hardware system does not suffer more software failures as the hardware ages. If failures are triggered by common causes built into the system's software itself, redundant processing sub-systems will not prevent the failures from occurring. Thus, the general methods of designing a hardware system with redundant capability are not useful for improving software reliability. The NRC document ISG-03 notes that common cause failures of a digital I&C system may affect systems, communications, equipment and parts, and trains simultaneously. The effective solutions for software reliability improvement in this guidance are to increase the design quality of the software and of the digital system development process in order to prevent, avoid and contain the effects of failures. Because these processes and methods have not yet been proven, establishing acceptable guidance for digital I&C systems needs to consider the overall system features.
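The point that redundancy lowers the independent failure contribution but leaves a software common cause term untouched can be quantified with a small fault-tree calculation. The following is an added illustration, not the paper's code or data: it uses the beta-factor CCF model and constructed per-channel failure figures (hardware 1e-3 with 5 % common cause, software 1e-4 with beta = 1.0), all assumptions, for a 1-out-of-n and a 2-out-of-4 voting function.

```python
"""Added example (not from the paper): fault-tree quantification of a
k-out-of-n protection function with independent and common cause failures.
The beta-factor CCF model and every numeric value below are assumptions
chosen for illustration, not data from the paper or from any plant."""
from math import comb


def independent_k_of_n_failure(q: float, n: int, k_needed: int) -> float:
    """Probability that a k-out-of-n voting function fails because fewer than
    k_needed of n identical, independent channels remain available.
    q is the per-channel failure probability; the function fails when more
    than n - k_needed channels have failed."""
    return sum(comb(n, j) * q ** j * (1 - q) ** (n - j)
               for j in range(n - k_needed + 1, n + 1))


def beta_factor_split(q_total: float, beta: float) -> tuple:
    """Beta-factor CCF model (assumed): a fraction beta of a channel's failure
    probability is a common cause that fails all redundant channels at once.
    Returns (independent part, common cause part)."""
    return q_total * (1 - beta), q_total * beta


def protection_unavailability(q_hw: float, beta_hw: float,
                              q_sw: float, beta_sw: float,
                              n: int, k_needed: int) -> dict:
    """Top event 'protection function fails' as an OR gate over three
    basic-event groups: independent channel failures defeating the vote,
    hardware CCF, and software CCF (identical software in every channel)."""
    q_hw_ind, q_hw_ccf = beta_factor_split(q_hw, beta_hw)
    q_sw_ind, q_sw_ccf = beta_factor_split(q_sw, beta_sw)
    # A single channel fails independently if its hardware OR its software does.
    q_channel = 1 - (1 - q_hw_ind) * (1 - q_sw_ind)
    p_ind = independent_k_of_n_failure(q_channel, n, k_needed)
    # OR gate of mutually independent contributors: 1 - product of survivals.
    top = 1 - (1 - p_ind) * (1 - q_hw_ccf) * (1 - q_sw_ccf)
    return {"independent": p_ind, "hw_ccf": q_hw_ccf,
            "sw_ccf": q_sw_ccf, "top": top}


def redundancy_sweep(n_values=(1, 2, 3, 4)) -> dict:
    """Sweep the number of redundant channels for a 1-out-of-n function
    (all channels must fail to lose the function) using constructed figures:
    hardware q=1e-3 with 5 % common cause, software q=1e-4 with beta=1.0,
    i.e. identical software in all channels fails only as a common cause."""
    return {n: protection_unavailability(1e-3, 0.05, 1e-4, 1.0, n, 1)
            for n in n_values}


if __name__ == "__main__":
    for n, r in redundancy_sweep().items():
        share = r["sw_ccf"] / r["top"]
        print(f"n={n}: top={r['top']:.3e} independent={r['independent']:.3e} "
              f"software CCF share={share:.0%}")
```

With identical software in every channel, the top-event unavailability of the 1-out-of-n function settles at the CCF floor (hardware CCF plus software CCF) from n = 2 onward; adding channels only shrinks the independent hardware term.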
[Figure residue: diagram of integrated decision-making for digital I&C system design. Recoverable labels: Regulation, Standards, Guidelines; Operational experience feedback; Deterministic: Design basis, Safety criteria, Defense-in-depth and diversity (D3), Regulatory issues, Safety margin; Probabilistic: Probability goal, Digital I&C system design, Risk assessment, PSA qualitative assessment & scope; Organization: Usability, Management, Training & procedure; Others: Security, Radiation level, Economic, Research application; Integrated decision-making; Performance monitoring; Modification; Design complementation.]
Although risk-informed decision-making has not yet been applied to operating NPPs or newly built reactors, and the argument about the significance of dynamic PSA for digital I&C systems is still ongoing, studying the risk-informed method based on ISG-03 is our future work; most importantly, it aims to find out the grading and technical acceptability of digital I&C systems in NPPs.
CONCLUSIONS
Because the software and hardware failure modes of the digital instrumentation and control systems of nuclear power plants are very complicated, how to model and evaluate these failures with PSA methods has become the most challenging issue for the nuclear industry in recent years. Especially since the U.S. NRC published the Interim Staff Guidance introducing the new risk-informed decision-making method, it has become a highly focused research topic. After summarizing digital I&C system failure modes, failure causes, risk estimation and PSA modeling, and reliability evaluation, a few important risk-informed digital I&C system design issues have been addressed. This will give digital I&C research a direction and focus areas, and will then improve digital system design in China.
ACKNOWLEDGMENTS
REFERENCES
1. NRC Policy Statement. Use of Probabilistic Risk Assessment Method in Nuclear Regulatory Activities. 60 Federal Register (FR) 42622, August 16, 1995.
2. DI&C-ISG-01, Interim Staff Guidance on Digital Instrumentation and Control, Cyber Security [S], December 31, 2007.
3. DI&C-ISG-02, Interim Staff Guidance on Diversity and Defense-in-Depth Issues [S], September 26, 2007.
4. DI&C-ISG-03, Interim Staff Guidance on Review of New Reactor Digital Instrumentation and Control Probabilistic Risk Assessments [S], August 11, 2008.
5. DI&C-ISG-04, Interim Staff Guidance on Highly-Integrated Control Rooms, Communications Issues (HICRc) [S], September 28, 2007.
6. DI&C-ISG-05, Interim Staff Guidance on Highly-Integrated Control Rooms, Human Factors Issues (HICR-HF) [S], September 28, 2007.
7. Yongzhong Ren, Cuifang Wang, Key Points of Digital Technology in Nuclear Power Plant Safety System, Instrument Standardization & Metrology, May 2009.
8. John C. Knight and Nancy G. Leveson, An experimental evaluation of the assumption of independence in multi-version programming, IEEE Transactions on Software Engineering, SE-12(1):96-109, January 1996.
9. ML071900253, Project Plan Digital Instrumentation and Control, Approved by the Digital