English Pages 584 Year 2020
Lecture Notes in Electrical Engineering 595
Yang Xu · Yongbin Sun · Yanyang Liu · Yanjun Wang · Pengfei Gu · Zheming Liu Editors
Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems The Fourth International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP)
Lecture Notes in Electrical Engineering Volume 595
Series Editors

Leopoldo Angrisani, Department of Electrical and Information Technologies Engineering, University of Napoli Federico II, Naples, Italy
Marco Arteaga, Departament de Control y Robótica, Universidad Nacional Autónoma de México, Coyoacán, Mexico
Bijaya Ketan Panigrahi, Electrical Engineering, Indian Institute of Technology Delhi, New Delhi, Delhi, India
Samarjit Chakraborty, Fakultät für Elektrotechnik und Informationstechnik, TU München, Munich, Germany
Jiming Chen, Zhejiang University, Hangzhou, Zhejiang, China
Shanben Chen, Materials Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Tan Kay Chen, Department of Electrical and Computer Engineering, National University of Singapore, Singapore, Singapore
Rüdiger Dillmann, Humanoids and Intelligent Systems Lab, Karlsruhe Institute for Technology, Karlsruhe, Baden-Württemberg, Germany
Haibin Duan, Beijing University of Aeronautics and Astronautics, Beijing, China
Gianluigi Ferrari, Università di Parma, Parma, Italy
Manuel Ferre, Centre for Automation and Robotics CAR (UPM-CSIC), Universidad Politécnica de Madrid, Madrid, Spain
Sandra Hirche, Department of Electrical Engineering and Information Science, Technische Universität München, Munich, Germany
Faryar Jabbari, Department of Mechanical and Aerospace Engineering, University of California, Irvine, CA, USA
Limin Jia, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences, Warsaw, Poland
Alaa Khamis, German University in Egypt El Tagamoa El Khames, New Cairo City, Egypt
Torsten Kroeger, Stanford University, Stanford, CA, USA
Qilian Liang, Department of Electrical Engineering, University of Texas at Arlington, Arlington, TX, USA
Ferran Martin, Departament d’Enginyeria Electrònica, Universitat Autònoma de Barcelona, Bellaterra, Barcelona, Spain
Tan Cher Ming, College of Engineering, Nanyang Technological University, Singapore, Singapore
Wolfgang Minker, Institute of Information Technology, University of Ulm, Ulm, Germany
Pradeep Misra, Department of Electrical Engineering, Wright State University, Dayton, OH, USA
Sebastian Möller, Quality and Usability Lab, TU Berlin, Berlin, Germany
Subhas Mukhopadhyay, School of Engineering & Advanced Technology, Massey University, Palmerston North, Manawatu-Wanganui, New Zealand
Cun-Zheng Ning, Electrical Engineering, Arizona State University, Tempe, AZ, USA
Toyoaki Nishida, Graduate School of Informatics, Kyoto University, Kyoto, Japan
Federica Pascucci, Dipartimento di Ingegneria, Università degli Studi “Roma Tre”, Rome, Italy
Yong Qin, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Gan Woon Seng, School of Electrical & Electronic Engineering, Nanyang Technological University, Singapore, Singapore
Joachim Speidel, Institute of Telecommunications, Universität Stuttgart, Stuttgart, Baden-Württemberg, Germany
Germano Veiga, Campus da FEUP, INESC Porto, Porto, Portugal
Haitao Wu, Academy of Opto-electronics, Chinese Academy of Sciences, Beijing, China
Junjie James Zhang, Charlotte, NC, USA
The book series Lecture Notes in Electrical Engineering (LNEE) publishes the latest developments in Electrical Engineering—quickly, informally and in high quality. While original research reported in proceedings and monographs has traditionally formed the core of LNEE, we also encourage authors to submit books devoted to supporting student education and professional training in the various fields and application areas of electrical engineering. The series covers classical and emerging topics concerning:

• Communication Engineering, Information Theory and Networks
• Electronics Engineering and Microelectronics
• Signal, Image and Speech Processing
• Wireless and Mobile Communication
• Circuits and Systems
• Energy Systems, Power Electronics and Electrical Machines
• Electro-optical Engineering
• Instrumentation Engineering
• Avionics Engineering
• Control Systems
• Internet-of-Things and Cybersecurity
• Biomedical Devices, MEMS and NEMS
For general information about this book series, comments or suggestions, please contact leontina. [email protected]. To submit a proposal or request further information, please contact the Publishing Editor in your country:

China: Jasmine Dou, Associate Editor ([email protected])
India, Japan, Rest of Asia: Swati Meherishi, Executive Editor ([email protected])
Southeast Asia, Australia, New Zealand: Ramesh Nath Premnath, Editor ([email protected])
USA, Canada: Michael Luby, Senior Editor ([email protected])
All other Countries: Leontina Di Cecco, Senior Editor ([email protected])

** Indexing: The books of this series are submitted to ISI Proceedings, EI-Compendex, SCOPUS, MetaPress, Web of Science and Springerlink **
More information about this series at http://www.springer.com/series/7818
Yang Xu · Yongbin Sun · Yanyang Liu · Yanjun Wang · Pengfei Gu · Zheming Liu
Editors
Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems The Fourth International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP)
Editors

Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Yongbin Sun, China Techenergy Co., Ltd., Beijing, China
Yanyang Liu, Nuclear Power Institute of China, Chengdu, Sichuan, China
Yanjun Wang, China Nuclear Power Engineering Co., Ltd., Beijing, China
Pengfei Gu, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Zheming Liu, Product Information Committee of China Instrument and Control Society, Beijing, China
ISSN 1876-1100 ISSN 1876-1119 (electronic)
Lecture Notes in Electrical Engineering
ISBN 978-981-15-1875-1 ISBN 978-981-15-1876-8 (eBook)
https://doi.org/10.1007/978-981-15-1876-8

© Springer Nature Singapore Pte Ltd. 2020

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore
Preface
In recent years, along with the development of domestic research and international communication, more digital instrumentation and control (I&C) technologies have been used in China’s nuclear power plants, such as the microprocessor-based safety I&C system named FirmSys developed by China General Nuclear Power Corporation and the safety DCS named NASPIC developed by China National Nuclear Corporation. In order to solve problems in actual production and applications, and to provide a platform for technical discussion, the 4th International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP), which focused on software and hardware verification and validation and licensing, intelligent maintenance management and digital upgrades, advanced main control rooms and HFE, cybersecurity and other advanced technical issues of concern to the nuclear power industry, was convened by the relevant organizations and governmental divisions. Since 2016, this symposium has become an effective annual technical forum for nuclear power utilities, regulators, engineering companies, contractors, research institutions, and equipment manufacturers. The 4th ISNPP was successfully held in Guiyang, China, from August 21 to 23, 2019. It was attended by more than 100 experts, researchers, and senior engineers from 34 organizations, including the National Nuclear Safety Authority, Tsinghua University, the Ministry of Ecological Environment, China Techenergy Co., LTD, the State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., etc., as well as institutions and companies from the aerospace industry. The symposium served as a platform for exchanging ideas on every aspect of nuclear power plants’ instrumentation and control systems, and also promoted military-civilian integration in China.
More than 100 conference papers were submitted for the symposium, covering topics including digital instrumentation and control technology, electromagnetic compatibility, main control room and human–machine interface design, software verification and validation, etc. After anonymous peer review and selection by the experts, 56 outstanding papers were finally accepted to the proceedings published in Lecture Notes in Electrical Engineering by Springer. During the conference, these authors shared with the audience their latest and most important research progress. In fact, many topics discussed at the symposium provided important reference and strong support for related work at nuclear power plants. We believe these papers could also benefit the entire nuclear instrumentation and control system industry.

On the occasion of the publication of these papers, we would like to thank the organizers of the symposium for providing a good platform for the majority of nuclear power practitioners. We are also very grateful to the experts who provided support and guidance during the reviewing process. Finally, we would like to thank all the authors, without whose efforts and studies this volume would never have been published successfully.

Yongbin Sun
Organization
Hosts
Instrumentation Editorial Center Product Information Committee of China Instrument & Control Society (CIS-PIC)
Nuclear Instrument and Control Technical Division of China Instrument & Control Society (CIS-NICT)
Professional Committee of Nuclear Facility Cyber Security, Nuclear Safety Branch, Chinese Nuclear Society (CNS)
Beijing BOGONGXINGYE Engineering Consulting Co., Ltd.

Organizers
China Nuclear Power Engineering Co., Ltd. (State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment) (CNPEC)
Gui Zhou Aerospace Electrical Appliances Co., Ltd.

Co-organizers
China Techenergy Co., Ltd. (CTEC)
Beijing ZHIZAOSHIDAI Exhibition Co., Ltd.
China Nuclear Control Systems Engineering Co., Ltd. (CNCS)
Hualong Pressurized Water Reactor Technology Corporation, Ltd. (HPR)

Editors
Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Yongbin Sun, China Techenergy Co., Ltd., Beijing, China
Yanyang Liu, Nuclear Power Institute of China, Chengdu, Sichuan, China
Yanjun Wang, China Nuclear Power Engineering Co., Ltd., Beijing, China
Pengfei Gu, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Zheming Liu, Product Information Committee of China Instrument and Control Society, Beijing, China

Secretary of Organizing Committee
Xiaolian Wang, Product Information Committee of China Instrument & Control Society

Director of Executive Committee
Yuzhou Yu, Product Information Committee of China Instrument & Control Society
Contents

Analysis and Countermeasures of Inconsistency for Acoustic Design and Lighting Design Regulations and Standards in Main Control Room of Nuclear Power Plant . . . 1
Zhang Gang, Zhao Jinbo, Qi Kai, Cheng Bo, Mei Shibo, and Wang Yan

Application of Mixed Reality Based on Hololens in Nuclear Power Engineering . . . 9
Yi Zhang, Dan Li, Hao Wang, and Zheng-Hui Yang

Visualization of Geologic Engineering Data Based on Nuclear Power Plant . . . 21
Hui Chang

Research on Defense-in-Depth Zone of Low-Altitude Security Area in Nuclear Power Plant . . . 30
Lin Ye, Jie Zhang, and Guang Meng

Research on Axial Power Deviation Safety Early Warning Technology Based on Online Simulation . . . 38
Hong-Yun Xie, Ke Tan, Wei-Jun Huang, Chao Zhang, and Zhen-Yu Shen

Integrated Digital Control Platform for Flywheel Systems with Active Magnetic Bearings . . . 46
Kai Zhang, Yang Xu, and Xing-Jian Dai

Off-Line Performance Calculating Software of the Secondary Loop Thermal System in AP1000 Nuclear Power Plant . . . 58
Zhi-Gang Wu and Wen Chen

Monitoring and Analyzing of Wall Temperature Fluctuations for Thermal Fatigue in Elbow Pipe . . . 69
Jun Ling, Hao Fu, Hong-Tao Liu, and Jing-Qi Yuan

Discussions on Information Security Test Strategy for Digital Industrial Control System in Nuclear Power Plant . . . 83
Wang Xi, Peng-Fei Gu, and Wei Liu

Study and Implementation on General Operating Procedure of CPR1000 Main Control Room in China . . . 90
Ji Shi, Qing-Wu Huang, Chuang-Bin Zhou, Liang-Jun Xu, and Hui Jiang

Inductive Displacement Sensors Based on the Integrated Demodulation Chip . . . 101
Ya-Ting Liu, Kai Zhang, and Yang Xu

The Development of TMSR-SF0 Simulation Protection System . . . 112
Guo-Qing Huang, Jie Hou, Ye Liu, Wei Lai, and Bing-Ying Li

Assessment of Operating Safety State of Nuclear Power Plant Based on Improved CAE Method . . . 120
Chao Lu, Jia-Lin Ping, Wei-Jun Huang, Ke Tan, and Hong-Yun Xie

Analysis and Solution of Design Difficulties of HMI with Scale Increase in Limited Space . . . 129
Bo Cheng, Ting Mao, Shi-Bo Mei, Xue-Gang Zhang, Yi-Qian Wu, and Zhen-Hua Luan

Application Analysis of Wireless Sensor Networks in Nuclear Power Plant . . . 135
Zhiguang Deng, Qian Wu, Xin Lv, Biwei Zhu, Sijie Xu, and Xuemei Wang

Development and Application of Intelligent Platform for Collaborative Electrical Design of Nuclear Power . . . 149
Chao Guo, Yu Zhang, Xin-Wei Xu, Jia-Kun Hu, and Xiao-Fen He

Research on Stewardship-Intensive Digital Procedure System . . . 162
Hao Qin

Study and Optimization of Load Fluctuation of the Turbine Generator After Connected to the Grid in Nuclear Power Plant . . . 169
Xiao-Lei Zhan, Yan Liu, and Gang Yin

Study for Design and Application of Procedure-Based Automation in Nuclear Power Plant . . . 176
Xue-Gang Zhang, Fang-Fang Gao, Yan-Tong Luo, and Zhi-Yao Liu

Research on KDA System Reliability Model Based on Total Probability Formula . . . 185
Ying-Jie Lin, Ze-Yu Xie, and Jie Lin

The Research and Application of Test Method for 1E I&C System Platform’s Change . . . 194
Hu-Jun Jia, Yao Wu, Xiao-Sheng Dong, Min Qi, Xiu-Hong Lv, and Hong-Yan Chen

Research and Application of a User Interface Automatic Testing Method Based on Data Driven . . . 202
Tai-Xin Huang, Jian-Wei Ji, Yun-Xu Shou, and Yan Kong

Research on a Certainty Data Link Layer Protocol for the Communication Network in Nuclear Safety DCS . . . 212
Le Li, Chun-Lei Zhang, Kang Cheng, Xing-Xing Sun, and Wen-Yu Yang

A Design of FPGA-Based Self-healing System for Communication Networks in Nuclear Safety DCS . . . 226
Chun-Lei Zhang, Le Li, Kang Cheng, Wen-Yu Yang, and Xing-Xing Sun

A Formal Method for Verifying the Ability of a Protocol to Resist Replay Attacks . . . 238
Ru-Mei Shi, Yun-Bo Zhang, Ya-Dong Zhang, Qiao-Rui Du, Xiao-Bo Zhou, and Xian-Zhu Xu

Design and Analysis of Safety DCS Cabinet for Small Marine Reactor Based on the FirmSys . . . 248
Zhao-Feng Liu, Zhi-Rui Jiang, Xin Zuo, Wei Chen, and Zhao-Long Li

The Design of Safety Control Display Device of Small Modular Offshore Floating Reactor Protection System Based on FirmSys . . . 258
Chun-Lei Zhang, Yu-Nan Fan, Xin Zuo, Ji-Kun Wang, and Yi-Qin Xie

Research on Maintenance Network Design Based on Nuclear Power Station Safety DCS System . . . 268
Chun-Lei Zhang, Da-Peng Liu, Li Peng, Bao-Hua Ren, and Song Liu

Research and Application of RPN Detector Positioning Technologies in Nuclear Power Plants . . . 281
Tian-You Li, Rui Zhang, Ya-Jie Tian, Hua-Qing Peng, Jun Tian, Li Zeng, and Jing Shang

A Safety Level DCS Symbol Execution Test Optimization Method . . . 294
Yan-Jun Dai, Zhi-Qiang Wu, Jie Liu, Zhi Chen, An-Hong Xiao, and Hui Zeng

Application Research of Fault Diagnosis in Conventional Island of Nuclear Power Plant Based on Support Vector Machine . . . 304
Heng Li, Nian-Wu Lan, and Xin-nian Huang

Software Verification and Validation of Digital Nuclear Instrumentation System . . . 313
Mi Zhang, Ju-Zhi Wang, Wei-Jie Huang, and Bing-Chen Huang

Research on the Human Factors Integration in Some Third Generation NPP . . . 322
Zhong-Ping Yin, Yan-Zi Liu, Xue-Gang Zhang, Jian-Bo Zhang, and Xiao-Mei Xu

Development and Application of Closed-Loop Control Performance Evaluation System for Nuclear Power Plant . . . 335
Zhen-Hua Luan, Zong-Wei Yang, Peng Liu, and Jun Liang

Research on Typical Fault Diagnosis of Nuclear Power Plant Based on Weighted Logical Inference Arithmetic . . . 345
Yi-Peng Fan, Hong-Yun Xie, and Chao Lu

Information Security Risk Analysis and Countermeasures of Digital Instrumentation Control System in NPP . . . 356
Jian-Zhong Tang, Zi-Yin Liu, Hui-Hui Liang, Peng-Fei Gu, and Wei-Jun Huang

The Research and Development of Digital General Operating Procedure . . . 367
Chuang-Bin Zhou, Qing-Wu Huang, Ji Shi, Wei-Hong Cui, Xian-Min Li, Wen-Bin Liu, Yi-Xiong Luo, and Shao-Shuai Qiu

Research on Hybrid Communication System for Nuclear Power Plants Safety-DCS . . . 379
Zhi-Qiang Chen, Qi Chen, Min-Jie Lei, and Yan-Qun Wu

Analysis of Analog Circuit Error in Reactor Control System . . . 387
Qi-Chang Huang, Shun Wang, Xu-Feng Tian, and Zhi-Qiang Wu

Reliability Analysis of Safety Class Analog Output Module Based on FFTA in Nuclear Power Plant . . . 398
Xu-Feng Tian, Cheng Yang, Qi-Chang Huang, and Xu Zhang

Research on Instrument Channel Uncertainty of Nuclear Power Plant . . . 406
Shun Wang, Qi-Chang Huang, Zhi-Qiang Wu, and Ming-Xing Liu

Research and Analysis on 1E Distributed Control System Priority Logic Module . . . 415
Zong-Hao Yang, Quan Ma, Ming-Ming Liu, Zi-Peng Zhang, and Kai Wang

Design and Optimization of Communication in Nuclear Safety Class Emulation System . . . 430
Xu Zhang, Quan Ma, Qi Chen, Kai Wang, Hao Peng, and Guo-Hai Liu

Reliability Allocation Based on Importance Measures . . . 441
Ming Xu, Duo Li, Shu-Qiao Zhou, and Xiao-Jin Huang

Discussion on Traceability Analysis Method of Safety Software in Nuclear Power Plants . . . 455
Peng-Fei Gu, Ya-Nan He, Jian-Zhong Tang, and Wang-Ping Ye

The Application of LSTM Model to the Prediction of Abnormal Condition in Nuclear Power Plants . . . 463
Jing-Ke She, Shi-Yu Xue, Pei-Wei Sun, and Hua-Song Cao

Development and Application of Undisturbed Online Downloads in the FirmSys . . . 477
Gui-Lian Shi, Bao-Hua Ren, Zhi-Hui Zhang, Xing-Xing Sun, and Le Li

The Study on Automatic Control of Pressure and Temperature for the Pressure Water Reactor Nuclear Power Plant . . . 492
Jia-Lin Ping, Hong-Yun Xie, Chao Lu, Lin Tian, and Chun-Bing Wang

A Hierarchical Task Analysis Approach for Static Human Factors Engineering Verification and Validation of Human-System Interface . . . 502
Xin-Yu Dai, Ming Jia, Ting Mao, Ming Yang, Jun Yang, Yu-Xin Zhang, and Hong-Xing Lu

Research on Static Testing Technology of Nuclear Safety-Critical Software Based on FPGA Technology . . . 516
Wei Xiong, Tao Bai, Peng-Fei Gu, Hui-Hui Liang, and Jian-Zhong Tang

Features Extraction Based on Deep Analysis of Network Packets in Industrial Control Systems . . . 524
Wen Si, Jiang-Hai Li, and Xiao-Jin Huang

An Optimum Solutions for Venturi Used for Main Feedwater Flowrate Measurement in Nuclear Power Plant . . . 530
Zong-Jian Shangguan, Hua-Tong Wei, and Lin Guo

Research and Application of Software Reliability Analysis Method for Safety I&C System in NPPs . . . 541
Sheng-Chao Wang, Jian-Zhong Tang, and Tao Bai

Development of Closed-Circuit Television Inspection System for Steam Generators in Nuclear Power Plants . . . 550
Chao-Rong Wu and Bo-Wen Lu

Research on the Security Technology of the Internet of Things in Nuclear Power Plant . . . 556
Hui-Hui Liang, Xin-Xin Gao, Wang-Ping Ye, and Wei Liu

A Study About Safety Technology of Control System and Information System in Nuclear Power Plant . . . 563
Jing Zhao, Chao Zhang, Zhe-Ming Liu, and Xia Yan

Author Index . . . 569
Analysis and Countermeasures of Inconsistency for Acoustic Design and Lighting Design Regulations and Standards in Main Control Room of Nuclear Power Plant

Zhang Gang1(&), Zhao Jinbo2, Qi Kai3, Cheng Bo1, Mei Shibo1, and Wang Yan1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co. Ltd., Shenzhen of Guangdong Prov. 518172, China
{zhanggang,chengbo,meishibo,wangyan}@cgnpc.com.cn
2 Hejiu Office, CGN Power Co. Ltd., 518000 Shenzhen, China
[email protected]
3 Daya Bay Nuclear Power Operations and Management Co. Ltd., 518045 Shenzhen, China
[email protected]
Abstract. Man-machine interface equipment in the MCR of an NPP provides sufficient monitoring information and control means for operators, and the MCR is the control center of the plant. In order to ensure the safe and effective operation of the NPP under all operating conditions, it is necessary to provide a favorable working environment for the staff of the MCR to carry out the operation tasks of the NPP. After studying and comparing the acoustic design and lighting design standard indices and requirements of the main control room (MCR) of nuclear power plants (NPPs) at home and abroad, analyzing the rationality of the implementation requirements of the regulations and standards, analyzing the theory of noise and lighting, and studying relevant experience feedback from NPPs, recommended index requirements have been put forward. Suggestions to correct the errors in some regulations and standards have also been put forward according to design experience.

Keywords: Nuclear power plant · Main control room · Acoustic design · Lighting design · Regulations and standards · Experience review
1 Introduction

Based on the basic research results of ergonomics, physiology and psychology in a given working environment, the environmental design of the MCR of an NPP mainly analyses the interaction of the operators, equipment and environment of the MCR. The environment, equipment and conditions of the MCR are comprehensively designed based on the working efficiency, physical and mental health, human factors engineering, safety and comfort of the operators, and the functions the MCR must fulfil. Nuclear power regulations are compulsory rules formulated by the government to meet the minimum requirements of safety and environmental protection, and they have legal effect. Nuclear power standards are non-mandatory documents formulated by industry and approved by public organizations, which stipulate rules, guidelines and characteristics of nuclear-power-related work for the purpose of general use or reuse. This paper analyzes the inconsistencies between regulations and standards by comparing the acoustic design and lighting design standards of NPPs at home and abroad, combining this with the actual operation of NPPs and the experience feedback of operators, and puts forward recommended requirements for the environmental indicators of the MCR.

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 1–8, 2020. https://doi.org/10.1007/978-981-15-1876-8_1
2 Standard System of Environmental Design Laws and Regulations for MCR

The main objectives of the environmental design of the MCR are as follows:
(1) to meet the requirements of the currently applicable regulations, standards and norms;
(2) to improve the working environment of operators and reduce the probability of human error;
(3) to improve the economic and safe operation level of NPPs;
(4) to pay attention to the occupational health of operators and maintain their physical and mental well-being.

In order to achieve the environmental design goal of the MCR, it is necessary to focus on the analysis and research of the important factors in the environmental design of the MCR. The environmental design elements of the MCR mainly include acoustic design, lighting design, ventilation design, interior design, color design and equipment layout design. The current standards for nuclear power in China are basically adapted from the standards of the Institute of Electrical and Electronics Engineers (IEEE) and the International Electrotechnical Commission (IEC). Although their contents are basically complete, there is overlap between them. These characteristics are also reflected in the environmental design standards for the NPP MCR. For the environmental design of the NPP MCR, the key reference standards generally used are shown in Table 1.
Table 1. Regulations and standards for the environmental design in MCR

Standard number      Standard title
HAF J0055-1995       Engineering principles for control room design of NPP
GB/T 13630-2015      The design of control room of NPP
GB/T 22188-2000      Ergonomic Design of Control Center
EJ/T 638-92          Design criteria for control room complex of NPP
DL/T 575-1999        Guidelines for ergonomic design of control centres
IEC 60964-2009       Design for control rooms of NPPs
ISO 11064-6-2000     Ergonomic design of control centres-Part 6: Environmental requirements for control centres
Nureg-0700           Human-System Interface Design Review Guidelines
ANSI/IEEE std 567    Design criteria for control room complex of NPP
Among the above regulations and standards, GB/T 13630-2015 is equivalent to IEC 60964-2009; EJ/T 638-92 refers to ANSI/IEEE Std 567; GB/T 22188-2000 and DL/T 575-1999 are equivalent to, or refer to, ISO 11064-2000. Although a standard formulation strategy based on IEC standards has been established in China, Nureg-0700 has been widely used in the audits of nuclear safety review departments, so in actual engineering design Nureg-0700 is also referred to frequently.
3 Requirements of Design Regulations and Standards for MCR and Analysis of Current Situation in Operating Power Plants

This paper mainly analyses the acoustic design and lighting design of the MCR, which are key elements of the environmental design.

3.1 Acoustic Design in MCR

Noise is one of the important factors that endanger human physical and mental health. Excessive noise in the MCR will interfere with the normal communication of operators, damage their physical and mental health, affect their work, life and rest, and may even affect the normal and safe operation of the NPP.

Regulations and Standards Requirements. The domestic regulations HAF J0055-1995 [1] and EJ/T 638-92 [2] directly require that the background noise of the control room should be no more than 45 dB(A), and that the echo should be limited to less than 1 s. GB/T 13630-2015 [3] requires reference to ISO 11064-6 [4], which is the general international industrial standard. ISO 11064-6 requires that the background noise of the MCR should not exceed 45 dB(A), and that the mid-frequency reverberation time should not exceed 0.75 s. In Nureg-0700 [5], the background noise of the MCR should not be higher than 65 dB(A), and the reverberation time should be limited to less than 1 s.
The requirements on noise and reverberation time in the MCR of an NPP are basically the same as those for the control room of general industry, namely no more than 45 dB(A). The Nuclear Regulatory Commission of the United States has relatively low requirements for the background noise indicator in the MCR of NPPs.

Current Situation in Operating Power Plants. According to the investigation, the average noise value in the MCR of the newer commercial N4 NPP in France is about 65 dB(A), the average noise value of Ling’ao Unit 1 is 55 dB(A), the average noise value of Tianwan Unit 1 is 50–60 dB(A), and the average noise value of the CPR1000 NPP is 49 dB(A). The background noise of the MCR in the NPPs investigated above, both domestic and international, does not meet the requirement of domestic laws and regulations that the background noise of the control room should be no more than 45 dB(A), and the gap is large. In the design process for the MCR of CPR1000 projects, the engineers absorbed a lot of experience feedback from domestic nuclear power units in operation, and continuously optimized each project. By adding a number of active and passive noise reduction measures, the background noise was reduced to less than 50 dB(A). According to current design experience, if the background noise design index is reduced further below 45 dB(A), the technical, cost and schedule demands on the project will increase significantly or even become unacceptable. According to NUREG-0711 [6], experience feedback from NPP operation is an important method for solving problems related to human factors engineering in power plants. The experience feedback of MCR operators from an NPP with an average noise value of 49 dB(A) in the MCR shows that this noise level fully meets the operational requirements.

Analysis of Acoustic Environment Requirements for MCR. According to the relevant information on NPPs in operation in China, the main source of noise in the MCR is the air conditioning system. The computers and electronic instruments in the MCR make no obvious contribution to the noise. Because of the radiation protection requirements of the NPP, the atmospheric pressure in the MCR is kept higher than that in the entrance and exit rooms, so the air supply volume is relatively large and the wind pressure and speed are relatively high, resulting in higher noise in the MCR. Compared with general industries such as thermal power and the chemical industry, the noise of the air conditioning system in the MCR of an NPP is greater. Background noise should not impair verbal communication between any two points in the main operating area. Verbal communication should be intelligible using normal or slightly raised voice levels. Figure 1 shows the voice levels needed for spoken communication over specified distances in the presence of different levels of background noise.
Analysis and Countermeasures of Inconsistency for Acoustic Design
Fig. 1. Voice level as a function of distance and ambient noise level
At a background noise level of 50 dB(A), the maximum conversation distance that meets normal communication requirements is about 5.5 m; if the speaker's voice is a little louder, the distance can reach about 9 m. In normal operation of an NPP, the distance between operators in the MCR will not exceed 5 m, so as long as the background noise in the MCR is controlled below 50 dB(A), normal communication between operators will not be affected. After comparing domestic and foreign regulations and standards, referring to the operational experience feedback of NPPs, and taking into account the actual needs of operators in the MCR, a background noise in the MCR of not more than 50 dB(A) is reasonable and can meet the operational needs of the MCR of NPPs.

3.2 Lighting Design in MCR
Z. Gang et al.

The illumination levels of the MCR should meet the different illumination requirements of each area of the MCR. At the same time, shadows in the room should be eliminated and reflections and glare minimized, so as to alleviate operator fatigue and sleepiness and reduce the probability of operator mistakes caused by illumination defects. The MCR lighting system should include a normal lighting system and an emergency lighting system. When normal lighting fails, emergency lighting should be switched on automatically and immediately, and must work continuously for a certain period of time.

Regulations and Standards Requirements. The domestic nuclear safety regulation HAF J0055-1995 [1] directly requires that the average normal illumination of the MCR be 100–500 lx, the accident illumination of the display screen be 50–100 lx, and the emergency lighting system illumination be no less than 200 lx. The nuclear industry standard EJ/T 638-92 [2] requires that the normal illumination of a seated workstation be 500–1000 lx and the minimum illumination of the emergency lighting system be 200 lx. ISO 11064-6 [4] requires that the illumination level of a working environment with written work be maintained at 200–750 lx. NUREG-0700 [5] states that the illumination level of a seated workstation is 1000 lx, and that of the control panel and general operating area is 500 lx. The illumination requirement for operators' workstations therefore differs between the regulations and standards. Taking the above standards together, a normal illumination of 500 lx can meet most of them. For emergency lighting, all standards make the same claim: no less than 200 lx.

Current Situation in Operating Power Plants. Taking an NPP of the CPR1000 project as an example, the MCR space is divided into five types of operating area according to its functional characteristics: main control area, surveillance area, auxiliary control area, passageway area and maintenance area, and some areas overlap. The functions of these five types of area differ, and so does the degree of control required. Therefore, the MCR is divided into five illumination zones according to the nature and load intensity of the visual operations in each working area, and the illumination differs between zones. The detailed illumination zoning is shown in Fig. 2.
Fig. 2. MCR partition zoning for illumination
For the above NPP, under normal illumination, the average illumination of the main control area, surveillance area and auxiliary control area reaches more than 500–600 lx, the average illumination of the passageway area is about 400 lx, and the average illumination of the maintenance area is about 250 lx. The average emergency illumination is over 200 lx. Experience feedback from the MCR operators of the above NPP shows that the illumination of the MCR fully meets the operating requirements.

Analysis of Illumination Requirements for MCR. For new nuclear power projects in China, the illumination adjustment switch is installed in the MCR. Therefore, the lighting design of the MCR need only consider the maximum illumination, and control of the actual illumination is left to the operators. Combined with the operating experience feedback of CPR1000 NPPs: the normal illumination of the MCR can be adjusted continuously, the maximum illumination of main operating areas such as workstations is not less than 500 lx, the maximum illumination of non-operating areas such as the passageway area and the maintenance area is not less than 200 lx, and the emergency illumination is not less than 200 lx; this fully meets the operating requirements of the MCR.
4 Correct and Error Analysis of Environmental Part Standard Description of MCR

In the environmental design process of the MCR of an NPP, some standard requirements have confused designers. With the accumulation of design experience, it has gradually been recognized that the requirements of some standards contain errors.

HAF J0055 and EJ/T 638-92 require the echo time of sound in the MCR to be less than 1 s. NUREG-0700 states that reverberation time in the MCR should be limited to less than 1 s. An echo is a single fixed reflection whose intensity and time difference are large enough to distinguish it from the direct sound, and in which syllables can be distinguished. Reverberation refers to the gradual attenuation of mixed reflected sound, arriving from multiple angles and at different times after repeated diffuse reflection; the listener cannot distinguish any syllables. An echo is a discontinuous repetition of a sound, while reverberation is a continuous fading out of sound. Reverberation time is the time required for the reverberation to decay by 60 dB(A). A certain amount of reverberation is beneficial to sound quality; if the reverberation time is too long, the sound becomes ambiguous. Echoes can only degrade sound quality and should be avoided absolutely. We consulted the original NUREG-0700 text, "The acoustical treatment of the control room should limit reverberation time to 1 s or less". In physics "reverberation" is interpreted as "混响" (reverberation), but it can also be rendered as "回声" (echo). When compiling HAF J0055 and EJ/T 638-92, the editors referred to NUREG-0700 but mistakenly translated "reverberation" as "回声" (echo), which led to the error in the standards' descriptions.

In HAF J0055, the accident illumination of the MCR display screen is 50–100 lx. IEC 60964-1989 requires the incident illumination of the MCR display screen to be 50–100 lx. "Incident" means "入射" (incident, falling onto a surface) as well as "事故" (accident). "Incident illumination", especially as a phrase, means "入射照度" (incident illuminance). When compiling HAF J0055, the editors may have referred to IEC 60964-1989 but misinterpreted "Incident" as "事故" (accident).
5 Concluding Remarks

The establishment of a comfortable environment in the MCR, including acoustic design and lighting design, provides the operator with a safe and comfortable working environment that meets the requirements of human factors engineering, ensures the safety, physical and mental health and comfort of the operator in the MCR, and indirectly reduces the probability of operator error, thus ensuring the safe operation of the unit. Among domestic and foreign regulations and standards for the environmental design of the MCR of NPPs, the problem of inconsistent index parameters is prominent, which leads to different reference standards for engineering design and engineering acceptance, and hampers the optimization and upgrading of environment-related system equipment and the overall design scheme of the MCR. In this paper, the main acoustic and lighting design standards for the MCR are analyzed. Based on experience feedback from NPP operation, reasonable and feasible index requirements are recommended, and description errors in some standards are pointed out. This provides a reference for optimizing and improving the environmental design of the MCR in follow-up NPP projects.
References
1. National Nuclear Safety Administration: Engineering principles for control room design of nuclear power plant: HAF J0055, p. 3 [S] (1995)
2. China National Nuclear Corporation: Design criteria for control room complex of nuclear power plant, pp. 3, 5–7 [S] (1992)
3. Standardization Administration of China: The design of control room of nuclear power plant: GB/T 13630, p. 12 [S] (2015)
4. International Organization for Standardization: Ergonomic design of control centres – Part 6: Environmental requirements for control centres: ISO 11064-6, pp. 18–19 [S] (2005)
5. U.S. Nuclear Regulatory Commission: Human-System Interface Design Review Guidelines (NUREG-0700, Rev. 2), pp. 480–503 [S] (2004)
6. U.S. Nuclear Regulatory Commission: Human Factors Engineering Program Review Model (NUREG-0711, Rev. 2), p. 15 [S] (2004)
Application of Mixed Reality Based on Hololens in Nuclear Power Engineering

Yi Zhang, Dan Li, Hao Wang, and Zheng-Hui Yang
State Key Laboratory of Nuclear Power Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen, China
Abstract. With the continuous development of computer hardware and software technology, mixed reality has emerged and has been applied in many industries. However, it is little used in nuclear power engineering. Current nuclear power design data consist mainly of 2D drawings and 3D models, which is not conducive to collaborative design and design verification. During maintenance at a nuclear power plant, staff have to carry the manual and cannot get real-time guidance. Methods of teaching technology and skills to staff are somewhat boring and inefficient. These problems can be addressed by using mixed reality with Hololens. The sharing feature of Hololens supports collaborative design. Rich holographic images and easy interaction on Hololens help maintenance workers get tasks done faster. A training system for HPR1000 has been developed which presents the HPR1000 plant layout and key equipment to nuclear power staff as holographic images.

Keywords: Mixed reality · Nuclear power plant · HPR1000 · Hololens
1 Application of MR in Nuclear Power Engineering

Virtual Reality (VR) is a computer simulation system that creates virtual worlds. It is an interactive simulation of 3D dynamic vision and physical behaviour that produces an immersive experience [1]. Augmented Reality (AR) is a technology that integrates real-world information with virtual world information; it applies virtual information to the real world [2]. Mixed Reality (MR), which includes augmented reality (AR) and virtual reality (VR), refers to a new visual environment created by combining the real and virtual worlds. Physical and digital objects coexist and interact in real time in this new visualization environment [3]. The technology enhances the user's sense of realism by creating an interactive feedback loop between the virtual world, the real world and the user. MR has been applied in many industries, but it has almost no applications in nuclear power plants. MR technology has great advantages in integrating the virtual and the real. MR can bring virtual content into daily work and can solve problems that employees encounter in nuclear power plant work. As the technology continues to mature, MR has a wide range of applications in the field of nuclear power.

© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 9–20, 2020. https://doi.org/10.1007/978-981-15-1876-8_2
1.1 Design of Nuclear Power Engineering
The design of a nuclear power plant is the first step in a nuclear power project, involving construction, civil engineering, machinery, electrical, instrumentation and control, ventilation and fire protection. It has a wide variety of designs, complex tasks and high safety requirements. The current common design method is still based on traditional 2D drawings, assisted by 3D data. It has the following disadvantages. The 2D drawings can show the structural composition and related dimensions of a device, but they cannot display the equipment visually. In multi-person joint design, there are difficulties of understanding and communication. Ordinary 3D data can present a 3D sense of the design, but it cannot provide immersion because it must be run on a platform such as a computer. Verification of the design results requires converting the design data into a physical device model; the rationality of the design is verified by testing the physical device. This method requires constructing the physical equipment, which increases the economic cost and construction period of the project. Achieving "what you see is what you get, and what you get is the data" is the problem at the nuclear power design stage. Using mixed reality technology, the design results are virtualized and projected into the real environment by holographic projection, as if the designs had been produced as real devices. The construction of an equipment model during design verification is eliminated. Designers no longer need to face a miniature model in reality or the 3D model on a computer; by wearing a head-mounted display (HMD) they can see the nuclear power equipment and assess the design from different viewing angles. According to the results of the observation, irrationalities and imperfections in the design can be found, and the design can be optimized continuously. The use of mixed reality technology can shorten the design period. In a nuclear power project, problems are solved at the design stage, reducing the risk in engineering construction.

1.2 Equipment Maintenance
Scheduled or unscheduled maintenance of equipment is necessary during nuclear power plant operation. In the maintenance process, the staff operate the nuclear power equipment according to the maintenance manual. But there are some problems:

(1) Freeing both hands. In actual maintenance, the staff need to hold the manual to check the operation steps and query the equipment data, while carrying the tools to operate the equipment. This places very high demands on the staff's experience, operational proficiency and other skills. Efficiency is low, and human error is easy to cause.

(2) Real-time guidance. The operator can carry out the operation step by step from the manual, but the position of the work point needs the operator's own judgment, which requires experience. It is also impossible to view the internal structure of the device during maintenance, and it is easy to trigger an unknown problem. When encountering difficult problems that cannot be solved on the spot, it is difficult to get help from experts and obtain intuitive, clear guidance.

Using mixed reality technology, after a nuclear power worker arrives at the operation site, the worker can acquire a 3D image of the device, enlarge components and determine the working point from multi-angle viewing on the MR device. The task list, safety alerts, components of the device, manuals, operating procedures and processes for each component can be viewed through the virtual desktop. Nuclear power workers no longer need to carry any manuals or documents, freeing their hands to perform operations on the equipment. When faced with problems that cannot be solved on site, the MR device can transmit the live image back to the expert system in the back office in real time. The experts can view the situation on the spot, provide technical guidance, and provide remote support [4].

1.3 Staff Training
Nuclear power plant work carries high risk. When performing a task, the staff need to be very familiar with the state of the equipment, the working principle of the system and the steps of the operation to ensure the operation is correct. If a wrong operation is performed, the device may malfunction and the system protection function may be activated by mistake, resulting in equipment damage, casualties, etc. Because of the importance of nuclear safety, the skill training of nuclear power workers is particularly important. Traditional document and video teaching cannot present stereoscopic effects, and teaching activities are mostly held in training classrooms; there are many shortcomings. Mixed reality technology can provide a new teaching model to improve students' learning efficiency [5]. It mainly has the following advantages:

(1) Intuitive. Mixed reality technology can present rich content in 2D and 3D. For the complex mechanical equipment of nuclear power, 3D models can be established to present it to the students intuitively, and virtual disassembly of the equipment can be performed to help trainees understand its internal structure.

(2) Reality. Mixed reality technology is capable of projecting virtual objects into real environments. The teaching content consists of virtual models that interact with real devices and the environment.

(3) Mobility. The mixed reality head-mounted display is a stand-alone device that performs computing, image rendering and data storage independently, without connecting to other computers via cables. It is very convenient for students to study anytime and anywhere.
2 Solutions of MR

Hololens is an MR head-mounted device developed by Microsoft Corporation. It is equipped with a holographic processing unit (HPU) to process real-time scanned data. Microsoft Hololens features holograms, high-definition lenses, stereo sound and more, allowing you to see and hear holograms around you. In this article, Hololens is the hardware device in the mixed reality solutions for nuclear power engineering.

2.1 Collaborative Design
At present, the nuclear power design institute has adopted 3D layout design platforms such as PDMS to create and manage 3D data. After the preliminary design is completed, the designer cannot check the design results visually, which is not conducive to continuous optimization of the design results. Hololens' holographic images let designers view design results from a 360° angle, giving designers the same experience as seeing real devices. In practical applications, the model remains consistent with the real model in structure and appearance. The model exported by PDMS has no texture and needs to be textured according to the appearance of the real device. For a large plant layout design, the number of models is large. When these models are used directly, the amount of data is too large, resulting in long processing time and low efficiency on Hololens. To ensure that the system runs smoothly on Hololens, the model needs to be lightweighted. Since the models are usually composed of polygons, the model is optimized by reducing the number of polygons while keeping the model structure unchanged [6]. Both functions can be performed with 3Ds Max software. After the optimization of the model is completed, the model can be imported into Hololens for real-time viewing. Designers evaluate the design results through Hololens to identify deficiencies and make improvements in PDMS (see Fig. 1).
Fig. 1. Solution for design (pipeline: PDMS: creating models, factory layouts → 3Ds Max: model texture, simplifying model → HoloLens: holographic image, collaborative design)
When designers discuss a design, a single Hololens device does not allow the designers to view the device model at the same time. Information is not transmitted in time, which is not conducive to communication between members. The sharing feature of Hololens allows data sharing between multiple users wearing Hololens. It allows design team members to share design results, enhances communication between designers and improves the efficiency of the team. It is realized by anchor sharing. A World Anchor provides a way to keep an object at a specific position and rotation, ensuring the stability of holographic objects; it also maintains the position of the holographic object in the real world. When a spatial anchor is added to a holographic object, the hologram can be restored accurately to its original position in later sessions. After Hololens scans the space environment, users can create spatial anchors manually or by programming. The information of the spatial anchors can be serialized and passed to other Hololens devices. Each Hololens can deserialize this information and locate the spatial anchor in space. The anchor synchronization process is shown in Fig. 2.

Fig. 2. Anchor synchronization process (flowchart steps: Start; Build server; Client connects to server; Room identification in server (Y/N); Local initialization of anchor; Load anchor; Synchronize room information; Download anchor data; End)
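The serialize-and-pass-along step described above, as an added C# example that is not the paper's or Microsoft's code: one headset exports a WorldAnchor with Unity's legacy WorldAnchorTransferBatch API (UnityEngine.XR.WSA.Sharing, HoloLens 1) and another imports it and locks a hologram to it. The room id, the anchor id and the upload function stand in for the sharing server of Fig. 2 and are placeholders.

```csharp
// Added example (not the paper's code): export a world anchor as bytes on one HoloLens,
// import them on another so the same hologram sits at the same real-world position.
// Assumes Unity 2017/2018 with the legacy UnityEngine.XR.WSA APIs for HoloLens 1.
// Room id, anchor id and the "server" transport are placeholders, not from the paper.
using System;
using System.Collections.Generic;
using UnityEngine;
using UnityEngine.XR.WSA;
using UnityEngine.XR.WSA.Sharing;

public class AnchorSharing : MonoBehaviour
{
    public GameObject hologram;                 // object every headset should see in the same place
    public string roomId = "ROOM-PLACEHOLDER";  // hypothetical id the server uses to tell rooms apart
    private const string AnchorId = "plant-layout-anchor";
    private readonly List<byte> exportBuffer = new List<byte>();

    // ----- Exporting side: "Local initialization of anchor", then serialize it -----
    public void ExportAnchor()
    {
        WorldAnchor anchor = hologram.GetComponent<WorldAnchor>()
                             ?? hologram.AddComponent<WorldAnchor>();
        if (!anchor.isLocated)
        {
            // The anchor is only meaningful once the device has localized it against the scanned room.
            Debug.LogWarning("Anchor not yet located; retry after spatial mapping settles.");
            return;
        }
        var batch = new WorldAnchorTransferBatch();
        batch.AddWorldAnchor(AnchorId, anchor);
        exportBuffer.Clear();
        WorldAnchorTransferBatch.ExportAsync(batch, OnExportDataAvailable, OnExportComplete);
    }

    private void OnExportDataAvailable(byte[] chunk)
    {
        exportBuffer.AddRange(chunk);           // the serialized anchor arrives in chunks
    }

    private void OnExportComplete(SerializationCompletionReason reason)
    {
        if (reason != SerializationCompletionReason.Succeeded)
        {
            Debug.LogError("Anchor export failed: " + reason);
            return;
        }
        UploadToServer(roomId, exportBuffer.ToArray());
    }

    // ----- Importing side: "Room identification" -> "Download anchor data" -> "Load anchor" -----
    public void ImportAnchor(string serverRoomId, byte[] payload)
    {
        // The server is a trust boundary: only accept anchor data for the room this device
        // scanned, and reject empty payloads before handing them to the deserializer.
        if (serverRoomId != roomId || payload == null || payload.Length == 0)
        {
            Debug.LogError("Rejected anchor data: room mismatch or empty payload.");
            return;
        }
        WorldAnchorTransferBatch.ImportAsync(payload, OnImportComplete);
    }

    private void OnImportComplete(SerializationCompletionReason reason, WorldAnchorTransferBatch batch)
    {
        if (reason != SerializationCompletionReason.Succeeded)
        {
            Debug.LogError("Anchor import failed: " + reason);
            return;
        }
        if (Array.IndexOf(batch.GetAllIds(), AnchorId) < 0)
        {
            Debug.LogError("Payload does not contain the expected anchor id.");
            return;
        }
        // LockObject attaches a WorldAnchor to the hologram at the shared real-world position.
        batch.LockObject(AnchorId, hologram);
    }

    private void UploadToServer(string room, byte[] data)
    {
        // Placeholder for the sharing server (socket or REST call); not part of the paper.
        Debug.Log("Would upload " + data.Length + " anchor bytes for room " + room);
    }
}
```

The room and anchor-id checks before importing are the defensive point: the bytes come from another device through the server, so a client confirms they belong to the room it scanned and contain the expected anchor before locking holograms to them.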
2.2 Intelligent Maintenance
The use of mixed reality technology in nuclear power maintenance mainly includes five aspects: room and equipment identification, prompting work points, interactive operations, document viewing, and remote assistance (see Fig. 3).
Fig. 3. Structure of intelligent maintenance (diagram: intelligent maintenance comprises room and equipment identification (preventing misalignment, loading virtual 3D models, viewing device structure); prompting work points (scanning environment, positioning operation position); interaction (gaze, voice, gestures); document viewing (obtaining maintenance manuals, equipment manuals); remote assistance (video communication, remote expert guidance))
(1) Room and equipment identification. Nuclear power plants have many plant buildings, and maintenance workers can easily go wrong when performing equipment maintenance. To prevent workers from making operating errors, the following measures can be taken. A room number is set at the entrance to each room. Hololens identifies the number when a maintenance person wearing a Hololens enters the room, and a voice prompt from Hololens tells the worker the number of the room he is about to enter. After the worker enters the room, Hololens can identify the equipment that needs to be repaired, and the model of the equipment is loaded so that the user can view its internal structure.

(2) Prompting work points. Maintenance workers need to determine accurately the location of the operation and the correct tool when servicing the equipment. Hololens provides virtual prompt icons (such as arrows) to tell the operator the correct location. At the same time, the virtual model of the tool is loaded to prompt the user with the right tool. To achieve this function, Hololens must determine the location of the device. Spatial mapping on Hololens can identify the surrounding environment and surfaces, establish spatial coordinate data for the room, and locate the equipment in the room. The spatial mapping workflow is shown in Fig. 4.

Fig. 4. Spatial mapping workflow (flowchart steps: Start → Create surface viewer → Set spatial data range → Identify fixed areas → Identify movable areas → Create spatial surface information → Poll spatial surface information → Handle surface changes (add, update, delete) → Grid cache → Handle asynchronous grid requests → Rendering → Create room data → End)
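The Fig. 4 workflow as an added C# example (not the paper's code): it uses Unity's legacy SurfaceObserver API (UnityEngine.XR.WSA, HoloLens 1) and covers creating the observer, setting the observation range, polling, handling add/update/delete, the mesh cache and the asynchronous mesh requests. The observation volume, polling interval and triangle density are assumed values, and the fixed/movable-area classification in the figure is not implemented here.

```csharp
// Added example (not the paper's code): the Fig. 4 spatial mapping workflow with Unity's
// legacy SurfaceObserver API (UnityEngine.XR.WSA) on HoloLens 1.
// Observation volume, polling interval and triangle density are assumptions.
using System;
using System.Collections.Generic;
using UnityEngine;
using UnityEngine.XR.WSA;

public class RoomMapper : MonoBehaviour
{
    public Vector3 observedExtents = new Vector3(8f, 4f, 8f); // metres; "Set spatial data range"
    public float pollIntervalSeconds = 3f;                    // "Poll spatial surface information"
    public int trianglesPerCubicMeter = 500;                  // mesh density requested from the platform

    private SurfaceObserver observer;                         // "Create surface viewer"
    private readonly Dictionary<SurfaceId, GameObject> meshCache =
        new Dictionary<SurfaceId, GameObject>();              // "Grid cache": one object per surface
    private float nextPoll;

    void Start()
    {
        observer = new SurfaceObserver();
        // Axis-aligned box around the user; surfaces outside it are never reported.
        observer.SetVolumeAsAxisAlignedBox(Camera.main.transform.position, observedExtents);
    }

    void Update()
    {
        if (Time.time < nextPoll) return;
        nextPoll = Time.time + pollIntervalSeconds;
        // Ask the platform which surfaces were added, updated or removed since the last poll.
        observer.Update(OnSurfaceChanged);
    }

    // "Handle surface changes (add, update, delete)"
    private void OnSurfaceChanged(SurfaceId id, SurfaceChange change, Bounds bounds, DateTime updateTime)
    {
        switch (change)
        {
            case SurfaceChange.Added:
            case SurfaceChange.Updated:
                GameObject surface;
                if (!meshCache.TryGetValue(id, out surface))
                {
                    surface = new GameObject("Surface-" + id.handle);
                    surface.transform.parent = transform;
                    surface.AddComponent<MeshFilter>();
                    surface.AddComponent<MeshRenderer>();
                    surface.AddComponent<MeshCollider>();
                    surface.AddComponent<WorldAnchor>();   // keeps the mesh fixed in the room
                    meshCache[id] = surface;
                }
                // "Handle asynchronous grid requests": the mesh is baked off the main thread
                // and written into the components above when ready.
                var request = new SurfaceData(id,
                    surface.GetComponent<MeshFilter>(),
                    surface.GetComponent<WorldAnchor>(),
                    surface.GetComponent<MeshCollider>(),
                    trianglesPerCubicMeter,
                    true);                                   // bake a collider as well
                observer.RequestMeshAsync(request, OnMeshReady);
                break;

            case SurfaceChange.Removed:
                GameObject stale;
                if (meshCache.TryGetValue(id, out stale))
                {
                    meshCache.Remove(id);
                    Destroy(stale);
                }
                break;
        }
    }

    private void OnMeshReady(SurfaceData baked, bool outputWritten, float bakeSeconds)
    {
        if (!outputWritten) return;
        // "Create room data": the baked collider now lets gaze rays hit real walls and
        // equipment, which is what the work-point prompts in (2) rely on.
        Debug.Log("Surface " + baked.id.handle + " baked in " + bakeSeconds + " s");
    }

    void OnDestroy()
    {
        if (observer != null) observer.Dispose();
    }
}
```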
(3) Interaction. Workers need to switch between various holographic images when using Hololens devices. Hololens provides three interaction means: gaze, gestures and voice. Gaze is the first form of interaction and is used to locate objects; its main function is to tell the user the current focus [7]. It is achieved by a forward ray from the user's head, and the ray identifies the object it collides with. In development, the camera is used to represent the position and orientation of the user's head. Gestures are the most central way to interact. Together with gaze, gestures are used to select, activate and drag virtual objects [8]. The steps are: creating a gesture recognizer instance, registering the gesture types, subscribing to gesture events, starting gesture recognition, and stopping gesture recognition. Voice commands can reduce the number of UI elements and simplify the UI. Keywords and corresponding behaviours are set for the application; when the user speaks a keyword, the preset action is invoked [9]. The implementation steps are: initializing the speech recognizer instance by registering the keywords, and registering the event handler as the response.

(4) Document viewing. When maintenance workers are operating, they usually need to carry various operation manuals, which is not conducive to freeing their hands. Hololens can store a variety of documents, pictures, videos and other files for users to view, including but not limited to: equipment maintenance operation sheets and equipment maintenance procedures; system logic diagrams, equipment manuals and equipment maintenance manuals; historical maintenance records and relevant experience feedback; equipment operating parameters; operational videos.

(5) Remote assistance. Video communication software such as Skype can be installed on Hololens. Workers can conduct real-time video communication with experts from the site. Experts can view the status of the device through a remote system, so that they can help identify problems and guide personnel to operate.
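The gaze, gesture and voice steps listed in (3), as an added C# example that is not the paper's code: it follows the stated step order (create recognizer, register gesture types, subscribe, start, stop; register keywords, register the handler, start) against Unity's legacy HoloLens 1 APIs (UnityEngine.XR.WSA.Input, UnityEngine.Windows.Speech). The keywords, the cut-away model and the procedure steps are assumptions made for this example.

```csharp
// Added example (not the paper's code): gaze, gesture and voice interaction on HoloLens 1
// with Unity's legacy APIs. Keywords, cut-away model and procedure steps are assumptions.
using UnityEngine;
using UnityEngine.Windows.Speech;
using UnityEngine.XR.WSA.Input;

public class HoloInteraction : MonoBehaviour
{
    public float gazeRange = 10f;                 // metres the gaze ray is allowed to travel
    public GameObject cutawayModel;               // assumed: internal-structure model to show/hide
    public string[] procedureSteps =              // assumed: maintenance steps announced on "next step"
        { "Isolate the equipment", "Remove the cover", "Inspect the seal" };

    private GameObject focused;                   // hologram currently under the gaze ray
    private GameObject dragTarget;                // hologram captured when a drag began
    private Vector3 dragOrigin;                   // its position at that moment
    private int stepIndex = -1;
    private GestureRecognizer gestures;
    private KeywordRecognizer keywords;

    void Start()
    {
        // Gesture steps: create instance, register gesture types, subscribe to events, start.
        gestures = new GestureRecognizer();
        gestures.SetRecognizableGestures(GestureSettings.Tap | GestureSettings.ManipulationTranslate);
        gestures.Tapped += OnTapped;
        gestures.ManipulationStarted += OnManipulationStarted;
        gestures.ManipulationUpdated += OnManipulationUpdated;
        gestures.ManipulationCompleted += OnManipulationCompleted;
        gestures.StartCapturingGestures();

        // Voice steps: create the recognizer with the keyword list, register the handler, start.
        keywords = new KeywordRecognizer(new[] { "show structure", "hide structure", "next step" });
        keywords.OnPhraseRecognized += OnPhraseRecognized;
        keywords.Start();
    }

    // Gaze: a forward ray from the head (the camera stands in for the head) finds the focus.
    void Update()
    {
        Transform head = Camera.main.transform;
        RaycastHit hit;
        focused = Physics.Raycast(head.position, head.forward, out hit, gazeRange)
            ? hit.collider.gameObject
            : null;
    }

    // Air-tap selects/activates the hologram under the gaze ray (here: toggle a highlight).
    private void OnTapped(TappedEventArgs args)
    {
        if (focused == null) return;
        Renderer r = focused.GetComponent<Renderer>();
        if (r != null)
            r.material.color = (r.material.color == Color.yellow) ? Color.white : Color.yellow;
    }

    // Tap-and-hold then move the hand: drag the captured hologram by the hand's cumulative offset.
    private void OnManipulationStarted(ManipulationStartedEventArgs args)
    {
        dragTarget = focused;
        if (dragTarget != null) dragOrigin = dragTarget.transform.position;
    }

    private void OnManipulationUpdated(ManipulationUpdatedEventArgs args)
    {
        if (dragTarget != null) dragTarget.transform.position = dragOrigin + args.cumulativeDelta;
    }

    private void OnManipulationCompleted(ManipulationCompletedEventArgs args)
    {
        dragTarget = null;
    }

    // Voice: ignore low-confidence matches so a stray word does not advance a procedure.
    private void OnPhraseRecognized(PhraseRecognizedEventArgs args)
    {
        if (args.confidence == ConfidenceLevel.Low || args.confidence == ConfidenceLevel.Rejected) return;
        switch (args.text)
        {
            case "show structure": if (cutawayModel != null) cutawayModel.SetActive(true); break;
            case "hide structure": if (cutawayModel != null) cutawayModel.SetActive(false); break;
            case "next step": AdvanceProcedure(); break;
        }
    }

    private void AdvanceProcedure()
    {
        if (stepIndex + 1 >= procedureSteps.Length) { Debug.Log("Procedure complete"); return; }
        stepIndex++;
        Debug.Log("Step " + (stepIndex + 1) + ": " + procedureSteps[stepIndex]);
    }

    void OnDestroy()
    {
        // Final step from the text: stop recognition when the scene unloads.
        if (gestures != null) { gestures.StopCapturingGestures(); gestures.Dispose(); }
        if (keywords != null && keywords.IsRunning) keywords.Stop();
        if (keywords != null) keywords.Dispose();
    }
}
```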
2.3 Training System for HPR1000
HPR1000 is China's third-generation nuclear power technology with independent intellectual property rights. Nuclear power plants using this technology are currently under construction. The HPR1000 design is guided by defence in depth and the principle of reliability. Nuclear power workers need to relearn the technology. The current nuclear power training systems have many deficiencies. Firstly, traditional 2D drawings and video teaching cannot give students an intuitive feeling. For complex mechanical equipment structures, it is impossible to cut through the layers, so students cannot deeply understand the internal structure of key equipment; the learning time is long and the training effect is poor. Secondly, VR virtual reality technology can provide students with an immersive virtual learning environment. However, current high-performance VR helmets must be used with a computer and have no mobility. Because they are opaque, they cannot combine the real environment and equipment on site: students learn entirely in the virtual world and cannot use a VR system in front of equipment in the plant. The 3D vertigo problem of VR helmets has also severely shortened their usable time and comfort. Thirdly, AR technology can superimpose virtual images onto real devices to achieve a combination of the virtual and the real, and solves the opacity problem of VR. However, AR technology does not solve the problem of interaction between virtual objects and real environments and devices, so interactivity is insufficient. The HPR1000 training system is developed based on mixed reality technology. The development structure of this application is shown in Fig. 5.
Fig. 5. Hololens system structure of HPR1000 training system (system structure: data model (plant layout, nuclear power primary circuit, reactor structure, ...) built in PDMS / ProE / 3Ds Max; interaction (gaze, voice, gesture) via Mixed Reality Toolkit; key features (data integration, simulation animation, model recognition, scene sharing, ...) in Unity3D; integrated release to HoloLens via Microsoft Visual Studio 2017)
The project deeply analyzes the advanced design concept and key technology of HPR1000. The function design flow chart of this application is shown in Fig. 6. The system has the following features.

(1) The system can place the HPR1000 plant layout and the virtual 3D models of key equipment in the real environment for real-time interaction (see Fig. 7).

(2) Because of the mobility of the mixed reality helmet, students can use the system not only in the office and training classrooms but also in the plant buildings or workshops of the nuclear power plant.

(3) Through the system, students can look at the equipment in the real environment while using gaze, gestures, voice and other interactive means to view the internal structure of the equipment, maintenance steps, operations and other virtual objects.

(4) The system has a multi-person shared view function that allows multiple Hololens devices to interact in real time. Through spectator view, the system shares instructional content with more users.
Fig. 6. Function design of HPR1000 training system (flowchart: Start → System deployment to the environment → three modules: 3D layout information (factory layout, factory internal structure); primary circuit system and key equipment (primary circuit system principle, key equipment information (pressure vessel, main pump, etc.), core structure); significant innovation design (pressure vessel design) → End)
Fig. 7. Hololens application results of HPR1000 training system
3 Analysis of Application Effect

Mixed reality technology can successfully exploit its technological advantages in the field of nuclear power engineering. The main effects of its application are as follows.

(1) Intuitive. When working in the field, nuclear power workers often need to consult a large number of drawings, which is very inconvenient. Hololens is able to render 3D models directly in a real environment. Workers can view the device from any angle, and can split 3D models and zoom in and out. This helps users get more information more intuitively.

(2) Diversity. Hololens can provide multiple types of information, including 3D models, videos, pictures, text, sounds and more. It can meet the information needs of nuclear power workers.

(3) Interactivity. Hololens provides natural interactions such as gaze, voice and gestures, approaching the way people interact with each other. It frees the hands of nuclear power workers and can improve work efficiency.

(4) Record. Nuclear power workers can take pictures of equipment and record the repair process while performing maintenance, which is helpful for staff training, problem analysis and summarizing experience in the office.

(5) Simplicity. Hololens provides the workers with operating steps, operating tools and operating positions, helping a worker complete work tasks more easily. It can reduce employees' training time and the cost of staff training for enterprises.

(6) Synergy. The sharing feature of Hololens allows every staff member wearing Hololens to view the same image. It is ideal for team work by nuclear power designers.
4 Conclusion
This paper describes the main technical features of mixed reality. Some problems in current nuclear power engineering, including design, maintenance and staff training, are analyzed, as are the requirements for and advantages of combining mixed reality technology with nuclear power engineering. Some solutions are proposed to change the way of working and improve work efficiency, and some key technologies of these solutions are researched. The HPR1000 training system on Hololens is developed; the system introduces the key technology and advanced design of HPR1000 using mixed reality technology and can be used for the training of workers in nuclear power plants. The application effect of using Hololens in nuclear power engineering is summarized. In the future, mixed reality technology will be continuously improved, and the combination of nuclear power plants and mixed reality will become ever deeper.
Visualization of Geologic Engineering Data Based on Nuclear Power Plant
Hui Chang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co. Ltd., 518172 Shenzhen, Guangdong Province, China
Abstract. This article mainly researches the visualization of engineering data collected during the early site selection of a nuclear power plant. Firstly, the variety, volume, quality and formats of the engineering data make it difficult to compare, classify and analyze. Secondly, engineering data is rich in specialist information, so it is difficult for laypeople to read and is interpreted differently in exchanges between parties, which limits deeper use and sharing of the information. Thirdly, considering the rigour, comprehensiveness and integrity required of the data and the invisibility of underground rock beds, a 3D model makes the interrelation of the data easier to grasp, so it is necessary to carry out visualization research and treat it as an important foundation for future planning and construction. Visualization of geologic engineering data has four parts: data acquisition, data management, arithmetic disposal and three-dimensional imaging. Geologists can read hidden information from the 3D model and then infer the terrain. At the same time, the research provides a reference interpolation method for building continuous surfaces for new nuclear power plants in the future.
Keywords: Geologic engineering data; Visualization
1 Research Background
Considering factors such as electromagnetic radiation, geologic stability and the natural environment, a nuclear power plant should be set up far away from people's living areas. Whether a place can be built on depends on evaluating, measuring, computing and reasoning over the engineering data that has been collected. More data gives more understanding for further research, but larger data sets bring certain difficulties in classification and comparison. Furthermore, some data can be estimated and read only by geologists. Besides, because underground rock strata are invisible, CAD drawings or plan views cannot give intuition, but a 3D model can make the interrelation of the data simpler and more intuitive and can show the change of a rock stratum from one shape to another [1]. In the geologic field there is a large technology gap between China and developed countries; some countries such as the United States, Japan and Singapore have carried out advanced and thorough engineering research, and the research methods and results have been protected by strict legislation. So developed countries have come to have mature technology with a clear division of labour and specialty and high technology. But in view of the Chinese situation, firstly, different areas have different measurement methods, which has caused repeated measurement of the same area and repeated storage of data. Secondly, a large amount of data is old and updated slowly. Thirdly, the government has not established a uniform standard for protecting data, so data cannot be fully used for further sharing. Finally, geotechnical engineering in China belongs to different fields. These reasons create certain difficulties for communication between engineers and work against the market economy and international cooperation [2]. Currently, new technology is emerging continuously, and the technology of the geologic field is crying out for updating. Information technology, data technology, visualization methods and GIS have developed quickly; in particular, GIS can manage and organize a large amount of data and can also implement spatial analysis [3]. So these questions can be solved.
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 21–29, 2020. https://doi.org/10.1007/978-981-15-1876-8_3
2 Visualization Blue Print
This article takes as an example a site at which a segment of engineering data had been gathered when the nuclear power plant was being built at an early stage. A 3D geological model has been created with new technology; the course of implementation has four parts: data collection, data management, arithmetic disposal and three-dimensional imaging, and the arithmetic plays a vital role.
2.1 Data Collection
Data has been collected by boring holes, and every hole is numbered. At the same time, correlative information such as descriptive information or pictures has been collected. Then a table with the important information has been created by designing and classifying according to database rules: the table has the number ID, name, X coordinate and Y coordinate of each hole, and the name, top elevation, bottom elevation, lithology and reason of formation of each rock stratum, as in Table 1.
Table 1. Information of engineering data
ID | Shape | X coordinate | Y coordinate | Top elevation | Bottom elevation | Radius
1 | Point | 39379154.7 | 2517995.7 | −2.44 | −3.16 | 91 mm
2 | Point | 39379202.0 | 2517962.6 | 0.72 | −2.38 | 91 mm
3 | Point | 39379225.5 | 2517944.0 | −1.29 | −6.99 | 91 mm
4 | Point | 39379245.8 | 2517919.9 | 2.86 | −6.84 | 110 mm
5 | Point | 39379272.2 | 2517900.3 | −3.94 | −6.34 | 91 mm
… | … | … | … | … | … | …
The rock strata get their information from the holes and correlative holes and have been divided and sorted: the number of rock strata has been determined according to the cut-off points at which holes met a rock stratum, with similar lithology treated as one rock stratum, and the spatial sequence relation has been ascertained from the vertical coordinate Z at which holes met each rock stratum and from the pressure relation between one layer and the next [4].
2.2 Data Management
This article integrates the storage and management of CAD drawings, pictures, tables, descriptive information and geological data by making use of the data management function and strong spatial analysis capability of GIS [5]. The tables use SQL Server with the ArcSDE engine to store a great deal of attribute data, classified by feature type as point, line or polygon. The method of importing into the spatial database is shown in Fig. 1.
Fig. 1. Importing database
The spatial database has been built for the engineering data based on ArcGIS and can show the relation between the position of a point and its attribute characteristics. A large quantity of data can be queried, added, deleted or arranged. Rows or columns are extracted from the total table, and many sub-tables are created by the query function according to the required application. A key is set to relate the sub-tables to the total table. At the same time, CAD drawings, descriptive information, pictures or video can also be linked and imported into the database, as in Fig. 2.
Fig. 2. Data management
2.3 Arithmetic Disposal
The course of obtaining the 3D geological model is how points are made into surfaces and then how surfaces are made into bodies. Going from points to a surface requires inserting points that are calculated from the known points around them. The data interpolation method plays an important role in building the 3D model: it provides veracity and precision and reflects spatial variability and spatial relativity, which immediately affect the authenticity of the three-dimensional geological model [6]. Many interpolation methods exist; the best of them has been found by experiment and comparison, trying to simulate the surfaces of the geological features of the nuclear power plant. For example, some known interpolation methods have been tried on some engineering data for a certain domain, and then the triangular surfaces created from them have been compared. These familiar interpolation methods are IDW, Kriging, Natural neighbor and Spline [7], as in Fig. 3(I, II, III, IV).
Fig. 3. Interpolation method: (I) IDW, (II) Kriging, (III) Natural neighbor, (IV) Spline
By comparing the advantages and disadvantages of some familiar interpolation methods, Inverse Distance Weighting (abbreviated IDW) has been chosen, but it has shortcomings. In view of the characteristics of the nuclear power plant, IDW has been improved with respect to the number of points participating in the calculation. Supposing there are n points, with point coordinates (x_i, y_i) and elevation z_i, i, j = 1, 2, 3, …, n, the IDW function expression is:

$$z_j = \sum_{i=1}^{n} z(x_i)\,D_{ij}^{-r} \Big/ \sum_{i=1}^{n} D_{ij}^{-r} \qquad (1)$$
z_j denotes the average elevation being worked out, z(x_i) is the known elevation of point i, D_ij denotes the distance between the two points, and r denotes a constant value greater than zero. On the one hand, traditional IDW is affected by clustered points, but the engineering data of the researched domain has been gathered regularly in rows, so it is unaffected. On the other hand, the researched domain is about 10 km², and the interpolated points are required to be calculated with more precision. In order to avoid the effect of far-away points or abrupt points, the scope around the unknown point that takes part in the calculation has been limited, and at the same time the computational complexity is cut down greatly. D_ij has been improved on the distance factor: the unknown point is treated as the centre of a circle with radius R. If D_ij > R, D_ij drops out of the calculation; if D_ij ≤ R, D_ij participates in the calculation. The improved formula is as follows:

$$z_j = \begin{cases} \sum_{i=1}^{n} z(x_i)\,D_{ij}^{-r} \Big/ \sum_{i=1}^{n} D_{ij}^{-r}, & D_{ij} \le R \\ 0, & D_{ij} > R \end{cases} \qquad (2)$$

This formula has been named IDW+. The resulting surfaces are shown in Fig. 4.
Fig. 4. Interpolation compare: (I) IDW, (II) IDW+
According to the smoothness of the surface and the joint points, the results have been compared and the following is deduced: (1) IDW+ creates more triangular surfaces than IDW, Kriging, Spline or Natural neighbor. (2) IDW+ has more points on the triangular surface. (3) IDW+ avoids the effect of far-away points or abrupt points. So IDW+ has been selected as better adapted to the character of the nuclear power plant.
2.4 Three-Dimensional Imaging
Up to now, the spatial distribution of rock strata has been explained and deduced by experienced engineers according to reconnaissance, acoustic and seismic data, and furthermore most of the work has been done on plan drawings [8]. Besides, blueprints are expressed in abstract symbols. Unlike the traditional method, this article uses charts or graphs to express the data and show the relations between factors. Firstly, the engineering points have been divided and sorted from top to bottom, and the points in the same rock stratum are shown in one colour. There are nine rock strata: Prime soil layer, Fine sand layer, Medium sand layer, Clay layer, Gravel layer, Total weathering layer, Middle weathering layer, Aeolian layer and No weathering layer. Secondly, the geological triangular surfaces have been created by way of IDW+. Lastly, the computer draws according to elevation Z, and the 3D geological model is built between two rock strata according to elevation Z, as in Fig. 5(I, II, III).
Fig. 5. The geological body process: (I) Disperse drill points, (II) Fit surface, (III) Geological body
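The interpolation of Sect. 2.3 and the per-stratum "fit surface" step of Sect. 2.4, as an added example that is not the article's own code. It implements Eq. (1) (plain IDW) and Eq. (2) (IDW+ with the search radius R), then evaluates IDW+ on a regular grid for each rock stratum. The borehole coordinates in SAMPLE are constructed for the example, not taken from Table 1; the choice to skip points with D_ij > R (rather than write 0 for that branch) and to return None where no borehole lies within R is this example's design decision, so that a gap in coverage is not drawn as an elevation of 0.

```python
"""IDW and IDW+ interpolation over borehole points (added example, not the article's code).

Eq. (1): z_j = sum_i z(x_i) D_ij^-r / sum_i D_ij^-r over all n known points.
Eq. (2): the same sums, but only boreholes with D_ij <= R take part.
"""
from math import hypot
from typing import Dict, List, Optional, Sequence, Tuple

# One borehole sample of a stratum: (x, y, z) = (easting, northing, elevation).
Point = Tuple[float, float, float]


def idw(points: Sequence[Point], x: float, y: float, r: float = 2.0) -> float:
    """Plain IDW, Eq. (1): every known point contributes with weight D_ij^-r."""
    num = den = 0.0
    for xi, yi, zi in points:
        d = hypot(x - xi, y - yi)
        if d == 0.0:
            return zi            # query point coincides with a borehole
        w = d ** (-r)
        num += zi * w
        den += w
    return num / den


def idw_plus(points: Sequence[Point], x: float, y: float,
             R: float, r: float = 2.0) -> Optional[float]:
    """IDW+, Eq. (2): boreholes with D_ij > R drop out of the calculation.

    Design choice of this example: excluded points are skipped and None is
    returned when no borehole lies within R (the article's formula writes 0).
    """
    num = den = 0.0
    used = 0
    for xi, yi, zi in points:
        d = hypot(x - xi, y - yi)
        if d > R:
            continue             # far-away or abrupt point: excluded
        if d == 0.0:
            return zi
        w = d ** (-r)
        num += zi * w
        den += w
        used += 1
    return num / den if used else None


def fit_surface(points: Sequence[Point], x0: float, y0: float, nx: int, ny: int,
                step: float, R: float, r: float = 2.0) -> List[List[Optional[float]]]:
    """Evaluate IDW+ on an nx-by-ny grid starting at (x0, y0): one stratum surface."""
    return [[idw_plus(points, x0 + i * step, y0 + j * step, R, r)
             for i in range(nx)] for j in range(ny)]


def surfaces_by_stratum(strata: Dict[str, Sequence[Point]], x0: float, y0: float,
                        nx: int, ny: int, step: float, R: float
                        ) -> Dict[str, List[List[Optional[float]]]]:
    """Fit one top surface per rock stratum: the points were already sorted by
    stratum (Sect. 2.4, step 1), so each stratum is interpolated on its own."""
    return {name: fit_surface(pts, x0, y0, nx, ny, step, R)
            for name, pts in strata.items()}


# Constructed sample (not the article's data): three nearby boreholes and one
# far-away outlier that distorts plain IDW but is excluded by IDW+ with R = 20.
SAMPLE: List[Point] = [(0.0, 0.0, 10.0), (10.0, 0.0, 20.0),
                       (0.0, 10.0, 30.0), (100.0, 100.0, 1000.0)]

if __name__ == "__main__":
    print("IDW  at (5,5):", round(idw(SAMPLE, 5.0, 5.0), 3))      # pulled up by the outlier
    print("IDW+ at (5,5):", idw_plus(SAMPLE, 5.0, 5.0, R=20.0))   # outlier excluded
    for row in fit_surface(SAMPLE, 0.0, 0.0, 3, 3, 5.0, R=20.0):
        print(row)
```

With the constructed data the single outlier at (100, 100) moves the plain IDW estimate at (5, 5) from 20.0 to roughly 20.9; the radius cut-off of IDW+ removes it, which is the "far-away or abrupt point" effect the article sets R to avoid.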
3 Visualization Application
The geological models and the holes have been superposed and calculated, and a 3D cylinder model is shown with different colours assigned to every rock stratum. The function has been realized with an interface class, Stacked Chart Type, as follows:

    public partial class StackedChartType : UserControl, IFunctionViewer
    {
        // container panel that hosts the stacked chart
        private PanelEx panelChart;
        private Panel panel1;
        // check box controlling the 3D display of the cylinder model
        private CheckBox checkBoxShow3D;
        // chart control that draws one stacked segment per rock stratum
        private Chart chart1;
        private IContainer components = null;
    }
The 3D cylinder model is shown in Fig. 6(I), and a CAD plan is compared with it in Fig. 6(II). The outcome of the comparison is as follows: (1) The 3D cylinder model shows three dimensions and marks many rock strata with different colours, whereas traditional CAD only shows lines on a plane. (2) The 3D cylinder model and traditional CAD can supplement and validate each other. By comparison, the results show that the 3D cylinder model can reflect the true state of the underground rock strata. In fact, engineers can read intuitive information from the 3D cylinder model and hidden information from CAD. This information lets engineers judge by rule and line and use it as a reference to guide the construction of the nuclear power plant in the future.
Fig. 6. Compare CAD and 3D cylinder: (I) 3D cylinder, (II) CAD section plane
4 Conclusion and Expectation
This article has researched the engineering data of a certain nuclear power plant; the research can help engineers analyze invisible rock strata. The conclusions are as follows: (1) Making use of GIS technology, the engineering data, including spatial position and attributes, has been integrated from scratch, a storage rule has been established, and an effective way of sharing data has been offered. This supports classifying, analyzing and comparing the data and designing the plant. (2) IDW+ has been applied to the researched domain; by comparison and experience, the method reflects the true state of the underground rock strata. (3) Data visualization makes the engineering data more understandable and intuitive: on the one hand, lay engineers can read professional information; on the other hand, the 3D geological model can make up for the spatial imagination required by blueprints. Domestic and foreign scholars have put forward many conceptual models from different aspects, but the methods and technology for building 3D geological models are still at the stage of theoretical research. In practical application, many problems still need further solution. It has been said that visualization of engineering data will play an increasingly important role in the application of nuclear power plants.
References
1. Cai, H.G., Li, X.G., et al.: Using multi-patch to build 3D underground features. J. North China Univ. Water Resour. Electric Power 25(4) (2004)
2. Yan, E.C.: Frontiers in Engineering. http://www.docin.com
3. Li, B.: Application of geographic information system in geotechnical engineering survey. Sci. Technol. Innov. Herald 02 (2010)
4. Chen, X.X., Wu, L.X., Che, D.F., et al.: Three-dimensional modeling method of geological body containing faults based on borehole data. Coal Geol. Explor. 10(33), 5 (2005)
5. Zheng, W.F., Zheng, Z.Y., et al.: In: Proceedings of the Conference on Computer Applications in Engineering Design. J. Zhejiang Univ. (2008)
6. Chen, L., Zhang, F., et al.: In: Proceedings of the National Symposium on Engineering Survey Informatization. J. China Univ. Geosci. (2007)
7. Lun, W., Yu, L., Jing, Z., Xiu-Jun, M., Zhong-Ya, W., Yuan, T.: Geographic Information System: Principle, Method and Application. Science Press, Beijing
8. Li, M.H.: Application of GMS software in 3D geological modeling. J. Changchun Inst. Technol., 2–5 (2010)
Research on Defense-in-Depth Zone of Low-Altitude Security Area in Nuclear Power Plant
Lin Ye, Jie Zhang, and Guang Meng
Department of Electrical and I&C, Hualong Pressurized Water Reactor Technology Corporation Ltd., Beijing 100036, China
Abstract. In recent years, international and domestic public facilities and nuclear facilities have repeatedly been intruded upon by UAVs. As sensitive and important public facilities, nuclear power plants need to consider how to guard against sabotage from UAVs. The guidelines and guidance for the physical protection of nuclear facilities suggest that the design requirements for physical protection of nuclear facilities should be based on defense in depth, but there is no clear indication of defense in depth for the air. Therefore, in order to guard against sabotage from UAVs, the establishment of air defense in depth is quantified according to the grade of the nuclear power plant and applied to the physical protection design of nuclear power plants at this stage. The article analyzes the land occupation of various types of nuclear power plants, considering the three factors of physical protection, detection, delay and response, and their correlation. At the same time, the paper selects the main technical parameters of some UAVs and detection equipment as the basis of the defense-in-depth zone. Through the above analysis, the time and distance of defense in depth are quantified and combined with the detection, delay and response functions of physical protection. The concept of a defense-in-depth zone of the air corresponding to the defense zone on the ground is generalized.
Keywords: Physical protection; Defense-in-depth; Defending area; UAV (Unmanned aerial vehicle); Detection; Delay; Response; Control area; Protect area; Vital area
1 Preface
Physical protection of nuclear facilities is an important part of nuclear security. It is the most intuitive and direct security defense for nuclear facilities. In recent years, with the widespread use of UAVs, there have been many UAV intrusions of NPPs (nuclear power plants) around the world. The incidents have caused public panic about the safety of nuclear facilities. In 2018, relevant domestic laws and legal guidelines were promulgated and implemented: no organization or individual shall endanger nuclear facilities and nuclear security, and higher nuclear safety requirements were put forward for the physical protection of nuclear facilities against terrorism using UAVs [3, 4]. This research is based on the design basis threat (DBT) of the physical protection system; it analyzes the possible threats of UAV intrusion to nuclear facilities and the site conditions of different kinds of nuclear power plants, analyzes the technical requirements of UAV intrusion and the response effect, and then gives an effective low-altitude protection solution for physical protection systems that meets the needs of nuclear power plants and nuclear facilities.
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 30–37, 2020. https://doi.org/10.1007/978-981-15-1876-8_4
2 Analysis of Low-Altitude Defense Zones in Nuclear Power Plants
The design basis of physical protection for nuclear power plants is the design basis threat. The three elements of system design are detection, delay, and response [1, 2]. Through the analysis of the nuclear power plant security area, the intruding UAV, the detection equipment, and the response, we can achieve low-altitude protection and defense-in-depth protection of nuclear power plants.
2.1 Analysis of Nuclear Power Plant Security Area
The objectives of nuclear power plant physical protection are all set within the control zone of the nuclear power plant, and the low-altitude security zone should cover at least the perimeter of the control zone. However, due to different site conditions, various types of NPPs, different project scales and other reasons, the protection area has certain differences. This section derives the maximum control zone of the nuclear power plant by analyzing the protection areas of typical nuclear power plants of various types. The Hualong No.1 demonstration project is a single-reactor unit, and its ground security area is partitioned as shown in Table 1.
Table 1. Hualong NPP site partition area characteristics
Ground area (m) | Control area | Protected area | Vital area
Hualong demonstration project Z | 700  700 | 400  500 | 300  400
Hualong demonstration project H | 900  800 | 500  700 | 320  460
The CPR1000 double-reactor unit is partitioned into the following zones in the security area of the NPP, as in Table 2.
Table 2. CPR1000 NPP site partition area characteristics
Ground area (m) | Control area | Protected area | Vital area
CPR1000 F1 | 1000  900 | 500  600 | 200  300
CPR1000 F2 | 800  600 | 700  500 | 200  300
Other single-reactor type units are partitioned into the following zones in the security area of the NPPs, as in Table 3.
Table 3. Other NPP site partition area characteristics
Ground area (m) | Control area | Protected area | Vital area
Other single-reactor type units | 1100  1200 | 1000  400 | 500  300
According to the analysis of the above-mentioned nuclear power plant sites, the ground control zone of the double-reactor or single-reactor NPPs that have been built, are under construction or are being expanded is not more than 2 km².
2.2 Analysis of the Intrusion UAV
This section selects multi-rotor UAVs that are relatively easy to obtain on the market as the analysis samples of the invading object, and takes the main flight parameters of the UAV as the objects of analysis, such as the maximum flying speed, maximum load, endurance time, etc. These flight parameters are related to the design basis threat or the effectiveness of physical protection (such as the weight of explosives carried, the response time, etc.). Table 4 shows the analysis samples: the UAVs with the highest technical indicators in each series of DJI brand UAVs at this stage.
Table 4. UAV technical indicators in each series
Number | Product name | Maximum flying speed | Maximum load | Endurance time | Control distance
1 | Phantom 4 Pro | Horizontal direction: 72 km/h; Vertical direction: 3 m/s | (not given) | 30 min | 7 km
2 | Inspire 2 | Horizontal direction: 92 km/h; Vertical direction: 4 m/s | Self-weight 3.44 kg; Flying weight 4.25 kg | 27 min | 7 km
3 | M600 Pro | Horizontal direction: 65 km/h; Vertical direction: 3 m/s | Self-weight 10 kg; Flying weight 15.5 kg | Load 6 kg: 16 min; Without load: 32 min | 5 km
4 | MG-1P | Horizontal direction: 54 km/h | Self-weight 9.8 kg; Flying weight 23.8 kg | With maximum load: 9 min; With standard load: 20 min | 3 km
According to the parameters in Table 4, the flight speed of the UAV is inversely proportional to its load capacity. The stronger the load capacity, the greater the possibility of carrying explosives that meet the design basis threat weight, and the greater the nuclear safety threat faced. At the same time, the stronger the load capacity of the UAV, the shorter its endurance time and the slower its speed, so the time to fly the same distance in the air is relatively increased, which provides a time guarantee for detection and response. The flight time analysis of the two types of UAV with high capacity and a relatively big threat to nuclear safety is shown in Table 5 below.
Table 5. UAV flight time to the vital zone (min)
Product name | Flight time from 2.5 km outside the vital zone | Flight time from 3 km outside the vital zone | Flight time from 4 km outside the vital zone
M600 Pro | 2.3 + 0.5 | 2.7 + 0.5 | 3.9 + 0.5
MG-1P | 2.8 + 0.2 | 3.3 + 0.2 | 4.4 + 0.2
According to the above table, the UAV takes less than 3 min from 2.5 km to the vital zone; the UAV needs more than 3 min from 3 km to the vital zone; and when the UAV is 4 km away from the vital zone, it takes more than 4 min to reach the vital zone.
2.3 Analysis of Detection Equipment
The solution designed for physical protection systems is usually a combination of technical precautions and personnel precautions, which complement each other to form reliable and effective physical protection. In the previous section, we mainly analyzed the main invading objects for physical protection systems. In this section, we mainly analyze the technical parameters and characteristics of the mainstream UAV detection equipment on the market, shown in Table 6 below:
Table 6. Detection device parameters
Detection technology | Characteristic analysis | Basic parameters
Radar detection | Long effective detection distance; all-day detection; high positioning accuracy; mature technology; low probability of detection under 20 m | Detection distance: 2–6 km, related to radar transmit power; Scanning speed: 90°/s; Target speed range: 1–80 m/s
Photoelectric detection | Medium effective detection distance; mature technology; poor ranging accuracy; affected by weather | Detection distance: 2.5 km; Coverage: azimuth direction 0–360°, pitch direction 0–90°
According to market research, a detection distance parameter of 3 km for the detection device has a relatively reasonable cost.
2.4 Analysis of Response Time
The three-element time model for physical protection of nuclear facilities is as follows (Fig. 1):
Fig. 1. Time factor diagram of three elements of ground intrusion and physical protection system in NPPs
The physical protection system of NPPs requires that the total time from the detection of the adversary to the response of the responding force must be less than the time required for the adversary to complete the mission. Time required for the adversary to complete the mission = the time from the start of the mission to the first alarm + the system delay time after detection + the adversary's operation time. Physical protection system response = the time to discover the adversary and confirm the real intrusion alarm + the system response time = 5 min. The three-element time model of low-altitude intrusion in NPPs is as follows (Fig. 2):
Fig. 2. Time factor diagram of three elements of low-altitude intrusion and physical protection system in NPPs
For intrusion behaviour via the air path, it is impossible to set up delay facilities, so there is no delay after the air intrusion is detected. The calculation method of the response of the physical protection system is unchanged. So to make the low-altitude intrusion prevention system of the physical protection effective, we need to reduce the response time so that the physical protection system deadline is less than the adversary's operating time. The following conditions are required to reduce the response time: detect the intrusion behaviour in advance, to cope with the situation without delay time and to provide more time for the responding force; and shorten the system response time, to reduce the physical protection system deadline. In order to achieve the above conditions, the solution is as follows:
1. The detection area is extended beyond the ground control zone to increase the flight distance and time: according to the comprehensive analysis results of the invading object and the detection device, the outermost detection area in the air can be selected at a distance of 3 km from the centre of the vital area to cover the entire ground plant area and the protection targets.
2. Local response of the responding force to low-altitude intrusion: after the air intrusion alarm is acknowledged, the response unit can directly take the corresponding counter-technical measures on receiving the alarm. It is not necessary to arrive at the nuclear power plant site. The response force's barracks are 3 km away from the nuclear power site, and it takes about 2 min to arrive at the response site by car. Physical protection system response for UAVs = the time to discover the adversary and confirm the real intrusion alarm + the system response time = 3 min.
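The timing argument of Sects. 2.2 and 2.4, as an added example that is not the authors' code: it recomputes the flight time to the vital zone from the Table 4 maximum horizontal speeds and checks the condition that, with no air delay facility, the flight time from the detection boundary must exceed the physical protection system's detect-confirm-respond deadline. Assumptions of the example: the UAV flies straight in at its maximum horizontal speed; the "+0.5"/"+0.2" term of Table 5 is treated as a fixed per-aircraft allowance; and the 5 min and 3 min deadlines are the figures stated in Sect. 2.4. The recomputed MG-1P row matches Table 5 to one decimal place, while the M600 Pro value at 4 km comes out slightly below the table's 3.9.

```python
"""Detection radius versus response time for low-altitude UAV intrusion
(added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Uav:
    name: str
    horizontal_speed_kmh: float  # maximum horizontal speed, Table 4
    allowance_min: float         # assumed fixed term: the "+0.5"/"+0.2" of Table 5


# The two high-capacity samples the article analyses in Table 5.
M600_PRO = Uav("M600 Pro", 65.0, 0.5)
MG_1P = Uav("MG-1P", 54.0, 0.2)

GROUND_RESPONSE_MIN = 5.0   # discover + confirm + respond, ground intrusion (Sect. 2.4)
LOCAL_RESPONSE_MIN = 3.0    # proposed local response to air intrusion (Sect. 2.4, item 2)


def flight_time_min(uav: Uav, distance_km: float) -> float:
    """Straight-line flight time to the vital area at maximum horizontal speed,
    plus the fixed per-aircraft allowance (assumed)."""
    return distance_km / uav.horizontal_speed_kmh * 60.0 + uav.allowance_min


def is_protected(uav: Uav, detection_radius_km: float, response_min: float) -> bool:
    """Physical protection condition with no air delay facility: the adversary's
    flight time from the detection boundary must exceed the system deadline."""
    return flight_time_min(uav, detection_radius_km) > response_min


def min_detection_radius_km(uav: Uav, response_min: float) -> float:
    """Inverse of flight_time_min: smallest supervisor-area radius at which the
    condition holds against this UAV for the given response time."""
    return max(0.0, (response_min - uav.allowance_min) * uav.horizontal_speed_kmh / 60.0)


def coverage_table(uavs: Sequence[Uav], radii_km: Sequence[float],
                   response_min: float) -> Dict[str, List[bool]]:
    """For each UAV, whether each candidate detection radius satisfies the condition."""
    return {u.name: [is_protected(u, rkm, response_min) for rkm in radii_km]
            for u in uavs}


if __name__ == "__main__":
    radii = [2.5, 3.0, 4.0]                         # the distances of Table 5
    for u in (M600_PRO, MG_1P):
        times = ", ".join(f"{rkm} km: {flight_time_min(u, rkm):.1f} min" for rkm in radii)
        print(f"{u.name}: {times}")
    print("5 min response:", coverage_table((M600_PRO, MG_1P), radii, GROUND_RESPONSE_MIN))
    print("3 min response:", coverage_table((M600_PRO, MG_1P), radii, LOCAL_RESPONSE_MIN))
    for u in (M600_PRO, MG_1P):
        print(f"{u.name}: minimum radius at 3 min = "
              f"{min_detection_radius_km(u, LOCAL_RESPONSE_MIN):.2f} km")
```

Run as written, the table shows why both measures of the solution are needed: with the 5 min ground deadline neither sample UAV is stopped even from 4 km, whereas with the 3 min local response a 3 km detection boundary satisfies the condition for both, and 2.5 km does not.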
3 Defense-in-Depth Zone of Low-Altitude Area in NPPs
Based on the impact analysis of the above-mentioned low-altitude threats and the results of the site analysis of the invading objects and protection targets, and referring to the requirements of IAEA INFCIRC/225/REV5 "Nuclear Security Recommendations for Physical Protection of Nuclear Materials and Nuclear Facilities", we recommend establishing protection measures for nuclear facilities and nuclear materials through risk management, hierarchical protection, and defense in depth. Through the analysis of various indicators such as the invading object and the NPP site, we meet the defense-in-depth protection principles (Fig. 3) of the low-altitude area in NPPs.
3.1 Proposal for Defense-in-Depth Zone of Low-Altitude Area in NPPs
The low-altitude UAV defense zone is also partitioned according to the 3-layer defense-in-depth principle, and the description of the partition of the defense-in-depth protection area in the air is as below:
Fig. 3. Schematic diagram of the defense-in-depth zone of low-altitude area in NPPs
(a) Supervisor area: according to the impact analysis of the design basis threat, the invading object and the site condition, and the investigation analysis of intrusion detection equipment (see Chap. 6), the radius of the supervisor area is set to 3 km.
(b) With the radius of the supervisor area set to 3 km, the boundary can cover the ground area of the NPP. Considering the different geographical environments and on-site features of NPPs, the supervisor area can be adapted.
(c) Control response area: we take the boundary of the ground control area of the NPP as the second layer of the defense in depth in the air. The second layer is named the control response area. A UAV entering this area has entered the NPP production area, and the responding force can act against the intrusion.
(d) Inner area: the boundary of the ground protected area of the NPP corresponds to the third layer of the defense in depth in the air. This area is named the inner area, and the main protected objects of the PPS are within this area.
3.2 Problems
This paper mainly takes a quantitative analysis of the three factors of the physical protection system for nuclear facilities and analyzes typical UAV samples as threats to nuclear power plants. Through the above analysis, we give the defense-in-depth zone partition in the air of NPPs, and some qualitative conclusions. Due to the limitations of the selection of UAV samples and the continuous development of UAV technology, the level of the monitoring zone in the low-altitude defense area can be adjusted appropriately according to the geographical location of the NPP and the improvement of the performance parameters of the UAV and the intrusion detection device. The other zones remain associated with the defense-in-depth zones on the ground.
4 Conclusion
By decomposing the three factors of physical protection design for nuclear facilities (detection, delay and response), this paper analyzes the invading UAV, the intrusion detection equipment, the response time and other factors, and forms the basic conclusion on the low-altitude defense zone partition of an NPP. The graded areas match the corresponding emergency response plans and can be applied to NPPs whose physical protection design basis threats include low-altitude UAV threats. Meanwhile, this work accumulates practical experience for the full-scale application of low-altitude UAV defense technology in NPPs, which should be adjusted as UAV technology and UAV detection technology develop.
Research on Axial Power Deviation Safety Early Warning Technology Based on Online Simulation
Hong-Yun Xie (corresponding author), Ke Tan, Wei-Jun Huang, Chao Zhang, and Zhen-Yu Shen
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, China
Abstract. At present there has been a large amount of research on nuclear power plant (NPP) process simulation, such as full-scope dynamic process simulation of NPPs. However, this simulation research mainly adopts simulation modeling and calculation based on offline operation and historical data, so it cannot keep up with the real field data. Hence, the application of online simulation technology in NPPs has become a new research direction. Based on the NPP real-time information monitoring system and the full-scope simulation verification platform, a high-accuracy mathematical model is established which realizes the parallel operation of the simulation system and the NPP systems. Since the axial power deviation is an important index reflecting the safe operating state of an NPP, online early warning measures based on online faster-than-real-time simulation are proposed for the axial power deviation. By monitoring the key field parameters, online calculation and analysis are realized, and the future states of NPP equipment and systems can also be predicted. These results can provide references for operators to balance NPP economic efficiency against safety requirements.
Keywords: Online simulation · Early warning technology · Axial power deviation
1 Introduction
The application of simulation technology plays an important role in improving the safe operation of nuclear power plants (NPPs). In order to understand the intrinsic characteristics of systems and equipment under normal and accident conditions, simulators are applied to the dynamic analysis of system and equipment state characteristics [1]. However, most current simulators can only analyze historical data, so they cannot provide predictive information to support and assist NPP operation [2]. Hence the technology of online simulation, which uses the current and historical databases to calibrate the model in real time, has developed rapidly. In fact, online simulation is essentially the parallel operation of a simulator alongside the real NPP systems, with a powerful data analysis capability and uninterrupted long-term operation. Combined with a faster-than-real-time simulation model, the simulator can predict field abnormalities, give early warning information and provide feasible reference solutions [3]. In this paper, online faster-than-real-time simulation of the axial power deviation is realized by tracking the real-time field data and analyzing the possible consequences. It can predict future states and alert the operators. These results can provide reference information for the safe and economic operation of an NPP in an online and intelligent manner.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 38–45, 2020. https://doi.org/10.1007/978-981-15-1876-8_5
2 Mechanism of Online Simulation Technology
The realization of online simulation technology consists of four steps: online data collection, operating condition initialization, online parameter correction and online commissioning [4]. The online real-time data are collected from the field by the KNS system, which is the real-time information monitoring system. The simulator then receives the data sent from the KNS system and the commands from the user interface so that it can establish the simulation model. To ensure that the initial conditions of the simulation model are consistent with the field operating conditions, an initialization must be performed. It is primarily realized by selecting the saved initial condition nearest to the current condition as the starting point of the initialization calculation. If the selected initial condition still deviates from the actual states, the initialization calculation program starts to calculate all model variables until all tested values meet the deviation requirements and all on-off states are identical to the field values. Then the real-time online parallel simulation model can be put into operation. In order to improve the simulation accuracy, keep the parallel operation with the actual units and track the actual field states in a timely manner, the method of online correction of characteristic parameters is adopted during online simulation. The purpose of parameter correction is to minimize the difference between the simulation output results and the actual measured data. In this way, the parameters that cannot be obtained from the KNS system can be corrected in real time. Online parameter correction covers two situations. The first is the correction of simulation results: a proper algorithm is applied to correct the simulation results so that they are consistent with the actual system data. The corrected simulation results then serve as the initial conditions for the online initialization of the simulation system, to keep the simulator and the real systems running in parallel. This method is relatively easy to implement, but since the original model is kept for the calculation, the problem of accumulated error arises. The other method is adaptive computation of the model: each individual parameter in the simulation system is adjusted independently according to the actual system operating conditions. Essentially, it is a combinatorial optimization of the objective function. Each objective function has two input types: the data obtained from the field and the corresponding data from the simulation model [5]. The commissioning process of the simulator is automatic. Key parameters that reflect the actual NPP characteristics are obtained by solving characteristic equations; when these parameters are consistent with the field data, the commissioning process terminates. According to the test and verification of the calculations of the online simulation system, the error under steady-state conditions is controlled within 1%, and under transient conditions within 2%. Hence, the high accuracy and fidelity of the online simulation is ensured.
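The two parameter-correction situations described above, as an added Python illustration that is not the paper's system: the plant is a constructed first-order lag (the kind of response a heat-up or level transient shows), the "field" samples standing in for the KNS feed are generated from it, and the two methods are compared. Method 1 keeps the model unchanged and periodically overwrites its state with the corrected result, so the error re-accumulates between corrections; method 2 adjusts the model's characteristic parameter to minimize the objective function (squared difference between simulated and field data). The lag model, the sample interval, the step input and the search interval are all assumptions.

```python
"""Online parameter correction of a parallel simulation model (illustration)."""
import math
from typing import List, Tuple

DT = 1.0     # s between samples (assumed)
U = 100.0    # step input applied to the plant (assumed, e.g. a setpoint change)


def first_order_step(y: float, tau: float, u: float = U, dt: float = DT) -> float:
    """One sample of the lag dy/dt = (u - y)/tau, discretised exactly for constant u."""
    a = math.exp(-dt / tau)
    return a * y + (1.0 - a) * u


def field_data(n: int, tau_true: float) -> List[float]:
    """Constructed 'field' measurements (stand-in for the KNS feed): plant response to U."""
    ys, y = [], 0.0
    for _ in range(n):
        y = first_order_step(y, tau_true)
        ys.append(y)
    return ys


def result_correction(meas: List[float], tau_model: float, every: int = 20) -> float:
    """Method 1: keep the (wrong) model and, every `every` samples, overwrite its
    state with the corrected result so that it restarts from the field value.
    Returns the worst |simulation - field| seen: the error re-accumulates
    between corrections because the model itself is never improved."""
    y, worst = 0.0, 0.0
    for k, m in enumerate(meas):
        y = first_order_step(y, tau_model)
        worst = max(worst, abs(y - m))
        if (k + 1) % every == 0:
            y = m          # corrected result becomes the new initial condition
    return worst


def objective(meas: List[float], tau: float) -> float:
    """Objective function: squared difference between simulated and field data."""
    y, s = 0.0, 0.0
    for m in meas:
        y = first_order_step(y, tau)
        s += (y - m) ** 2
    return s


def adaptive_correction(meas: List[float], lo: float = 1.0, hi: float = 200.0,
                        iters: int = 60) -> Tuple[float, float]:
    """Method 2: adjust the model parameter itself to minimise the objective
    (golden-section search; the objective of a one-parameter lag is unimodal in tau).
    Returns (fitted tau, worst |simulation - field| with the fitted model)."""
    g = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    c, d = b - g * (b - a), a + g * (b - a)
    for _ in range(iters):
        if objective(meas, c) < objective(meas, d):
            b, d = d, c                 # minimum lies in [a, d]
            c = b - g * (b - a)
        else:
            a, c = c, d                 # minimum lies in [c, b]
            d = a + g * (b - a)
    tau = (a + b) / 2.0
    y, worst = 0.0, 0.0
    for m in meas:
        y = first_order_step(y, tau)
        worst = max(worst, abs(y - m))
    return tau, worst


if __name__ == "__main__":
    meas = field_data(200, tau_true=30.0)          # constructed field stream
    print("method 1 worst error:", result_correction(meas, tau_model=45.0))
    print("method 2 (tau, worst error):", adaptive_correction(meas))
```

With a model time constant of 45 s against a true 30 s, method 1 leaves an error of more than ten units at the end of every correction interval, while method 2 recovers the true constant and the residual error vanishes; in practice the objective would be evaluated over a sliding window of recent field data so the fit keeps tracking a drifting plant.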
3 Axial Power Deviation Safety Early Warning Technology
3.1 Safety Early Warning Mechanism and Axial Power Deviation
Currently, the main NPP safety warning methods are based on the fault diagnosis system. Concretely, the status parameters of important equipment are monitored and corresponding thresholds are set. When a monitored status parameter exceeds the alarm or protection threshold, the monitoring system raises an alarm and triggers the corresponding protection measures [6–8]. This alarm mode plays an important role in nuclear power safety monitoring, but it lacks the ability to warn early of potential faults, and its criterion is a single threshold. The NPP safety early warning technology based on online simulation, with the simulation system running in parallel with the NPP system, can predict the future trend of the equipment by using faster-than-real-time operation. Therefore, it can provide corresponding measures to avoid accidents before a fault occurs [9–11]. The axial power deviation of the core (DI), which is the main research object during reactor operation, represents the homogeneity of the axial power distribution. The effects influencing DI include those causing reactivity changes: the moderator temperature effect, the burnable poison effect, the Doppler effect, the power effect, the control rod effect, xenon poisoning and burn-up. In a pressurized water reactor, DI control is difficult, especially at the end of the reactor's lifetime. The relation between DI and power is shown in Fig. 1. This trapezoidal chart is the regional division of the positions of normal-power operational state points. The trapezoid is divided by limit lines into Zone I, Zone II and the timing zone, which correspond to different alarm zones and protection measures.
Fig. 1. First application of trapezoidal chart
The regulation of DI is based on the regulation of the control rods and the boron concentration. The fundamental principles are as follows: (1) it is forbidden to regulate the boron concentration during power regulation; (2) after the power regulation, if the absolute value of the axial deviation minus its reference value is larger than 0.05, boron concentration regulation shall be performed accordingly; (3) during boron concentration regulation the control rods can be moved, except that control rod withdrawal is forbidden during boron dilution. When the absolute value of the axial deviation minus its reference value becomes less than 0.02, the boron concentration regulation is complete. As a result, according to the analysis of the factors influencing DI and the corresponding strategy for controlling DI, we propose online early warning measures for DI control over the whole reactor lifetime. They can help the NPP operators to better control DI, ensuring that the NPP power transient operation meets both the economic efficiency and the safety requirements.
3.2 Early Warning for Axial Power Deviation DI Control
The online early warning function for axial power deviation DI means that when DI reaches an early warning line, the warning system starts up to help the NPP operators control DI according to the calculation of the early warning system and the regulation of the R rod and the boron concentration. The flow chart of the online early warning function for DI control is shown in Fig. 2 and is described in detail as follows [11]. First, we choose a proper initial condition and take DI and the R rod position as warning indicators. For the online early warning system to be put into operation, the thresholds, i.e. the warning lines, have to be set. There are two types of online early warning lines: the left and right online early warning lines and the R rod online early warning line. The left online early warning line is formed by moving the left limit line N%FP to the right (+N%FP) within DI Operational Zone I, where N shall be determined from engineering experience or repeated tests. The right online early warning line is formed by moving the axial power deviation reference line DIref1 3%FP to the left (+3%FP) within DI Operational Zone I. When the operational state point touches an online early warning line, an early warning signal is sent out and the online early warning system for DI control is started. The R rod online early warning line refers to the early warning line reached when the R rod reaches its limit, mainly the lower limit value and the top of the regulation zone. When the R rod position is at this limit, an early warning signal is sent out and the online early warning system for DI control is started. After startup, the online early warning system runs the faster-than-real-time module at twice real-time speed to predict the trend of DI; in this case the R rod and the boron concentration are not regulated. During the prediction of DI, it is necessary to obtain the maximum and minimum values of DI and the time for which DI stays beyond the predetermined scope.
Fig. 2. Flow chart of online early warning function for axial power deviation DI control (steps: Start; Select initial condition; Warning object parameters; Set early warning threshold; Invoke the faster-than-real-time module; Twice faster than real time calculation; Operation result analysis; Exceed early warning threshold? (Yes/No); Operator intervene? (Yes/No, where No leads to "Operation during 1 h causing reactor trip"); Results verification evaluation; Reach the safety warning state? (Yes/No); Exit the faster-than-real-time module; Safety early warning ends; End)
According to the operation result, the system judges whether the value of DI exceeds the threshold. If it does, we first simulate the case without intervention. Here two situations should be distinguished: (1) the operational state point reaches the left online early warning line within the DI operational zone but does not reach the left limit line, and it can still return to Zone I through the left online early warning line; (2) the operational state point reaches the right online early warning line of the DI operational zone, or even enters Zone II or the timing zone, and it can still return to Zone I through the right online early warning line within an hour. If either of these two situations holds, the operators do not have to intervene and the online early warning system for DI control can be stopped, while the monitoring of DI and the R rod position continues. Otherwise, the online early warning system further calculates the margin of maximum axial power deviation obtainable by R rod and boron concentration regulation to guide the operator. This calculation mainly refers to the maximum axial power deviation DI obtained when one of the R rod position or the boron concentration remains unchanged while the other reaches its limit value. Its purpose is to judge whether R rod or boron concentration regulation can return the operational state point to the safe zone. For this it is necessary to calculate the DI change introduced by the differential worth of the R rod and by the boron concentration change.
The early warning system for DI calculates the maximum axial power deviation DImax; DImax is then used to calculate the farthest zone that the operational state point can reach, and to determine whether the operational state point can return to the predetermined normal operational zone by R rod and boron concentration regulation. If it can, the regulation amounts of the R rod and the boron concentration are calculated. In this case, the early warning system ensures that after each variable regulation the DI trend and DImax are recalculated via faster-than-real-time simulation, thus guiding the operators more accurately. It should be noted that, after each R rod position regulation or boron concentration change, the trend of DI is predicted again and the remaining maximum axial power deviation margin is recalculated as well. The DI trend prediction provides the decision for the next step, and the remaining DImax gives the final position that the operational state point can reach. If the state point does not come back to the normal zone, power regulation must be performed; during this process the regulation amounts of the R rod and the boron concentration are calculated by the early warning system with steps similar to those above. However, it should be checked whether there is any mutual effect among the R rod position, the boric acid concentration and the power level. If the operational state point can return to the normal operational zone after the power regulation, the online early warning system can be shut down; if it still cannot, the calculation is performed again.
3.3 System Verification
The online early warning system for axial power deviation control uses two parallel sets of online simulation models for its calculation: one for the real-time calculation and the other for the faster-than-real-time calculation. The real-time model is used for field tracking, while the faster-than-real-time model is used for prediction. The main implementation process is as follows:
(1) All input conditions and boundary conditions of the two online simulation models are identical. The faster-than-real-time simulation model predicts the trend of DI from the present moment. This trend is used to judge whether the operational state will reach the left or right warning line or enter Zone II or the timing zone, and thus guides the calculation of the real-time model.
(2) If such a situation occurs, the margin for R rod or boron concentration regulation under the current state is calculated. The margin calculation is used to judge whether the operational state point can return to the predetermined normal operational range by R rod and boron concentration regulation. After each operation, the state of the real-time model is transferred again to the faster-than-real-time simulation model, which recalculates the prediction from the current state.
(3) After each R rod or boron concentration regulation, the two sets of simulation models perform the parallel real-time and faster-than-real-time recalculation of DI under the changed conditions, to guide the NPP operators in the further operations.
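The decision logic of Sects. 3.2 and 3.3 (warning lines derived from the chart limits, the two situations in which no intervention is needed, the one-hour return criterion, and the regulation margin obtained by driving one variable to its limit), as an added Python illustration that is not the paper's software. The faster-than-real-time module is represented by a constructed list of predicted DI values, one per minute; the chart limit lines, N%FP, DIref1, the width of Zone II, the rod and boron differential worths and their limits are all assumed values, and the sign of the 3%FP shift of DIref1 follows the words "to the left" in the text.

```python
"""Decision logic of the online DI early-warning flow (illustration)."""
from dataclasses import dataclass
from typing import Dict, Sequence

# --- Constructed trapezoidal chart (assumption: linear limit lines, units %DI) ---
DI_REF1 = 5.0          # assumed DIref1; here also Zone I's right edge at 100%FP
N_SHIFT = 2.0          # assumed N%FP (paper: from engineering experience or tests)
RIGHT_SHIFT = 3.0      # paper: right warning line = DIref1 moved 3%FP to the left
ZONE_II_WIDTH = 4.0    # assumed width of Zone II beyond each Zone I limit line


def left_limit(p: float) -> float:     # Zone I left limit line at power p (%FP)
    return -15.0 - 0.1 * (100.0 - p)


def right_limit(p: float) -> float:    # Zone I right limit line at power p (%FP)
    return DI_REF1 + 0.1 * (100.0 - p)


def left_warning(p: float) -> float:   # left limit line moved N%FP to the right
    return left_limit(p) + N_SHIFT


def right_warning(p: float) -> float:  # DIref1 moved 3%FP to the left (sign assumed)
    return DI_REF1 - RIGHT_SHIFT


def zone(di: float, p: float) -> str:
    """Zone of a state point (DI, power): 'I', 'II' or 'timing'."""
    if left_limit(p) <= di <= right_limit(p):
        return "I"
    if left_limit(p) - ZONE_II_WIDTH <= di <= right_limit(p) + ZONE_II_WIDTH:
        return "II"
    return "timing"


@dataclass
class Prediction:
    di_max: float
    di_min: float
    minutes_outside_zone_i: int    # time beyond the predetermined scope
    hit_left_warning: bool
    hit_left_limit: bool
    hit_right_warning: bool
    back_in_zone_i_at_1h: bool


def analyze(trajectory: Sequence[float], p: float) -> Prediction:
    """Evaluate one faster-than-real-time run: one predicted DI sample per minute,
    examined over the one-hour horizon of the flow chart."""
    horizon = list(trajectory[:61])
    end = horizon[-1]
    return Prediction(
        di_max=max(horizon),
        di_min=min(horizon),
        minutes_outside_zone_i=sum(1 for di in horizon if zone(di, p) != "I"),
        hit_left_warning=any(di <= left_warning(p) for di in horizon),
        hit_left_limit=any(di < left_limit(p) for di in horizon),
        hit_right_warning=any(di >= right_warning(p) for di in horizon),
        # "returns to Zone I through the warning line": inside both warning lines at 1 h
        back_in_zone_i_at_1h=left_warning(p) < end < right_warning(p),
    )


def intervention_needed(pred: Prediction) -> bool:
    """The paper's two situations in which the operator need not intervene."""
    if not (pred.hit_left_warning or pred.hit_right_warning):
        return False        # no warning line touched: the warning system is not started
    left_ok = pred.hit_left_warning and not pred.hit_left_limit and pred.back_in_zone_i_at_1h
    right_ok = pred.hit_right_warning and pred.back_in_zone_i_at_1h
    return not (left_ok or right_ok)


# --- Constructed linear differential worths and regulation limits (assumed) ---
DI_PER_ROD_STEP = 0.05       # %DI per step of R-rod withdrawal
DI_PER_PPM = -0.01           # %DI per ppm of boron added
ROD_RANGE = (0, 225)         # lower limit / top of regulation zone, steps
BORON_RANGE = (0.0, 1500.0)  # ppm


def regulation_margins(di: float, rod: float, boron: float, p: float) -> Dict[str, object]:
    """DI reachable with one variable held and the other driven to either limit,
    and whether that span overlaps Zone I (i.e. regulation alone can recover)."""
    rod_span = sorted((di + DI_PER_ROD_STEP * (ROD_RANGE[0] - rod),
                       di + DI_PER_ROD_STEP * (ROD_RANGE[1] - rod)))
    boron_span = sorted((di + DI_PER_PPM * (BORON_RANGE[0] - boron),
                         di + DI_PER_PPM * (BORON_RANGE[1] - boron)))

    def recovers(span):
        return span[0] <= right_limit(p) and span[1] >= left_limit(p)

    return {"rod_span": tuple(rod_span), "boron_span": tuple(boron_span),
            "rod_can_recover": recovers(rod_span), "boron_can_recover": recovers(boron_span)}


def rod_steps_to_reach(di: float, target_di: float) -> float:
    """Regulation amount: R-rod steps needed to move DI to target_di (linear model)."""
    return (target_di - di) / DI_PER_ROD_STEP


# Constructed predictions, one value per minute for 61 minutes
TRAJ_RIGHT_EXCURSION = [0.35 * t for t in range(21)] + [7.0 - 0.2 * (t - 20) for t in range(21, 61)]
TRAJ_LEFT_BREACH = [-10.0 - 0.25 * t for t in range(61)]
```

At 100%FP the constructed chart gives Zone I = [−15, 5] with warning lines at −13 and 2. The first trajectory crosses the right warning line, spends a quarter of an hour in Zone II and is back inside the warning lines at the hour, so situation (2) applies and no intervention is flagged; the second crosses the left limit line and keeps drifting, so the margins are evaluated at its minimum, and with the assumed worths neither the rod nor boron alone can bring it back, which is the branch where the paper requires power regulation.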
4 Conclusions
In this paper, the mechanism of online simulation is presented. With this technology, the behaviour of real-world equipment can be reproduced on the simulator through the following steps: collecting the online data, selecting the simulation initial conditions, correcting the simulation data, performing the automatic commissioning, realizing the online early warning and analyzing system events. On this basis, the operation trapezoidal chart for the axial power distribution is derived according to the relevant axial power distribution limitation criterion. The causes of the difficulty of controlling the axial power deviation DI at the end of life are also analyzed, and a control principle based on actual unit operating experience is given. Furthermore, the online early warning system for DI is put forward, together with its flow chart, in view of the previous difficulties in actual operation. The functions of the online early warning system for DI control are realized and verified. This early warning system can guide the NPP operators to control DI and avoid the power decreases and xenon oscillations that could otherwise take place, thus ensuring that the power transient operation of the NPP is both economic and safe. In the future, the deduction method of online simulation can be combined with NPP operation and safety to guarantee the operational efficiency and safety of the NPP in online early warning, system event analysis and the monitoring of online equipment. Furthermore, intelligent use of the real-time and historical data generated by the NPP can provide the states of the entire plant for advance judgment, optimization and improvement. It can also serve as operational guidance to optimize the engineering design, ensure safe unit operation and improve the economic efficiency of unit operation.
References
1. Salfner, F., Lenk, M., Malek, M.: A survey of online failure prediction methods. ACM Comput. Surv. 42, 1–68 (2010)
2. Baldoni, R., Montanari, L., Rizzuto, M.: Online failure prediction in safety-critical systems. Futur. Gener. Comput. Syst. 45, 123–132 (2014)
3. Hwang, S.L., Lin, J.T., Liang, G.F., Yau, Y.J.: Application control chart concepts of designing a pre-alarm system in the nuclear power plant control room. Nucl. Eng. Des. 238, 3522–3527 (2008)
4. Øien, K., Utne, I.B., Herrera, I.A.: Building safety indicators: Part 1 - Theoretical foundation. Saf. Sci. 49, 148–161 (2011)
5. Ma, J.P., Jiang, J.: Applications of fault detection and diagnosis methods in nuclear power plants: A review. Prog. Nucl. Energy 53, 255–266 (2011)
6. Øien, K., Massaiu, S., Tinmannsvik, R.K.: Development of early warning indicators based on resilience engineering. In: International Probabilistic Safety Assessment and Management Conference, Seattle, USA (2010)
7. Hürster, W., Wilbois, T., Chaves, F.: An integrated systems approach for early warning and risk management systems. Int. J. Inf. Technol. Syst. Approach 3, 46–56 (2010)
8. Wang, H., Peng, M.J., Wu, P., Cheng, S.Y.: Improved methods of online monitoring and prediction in condensate and feed water system of nuclear power plant. Ann. Nucl. Energy 90, 44–53 (2016)
9. Mazzola, A., Fantoni, P.F.: Multiple-failure signal validation in nuclear power plants using artificial neural networks. Nucl. Technol. 113(3), 368–374 (1996)
10. Liu, Y.K., Xie, F., Xie, C.L., Peng, M.J., Wu, G.H., Xia, H.: Prediction of time series of NPP operating parameters using dynamic model based on BP neural network. Ann. Nucl. Energy 85, 566–575 (2015)
11. Xie, H.Y., Li, J.X., Yan, Z.Y., Tan, K.: Research of critical reactivity control online early warning technology in nuclear power plant. Lect. Notes Electr. Eng. 455, 102–108 (2017)
Integrated Digital Control Platform for Flywheel Systems with Active Magnetic Bearings
Kai Zhang, Yang Xu (corresponding author), and Xing-Jian Dai
Department of Engineering Physics, Tsinghua University, Beijing, China
Abstract. Active magnetic bearings (AMBs) have the advantages of no contact, low power loss, lubrication-free operation, controllable dynamics, active unbalance compensation and so on, which make them attractive as a key technology for high-speed flywheel applications. A digital control platform for flywheel AMBs based on a single-core digital signal processor (DSP) cannot satisfy a high-speed flywheel system of high dynamic complexity because of its low integration, complex structure and inadequate interaction performance. An integrated digital platform for AMBs was therefore designed based on a dual-core DSP. A digital control board, a power amplifier control board and a displacement sensor board were integrated into a single new board for the platform. The platform can run real-time control code at a higher speed and, at the same time, transfer data quickly between the DSP and external digital systems through a network interface, so that a dedicated data acquisition system for AMB condition monitoring is no longer needed. The new platform has the ability to adjust the parameters of an AMB controller on-line without influencing its real-time operation. The new control system will be applied to the high-speed flywheel system with AMBs that is under development.
Keywords: Flywheel · Magnetic bearing · Digital control system
1 Introduction
A flywheel energy storage system (FESS) stores energy as the rotational energy of its flywheel rotor by accelerating the rotor to a high speed with a motor. When energy is needed, the stored energy is extracted from the system by a generator, and the flywheel's rotational speed decreases as a consequence of the conservation of energy. FESS plays an important role in energy storage applications because of its high energy efficiency, fast response, high instantaneous power, low maintenance, long lifetime and environmental friendliness. FESS is also attractive for a nuclear electrical power plant as a novel uninterruptible power supply that increases its operational safety. In a FESS, high-speed bearings are integral parts of the system; they are considered a key technology for assuring the stable, long-term operation of a high-speed flywheel rotor with low power loss [1].
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 46–57, 2020. https://doi.org/10.1007/978-981-15-1876-8_6
Active magnetic bearings (AMBs) use controlled magnetic forces between the bearing magnets and a ferromagnetic rotor to achieve stable rotor suspension. AMBs have the advantages of no contact, low power loss, lubrication-free operation, controllable dynamics, active unbalance compensation, maintenance-free operation, integrated health monitoring and so on. They are especially suitable for high-speed flywheel applications [2–4]. AMBs are typical mechatronic systems. An AMB system is composed of magnet stators, rotors, power amplifiers, displacement sensors and a controller. Its structure is shown in Fig. 1.
Fig. 1. Structure of an AMB system (block labels: Ref position, Controller, Amplifier, Disturbance, Sensor).
In Fig. 1, the amplifier, the sensor and the controller form the electronic control unit of the AMB system. The magnets and the rotor can be seen as the mechanical part of the system; the magnets and the amplifier can also be regarded as the actuator of the closed-loop system. As the core of the closed loop, the controller consists of a hardware system and the control code running on it. Once the dynamics of the mechanical part and the other hardware parts are fixed, the performance of the controller determines the performance of the whole system, and the performance of the controller hardware bounds the complexity of the control algorithms that can run on it. In the early stage of AMB controller development, the control platform was built from analog circuits and the control algorithm was implemented by analog computation. With the rapid development of microelectronics, digital controllers based on digital circuits have become the mainstream of AMB controllers because of their convenient implementation and flexible application [5, 6]. An electronic control circuit for AMBs includes a displacement sensor module, a power amplifier module and an AMB control module. Generally, each module is built on its own circuit board; the boards are connected by signal cables and operate together as one electronic control system. The core of the AMB control module is generally a single-core digital signal processor (DSP). The structure of such a system is clear, its units can be manufactured and tested separately, and when a fault happens a unit can be replaced conveniently. But the integration level of such a system is low and its structure is complex, which is unsuitable where low cost and small volume are required. Furthermore, the signal transmission through the cables between the different circuit boards is susceptible to electromagnetic noise.
Considering the shortcomings of the digital control platform based on a single-core DSP, a novel integrated digital control platform was developed. In the new system, the AMB digital control circuit unit, the power amplifier control circuit unit and the displacement sensor circuit unit were combined on a single circuit board, which raised the integration level of the control platform significantly. The DSP unit was built on a dual-core chip, so the controller can run complex code in real time and at the same time complete high-speed data transfers with external digital systems over a network. The interaction ability between the control system and external systems was thus greatly strengthened. With an embedded front-end system added, the controller can carry out large-volume data communication with a PC while the real-time AMB control code is running, so on-line adjustment of control parameters from a remote PC was achieved for the AMB system. The new control platform can be applied to the high-speed flywheel system under development.
2 Nonintegrated Digital Control System
A nonintegrated digital control system was generally built around a single-core DSP. Such a classical nonintegrated control system was composed of separate sensor circuit, amplifier control circuit and AMB control circuit units. Its structure is shown in Fig. 2.
Fig. 2. Nonintegrated digital control system based on a single-core DSP (block labels: Sensor Probes, Sensor Circuit, Disp Signal, ADC, Single-core DSP, DAC, Single-core DSP Control Circuit Board, Control Signal, Amplifier Control Circuit, H Bridge Circuit, AMB Current Signal, DAQ Board, PC, JTAG/RS232).
The sensor probes received sine excitation waves from the sensor circuit and converted them into modulated sinusoidal waves carrying the rotor displacement information. The modulated signal was sent back to the sensor circuit, which demodulated it and obtained the displacement signal voltages. The voltages were sent to the single-core DSP control board and to the monitoring system, which was composed of DAQ boards and a monitor PC. The single-core DSP control board sampled the displacement voltages through analog-to-digital converters (ADCs). The real-time control code running in the DSP, i.e. the digital controller, calculated the output control signal from the displacement signal. The output control signal was converted to an analog control voltage by digital-to-analog converters (DACs) and sent to the amplifier control circuit, which adjusted the coil currents of the AMBs according to the current command. When the control code of the DSP needed to be adjusted, new controller code was downloaded to the DSP by an emulator through a JTAG interface. The DSP could also respond to commands from its host PC and upload data to the PC, but the data transmission suspended the running of the real-time control code. While the AMBs were running, such a code suspension would cause a rotor drop and was therefore prohibited. Although it was possible to transfer data on-line between the PC and the DSP over a simple interface such as RS232, the amount of data transferred and the operation frequency were strictly limited. When the amplifier control board received the command signal from the DSP board, it generated PWM signals to drive the H bridges of the driving circuit board. On the driving board there were current sensors for detecting the currents in the AMB coils. The detected current signals were sent back to the amplifier control board, and the PWM signals were adjusted in real time according to the error between the command signals and the measured current signals, so that the coil currents tracked the command currents. To monitor the running status of the AMB system on the host PC, dedicated DAQ boards were needed to sample the displacement and coil current signals and transfer them to the PC.
2.1 Insufficiency of the Single-Core DSP Control Platform
The processing speed of a single-core DSP control platform was sufficient for running the real-time control code of an AMB system as long as the dynamic behaviour of the rotor system was not too complex. When the complexity of the dynamic behaviour increased rapidly, the amount of code for the real-time digital controller increased rapidly too. In particular, for a high-speed flywheel rotor in a high-power application, stability problems due to rotor gyroscopic effects and critical vibrations from flexible rotor modes appear at the same time [3]. The controller for such a rotor system is very complex, and the calculation capacity of the DSP has to be increased. Furthermore, the single-core DSP controller interacted poorly with external digital systems while the real-time AMB control code was running: on-line parameter adjustment was difficult, and more complex data interaction such as network data transmission was hard to achieve. Whenever a controller needed to be adjusted, the AMB rotor had to be stopped, and new code had to be compiled and downloaded again.
2.2 Similar Tasks Between the Digital Control Board and the Amplifier Control Board
In the nonintegrated digital control system, the driving control of the H bridge was implemented by a dedicated amplifier control board whose core was an FPGA chip. The FPGA drove ADCs that sampled the command voltages coming from the DSP board and the coil current signals from the H bridge circuit. The control code for the current amplifiers ran on the FPGA and determined the PWM driving
K. Zhang et al.
signals sent to the H bridge according to the error between the command signals and the measured currents. The switching of the MOSFETs was controlled by the PWM signals; the high-speed switching changed the equivalent voltage on the coils and adjusted the coil currents quickly. The relationship between the digital control board and the amplifier control board is shown in Fig. 3.
[Fig. 3: block diagram. The single-core DSP control board (DSP, ADC, DAC) receives the displacement signal through a conditioning circuit and sends the command voltage through a DAC to the amplifier control board (ADC, FPGA), which generates the PWM signal for the H bridge circuit and reads back the current signal.]
Fig. 3. Relationship between the digital control board and the amplifier control board.
From the viewpoint of signal transmission, the DSP board communicated with the amplifier control board over analog interfaces. To send its internal digital signals to the amplifier control circuit, the DSP board converted them to analog voltages with DACs; when the analog signals reached the amplifier control board, they had to be converted back to digital signals by ADCs before the FPGA could use them. High-speed ADCs and DACs were expensive, so this arrangement clearly wasted resources. Furthermore, the DSP had to spend time driving the DACs and ADCs, which degraded the real-time control performance. The two boards could be merged into one. The FPGA could then replace the DSP in driving the ADCs and sampling the displacement signals, the DSP could communicate with the FPGA over high-speed digital interfaces, and the DACs and ADCs originally used for this link could be removed. With this combination the signal conditioning circuit could also be removed, and the power supply modules of the two boards could be combined into one. The number of components on the board was reduced, the total board area decreased markedly, and the electromagnetic interference (EMI) during signal transmission between the DSP board and the amplifier control board was avoided. Furthermore, with the altered circuit structure the DSP could obtain the coil current signals from the FPGA in real time directly over digital interfaces, which opened the way to further performance improvements for AMB systems.
Integrated Digital Control Platform for Flywheel Systems
2.3 Higher Integration Degree
With the DSP board and the amplifier control board combined, the integration degree of the control platform increased substantially. An even higher integration degree could be achieved if the sensor circuit was merged into the control board as well: its power supply module could be combined with the others, and the corresponding conditioning circuit on the signal path could be removed. With this further integration, the platform board area could be decreased again.
3 Integrated Digital Control System
In view of the above disadvantages of the single-core DSP control platform, a novel integrated digital control system for AMBs was developed. The single-core DSP was replaced by a dual-core DSP, the L138, which became the real-time control core of the new platform and strengthened its real-time data processing capability. Furthermore, high-speed data transmission over a network could be achieved without affecting the real-time control task, so the data exchange capability of the platform was greatly improved. In the new platform the AMB digital control board, the power amplifier control board and the sensor board were merged into one circuit board, which raised the integration degree considerably. Working with an embedded front-end system based on the ARM architecture, the platform could exchange data at high speed with a master PC, and a dedicated data acquisition system was no longer needed. Applying this transmission capability to the control parameters made on-line control parameter adjustment possible. The structure of the integrated digital control platform is shown in Fig. 4.
[Fig. 4: block diagram. The host PC communicates over the network with the ARM front-end system, which connects through a network interface to the dual-core DSP/ARM chip on the integrated digital control board. On that board the sensor circuit receives the sensor probes and feeds the displacement signals to the ADC and FPGA; the FPGA generates the PWM signals for the H bridge circuit and reads back the current signals.]
Fig. 4. Structure of the integrated digital control platform.
3.1 Dual-Core DSP
The dual-core chip OMAP-L138 was chosen to replace the single-core DSP chip as the new control core. The two cores of the OMAP-L138 are a C6748 floating-point DSP core and an ARM9 core, both clocked at 456 MHz, so a higher real-time data processing speed could be achieved and more complex real-time control code could be executed within its deadline. The ARM core could act as the system controller: with the necessary memory and interface chips, an embedded operating system (EOS) could run on it and provide flexible and stable task scheduling and memory management. Furthermore, with its rich software and hardware resources, convenient data exchange with external digital systems could be achieved. The L138 provided high-speed internal shared memory for the two cores, so they could transfer data to each other at high speed while carrying out their own tasks. In the single-core platform, some hardware-related code, such as the code driving the ADCs, had to run on the DSP. In the new platform an FPGA was added to the control board to take over such tasks, leaving the DSP more time to run the real-time control algorithm. The FPGA could also implement oversampling and additional digital filters for the displacement signals, and it could reshape the rotation speed pulse from the rotation sensor, which was key to active unbalance compensation of the AMBs. This signal processing in the FPGA improved the quality of the input signals, increased the control accuracy of the AMBs and enhanced system stability. The tasks of the DSP core were simplified, and the core concentrated on running the real-time algorithm code, which allowed a more intelligent and complex controller. The control performance for high-speed flywheel rotors on AMBs, whose rotor dynamics are more complex, could then be guaranteed. In the application, the ARM core communicated with a remote host PC; an embedded Linux system ran on it, so complex I/O protocols were conveniently implemented. Controller parameters, displacement signals and current signals could be transmitted smoothly between the ARM core and the host PC over the network, RS232 and other interfaces.
3.2 Integration of the Digital Control Board, the Power Amplifier Control Board and the Displacement Sensor Board
After the digital control board, the power amplifier control board and the displacement sensor board were integrated, the system structure changed as shown in Fig. 5. The functions of the three boards were fused onto one board, with the dual-core chip as its core. The chip worked with the FPGA to obtain the rotor displacement signals and the coil current signals in real time, and the signals obtained could be sent to external digital systems over the network without disturbing the real-time control tasks. An embedded front-end based on the ARM architecture could be installed in the AMB control system; it received data from the dual-core chip, displayed it on its interactive screen and forwarded it to a remote PC. The remote PC could thus monitor AMB systems on line without a dedicated acquisition system.
[Fig. 5: comparison diagram. Left, the nonintegrated system: a single-core DSP control board (DSP, ADC, DAC), a separate sensor board connected through a conditioning circuit, and an amplifier control board (ADC, FPGA, PWM signals, current signals, H bridge circuit). Right, the integrated digital control board: dual-core DSP/ARM, sensor circuit, ADC, FPGA, PWM signals, current signals and H bridge circuit on one board.]
Fig. 5. Integration of the three boards.
3.3 Control Parameter Adjustment on Line
Thanks to the dual-core chip, data could be received and sent on line between a host PC and the new control platform with ample capacity. The AMB control parameters, the displacement signals and the current signals could be transmitted smoothly without disturbing the real-time control of the AMBs, so on-line control parameter adjustment was implemented: while an AMB system was operating normally, its controller could be changed on line.
4 Function Implementation
With the integrated design, the new control platform merged the DSP control board, the amplifier control board and the displacement sensor board into one. The platform was successfully used to suspend an AMB spindle. With a markedly smaller volume and lower cost, the suspension performance was preserved and a higher suspension precision was achieved. The dedicated data acquisition system was eliminated: the displacement and current signals were successfully transferred from the DSP core to a host PC over the network. On-line control parameter updating was implemented, and the AMB controller adjustment test was performed on line without affecting the running of the real-time AMB control code.
4.1 Board Integration
The new integrated digital control board is shown in the upper right corner of Fig. 6. The new platform provided the functions of the single-core DSP board, the amplifier control board and the displacement sensor board, but its area was only about 1/3 of the total area of the original three boards.
[Fig. 6: photograph. The integration solution board (upper right) beside the three original boards it replaces: the single-core DSP board, the amplifier control board and the sensor circuit board.]
Fig. 6. Comparison of the integrated and nonintegrated control platforms.
4.2 Experiments Using the Integrated Platform to Replace the Nonintegrated Platform
The integrated platform was applied to the spindle with AMBs. In the experiments, a stable 5-DOF suspension was achieved and the spindle successfully ran up to a rotation speed of 12000 rpm. The new platform replaced a nonintegrated platform and achieved better performance. A photo of the AMB motor is shown in Fig. 7 and a photo of the integrated digital control platform in Fig. 8.
Fig. 7. AMB motor
Fig. 8. Integrated digital control platform
The interface of the monitoring system for the AMBs is shown in Fig. 9. In the interface, the orbit of the AMB rotor appeared as a single point, representing a static suspension with micrometer accuracy. The ripples on the current waveforms were small, indicating good current control performance. Because the signal transmission was simplified, the suspension performance was even better than with the single-core digital platform. Furthermore, the displacement and current data for the monitoring system were sent by the dual-core chip over the network, and the original sampling system was removed. The signal transmission used a three-layer structure in which each pair of adjacent layers communicated over the network. The digital control platform formed the bottom layer; it was responsible for signal sampling, data sending and parameter receiving, and both its sending and receiving paths connected to a middle layer. The middle layer was built on an embedded front-end system with a touch screen for human-computer interaction, on which the signal waveforms could also be displayed. When data arrived from the control platform or from the monitoring PC, the front-end system merged it and forwarded it to the control platform or the PC as required.
[Fig. 9: screenshot of the monitoring interface with three panels: rotor orbits, current waves and test sine waves.]
Fig. 9. Interface of the monitor system
With future system expansion in mind, the front-end system connected to the monitoring PC through a data access strategy based on network variables. The network variables were accessed through a unified interface, which suited simultaneous access by the front-end system itself, a remote monitoring PC or a multi-PC system. The sine wave at the bottom right of Fig. 9 was a virtual wave with a frequency of 20 Hz created by the DSP core of the control platform; it was passed to the ARM core through the internal shared memory and transmitted by the ARM core to the PC. The successful transmission of this wave showed that the real-time data exchange capability of the new platform was strong.
4.3 Control Parameter Adjustment on Line
The monitoring system could not only receive data from the dual-core chip but also send control parameters to the control platform. Relying on the data transmission capability of the new digital control platform, the parameters of the AMB controller could be adjusted on line while the real-time code was running. The interface of the parameter adjustment software is shown in Fig. 10. It was used to improve the controller performance with the AMB spindle running.
Fig. 10. Interface of the software for the parameter adjustment
Users could enter different control parameters in the corresponding input boxes, or load the parameters from a parameter file. When the button named “Parameter download” was pressed, the corresponding control parameters in the running controller were changed. If this function were combined with artificial intelligence technologies in the future, the intelligence level of AMB controllers would be greatly increased.
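The parameter download path described in Sects. 3.3 and 4.3 (a host PC sends a parameter set to the ARM core, which hands it to the DSP core through shared memory while the real-time loop keeps running) can be illustrated with the following Python sketch. This is an added example, not code from the paper or from the platform it describes: the JSON message format, the gain names kp/ki/kd and their acceptance ranges are assumptions, and a single-writer, single-reader version slot stands in for the L138 shared memory. The two points it demonstrates are that a downloaded set is validated and rejected as a whole before it can reach the running controller, and that the controller adopts a new set between two control steps in one reference swap, so the real-time loop is never suspended.

```python
"""Constructed illustration of on-line controller parameter download.

A network-facing task (the ARM core / front-end path in the text) receives a
"Parameter download" message, validates it, and publishes a complete parameter
set; the real-time control loop (the DSP core) picks the new set up between
control steps without ever blocking.  Message fields, limits and gains are
assumptions for the example, not values from the paper.
"""
import json
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PidGains:
    """One complete controller parameter set (immutable, so a swap is all-or-nothing)."""
    kp: float
    ki: float
    kd: float


# Assumed acceptance ranges.  A real platform derives them from the controller
# design; the point is that a set with a missing, non-finite or out-of-range
# field is rejected as a whole and never reaches the running controller.
GAIN_LIMITS = {"kp": (0.0, 50.0), "ki": (0.0, 500.0), "kd": (0.0, 5.0)}


def parse_download(payload: bytes) -> PidGains:
    """Parse and range-check a parameter download message (assumed JSON format)."""
    msg = json.loads(payload)
    checked = {}
    for name, (lo, hi) in GAIN_LIMITS.items():
        if name not in msg:
            raise ValueError(f"missing parameter {name}")
        value = float(msg[name])
        if not math.isfinite(value) or not lo <= value <= hi:
            raise ValueError(f"{name}={value!r} outside [{lo}, {hi}]")
        checked[name] = value
    return PidGains(**checked)


class ParameterMailbox:
    """Single-writer, single-reader slot standing in for the shared memory between
    the two cores.  The writer stores a (version, gains) tuple in one assignment;
    the reader compares the version with the one it last applied.  Neither side
    waits on the other, so a control step is never stalled by a download."""

    def __init__(self, initial: PidGains):
        self._slot = (0, initial)   # written only by publish()
        self._applied = 0           # touched only by the control loop
        self.active = initial

    def publish(self, gains: PidGains) -> int:
        version, _ = self._slot
        self._slot = (version + 1, gains)   # one reference store
        return version + 1

    def take(self) -> bool:
        """Called once per control step; returns True if new gains were adopted."""
        version, gains = self._slot
        if version == self._applied:
            return False
        self._applied = version
        self.active = gains
        return True


class PidLoop:
    """Minimal discrete PID on the rotor displacement error (constructed)."""

    def __init__(self, mailbox: ParameterMailbox, dt: float):
        self.mailbox = mailbox
        self.dt = dt
        self.integral = 0.0
        self.prev_error = 0.0

    def step(self, error: float) -> float:
        self.mailbox.take()                 # adopt a downloaded set, if any
        g = self.mailbox.active
        self.integral += error * self.dt
        derivative = (error - self.prev_error) / self.dt
        self.prev_error = error
        return g.kp * error + g.ki * self.integral + g.kd * derivative


def run_demo():
    """Run a constructed error sequence and download new gains part-way through.
    Returns the kp in use at each step and the command output of each step."""
    mailbox = ParameterMailbox(PidGains(kp=10.0, ki=0.0, kd=0.0))
    loop = PidLoop(mailbox, dt=0.001)
    errors = [1.0, 1.0, 1.0, 1.0]           # constructed constant error
    kp_used, outputs = [], []
    for i, e in enumerate(errors):
        if i == 2:                           # "Parameter download" pressed before step 2
            mailbox.publish(parse_download(b'{"kp": 20.0, "ki": 0.0, "kd": 0.0}'))
        outputs.append(loop.step(e))
        kp_used.append(mailbox.active.kp)
    return kp_used, outputs
```

In `run_demo()` the command output doubles exactly at the step after the download, with no step skipped, which is the behaviour the paper's on-line adjustment test relies on. On the real two-core chip the same version-slot idea would be implemented in the shared memory with the processor's ordering guarantees rather than with Python's reference assignment.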
5 Conclusion
A novel integrated digital control platform was developed for AMB systems. In the new platform, the AMB digital control board, the power amplifier control board and the displacement sensor board were merged into one integrated board. With the higher integration level, the board volume was reduced, the system cost was decreased and the signal transmission quality was improved. With the dual-core chip plus FPGA architecture, both the computing capability and the network data transmission capability of the control platform were enhanced. The dual-core chip could exchange large amounts of data with the host PC at high speed, and the dedicated sampling and monitoring system was removed. Furthermore, the new platform had a strong on-line parameter adjustment capability, so the AMB control parameters could be changed while the rotor was running. The disadvantages of the nonintegrated platform, namely low integration, complex structure, poor interface performance and the lack of an on-line parameter adjustment mechanism, were avoided. The new platform will be applied to high-speed flywheel systems with AMBs and help to improve their performance.
Acknowledgments. The project is supported by National Key Research and Development Project (Number 2018YFB0905500) and National Natural Science Foundation (Number 51775292).
References
1. Dai, X.J., Wei, K.P., Zhang, X.Z., et al.: A review on flywheel energy storage technology in fifty years. Energy Storage Sci. Technol. 7(5), 755–782 (2018) (in Chinese)
2. Schweitzer, G., Maslen, E.: Magnetic Bearings: Theory, Design, and Application to Rotating Machinery. Springer, Berlin (2009)
3. Bai, J.G., Zhao, L., Zhang, K., Dai, X.J.: Vibration control by AMBs for composite material energy storage flywheel with flexible structure. J. Mech. Eng. 52(8), 36–42 (2016) (in Chinese)
4. Yang, S.Q., Cai, G.W., Yang, J.J., Liao, D.X.: Suspension mechanism and stability of electrodynamic magnetic bearings. J. Huazhong Univ. Sci. Technol. Nat. Sci. Ed. 31(4), 9–11 (2003) (in Chinese)
5. Zhang, X.Y., Xie, Z.Y., Huang, Y.L., Zhang, H.: Research on dynamic performance of integrated control system of magnetic suspension spindle. Mach. Electron. 35(4), 3–8 (2017) (in Chinese)
6. Zhang, L., Liu, K.: Integrated control system design of magnetic bearings for flywheel based on FPGA. Electr. Mach. Control. 16(4), 84–90 (2012) (in Chinese)
Off-Line Performance Calculating Software of the Secondary Loop Thermal System in AP1000 Nuclear Power Plant
Zhi-Gang Wu and Wen Chen
State Nuclear Electric Power Planning Design & Research Institute Co., Ltd., Beijing 100095, China
Abstract. The thermal system of the secondary loop in a nuclear unit is a concentrated expression of the thermal performance of the plant, and calculating and analysing it is an important task in the design and operation of a nuclear power plant. In this paper, the secondary loop thermal system of a typical AP1000 unit is studied. With the heat balance method, whenever a parameter in the thermal system changes the whole thermal system has to be recalculated quantitatively in detail, which is tedious and not conducive to daily use by operators. To address this, the paper builds, on Eclipse and in Java, off-line performance calculating software for the thermal system of the AP1000 secondary loop. The software not only reduces the burden of manual calculation but also builds an accurate thermal performance file of the unit under different conditions, which is the basis for on-line performance monitoring and fault diagnosis.
Keywords: The secondary loop thermal system · Java language · Nuclear power plant · Thermal calculation
1 Introduction
Since the “13th Five-Year Plan” Energy Development Plan, the structure of China’s power industry has undergone major changes, specifically the need to vigorously develop new energy sources and safely develop nuclear power [1]. As of the end of 2016, China mainly focuses on advanced third-generation nuclear power technology, whose main representative types are AP1000, Hualong No.1 and CAP1400; the total installed capacity can reach 13.32 GW [2]. With the large-scale use of million-kilowatt PWR nuclear power units in China’s nuclear power construction, in addition to reducing the fuel consumption per unit of power generation, the analysis and evaluation of the thermal power conversion process of the unit, the calculation and analysis of the performance of the secondary loop thermal system [3, 4], and the early fault diagnosis of the operating performance of the secondary loop of in-service units have become important issues in the design and operation of nuclear power plants.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 58–68, 2020. https://doi.org/10.1007/978-981-15-1876-8_7
Off-Line Performance Calculating Software of the Secondary
For the calculation and analysis of the thermal performance of nuclear power units, scholars at home and abroad have drawn on the research methods developed for thermal power units. The commonly used thermal performance calculation methods are the equivalent enthalpy drop method, the cyclic function method, the conventional heat balance method, the matrix analysis method and the enthalpy analysis method [5–7]. Among them, the conventional heat balance method has high calculation accuracy and is easy to understand, and it only requires solving Z + 1 equations, so it is the most widely used in engineering practice [8]. At the same time, however, calculating the thermal performance of a unit with the heat balance method demands considerable expertise, and whenever a steam-water parameter in the thermal system changes the entire thermal system has to be recalculated in detail, which is cumbersome and not conducive to daily use by the operating personnel. In view of this, this paper takes the secondary loop thermal system of an AP1000 nuclear power unit as the research object. It first builds the heat balance calculation model of the secondary loop thermal system; then, based on this algorithm and on the Eclipse development platform, it develops the corresponding program modules in Java, completing off-line performance calculation and analysis software for the main equipment and systems of the AP1000 secondary loop. The software not only reduces the burden of manual calculation but also builds an accurate thermal performance file of the unit under different design conditions, which serves as the basis for subsequent performance monitoring and fault diagnosis of the unit.
2 Offline Software Theoretical Calculation Model
2.1 Design Condition Module Main Equipment Calculation Model
Unlike a thermal power unit, the secondary loop of a nuclear power plant has its own particularities in the calculation and analysis of thermal performance, in two respects. First, because the main steam of a nuclear steam turbine is saturated steam, a steam-water separation and reheat system has to be arranged in the steam-water cycle to remove the moisture from the wet steam in time and reheat the steam. Therefore, the coupling between high-pressure extraction and reheating has to be considered in the thermal performance calculation. Second, the working fluid of a nuclear steam turbine works mainly in the wet steam region, where the working steam has a high moisture content. To reduce the influence of wet steam on the blades, moisture removal structures and drain holes have to be adopted, so the enthalpy values before and after the drain differ when the stage efficiency is calculated [9]. The steam-water separation reheater is a device unique to nuclear power units that distinguishes them from thermal power units. The condensed water is first heated into saturated steam in the nuclear island; the steam then enters the high-pressure cylinder of the turbine in the conventional island and expands to do work, during which its temperature and pressure gradually decrease and its moisture content increases. Therefore, to improve the dryness of the steam flowing in the low pressure
Z.-G. Wu and W. Chen
cylinder, and also to improve the safety and economy of turbine operation, a nuclear power unit places a steam-water separation reheater at the outlet of the high-pressure cylinder. The dryness of the inlet steam of the high and low pressure cylinders is thereby increased, so that the final exhaust of the steam turbine meets the design requirements [10, 11]. The calculation model is shown in Fig. 1, and the calculation formulas are given in Eqs. (1)–(3).
[Fig. 1: diagram of the steam-water separation reheater. Labels: separator inlet flow (D_rh + D_se) at enthalpy h_5; separator outlet steam D_rh at h_se; separator drain D_se at h_dse; primary reheater heating steam D_hrh1 at h_hrh1 with drain at h_drh1 and outlet steam at h_rh1; secondary reheater heating steam D_hrh2 at h_hrh2 with drain at h_drh2 and outlet steam at h_rh.]
Fig. 1. Steam and water separation reheater model
$$D_{se} = \frac{D_{rh}\,(h_{se} - h_5)}{h_5 - h_{dse}} \qquad (1)$$
$$D_{hrh1} = \frac{D_{rh}\,(h_{rh1} - h_{se})}{h_{hrh1} - h_{drh1}} \qquad (2)$$
$$D_{hrh2} = \frac{D_{rh}\,(h_{rh} - h_{rh1})}{h_{hrh2} - h_{drh2}} \qquad (3)$$
Where: D_rh and D_se are the reheat steam flow into the low pressure cylinder and the separated water flow in the steam separator, respectively, kg/h; h_se and h_5 are the outlet and inlet enthalpy of the steam-water separator, kJ/kg; D_hrh1 and D_hrh2 are the primary and secondary extraction steam flows, kg/h; h_rh1 and h_rh are the steam enthalpy at the primary and secondary reheater outlets, kJ/kg; h_hrh1 and h_hrh2 are the extraction steam enthalpy of the primary and secondary reheaters, kJ/kg; h_dse, h_drh1 and h_drh2 are the drain enthalpy of the steam separator and of the primary and secondary reheaters, respectively, kJ/kg. There are three cases in calculating the efficiency of a stage of a nuclear steam turbine: the stage has no drain, the stage has a drain, and the stage is a pure drain stage [12]. When a stage has no drain, the stage efficiency can be calculated by formula (4). The extraction stage groups of the high and low pressure cylinders generally have drains. Since the enthalpy values before and after the drain of a stage group inevitably differ, the enthalpy before the drain is needed to calculate the efficiency of the preceding stage group, while the enthalpy after the drain is needed to calculate the efficiency of the current group. The enthalpy after the drain is therefore generally determined by heat balance, as in formula (5). When a section of the steam turbine is a pure drain, the pure drain flow and the pure drain enthalpy of the
stage are usually given on the heat balance diagram of the steam turbine, and the efficiency of the stage can be solved directly by the formula.
$$\eta_n = \frac{\Delta h}{\Delta h_s} \qquad (4)$$
Where: η_n is the efficiency of the stage; Δh and Δh_s are the effective enthalpy drop and the ideal enthalpy drop, respectively, kJ/kg.
$$h_{n2} = (1 - \eta_{nw})\,h_{(n+1)1} + \eta_{nw}\,h_{nw} \qquad (5)$$
Where: h_nw, h_n2 and h_(n+1)1 are the drain enthalpy and the enthalpy before and after the drain, respectively, kJ/kg; η_nw is the ratio of the amount of water separated at the extraction point to the flow rate of the stage.
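Formulas (1)–(5) above can be exercised as a small worked example. The Python below is added here and is not part of the paper's Java software; the enthalpies and the reheat flow are constructed values in the general range of a saturated-steam turbine, chosen only so that the arithmetic can be followed. It implements the separator drain balance (1), the two reheater heating-steam balances (2) and (3) with one function, the stage efficiency (4) and the enthalpy before a drain (5), and it checks that the flow returned by (1) closes the separator energy balance it was derived from.

```python
"""Worked example of the design-condition formulas (1)-(5): the steam-water
separator and two-stage reheater balances, the stage efficiency, and the
enthalpy before a drain.  Constructed input values; not the paper's software.
Flows in kg/h, enthalpies in kJ/kg, as in the paper."""


def separator_drain_flow(D_rh, h_se, h5, h_dse):
    """Eq. (1): separated water flow D_se from the separator energy balance
    (D_rh + D_se) h5 = D_rh h_se + D_se h_dse, solved for D_se."""
    if h5 <= h_dse:
        raise ValueError("separator inlet enthalpy must exceed the drain enthalpy")
    return D_rh * (h_se - h5) / (h5 - h_dse)


def reheater_heating_flow(D_rh, h_out, h_in, h_heating, h_drain):
    """Eqs. (2) and (3): heating (extraction) steam flow that raises the reheat
    flow D_rh from h_in to h_out while the heating steam condenses from
    h_heating to h_drain.  (2) uses the primary reheater enthalpies, (3) the
    secondary ones."""
    if h_heating <= h_drain:
        raise ValueError("heating steam enthalpy must exceed its drain enthalpy")
    return D_rh * (h_out - h_in) / (h_heating - h_drain)


def stage_efficiency(dh, dh_s):
    """Eq. (4): eta_n = effective enthalpy drop / ideal enthalpy drop."""
    return dh / dh_s


def enthalpy_before_drain(h_next_in, h_drain, eta_nw):
    """Eq. (5): h_n2 = (1 - eta_nw) h_(n+1)1 + eta_nw h_nw, the mixed enthalpy
    before the separated water (fraction eta_nw) is removed."""
    return (1.0 - eta_nw) * h_next_in + eta_nw * h_drain


def separator_balance_closes(D_rh, D_se, h_se, h5, h_dse, rel_tol=1e-9):
    """Check that the flows satisfy the separator energy balance behind Eq. (1)."""
    lhs = (D_rh + D_se) * h5
    rhs = D_rh * h_se + D_se * h_dse
    return abs(lhs - rhs) <= rel_tol * abs(lhs)


def worked_example():
    """Constructed enthalpies (kJ/kg) and reheat flow (kg/h); returns the
    computed quantities as a dict."""
    D_rh = 3_000_000.0
    h5, h_se, h_dse = 2580.0, 2780.0, 780.0          # separator inlet, outlet steam, drain
    h_rh1, h_hrh1, h_drh1 = 2900.0, 2700.0, 900.0    # primary reheater outlet, heating steam, drain
    h_rh, h_hrh2, h_drh2 = 3000.0, 2800.0, 1200.0    # secondary reheater outlet, heating steam, drain
    D_se = separator_drain_flow(D_rh, h_se, h5, h_dse)
    return {
        "D_se": D_se,
        "D_hrh1": reheater_heating_flow(D_rh, h_rh1, h_se, h_hrh1, h_drh1),
        "D_hrh2": reheater_heating_flow(D_rh, h_rh, h_rh1, h_hrh2, h_drh2),
        "balance_ok": separator_balance_closes(D_rh, D_se, h_se, h5, h_dse),
        "eta_n": stage_efficiency(150.0, 200.0),
        "h_n2": enthalpy_before_drain(2600.0, 800.0, 0.05),
    }
```

The denominator checks matter in practice: a separator inlet enthalpy below the drain enthalpy, or heating steam below its own drain enthalpy, is a physically impossible input (typically a data-entry error in the heat balance sheet) and would otherwise silently produce a negative or infinite flow.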
2.2 Variable Working Condition Module Calculation Model
Generally speaking, a nuclear power unit frequently deviates from its design condition during actual operation, and the unit load varies with the dispatch of the power grid. Therefore, variable working condition calculations of the secondary loop thermal system are necessary. Such a calculation first requires the complete heat balance diagram, which includes not only the pressure and temperature of the extraction steam at each stage but also the enthalpy of the steam used for heating at each stage. For nuclear power systems, since wet steam expands in the turbine, the design condition calculation starts from the material and energy balances with the extraction point enthalpy and the inlet enthalpy of the regenerative heater known, and the enthalpy after the extraction point has to be calculated. For the variable working condition calculation, the extraction enthalpy of the wet steam has to be calculated first, and then the enthalpy after the extraction point and the inlet enthalpy of the regenerative heater.
It can be seen from the literature [13] that the extraction enthalpy of the high pressure cylinder and of the part of the low pressure cylinder containing drain stages is calculated as follows: first, the enthalpy of the main steam is obtained from its known pressure and dryness; then the high pressure cylinder exhaust value is determined from the relationship between exhaust steam and load in the design specification; with the extraction pressure of each stage known, the dry efficiency is assumed constant and the dry-basis enthalpy at a given extraction pressure is obtained; the dry basis is then corrected with the dehumidification efficiency to obtain a wet basis, the enthalpy is recalculated with the wet-basis efficiency, and so on, until the dryness values from the last two iterations differ by less than 0.1%. After the extraction enthalpy has been determined, the enthalpy after the extraction point is calculated by the method described above, and the inlet enthalpy of the regenerative heater is then calculated from the heat balance. Based on the above enthalpy calculation method, once
the extraction enthalpy has been obtained, the variable working condition calculation of the nuclear power system and the calculation of the actual operating conditions can be completed, and the relevant characteristic parameters can then be calculated, providing the basis for performance testing, early performance diagnosis of operating conditions and so on.
2.3 Consumption Difference Analysis Module Calculation Model
The purpose of consumption difference analysis is to determine the change in unit heat consumption caused by a change in the decision variables, so as to further analyse problems in equipment design, operation, maintenance and other aspects and to seek solutions [14]. For the secondary loop of a nuclear power plant, the heat rate is usually used as the energy consumption index. This index is based on the first law of thermodynamics and is usually evaluated by the heat balance method. The influence of a change in a unit parameter on the unit heat rate is given by Eqs. (6) and (7).
$$\Delta HR|_{\Delta x} = HR|_{\Delta x} - HR_0 \qquad (6)$$
$$\delta HR|_{\Delta x} = \frac{\Delta HR|_{\Delta x}}{HR_0} \times 100 \qquad (7)$$
Where: HR is the unit heat rate, kJ/(kWh), HR_0 being its value before the change; Δx is the change in the unit’s decision variable; ΔHR|Δx and δHR|Δx are the absolute change in the unit heat rate caused by the parameter change, kJ/(kWh), and the relative change, %.
3 Off-Line Software Development Environment
3.1 Off-Line Software Development Platform
The off-line performance calculation software for the AP1000 nuclear power unit secondary loop system is implemented in Java using the Eclipse development tools. Java is an object-oriented programming language developed by Sun for writing cross-platform applications that can be “written once, run everywhere”. Eclipse is a well-known integrated development platform that users can download free of charge from its official website, but before using it for Java development the JDK has to be installed and the runtime environment configured [15]. Built on the Eclipse development platform, the off-line performance calculation software for the AP1000 secondary loop system is a comprehensive application that integrates the thermal calculation of the design conditions of the secondary loop system, the thermal calculation of variable working conditions and the consumption difference analysis of the main parameters, as shown in Fig. 2.
Fig. 2. Schematic diagram of Software development module
3.2 Off-Line Software Program Execution Block Diagram
The block diagram of the off-line performance calculation software program for the AP1000 secondary loop system is shown in Fig. 3. After opening the software, the user selects the corresponding module. In the design condition module, in addition to the performance calculation under the unit design conditions, the user can also query the unit’s thermal performance file table and the trend charts of the main parameters. In the variable working condition module, the user first enters the power to be calculated; after the prompt confirms that the input does not exceed the limit, the user clicks the calculation button on the program panel and the program automatically completes the performance calculation for that working condition. In the main parameter sensitivity analysis module, the user first enters the unit power and then selects the variation range of the corresponding parameter at the current power, after which the heat rate before and after the change is displayed.
Fig. 3. Structure execution block diagram of Off-line software program
4 Off-Line Software Function Module
In this paper, a typical AP1000 PWR nuclear power unit is selected as the case unit. Its secondary loop thermal system mainly includes the main steam system, the steam-water separation and reheater system, the turbine extraction and recovery system, the condensate and main feedwater system, and the drain and steam exhaust recovery system. Using the off-line software described above, detailed thermodynamic calculation and loss analysis under different working conditions are carried out and an accurate thermal performance file of the case unit is established; at the same time, this provides the basis for subsequent on-line performance monitoring and fault diagnosis.

Table 1. Calculation parameters of steam extraction flow in regenerative system under THA, 90% THA and 75% THA conditions

| Project | Unit | THA | Balance diagram | Error | 90% THA | Balance diagram | Error | 75% THA | Balance diagram | Error |
|---|---|---|---|---|---|---|---|---|---|---|
| No. 7 High pressure heater | kg/h | 389027 | 390960 | −0.49% | 320714.57 | 319596 | 0.35% | 222675.84 | 223361 | −0.31% |
| No. 6 High pressure heater | kg/h | 335056.76 | 333331 | 0.52% | 291475.01 | 292409 | −0.32% | 234804.07 | 234701 | 0.04% |
| Deaerator | kg/h | 421263.5 | 420859 | 0.10% | 364542.75 | 364747 | −0.06% | 287460.54 | 286804 | 0.23% |

(continued)
Off-Line Performance Calculating Software of the Secondary
Table 1. (continued)

| Project | Unit | THA | Balance diagram | Error | 90% THA | Balance diagram | Error | 75% THA | Balance diagram | Error |
|---|---|---|---|---|---|---|---|---|---|---|
| No. 4 Low pressure heater | kg/h | 223120.67 | 223039 | 0.04% | 196459.41 | 195978 | 0.25% | 157610.24 | 157665 | −0.03% |
| No. 3 Low pressure heater | kg/h | 222218.18 | 221790 | 0.19% | 196126.63 | 196033 | 0.05% | 159307.28 | 159269 | 0.02% |
| No. 2 Low pressure heater | kg/h | 164610.43 | 164518 | 0.06% | 142677.86 | 143020 | −0.24% | 113157.11 | 112820 | 0.30% |
| No. 1 Low pressure heater | kg/h | 317909.14 | 317653 | 0.08% | 273054.57 | 272420 | 0.23% | 208911.44 | 208365 | 0.26% |
| First reheater | kg/h | 323381.48 | 324456 | −0.33% | 276574.08 | 277088 | −0.19% | 211475.37 | 212684 | −0.57% |
| Secondary reheater | kg/h | 182939.12 | 182690 | 0.14% | 211880.95 | 211492 | 0.18% | 239822.57 | 239440 | 0.16% |

4.1 Design Conditions Module
For the case unit under the design condition, the calculation is completed by selecting the design condition module. In this module, detailed thermal calculation can be carried out for the THA, 90% THA and 75% THA conditions of the case unit, and the calculation results meet all the data requirements of the heat balance diagram. For the case unit under the THA condition, the thermal efficiency is 36.77% and the heat consumption rate is 9790.84 kJ/kWh. Compared with the design specifications, the minimum and maximum errors of the regenerative heater extraction flow are 0.06% and 0.52% respectively, while the calculation error of the extraction steam flow under the other design conditions is less than 1%, which meets the requirements of engineering accuracy. The specific calculation results are shown in Table 1. The software can therefore quickly model and calculate the nuclear power unit, obtain its detailed thermodynamic parameters and facilitate the study of the dependence among parameters, providing a theoretical basis for the follow-up performance analysis. From the performance file list and parameter trend chart produced by the design condition module for the design condition of the case unit, it can be seen how the characteristic flow area, stage efficiency, internal power, extraction pressure at each extraction stage, shaft seal steam supply, steam leakage and other parameters change with the main steam flow. Taking the characteristic flow area as an example, when the working condition of the unit changes, the operating status of each stage group and the thermal parameters of the working fluid change, but the characteristic flow area basically remains constant and only gradually increases with the flow of the working fluid.
Therefore, during unit operation any factor affecting the efficiency of a stage will affect the characteristic flow area of that stage; that is, within a certain accuracy, the characteristic flow area can be used as an important basis for the performance diagnosis of the steam turbine flow passage.
Table 2. 75% THA steam turbine body part calculated thermodynamic parameters

| Project | Unit | High pressure, first stage | High pressure, second stage | High pressure, third stage | High pressure, fourth stage | Low pressure, first stage | Low pressure, second stage | Low pressure, third stage | Low pressure, fourth stage | Low pressure, fifth stage | Low pressure, sixth stage |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Initial enthalpy | kJ/kg | 2783.5 | 2718.9 | 2695.6 | 2627.3 | 2979.9 | 2803.9 | 2664.2 | 2567.9 | 2527.6 | 2475.0 |
| Endpoint enthalpy | kJ/kg | 2717.4 | 2694.1 | 2621.7 | 2535 | 2803.9 | 2664.2 | 2546.2 | 2495.9 | 2435.9 | 2340 |
| Effective enthalpy drop | kJ/kg | 66.1 | 24.4 | 73.9 | 92.3 | 176.0 | 139.7 | 118 | 72.0 | 91.7 | 135.0 |
| Ideal enthalpy drop | kJ/kg | 77.9 | 27.2 | 87.8 | 102.4 | 196.1 | 148.5 | 157.9 | 93.4 | 123.1 | 134.6 |
| Intra-stage efficiency | % | 84.5 | 89.5 | 84.1 | 90.1 | 89.7 | 94.0 | 74.7 | 77.0 | 74.4 | 96.3 |
| Stage dry efficiency | % | 87.4 | 94.2 | 90.4 | 90.1 | | | | 80.4 | 78.4 | 96.3 |
| Stage flow | kg/s | 1344.7 | 1285.9 | 1224.1 | 1158.9 | 958.7 | 914.9 | 870.6 | 839.2 | 781.2 | 762.0 |
| CFA | m² | 219.3 | 456.4 | 327.0 | 449.3 | 737.6 | 1608.7 | 3076.0 | 8336.9 | 13101.6 | 28662.9 |
| Pressure ratio | | 0.66 | 0.86 | 0.61 | 0.55 | 0.40 | 0.44 | 0.37 | 0.53 | 0.42 | 0.36 |
| Ideal power | kW | 104779.3 | 35099.9 | 107585.5 | 118725 | 188056.4 | 135917.2 | 137492.4 | 78451.5 | 96240.8 | 102636.4 |
| Effective power | kW | 89008.6 | 31414.3 | 90477.5 | 106981.3 | 168784.9 | 127817.8 | 102741.7 | 60461.3 | 71681.9 | 102943.2 |

| Project | Unit | High pressure cylinder | Low pressure cylinder |
|---|---|---|---|
| Ideal enthalpy reduction sum | kJ/kg | 295.5 | 853.9 |
| Actual enthalpy reduction sum | kJ/kg | 256.8 | 732.6 |
| Total enthalpy drop of ideal | kJ/kg | 292.5 | 827.0 |
| Gravimetric coefficient | | 1.01 | 1.03 |
| Flow efficiency | | 0.88 | 0.87 |
4.2 Variable Working Condition Analysis Module
The software is applied to the variable working condition calculation module of the secondary circuit system of the case unit. In this module, by inputting the unit power, the basic data of the heat balance chart and the unit characteristic parameters under any working condition above 75% load of the case unit can be obtained, such as the extraction pressure, extraction enthalpy, characteristic flow area, stage power, thermal efficiency and so on. For example, when the input unit power is 939.75 MW, the detailed calculation results of the thermal performance parameters of the unit are quickly obtained in tabular form. Under this condition, the thermal efficiency of the unit is 35.35% and the heat consumption rate is 10182.63 kJ/kWh; the detailed calculation results are shown in Table 2. In addition, the off-line software also includes modules for the thermodynamic parameters of the steam turbine body and of the regenerative system. The data can be displayed visually and intuitively in the system diagram, and thermo-economic parameters such as the extraction parameters at each stage, heat consumption rate, net heat absorption rate, thermal efficiency and steam consumption rate of the unit can also be read directly.
4.3 Dissipation Analysis Module
For nuclear power units, when a certain thermodynamic parameter changes, the performance of the unit may change accordingly. Therefore, it is particularly important to analyze the loss differences caused by some important thermodynamic parameters of the unit. For this purpose, this paper applies the above software to analyze the sensitivity of the case unit to the high-pressure heater end difference, the low-pressure heater end difference, the exhaust pressure and the reheat temperature. First, the unit power is input, the range of change of the end difference under this power is selected, and the "calculate" button is clicked to calculate the heat consumption of the unit before and after the parameter change at that power and obtain the change in heat consumption. Taking the end difference as an example, its size is usually related to the heat transfer area of the regenerative heater and the feedwater flow through it. When the unit runs, the actual end difference deviates from the design value. When the end difference increases, the feedwater temperature entering the heater of the next higher pressure level decreases, so more high-pressure extraction steam is needed to heat the feedwater and the economy of the steam turbine is reduced.
5 Conclusion
Aiming at the secondary loop system of the nuclear power unit, this paper first studies the calculation methods of its main equipment and thermal system. On this basis, taking a typical AP1000 PWR nuclear power unit as an example and using the Eclipse development tool and the Java language, the corresponding off-line performance calculation and analysis software is developed. Different requirements can be met by choosing different functional modules of the software. This software not only completes the programmed calculation of the thermal performance of the secondary loop system of the nuclear power unit and eliminates the restriction of specialization, but also establishes the list of performance files and the parameter change chart of the unit. By clicking the corresponding button according to the operation process, the relevant results can be seen intuitively. At the same time, it lays a foundation for the subsequent development of AP1000 nuclear power unit on-line performance monitoring and diagnosis software.
Monitoring and Analyzing of Wall Temperature Fluctuations for Thermal Fatigue in Elbow Pipe
Jun Ling1,2 (corresponding author), Hao Fu1, Hong-Tao Liu1, and Jing-Qi Yuan2
1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen, Guangdong 518172, People's Republic of China
[email protected], [email protected]
2 Department of Automation, Shanghai Jiao Tong University, 800 Dongchuan Road, Minhang, Shanghai 200240, People's Republic of China
Abstract. Turbulent penetration and unsteady thermal stratification can occur where hot and cold fluids mix or valves leak in some elbow pipe regions of a nuclear power plant. Temperature fluctuations of large amplitude and high frequency caused by the unstable thermal stratification can lead to time-varying thermal stress and even induce thermal fatigue. Monitoring of wall temperature fluctuations of elbow pipes has received considerable interest because thermal fatigue failure of these pipes could have severe environmental implications and cause large economic losses. In this study, based on the energy conservation law and the turbulent permeation laws, the linear interpolation method is used to calculate temperature distributions in the fatigue-sensitive region. The FLUENT software is used to verify the effectiveness and accuracy of the algorithm, which provides a new solution for indirect measurement of the internal temperature of the elbow pipe.
Keywords: Nuclear power plant · Elbow pipe · Thermal fatigue · Energy conservation · Linear interpolation
1 Introduction
During the past few decades, some thermal fatigue events have been observed in equipment of nuclear power plants at places where two fluids at different temperatures were mixed or where valves leaked. If not detected in time, temperature fluctuations driven by turbulent flow may induce thermal fatigue on the wall. Accurately acquiring temperature fluctuation information in the elbow pipe is of great importance to thermal stress analysis and thermal fatigue study of pipes. Because of the integrity of the primary coolant circuit and the safety requirements of the nuclear power plant, holes shall not be arbitrarily opened in the pipe to install temperature sensors in order to indirectly measure the inner wall temperature. Therefore, how to find an indirect, nondestructive method of obtaining input data for thermal fatigue analysis is a problem worthy of profound study. Prediction of pipe temperature fluctuation mainly includes two aspects: one is to predict the temperature fluctuation intensity [1–3]; the other is to predict the temperature change frequency [4–8]. Common prediction methods include physical model research or numerical simulation of fluid mixing through computational fluid
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 69–82, 2020. https://doi.org/10.1007/978-981-15-1876-8_8
dynamics (CFD) such as direct numerical simulation (DNS) and large-eddy simulation (LES). However, because of the complexity of the flow field, the above methods have rigorous requirements and consume a large quantity of experimental and computational resources; moreover, it is difficult to obtain accurate calculation results, so their scope of application is considerably restricted. Based on the energy conservation law and the turbulent permeation laws of the elbow pipe, the linear interpolation method is used in this paper to calculate the temperature distribution of the inner and outer walls of the fatigue-sensitive region in the elbow pipe, and FLUENT is used to verify the effectiveness and accuracy of the algorithm, thus providing a new idea for indirect internal temperature measurement in the elbow pipe.
2 Model Analysis
2.1 Inversion Heat Conduction
The elbow pipe structure is shown in Fig. 1. A thermometric belt is set on the downstream horizontal segment of the elbow pipe (one thermocouple every 30° on one side, seven temperature measuring points in total), and the temperatures measured by the thermocouple belt at the 7 measuring points are $T_1$–$T_7$ respectively. In general, points 8 and 9 to be analyzed may encounter three different working conditions:
Fig. 1. Thermocouple temperature measuring positions in the elbow pipe structure
① The temperatures at the measuring points of the horizontal pipe at the bottom of the elbow pipe are all equal to the temperature of the high-temperature coolant in the main pipe. As the thermocouple measuring position is located downstream of the elbow pipe structure and the temperature at the elbow pipe is identical with the fluid temperature in the main pipe, the inner and outer wall temperatures at both points 8 and 9 to be analyzed are the fluid temperature in the main pipe.
② The temperatures at all measuring points of the horizontal pipe at the bottom of the elbow pipe are the dead water temperature in the branch pipe, indicating that the high-temperature fluid in the main pipe does not influence the position of the elbow pipe. Points 8 and 9 of the elbow pipe to be analyzed are both in the unaffected region, and their inner and outer wall temperatures are both the original dead water temperature in the branch pipe.
③ The temperatures at the 7 measuring points are different, indicating that thermal stratification occurs at each position. The temperatures at some or all measuring points lie between the high-temperature water temperature in the main pipe and the low-temperature dead water temperature in the branch pipe, indicating that thermal stratification occurs at the measuring points and will also occur at the elbow pipe. In order to acquire the temperature values at the analysis points of the elbow pipe under this circumstance, calculus is used in this paper to solve the heat capacity and calculate an equivalent height, and the linear interpolation method is used to calculate the temperature distribution on the inner and outer walls in the fatigue-sensitive region of the elbow pipe.
2.2 Interpolation Analysis of Temperature Fields
In the turbulent permeation test of the elbow pipe, Toru proposed that the temperature in the horizontal pipe under steady state varies with height but not along the axial direction [9]. Therefore, when the height of an analysis point lies between temperature measuring points 1 and 7 in the horizontal pipe, its temperature can be obtained through interpolation.
Fig. 2. Distribution diagram of thermocouple measuring points
Assuming that the pipe does not have a variable diameter, with inner radius $r$ and wall thickness $d$, the $h_i$ in Fig. 2 can be expressed as:
$$h_1 = 0,\quad h_2 = \Big(1-\frac{\sqrt{3}}{2}\Big)(r+d),\quad h_3 = \frac{1}{2}(r+d),\quad h_4 = r+d,$$
$$h_5 = \frac{3}{2}(r+d),\quad h_6 = \Big(1+\frac{\sqrt{3}}{2}\Big)(r+d),\quad h_7 = 2(r+d)$$
The curvature radii of the elbow pipe are set as $r_1$ to $r_4$ from inside to outside, the inner radius of the pipe is $r$ and the thickness is $d$; then the vertical distances from the 7 points to the horizontal line are respectively:
$$H'_1 = r_1,\quad H'_2 = r_1 + \Big(1-\frac{\sqrt{3}}{2}\Big)(r+d),\quad H'_3 = r_1 + \frac{1}{2}(r+d),\quad H'_4 = r_1 + (r+d),$$
$$H'_5 = r_1 + \frac{3}{2}(r+d),\quad H'_6 = r_1 + \Big(1+\frac{\sqrt{3}}{2}\Big)(r+d),\quad H'_7 = r_1 + 2(r+d)$$
For the analysis point 9 shown in Fig. 3, the temperature points on both its inner and outer walls are located in the horizontal extension of the horizontal pipe, so the heights of its inner and outer wall points can be used to judge whether each temperature lies within the interval spanned by the 7 temperature measuring points. The heights of the outer wall point and the inner wall point at point 9 to be analyzed are respectively:
Fig. 3. Isothermal lines of measuring points in the elbow pipe structure
$$H_{9outer} = \frac{\sqrt{2}}{2}\,r_4 = \frac{\sqrt{2}}{2}\,(r_1 + 2r + 2d),\qquad H_{9inner} = \frac{\sqrt{2}}{2}\,r_3 = \frac{\sqrt{2}}{2}\,(r_1 + 2r + d)$$
Its position in the interval can be judged by comparing $H_{9outer}$ and $H_{9inner}$ with $H'_1$–$H'_7$. The inner wall temperature and outer wall temperature at point 9 to be analyzed are then obtained through interpolation. For the analysis point 8 shown in Fig. 4, the temperatures on the horizontal line are all set as the fluid temperature in the main pipe. Through numerical calculation, it is found that at the inflection point of the elbow pipe the temperature difference of the inner circumference is larger than that of the outer circumference under the same angle. Analysis shows that this is because the volume of the inner circumference differs from that of the outer circumference under the same angle, and the volume difference also results in a difference of heat capacity. The integral is obtained mathematically, and the height difference under the same heat capacity is calculated. $S_1$ can be solved by integrating:
$$S_1 = \frac{1}{2}\int_0^{H_1}\Big[\Big(\sqrt{r_2^2-(r_1-H)^2}-\sqrt{r_1^2-(r_1-H)^2}\Big)+\Big(\sqrt{r_2^2-(r_1-H-dH)^2}-\sqrt{r_1^2-(r_1-H-dH)^2}\Big)\Big]\,dH$$
The same procedure may be easily adapted to obtain $S_2$:
$$S_2 = \frac{1}{2}\int_0^{H_2}\Big[\Big(\sqrt{r_4^2-(r_3-H)^2}-\sqrt{r_3^2-(r_3-H)^2}\Big)+\Big(\sqrt{r_4^2-(r_3-H-dH)^2}-\sqrt{r_3^2-(r_3-H-dH)^2}\Big)\Big]\,dH$$
Letting $S_1 = S_2$, the value of $H_2$ can be calculated. The temperature on the horizontal line is set as the coolant temperature in the main pipe; the temperature at $H_2$ is then obtained by interpolation between the temperature on the horizontal line and the temperature measured by the thermocouple at measuring point 8, and the temperature at $H_2$ is the temperature at point 8 to be analyzed. The inner wall temperature at the analysis point 8 is obtained by interpolation between the outer wall temperature at the analysis point 8 and the temperature measured by the thermometric belt at measuring point 8.
Fig. 4. Comparison chart of thermal capacities
3 Model Solving and Calculation
3.1 Pipe Structural Information
The outer diameter and wall thickness of the elbow pipe are 273.00 mm and 28.58 mm respectively, so its inner diameter is 215.84 mm, and the curvature radii $r_1$–$r_4$ from inside to outside are respectively:
$$r_1 = 136.88\ \text{mm},\quad r_2 = 165.46\ \text{mm},\quad r_3 = 381.30\ \text{mm},\quad r_4 = 409.88\ \text{mm}$$
3.2 Solving of Inner and Outer Wall Temperatures at the Analysis Point 8
(1) Solving of outer wall temperature
$$H_1 = \Big(1-\frac{\sqrt{2}}{2}\Big)\,r_1 = 0.293 \times 136.88 = 40.1\ \text{mm}$$
Then:
$$S_1 = \frac{1}{2}\int_0^{40.1}\Big[\Big(\sqrt{165.461^2-(136.881-H)^2}-\sqrt{136.881^2-(136.881-H)^2}\Big)+\Big(\sqrt{165.461^2-(136.881-H-dH)^2}-\sqrt{136.881^2-(136.881-H-dH)^2}\Big)\Big]\,dH$$
$$S_1 = 1884.39\ \text{mm}^2$$
Similarly, $S_2$ can be obtained:
$$S_2 = \frac{1}{2}\int_0^{H_2}\Big[\Big(\sqrt{r_4^2-(r_3-H)^2}-\sqrt{r_3^2-(r_3-H)^2}\Big)+\Big(\sqrt{r_4^2-(r_3-H-dH)^2}-\sqrt{r_3^2-(r_3-H-dH)^2}\Big)\Big]\,dH$$
$$S_2 = 30.47\,H_2$$
Letting $S_1 = S_2$: $30.47\,H_2 = 1884.39$, so $H_2 = 61.8$ mm. The temperature on the horizontal line is set as the water temperature in the main pipe, $T_{\mathrm{m}}$. As shown in Fig. 5, the outer wall temperature at the analysis point can be obtained through the interpolation method:
Fig. 5. Schematic diagram of local temperatures in the elbow pipe
$$\frac{T - T_1}{T_{\mathrm{m}} - T_1} = \frac{H_2}{r_1} = \frac{61.8}{136.88} = 0.45,\qquad T_{8outer} = (T_{\mathrm{m}} - T_1)\cdot 0.45 + T_1 \quad (1)$$
(2) Solving of the inner wall temperature
The height of the inner wall position at the analysis point 8 is:
$$H_{8inner} = \frac{\sqrt{2}}{2}\,r_2 = \frac{\sqrt{2}}{2}\times 165.461 = 117\ \text{mm}$$
The height of the outer wall position at the analysis point is:
$$H_{8outer} = \frac{\sqrt{2}}{2}\,r_1 = \frac{\sqrt{2}}{2}\times 136.881 = 96.8\ \text{mm}$$
The outer wall temperature at the analysis point 8 is denoted $T_{8outer}$. The height of the inner wall point at the analysis point 8 lies between the outer wall height at point 8 and the outer wall height at measuring point 8 of the thermocouple belt, so the inner wall temperature at the analysis point 8 can be obtained through temperature interpolation:
$$T_{8inner} = T_1 + \frac{r_1 - H_{8inner}}{r_1 - H_{8outer}}\,(T_{8outer} - T_1) = T_1 + 0.504\,(T_{8outer} - T_1) \quad (2)$$
3.3 Solving of Inner and Outer Wall Temperatures at the Analysis Point 9
(1) Calculation of outer wall temperature
The outer wall point of the analysis point 9 is located in the 45° direction of the arc $r_4$:
$$H_{9outer} = \frac{\sqrt{2}}{2}\,r_4 = 289.83\ \text{mm}$$
As $H'_4 < H_{9outer} < H'_5$, its height is between the heights of measuring points 4 and 5; $T_4$ and $T_5$ are the measured outer wall temperatures at the corresponding measuring points on the horizontal straight pipe. According to the interpolation principle:
$$\frac{H_{9outer} - H'_4}{H'_5 - H'_4} = \frac{T - T_4}{T_5 - T_4}$$
The outer wall temperature at the analysis point 9 is:
$$T_{9outer} = T_4 + (T_5 - T_4)\,\frac{H_{9outer} - H'_4}{H'_5 - H'_4} = T_4 + 0.24\,(T_5 - T_4) \quad (3)$$
(2) Calculation of the inner wall temperature
The inner wall point of the analysis point 9 is located in the 45° direction of the arc $r_3$:
$$H_{9inner} = \frac{\sqrt{2}}{2}\,r_3 = 269.62\ \text{mm}$$
As $H'_3 < H_{9inner} < H'_4$, its height is between measuring points 3 and 4, and the inner wall temperature at the analysis point 9 is:
$$T_{9inner} = T_3 + (T_4 - T_3)\,\frac{H_{9inner} - H'_3}{H'_4 - H'_3} = T_3 + 0.945\,(T_4 - T_3) \quad (4)$$
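As an added worked example (not part of the paper and not the authors' code), the following Python carries the procedure of Sects. 2.1–3.3 through end to end: it classifies the belt readings into the three cases of Sect. 2.1, builds the measuring-point heights $H'_1$–$H'_7$ of Sect. 2.2 from the Sect. 3.1 geometry, locates the point-9 wall heights between the bracketing measuring points (which reproduces the 0.24 and 0.945 of Eqs. (3)–(4)), and applies Eqs. (1)–(2) for point 8. It takes the point-8 coefficients 0.45 (= $H_2/r_1$ with $H_2$ = 61.8 mm) and 0.504 as the paper states them rather than re-deriving the $S_1 = S_2$ balance, and its `t_up` parameter is the two-belt variant of Sect. 4.3 (2), where an upstream belt reading equal to the main fluid temperature puts point 8 at that temperature. The belt temperatures are the Table 2 and Table 4 values (constructed inputs here); the function names and the `T_m` symbol for the main-pipe temperature are this example's own.

```python
"""Wall-temperature estimation at elbow-pipe analysis points 8 and 9 by linear
interpolation along a thermocouple belt (added example, not the paper's code).

Geometry: Sect. 3.1; measuring-point heights: Sect. 2.2; interpolation: Eqs. (1)-(4);
belt temperatures: Tables 2 and 4 of the paper (embedded below as constructed inputs).
"""
import math
from bisect import bisect_right

# Pipe geometry in mm (Sect. 3.1): curvature radii r1..r4 from inside to outside,
# wall thickness d and inner radius r (inner diameter 215.84 mm / 2).
R1, R2, R3, R4 = 136.88, 165.46, 381.30, 409.88
D = 28.58
R = 215.84 / 2

# Coefficients of Eqs. (1)-(2) as the paper states them: H2 / r1 with H2 = 61.8 mm,
# and the 0.504 ratio for the inner wall of point 8 (not re-derived here).
H2 = 61.8
COEF_8_OUTER = round(H2 / R1, 2)   # 0.45
COEF_8_INNER = 0.504

# Constructed inputs: belt temperatures T1..T7 (K, bottom to top) of Table 2 (working
# condition I) and Table 4 (working condition II); main-pipe fluid 603 K and initial
# (dead water) 293 K from Sect. 4.1.
COND_I = [603, 603, 603, 600, 598, 594, 588]
COND_II = [383.23, 372.85, 365.46, 358.36, 345.28, 336.67, 318.21]
T_MAIN = 603.0
T_DEAD = 293.0


def belt_heights(r1=R1, r=R, d=D):
    """Heights H'_1..H'_7 of the belt thermocouples (one every 30 deg on one side):
    H'_i = r1 + (r + d) * (1 - cos(theta_i)) with theta_i = 0, 30, ..., 180 deg, which
    reproduces h1 = 0, h2 = (1 - sqrt(3)/2)(r+d), ..., h7 = 2(r+d) of Sect. 2.2."""
    return [r1 + (r + d) * (1 - math.cos(math.radians(30 * i))) for i in range(7)]


def interpolate_at_height(h, heights, temps):
    """Linear interpolation between the two belt points whose heights bracket h.
    Refuses heights outside the belt so the caller cannot silently extrapolate
    beyond the measured interval."""
    if not heights[0] <= h <= heights[-1]:
        raise ValueError(f"height {h:.2f} mm is outside the thermocouple belt")
    k = min(bisect_right(heights, h) - 1, len(heights) - 2)
    frac = (h - heights[k]) / (heights[k + 1] - heights[k])
    return temps[k] + frac * (temps[k + 1] - temps[k])


def classify_belt(temps, t_main, t_dead, tol=1e-6):
    """Cases of Sect. 2.1: 1 = every point at the main-pipe temperature,
    2 = every point at the dead-water temperature, 3 = thermal stratification."""
    if all(abs(t - t_main) <= tol for t in temps):
        return 1
    if all(abs(t - t_dead) <= tol for t in temps):
        return 2
    return 3


def estimate_wall_temperatures(temps, t_main=T_MAIN, t_dead=T_DEAD, t_up=None):
    """Inner/outer wall temperatures (K) at analysis points 8 and 9.

    temps: T1..T7 of the downstream belt (bottom to top).
    t_up:  outer wall temperature of an upstream belt (Sect. 4.3 (2)); None means a
           single belt, so the horizontal line is set at t_main (T_m of Eq. (1)).
    """
    keys = ("p8_outer", "p8_inner", "p9_outer", "p9_inner")
    case = classify_belt(temps, t_main, t_dead)
    if case == 1:
        return dict.fromkeys(keys, t_main)
    if case == 2:
        return dict.fromkeys(keys, t_dead)

    # Point 9 (Eqs. (3)-(4)): both wall points sit at 45 deg on arcs r4 (outer) and
    # r3 (inner), and their heights fall inside the belt interval.
    heights = belt_heights()
    p9_outer = interpolate_at_height(math.sqrt(2) / 2 * R4, heights, temps)
    p9_inner = interpolate_at_height(math.sqrt(2) / 2 * R3, heights, temps)

    # Point 8 (Eqs. (1)-(2)): interpolate between T1 and the horizontal-line
    # temperature. With two belts, an upstream reading equal to the main fluid
    # temperature means the permeation depth is already below that belt.
    if t_up is not None and abs(t_up - t_main) <= 1e-6:
        p8_outer = p8_inner = t_main
    else:
        t_ref = t_main if t_up is None else t_up
        p8_outer = (t_ref - temps[0]) * COEF_8_OUTER + temps[0]
        p8_inner = temps[0] + COEF_8_INNER * (p8_outer - temps[0])

    return {"p8_outer": p8_outer, "p8_inner": p8_inner,
            "p9_outer": p9_outer, "p9_inner": p9_inner}


if __name__ == "__main__":
    for name, temps in (("condition I", COND_I), ("condition II", COND_II)):
        res = estimate_wall_temperatures(temps)
        print(name, {k: round(v, 3) for k, v in res.items()})
```

With the single-belt inputs this reproduces the interpolation columns of Tables 3 and 5: 603/603/599.52/600.165 K for working condition I and 482.13/433.08 K at point 8 for working condition II. One caveat worth noting when reading Table 5: Eqs. (3)–(4) give 355.22 K for the outer wall and 358.75 K for the inner wall of point 9 under condition II, and Table 5 lists those two values in the opposite order.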
4 Test and Analysis
4.1 Experiment Condition
In order to simulate the leakage under actual working conditions, a small hole with a diameter of 10 mm is opened in the branch pipe. To avoid the entry-end effect, a length of 10 pipe diameters is reserved at the entry of the main pipe to ensure sufficient flow in the intersection region between the main pipe and the branch pipe. In order to prevent factors such as backflow at the exit from influencing the heat transfer in the intersection region, a length of 5 pipe diameters is reserved at the exit. The initial condition is that the temperature in all regions of the pipe is 293 K; because both the fluid-flow heat transfer problem and the internal heat conduction problem in the solid exist, this is a fluid-solid coupled heat transfer problem. The fluid in the pipe is water. The fluid temperature in the main pipe is 603 K, a small hole with a diameter of 10 mm is opened at the tail end of the pipe to simulate the possible leakage, and the fluid flow velocity in the main pipe is varied; the working conditions are shown in Table 1.

Table 1. Simulated working conditions

| Working condition | Fluid flow velocity of main pipe (m/s) | Turbulence intensity |
|---|---|---|
| Working condition I | 21 | 1.53 |
| Working condition II | 10 | 1.68 |
4.2 Meshing and Boundary Conditions
The mesh is divided into 10 regions in total, and different meshing methods are adopted in different regions. Hexahedral meshes are generated by sweeping at the entry and exit of the main pipe, tetrahedral meshes are used for the middle part of the main pipe, and the inner wall of the elbow pipe, which is the region of primary interest in this study, is meshed with smaller tetrahedral elements. Velocity boundary conditions are applied at the entries of both the main water inlet pipe and the safety injection pipe. Turbulence kinetic energy and hydraulic diameter are given for the turbulence at the entry, and a pressure boundary condition is applied at the exit of the pressure vessel: to accord with the experimental conditions, the exit pressure is set to 0 Pa and the wall is treated as adiabatic with a no-slip condition.
4.3 Results Analysis
(1) Analysis method under a single thermocouple temperature-measuring belt. When the fluid flow velocity in the main pipe is 21 m/s, the average flow velocity through the 10 mm leakage hole is 2.99 m/s, and the thermal stratification is shown in Fig. 6. Thermal stratification at the bottom can be seen, and all temperatures change with the horizontal height. Under this working condition, the temperature values at the 7 measuring points are taken as the outer wall temperatures obtained in the test; the results are shown in Table 2:
Fig. 6. Schematic diagram of thermal stratification of the elbow pipe under 21 m/s
Table 2. Temperature values of each measuring point in horizontal pipe (Working condition I)

| Measuring point | Point 1 | Point 2 | Point 3 | Point 4 | Point 5 | Point 6 | Point 7 |
|---|---|---|---|---|---|---|---|
| Temp. (K) | 603 | 603 | 603 | 600 | 598 | 594 | 588 |
Under the working condition I, when there is only one temperature measuring belt at the bottom, the above temperature values are substituted into Eqs. (1)–(4), and then their temperatures are obtained as seen in Table 3.
Table 3. Comparison of linear interpolation calculation and FLUENT calculation with single thermocouple temperature measuring belts (Working condition I)

| Point to be analyzed | Temp. values calculated by linear interpolation (K) | Temp. values calculated by FLUENT (K) | Absolute error | Relative error |
|---|---|---|---|---|
| Point 8 inner wall | 603 | 603 | 0 | 0.00% |
| Point 8 outer wall | 603 | 603 | 0 | 0.00% |
| Point 9 inner wall | 600.165 | 600.1 | 0.065 | 0.01% |
| Point 9 outer wall | 599.52 | 598 | 1.52 | 0.25% |
When the fluid flow velocity of main pipe is 10 m/s, the average flow velocity of the 10 mm leakage hole is 0.15 m/s. Under this working condition, temperature values at 7 measuring points are acquired as outer wall temperatures obtained in the test, and results are shown in Table 4.
Table 4. Temperature values of each measuring point in horizontal pipe (Working condition II)

| Measuring point | Point 1 | Point 2 | Point 3 | Point 4 | Point 5 | Point 6 | Point 7 |
|---|---|---|---|---|---|---|---|
| Temp. (K) | 383.23 | 372.85 | 365.46 | 358.36 | 345.28 | 336.67 | 318.21 |
Under working condition II, when there is only one temperature measuring belt at the bottom, the above temperature values are substituted into Eqs. (1)–(4), and the temperatures are obtained as shown in Table 5.

Table 5. Comparison of linear interpolation calculation and FLUENT calculation with single thermocouple temperature measuring belts (Working condition II)

| Point to be analyzed | Temp. values calculated by linear interpolation (K) | Temp. values calculated by FLUENT (K) | Absolute error | Relative error |
|---|---|---|---|---|
| Point 8 inner wall | 433.08 | 406.57 | 26.51 | 6.52% |
| Point 8 outer wall | 482.13 | 410.49 | 71.64 | 17.45% |
| Point 9 inner wall | 355.22 | 354.17 | 1.05 | 0.30% |
| Point 9 outer wall | 358.75 | 358.23 | 0.52 | 0.15% |
According to the results, when only one thermocouple belt is arranged at the bottom, the differences between the temperatures at the analysis points calculated by the formulas and those calculated by FLUENT are large: the calculated temperatures are higher than (that is, more conservative than) those obtained from FLUENT, but the absolute and relative errors are large.
(2) Analysis method under two thermocouple temperature measuring belts When there is only one temperature measuring belt at the downstream part, absolute error and relative error of inner and outer wall temperatures at different analysis points are large. In order to improve accuracy, the other thermocouple temperature measuring belt is set at the upstream part of the elbow pipe, and the two temperature measuring belts are arranged as shown in the Fig. 7. The temperature solving method at the analysis points when there is one temperature measuring belt at each of upstream and downstream parts of the elbow pipe will be herein analyzed. HH 0
Outer wall temperature at the analysis point 9 is: T ¼ T4 þ ðT5 T4 Þ H 0 H40 ¼ T4 þ 0:24 ðT5 T4 Þ.
5
4
HH 0
Inner wall temperature at the analysis point 9 is: T ¼ T3 þ ðT4 T3 Þ H 0 H30 ¼ 4
3
T3 þ 0:945 ðT4 T3 Þ. When the temperature of the upstream temperature measuring belt 2 is equal to the main fluid temperature, it can be deemed that the permeation depth is already below the temperature measuring belt. In order that the calculation result can be partially conservative namely the calculated temperature value is greater than or equal to actual temperature value, inner and outer wall temperatures at the analysis point 8 are both the main fluid temperature.
Fig. 7. The layout of two thermocouple temperature measuring belts
When the temperature of the upstream temperature measuring belt 2 is lower than the main fluid temperature, the inner and outer wall temperatures at the analysis point 8 will certainly lie between the temperature at the uppermost part of the temperature measuring belt 1 and the temperature of the temperature measuring belt 2.
Inner and outer wall temperatures at the analysis point 8 can be acquired through the calculation according to Eq. (2) and linear interpolation. Let the outer wall temperature at the upstream temperature measuring belt be $T_{up}$; then the following formulas are obtained.

Outer wall temperature at the analysis point 8: $T_{8,outer} = (T_{up} - T_1) \times 0.45 + T_1$.

Inner wall temperature at the analysis point 8: $T_{8,inner} = T_1 + 0.504\,(T_{8,outer} - T_1)$.

In order to judge the temperature field errors calculated with the two thermocouple belts arranged at the upper and lower parts, the same two working conditions are adopted for the calculation, and the following results are obtained. Under the working condition I, when there are two temperature measuring belts (upper and lower), the above temperature values are substituted into Eqs. (1)–(4), and the temperatures are obtained as shown in Table 6.
Table 6. Comparison of linear interpolation calculation and FLUENT calculation with two thermocouple temperature measuring belts (Working condition I)

Point to be analyzed | Temp. by linear interpolation (K) | Temp. by FLUENT (K) | Absolute error (K) | Relative error
Point 8 inner wall | 603 | 603 | 0 | 0.00%
Point 8 outer wall | 603 | 603 | 0 | 0.00%
Point 9 inner wall | 600.165 | 600.1 | 0.065 | 0.01%
Point 9 outer wall | 599.52 | 598 | 1.52 | 0.25%
Under the working condition II, when there are temperature measuring belts at the bottom and top, the above temperature values are substituted into Eqs. (1)–(4), and the temperatures are obtained as shown in Table 7.

Table 7. Comparison of linear interpolation calculation and FLUENT calculation with two thermocouple temperature measuring belts (Working condition II)

Point to be analyzed | Temp. by linear interpolation (K) | Temp. by FLUENT (K) | Absolute error (K) | Relative error (%)
Point 8 inner wall | 408.5 | 406.57 | 1.93 | 0.47
Point 8 outer wall | 427.7 | 410.49 | 17.7 | 4.31
Point 9 inner wall | 355.22 | 354.17 | 1.05 | 0.30
Point 9 outer wall | 358.75 | 358.23 | 0.52 | 0.15
When two thermocouples are arranged at the upper and lower parts respectively, the maximum error between the linear interpolation method and the FLUENT method is always kept within 5%, which meets the demand of the engineering project.
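As an added worked example that is not code from the paper, the following Python carries the two-belt interpolation method above through on constructed belt temperatures and recomputes the error columns of Tables 5 and 7 from the printed interpolation and FLUENT values. Function names, heights and the sample temperatures are assumptions; only the TABLE5 and TABLE7 entries are copied from the paper. Recomputing the point 8 outer wall row of Table 7 from its printed columns gives 17.21 K and 4.19% rather than the printed 17.7 K and 4.31%; the other rows reproduce the tables.

```python
# Added example, not code from the paper: the two-belt linear interpolation
# method carried through in Python, together with the error check behind
# Tables 5 and 7. Function names, and the belt temperatures used in the
# docstrings and tests, are assumptions; TABLE5/TABLE7 copy the paper's values.


def interpolate(t_a: float, t_b: float, h: float, h_a: float, h_b: float) -> float:
    """Linear interpolation between belt a (height h_a) and belt b (height h_b):
    T = T_a + (T_b - T_a) * (H - H_a) / (H_b - H_a)."""
    if h_a == h_b:
        raise ValueError("belt heights must differ")
    return t_a + (t_b - t_a) * (h - h_a) / (h_b - h_a)


def coefficient_form(t_a: float, t_b: float, k: float) -> float:
    """Same formula once the height ratio is reduced to a fixed coefficient,
    e.g. k = 0.24 (point 9 outer wall) or k = 0.945 (point 9 inner wall)."""
    return t_a + k * (t_b - t_a)


def point8_temperatures(t_up: float, t_main: float, t1: float) -> tuple:
    """(inner, outer) wall temperature at analysis point 8 with two belts.

    If the upstream belt already reads the main fluid temperature, the
    permeation depth lies below it and both values are set to the main fluid
    temperature, the conservative choice. Otherwise the paper's coefficients
    apply: T8_outer = (T_up - T1) * 0.45 + T1, T8_inner = T1 + 0.504 * (T8_outer - T1).
    """
    if t_up >= t_main:
        return t_main, t_main
    outer = (t_up - t1) * 0.45 + t1
    inner = t1 + 0.504 * (outer - t1)
    return inner, outer


def errors(calc: float, ref: float) -> tuple:
    """Absolute error in K and relative error in percent, FLUENT as reference."""
    abs_err = calc - ref
    return round(abs_err, 2), round(100.0 * abs_err / ref, 2)


def compare_table(rows):
    """rows of (label, interpolated K, FLUENT K) -> (label, abs err, rel err %,
    conservative), where conservative means the estimate is not below FLUENT."""
    return [(label, *errors(calc, ref), calc >= ref) for label, calc, ref in rows]


def max_relative_error(rows) -> float:
    return max(abs(rel) for _, _, rel, _ in compare_table(rows))


def all_conservative(rows) -> bool:
    return all(flag for *_, flag in compare_table(rows))


# Values copied from Table 5 (one belt) and Table 7 (two belts), working condition II
TABLE5 = [("Point 8 inner wall", 433.08, 406.57), ("Point 8 outer wall", 482.13, 410.49),
          ("Point 9 inner wall", 355.22, 354.17), ("Point 9 outer wall", 358.75, 358.23)]
TABLE7 = [("Point 8 inner wall", 408.5, 406.57), ("Point 8 outer wall", 427.7, 410.49),
          ("Point 9 inner wall", 355.22, 354.17), ("Point 9 outer wall", 358.75, 358.23)]

if __name__ == "__main__":
    for name, rows in (("Table 5", TABLE5), ("Table 7", TABLE7)):
        print(name, "max relative error %.2f%%" % max_relative_error(rows))
        for row in compare_table(rows):
            print("  ", row)
```

The conservative flag is the property the text relies on: an estimate that is never below the CFD value errs toward over-predicting wall temperature, so a large error with a single belt is a loss of accuracy rather than an unsafe under-estimate.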
5 Conclusions

Based on the energy conservation law, a linear interpolation method was used in this paper to establish a numerical temperature field model of the fatigue-sensitive region of the elbow pipe. Numerical test results using the FLUENT software have proved the reliability and accuracy of the mathematical model under two different working conditions. Therefore, a new solution for accurate prediction of the inner wall temperature distribution in the elbow pipe and its fluctuation in actual engineering application is provided.
Discussions on Information Security Test Strategy for Digital Industrial Control System in Nuclear Power Plant

Wang Xi(&), Peng-Fei Gu, and Wei Liu

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen, Guangdong 518172, China
[email protected]
Abstract. As the nerve center of a plant, the control system decides its safety and economy, so information security plays a critical role in the control system. With the fusion of industrialization and informatization, and with the development of the digital nuclear power plant, an increasing number of general software technologies, including network communication and operating systems, have been used, and the security problems of traditional IT systems have been introduced into industrial control systems. From the viewpoint of information security, this paper analyzes the characteristics of the industrial control systems used in nuclear power plants, establishes a hierarchy model from company management down to the software entity, and provides defensive methods for probable and potential intrusions at each level. Finally, this paper summarizes a defense-in-depth system from software design and development to social engineering, and provides references for the optimization of information security in industrial control systems.

Keywords: Nuclear power plant · Digital industrial control system · Information security
1 Introduction

Industrial control systems such as data acquisition and monitoring systems, distributed control systems, process control systems, and programmable logic controllers are widely used in industrial fields to control the operation of production equipment [1]. Unlike general systems, industrial control systems affect the entire production process, and their information security vulnerabilities can lead to serious industrial safety and economic risks. Nuclear power plants are important industrial production facilities, and their operational safety issues can have disastrous consequences for society and the environment. With the development of digital nuclear power, the digital instrument control system (DCS), as the nerve center of the nuclear power plant, is the main interface through which plant personnel monitor and operate the equipment, and it determines the safety and economy of plant operation. In 2010, the Iranian nuclear power plant was attacked by the “Seismic Network” virus, which sounded the alarm for the information security of the nuclear power digital instrument control system [2]. Information security has become a key issue in the digital design process of the nuclear power plant industrial control system, and information security testing methods are an important means to ensure the information security of nuclear power plants.

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 83–89, 2020. https://doi.org/10.1007/978-981-15-1876-8_9
2 Related Works

2.1 Difference Between Industrial Control System and IT System
The differences between traditional industrial control systems and general IT systems are: (1) Industrial control systems control industrial production, so damage to them or compromised information security may lead to industrial disasters. The information security priority order of an industrial control system is therefore not confidentiality, integrity, availability, as followed by general systems, but availability, integrity, confidentiality. The availability of the industrial control system must be ensured and the consequences of disasters minimized, which leads to the concept of functional safety primacy [3]. (2) The industrial control system is specially designed in terms of architecture, hardware and software. For example, general protocols cannot be adopted, so the protocol must be specially designed for information security. The comparison of industrial control systems and IT systems is shown in Table 1.

Table 1. Comparison of industrial control and IT system

Items | IT system | Industrial control system
Architecture | Computer network | Sensor, actuator, embedded, complicated architecture, hierarchical
Operating system | General OS (Windows/Linux/UNIX) | RTOS
Update and maintenance | Easy | Hard, special tools
Communication protocol | TCP, IP | Special protocol
Priority | Confidentiality | Availability

2.2 Status of Application of Industrial Control System in Nuclear Power Plants
The traditional industrial control system design is obviously different from the general IT system: through the isolation principle, the closedness of the system realizes a certain degree of information security [4]. With the current integration of industrialization and informatization, industrial control system products increasingly use general-purpose protocols and general-purpose hardware and software [5], and industrial control systems use information technology and network technology to interconnect control systems; this introduces the dangers (Trojans, viruses) and vulnerabilities faced by traditional IT systems into industrial control systems [6].
Discussions on Information Security Test Strategy
85
Most of the nuclear-grade instrument control systems currently in operation are provided by foreign manufacturers and make use of commodity-grade software. Even the independently developed instrument control system platform cannot avoid some foreign products at the operating system and chip driver layers, so their development process, documentation and source code cannot be fully grasped; together with the complexity of the instrumentation system itself, this poses a significant potential threat to the safety and confidentiality of nuclear power plants [4]. In the nuclear power production network, some nuclear power instrument control systems use common industry-standard protocols, network equipment, and Windows/Linux workstations and servers, and most of them are platforms based on traditional information systems [7]. The human-machine interface is based on commercial operating systems such as Windows and carries their vulnerabilities; system versions and patch upgrades lag behind [8], and there is no difference in principle between industrial Ethernet technology and commercial Ethernet technology. Therefore, the information security of the industrial control systems of nuclear power plants, especially the digital instrumentation control systems, has gradually come to face the potential hazards of traditional IT systems. The information security defense deployment of nuclear power plant industrial control systems should be further discussed and optimized.
3 Nuclear Electric Control System Information Security Layering Model

The typical industrial control system is divided into a management coordination layer, a production execution layer, an industrial control layer, and an equipment execution layer [1]. For information security, this paper instead divides the system into four levels: human-machine interface, network transmission, entity, and enterprise, as shown in Fig. 1.

Fig. 1. Information security hierarchy model of industrial control system (typical model: management coordination, production execution, industrial control, equipment execution; information security model: enterprise, human-machine, entity, network transport)
• Man-machine interface layer: the interface between the industrial control system and the operator (including the normal operation interface and the maintenance interface), providing the operator with access to, monitoring of and control over the industrial control system. This level is the area where external personnel directly contact the target system, and it is a key area for online information security intrusion.
• Network transport layer: the transmission channel of commands and data between operators and equipment and between pieces of equipment, including point-to-point communication and ring network communication. This level carries a lot of important information and directly determines the availability of the industrial control system; a network transport layer built on universal interconnection protocols is the weak link of information security.
• Entity layer: the application software itself, mainly the software program code, and the system environment in which the software runs. Information can be embedded in the software entity during the design and development stage, which makes it a key area for hidden information security vulnerabilities.
• Enterprise layer: the management collaboration layer, functional departments, etc., which accompany the entire life cycle of the software from the side. These departments are not directly involved in the design, development and use of the target system, but they hold some of its key information and operation and maintenance strategies, such as equipment information, operator information, access control authorization, and system user names and passwords. The confidentiality of this level of information directly determines the security of the other levels, and it is also a key area easily breached by social engineering.
4 Nuclear Power Plant Industrial Control System Safety Test

Testing the layers of the information security model of the nuclear power plant industrial control system by simulating intrusion is one of the most effective safety testing methods. The simulated intrusions and the corresponding test point measures are shown in Table 2.

Table 2. Information security intrusion and defense at each level

Layer | Attack | Test point
Man-machine | SQL injection, XSS, deserialization, cracking, stack overflow | WAF, code rule checking, biometric authentication, link monitoring; file backup, monitoring and recovery
Network transport | Data flow analysis, packet interception and camouflage | Data encryption, interconnection protocol encryption
Entity | Backdoor, Trojan, reverse engineering | Source code auditing, vulnerability scanning, code rule checking, and shell protection
Enterprise | Social engineering | Personnel awareness and equipment confidentiality
4.1 Human-Machine Layer Test
The man-machine interface of an industrial control system is mostly built on upper and lower position machines in a C/S or B/S architecture, and its information security design relies mainly on access authority control (passwords, etc.). Where password protection is implemented through a database, an intruder uses SQL injection or brute-force cracking (blasting) to crack the password and obtain the database information; a B/S architecture can additionally be attacked through XSS bypass and deserialization. An intruder targeting the software program itself can use stack overflow attacks.

For the human-machine interface layer test, code rule checking should first be performed at the software development stage to eliminate SQL injection points and stack overflow vulnerabilities. Second, the web application firewall (WAF) is tested: filtering rules on the input information can block most SQL injection. Third, password detection avoids weak password design and raises the complexity of passwords, which effectively defeats brute-force cracking. Finally, complex authentication is tested: biometric authentication (fingerprint, retina) replaces character-input login and effectively prevents various intrusions at the human-machine interface layer. For industrial control systems with external network connections, external link detection should be performed to close illegal ports.
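As an added example, not code from the paper, the following Python shows two of the human-machine layer test points just described: a static code rule check that flags SQL statements assembled from input (f-strings, concatenation, str.format) instead of bound parameters, placed beside a login query in its injectable form and its parameterised replacement, and a weak-password check of the kind the password detection step performs. The operator table, credentials, policy limits and the scanned source snippet are constructed for the example.

```python
import ast
import hashlib
import hmac
import re
import sqlite3

# Added example, not code from the paper. It shows two human-machine layer test
# points from the text: a code rule check that flags SQL built from input, beside
# an injectable login query and its parameterised replacement, and a weak-password
# check. The operator table, credentials, policy limits and the scanned source
# snippet are constructed for the example.

SALT = b"constructed-fixed-salt"  # a real system uses a random salt per account


def pw_hash(secret: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (name TEXT PRIMARY KEY, secret_hash TEXT)")
    conn.execute("INSERT INTO operators VALUES (?, ?)", ("op1", pw_hash("Sv9#kQ2!mTz8")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, secret: str) -> bool:
    """Query assembled by string formatting: the name becomes SQL text, so a
    quote-breaking name rewrites the WHERE clause. This is the pattern the
    code rule check below must reject."""
    sql = (f"SELECT COUNT(*) FROM operators "
           f"WHERE name = '{name}' AND secret_hash = '{pw_hash(secret)}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, secret: str) -> bool:
    """Bound parameter for the name; the stored hash is compared in constant time."""
    row = conn.execute("SELECT secret_hash FROM operators WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(secret))


SQL_KEYWORDS = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)


def _is_sql_literal(node: ast.AST) -> bool:
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and SQL_KEYWORDS.search(node.value) is not None)


def find_sql_injection_points(source: str) -> list:
    """Static code rule: line numbers where an SQL statement is built with an
    f-string, '+' or '%' concatenation, or str.format instead of bound values."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        flagged = False
        if isinstance(node, ast.JoinedStr):
            flagged = any(_is_sql_literal(v) for v in node.values)
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            flagged = _is_sql_literal(node.left)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
            flagged = _is_sql_literal(node.func.value)
        if flagged:
            hits.add(node.lineno)
    return sorted(hits)


COMMON = {"password", "admin", "operator", "123456", "nuclear"}


def weak_password(secret: str) -> list:
    """Policy rules the password fails; an empty list means it is acceptable."""
    problems = []
    if len(secret) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if secret.lower() in COMMON:
        problems.append("in common-password list")
    return problems


# Constructed source under review: three injectable statements and one safe one.
SNIPPET = '''cur.execute(f"SELECT * FROM operators WHERE name = '{name}'")
cur.execute("SELECT * FROM operators WHERE name = '" + name + "'")
cur.execute("SELECT * FROM operators WHERE name = '{}'".format(name))
cur.execute("SELECT * FROM operators WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    print("injection points at lines", find_sql_injection_points(SNIPPET))
    print("weak password problems", weak_password("admin"))
```

The static rule is deliberately simple (it keys on SQL keywords inside string-building expressions), which is the trade-off real code rule checkers make as well: a few false positives are acceptable in exchange for never missing the f-string or concatenation pattern that creates the injection point.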
4.2 Network Transport Layer Test
The network transport layer mainly exchanges information in the form of data packets. The intruder's main methods are analysis and forgery after packet interception, traffic analysis, and so on, through which important information of the industrial control system can be obtained to varying degrees, or instructions and data transmissions can be forged. The test of the network transport layer mainly uses data encryption tests and dedicated or encrypted transport protocol tests to ensure that data packets cannot be analyzed or forged. At the same time, intrusion detection systems and protocol anomaly detection technologies are deployed for networks that carry important data communication externally [9].

4.3 Entity Layer Test
The software entity (including the application software and the system environment) is formed in the design and development stage and is exposed mainly to the following three intrusion methods. First, a developer can create a security hole in the software entity by implanting backdoors, Trojans, etc.; while the software is running, the pre-implanted vulnerability (Trojan, stack overflow) is used to obtain execution permission of the software or to directly destroy the running program. Second, an intruder who can obtain the executable program can recover the source code by reverse engineering and thereby further discover vulnerabilities of the software. Third, vulnerabilities of the system environment can be used to reach the application from the system.
The testing of the entity layer should start from the software development process. First, the software code is audited, backdoors, Trojans, etc. are searched for in the code, and the corresponding information security code rules are enforced to avoid possible SQL injection and stack overflow attack points. Second, reverse engineering tests are carried out on the executable program generated by compiling the code, and shell protection can effectively increase the difficulty of reverse engineering. Finally, a vulnerability scan of the system environment in which the software runs should be performed to remove weak points at the system level. In the V&V activities of the software development life cycle, the analysis of software security should be strengthened [10]. In addition, the recovery capability of the target system should be tested. For example, file backup, monitoring and recovery are a powerful online defense. If the system has been invaded, a strong "kill" strategy is not applicable to an industrial control system, because forcibly deleting or disabling suspicious files infected by a virus may affect system availability. File monitoring can instantly show files that have been modified, deleted or moved, and immediately replace them with the backup source files to restore the secure state.
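The file monitoring and restoration just described, as an added Python example that is not the paper's code: it hashes a protected tree into a baseline, classifies changes as modified, deleted, added or moved, restores the protected copy from a backup tree, and quarantines unexpected files instead of deleting them, in line with the availability concern above. Directory names, file names and file contents are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example, not code from the paper: a file-integrity monitor of the kind
# described above. It records a hash baseline, reports files that were modified,
# deleted, added or moved, and restores the protected tree from a backup copy
# without deleting anything (unexpected files are quarantined, since forced
# deletion can hurt availability). Layout and contents are constructed.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, expected: dict) -> dict:
    """Compare the tree with the baseline. A file whose hash vanished at one
    path and reappeared at another is reported as moved, not deleted + added."""
    current = baseline(root)
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    missing = [p for p in expected if p not in current]
    extra = [p for p in current if p not in expected]
    moved = []
    for old in list(missing):
        for new in list(extra):
            if current[new] == expected[old]:
                moved.append((old, new))
                missing.remove(old)
                extra.remove(new)
                break
    return {"modified": modified, "deleted": sorted(missing),
            "added": sorted(extra), "moved": sorted(moved)}


def restore(root: Path, backup: Path, quarantine: Path, report: dict) -> list:
    """Put back backup copies for modified, deleted and moved files; move files
    that are not in the baseline to quarantine. Returns the actions taken."""
    actions = []
    for rel in report["modified"] + report["deleted"] + [old for old, _ in report["moved"]]:
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
        actions.append(f"restored {rel}")
    for rel in report["added"] + [new for _, new in report["moved"]]:
        q = quarantine / rel
        q.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(q))
        actions.append(f"quarantined {rel}")
    return actions


def demo() -> tuple:
    """Builds a protected tree and its backup, tampers with it, then restores.
    Returns (report before restore, actions, report after restore)."""
    work = Path(tempfile.mkdtemp())
    root, backup, quarantine = work / "app", work / "backup", work / "quarantine"
    files = {"bin/ctrl.exe": b"control logic v1",        # constructed contents
             "cfg/setpoints.ini": b"[loop1]\nsp=300\n",
             "lib/proto.dll": b"protocol library"}
    for rel, data in files.items():
        for base in (root, backup):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    expected = baseline(root)
    # constructed tampering: edit a setpoint, delete the binary, move the library, drop a new file
    (root / "cfg/setpoints.ini").write_bytes(b"[loop1]\nsp=900\n")
    (root / "bin/ctrl.exe").unlink()
    (root / "lib/proto.dll").rename(root / "lib/proto_old.dll")
    (root / "bin/helper.exe").write_bytes(b"unknown payload")
    report = check(root, expected)
    actions = restore(root, backup, quarantine, report)
    return report, actions, check(root, expected)


if __name__ == "__main__":
    before, actions, after = demo()
    print(before)
    print(actions)
    print("clean after restore:", not any(after.values()))
```

The baseline and the backup tree must themselves live where the monitored system cannot write them; otherwise an intruder who alters a file can alter the record it is compared against.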
4.4 Enterprise Layer Test
The main intrusion method at the enterprise layer is social engineering. The personnel and equipment at the enterprise layer who hold the elements of industrial control information security and its management and technical systems are the main targets. Testing of the enterprise layer is mainly aimed at the information security capabilities of the personnel and equipment at this layer. Enterprise-layer personnel should understand the loopholes exploited by social engineering and defend consciously, and the equipment should be designed with confidentiality in mind.

4.5 Nuclear Power Plant Information Security Defense in Depth
For the defense of the information security of industrial control systems, multiple levels of defense should be deployed across the entire software life cycle, as shown in Fig. 2. First, the localization level of software should be improved, to fundamentally get rid of the dependence on foreign non-open-source systems and commodity-level software. Second, design, development and test personnel must master information security theory and offensive and defensive techniques, so that we know both ourselves and the adversary. Third, attention should be paid to software V&V over the whole life cycle [11], with emphasis on static testing [12] and security defense analysis in V&V activities. Fourth, defensive measures should be deployed at all levels of the information security model. Fifth, penetration testing should be carried out fully. Finally, personnel awareness of social engineering intrusion prevention should be comprehensively improved.
Fig. 2. Information security defense in depth (the figure lists six measures in sequence: improve the development of software; the ability of people in development and test; software V&V in the life cycle; defenses allocation; penetration test; the awareness of social engineering)
5 Conclusions

Based on the industrial control characteristics of the nuclear power plant instrument control system and its current information integration characteristics, this paper constructs an information security layered model of the nuclear power plant control system, and analyzes the test points and defense methods of each layer of information security by simulating intrusion. An information security defense strategy covering the software life cycle is proposed, providing a reference for the test ideas and design optimization of information security in industrial control systems.
References

1. Wei, K.-C., Li, B., et al.: Research on the planning of information security protection for industrial control system. Process Autom. Instrum. 36(02), 49–52 (2015)
2. Chen, J., Chu, X.-Q., et al.: Research on nuclear power plant digital instrumentation and control system cyber security. Instrumentation 24(02), 42–44 (2017)
3. Xia, D.-Y., Xu, Z., Xiang, Y., et al.: Cyber security analysis of reactor protection system. Nucl. Electron. Detect. Technol. 36(11), 1103–1107+1141 (2016)
4. Yin, B.-J., Ding, Y.-X., et al.: Research on security analysis method of digital I&C system used in NPP. Nucl. Sci. Eng. 36(03), 430–434 (2016)
5. Mao, L., Zheng, W., Zhang, S.-H.: Cyber security system development process in nuclear power plant. Autom. Panor. 06, 106–109 (2016)
6. Ou, H.-J.: Overview of research on the information security of industrial control system. Process Autom. Instrum. 38(07), 4–8 (2017)
7. Ma, B., Zhao, S.: Nuclear power industrial control system cyber security defense architecture design. Comput. Knowl. Technol. 14(03), 39–42+47 (2018)
8. Zhan, N.-S., Qiao, Z.-Y.: The research on information security protection of industrial control system. Cyberspace Secur. 8(12), 66–70 (2017)
9. Zhao, J., Gu, P.-F., et al.: Application of protocol anomaly detection technology in real time information system of nuclear power plant. Process Autom. Instrum. 36(02), 42–44 (2015)
10. Liang, H.-H., Gu, P.-F., Tang, J.-Z., et al.: The software security analysis for digital instrumentation and control systems of NPPs. Lect. Notes Electr. Eng. 455, 233–239 (2018)
11. Xi, W., Gu, P.-F., Liu, W., et al.: A study and application about software V&V requirement management scheme in digital RPS. Lect. Notes Electr. Eng. 455, 13–20 (2018)
12. Chen, W.-H., Bai, T., Gu, P.-F., et al.: Research on static testing of nuclear safety-critical software. Nucl. Sci. Eng. 36(03), 392–397 (2016)
Study and Implementation on General Operating Procedure of CPR1000 Main Control Room in China

Ji Shi1(&), Qing-Wu Huang2, Chuang-Bin Zhou2, Liang-Jun Xu2, and Hui Jiang1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
[email protected]
2 China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
Abstract. This paper focuses on the study and implementation of the General Operating Procedure (GOP) of the CPR1000 nuclear power plant control room in China. Hong Yan He Nuclear Power Plant (HYH NPP) represents the first standard-technology CPR1000 plants, based on the LING AO 3 & 4 nuclear plant project. Some technical improvements for the Main Control Room, such as the Computerized Operating Procedure System (COPS), Backup Panel (BUP), Large Display Panel (LDP), advanced alarm system and Safety Parameter Display System (SPDS), were implemented in the LING AO 3 & 4 NPP. The new development of the General Procedure of the CPR1000 Main Control Room is detailed in this paper. Meanwhile, new I&C systems provide new features that affect the control room operating concept, so a detailed analysis is required to take all operating and human factor aspects into consideration. Any control room modernization, such as COPS, that affects what information the operator sees or the system's response to a control input must be empirically evaluated to ensure that the new design does not compromise human-system interaction effectiveness. Based on experience with HYH NPP Units 1 & 2 in China, this paper presents the approach used as well as the most relevant aspects of this kind of project. This approach will be used in new nuclear power plants and in modernizing the I&C systems of currently operating plants, in order to meet safety requirements and the plant's operational requirements, to improve cost-effective plant and human performance, to reduce the likelihood of human errors, to gain the maximum benefit of the implemented technology and to increase performance, resulting in improved plant safety, availability, reliability and cost-effective operation.

Keywords: Human system interface · Advanced control room
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 90–100, 2020. https://doi.org/10.1007/978-981-15-1876-8_10
Study and Implementation on General Operating Procedure
91
1 Introduction

CGNPC has adapted the successful features of M310 reactors (French 2nd generation technology) to establish the Generation II+ CPR1000 technology. Generation II+ designs are being developed to satisfy the following key design goals:

• DCS + Advanced MCR,
• Half-speed steam turbine,
• Further enhanced safety,
• Lower cost/better economics, and
• Ease of operability/operations and maintenance.
The CPR1000 is an evolutionary product, starting with the strong base of the LINGAO 3 & 4 reactor technology, coupled with thoroughly demonstrated innovative features to enhance safety, economics, operability and maintainability. The CPR1000 redesign has evolved since the original M310 plants such as LingAo 1 & 2. A common theme is that all these plants have computer control and, as designs have evolved, an increasing degree of computer-generated “soft control” and seldom conventional “hard control”.

In earlier works, we have found that changes made to the Human System Interface (HSI) affect the way that information is presented to personnel [7]. For instance, rather than being presented via individual, spatially dedicated instruments, the information may be presented via computer-based video display units (VDUs). Computer-based systems provide the opportunity to automate various cognitive functions, such as computerized procedures, automatic diagnosis, advanced alarm processing systems, etc. These changes in automation can impact the role of plant personnel, as well as significantly affect individual and team performance [7].

Procedures are typically written documents (including both text and graphic formats) that present a series of decision and action steps to be performed by operators and other plant staff to accomplish a wide variety of tasks, from administration to testing and plant operation. The use of paper procedures in the control room causes some problems that should be considered even if they are infrequent. Sometimes steps are not signed off during an execution and, very rarely, the version in the control room is out of date or the copy is missing. Also, it takes time to find the copy to start a procedure or an auxiliary instruction, or to look up related documents. Paperwork is needed after the execution to archive it.
Computer-based procedures were developed to assist personnel by computerizing paper-based procedures, with the aim of increasing the likelihood that the goals of the procedures would be achieved more efficiently. Computerization can be applied to any procedures (e.g., emergency operating procedures, abnormal procedures, alarm procedures, normal operating procedures). Human factors engineering (HFE) principles should be systematically considered throughout the design and development process of COPS, including but not limited to the following:

• Prospective COPS users should be iteratively involved in the design process to ensure that their needs are adequately addressed,
• Human operators are responsible for the proper application of operating procedures. Thus, COPS should be designed and implemented such that human operators remain in command of the processes being operated,
92
J. Shi et al.
• The organization and structure of procedures on COPS should be compatible with the organization and structure of currently used paper-based procedures,
• COPS with sufficient capability may evaluate the logical conditions of one or more procedure steps, if the results in each case are fully determined by the step logic and the available process data. Steps with elements not fully determined will require a decision to be made by the operator. COPS should not make such decisions.
• Results produced by COPS evaluation should be the same as those expected from operator evaluations of the same steps.
• Loss of COPS should not affect the operator's ability to safely operate the plant.

For the purposes of this guide, three types of COPS are identified, based on successive levels of functional capability. The capability of each type is assumed to include the capabilities of the simpler types. Thus, a Type 2 system should address both Type 1 and Type 2 guidance, and a Type 3 system should address the guidance for Type 1, Type 2, and Type 3 systems (see Table 1). Type 1 systems represent procedure text documents for operational use on a computer-generated visual display. Type 2 systems use dynamic process data for embedded display, to evaluate conditions or procedure logic, or to monitor plant conditions during procedure-defined intervals of applicability. Type 2 COPS cannot issue control commands, but they may provide access to soft control capabilities that exist outside of the COPS.

Table 1. Computerized procedure types according to IEEE 1786

Capability | Paper | COPS Type 1 | COPS Type 2 | COPS Type 3
Select and display procedure on computer screen | – | √ | √ | √
Provide navigation links within or between procedures | – | √ | √ | √
Display process data in the body of procedure steps | – | – | √ | √
Process step logic and display results | – | – | √ | √
Provide access links to process displays and soft controls that reside on a separate system | – | – | √ | √
Provide embedded soft controls | – | – | – | √
On operator command, initiate procedure-based automation | – | – | – | √
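To make the step-logic rule above concrete, here is an added Python sketch (not code from the paper or from IEEE 1786) of how a Type 2 COPS can evaluate step conditions against live process data while still leaving every step that the data do not fully determine, and every control action, to the operator. Step numbers, tag names, quality flags and process values are constructed; the Type 1/2/3 distinction follows Table 1.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Added example, not from the paper or IEEE 1786: a minimal model of step-logic
# evaluation in a computerized procedure. Step texts, tag names and values are
# constructed for the example.


class Verdict(Enum):
    SATISFIED = "satisfied"
    NOT_SATISFIED = "not satisfied"
    OPERATOR_DECISION = "operator decision required"


@dataclass(frozen=True)
class Condition:
    tag: str      # process data point (constructed tag names below)
    op: str       # one of <, <=, >, >=, ==
    limit: float


@dataclass
class Step:
    number: str
    text: str
    conditions: list = field(default_factory=list)
    logic: str = "all"                     # "all" or "any" of the conditions
    judgement: bool = False                # needs a judgement process data cannot settle
    control_action: Optional[str] = None   # soft-control command named by the step


OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def evaluate_step(step: Step, data: dict) -> Verdict:
    """data maps tag -> (value, quality). The step is decided only when the
    good-quality values and the step logic fully determine the result; a
    missing or bad-quality point that could still change the outcome, or a
    judgement element, hands the step to the operator."""
    if step.judgement or not step.conditions:
        return Verdict.OPERATOR_DECISION
    known, undetermined = [], False
    for c in step.conditions:
        point = data.get(c.tag)
        if point is None or point[1] != "good":
            undetermined = True
            continue
        known.append(OPS[c.op](point[0], c.limit))
    if step.logic == "all":
        if any(r is False for r in known):
            return Verdict.NOT_SATISFIED      # one false condition settles "all"
        return Verdict.OPERATOR_DECISION if undetermined else Verdict.SATISFIED
    if any(known):
        return Verdict.SATISFIED              # one true condition settles "any"
    return Verdict.OPERATOR_DECISION if undetermined else Verdict.NOT_SATISFIED


def issue_control(cops_type: int, step: Step, operator_command: bool) -> str:
    """Type 1 and Type 2 COPS never issue commands (Table 1); Type 3 may
    initiate the step's action, but only on explicit operator command."""
    if step.control_action is None:
        return "no control action in this step"
    if cops_type < 3:
        return "COPS cannot issue commands; open the external soft control for " + step.control_action
    if not operator_command:
        return "waiting for operator command"
    return f"issued {step.control_action}"


# Constructed steps and process snapshots
STEP_BOTH = Step("G1.3", "Hot leg temperature below 600 K and RCS pressure above 150 bar",
                 [Condition("T_HL", "<", 600.0), Condition("P_RCS", ">", 150.0)])
STEP_EITHER = Step("G1.4", "Either condition of G1.3", STEP_BOTH.conditions, logic="any")
STEP_JUDGE = Step("G1.5", "Confirm local indication with field operator", judgement=True)
STEP_ACT = Step("G1.6", "Start charging pump", [Condition("P_RCS", "<", 150.0)],
                control_action="START RCV001PO")

GOOD = {"T_HL": (590.0, "good"), "P_RCS": (155.0, "good")}
BAD_QUALITY = {"T_HL": (590.0, "good"), "P_RCS": (155.0, "bad")}
HOT_ONLY = {"T_HL": (610.0, "good")}

if __name__ == "__main__":
    for step, data in ((STEP_BOTH, GOOD), (STEP_BOTH, BAD_QUALITY), (STEP_BOTH, HOT_ONLY),
                       (STEP_EITHER, HOT_ONLY), (STEP_JUDGE, GOOD)):
        print(step.number, evaluate_step(step, data).value)
    print(issue_control(2, STEP_ACT, True))
```

The three-valued outcome is the point: a Type 2 system that returned plain true/false would be making the decision IEEE 1786 reserves for the operator whenever a data point is missing or of bad quality.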
2 General Operating Procedure of CPR1000 Main Control Room

The COPS functionality, and the way this functionality is employed in the design and by the operating crew, can have an impact on the roles, responsibilities, and interactions of the crew members. Of course, the design of the overall control room, the arrangement of the operators' workstations, and the design of the associated system interfaces also play an important role here. However, the focus of this discussion is on the implementation of different levels of COPS and their interaction with the crew organization, roles and responsibilities, and overall concept of operations. COPS should be considered an operator aid for operating the plant, and loss of an aid should not prevent the operator from performing required actions. Failure of COPS should not have any impact on control systems. The CPR1000 COPS design has been applied to the LingAo 3 & 4 units, HYH NPP units 1 & 2, NINGDE NPP units 1 & 2 and YANGJIANG NPP units 1, 2, 3 & 4. It is mainly designed for MCR operating staff and their operating procedures, such as the General Operating Procedure (GOP), Abnormal Operating Procedure (AOP) and Emergency Operating Procedure (EOP). It is widely known that COPS helps decrease operator human error by collecting the proper information, monitoring procedure status and providing the next instructions or actions.

2.1 Structure and Operating Means
The CPR1000 GOPs comprise the G (Nuclear Island), GS (Conventional Island), D (Refueling outage) and I (Abnormal) procedures, which are divided into five functional areas: reactor start-up, reactor trip, primary circuit general operation, secondary circuit general operation and abnormal operation. A GOP may provide different levels of functionality, ranging from a translation of the traditional procedure for use on a VDU to a system that integrates process information (e.g. real-time state graphics linked to the appropriate procedure), equipment information and alarms with the procedure steps, and provides control and automation features to aid the execution of tasks. Navigation links between the computerized procedures and the displays, according to the functional requirement, are very convenient. A strategy for producing the computerized operating modes (MOPS) and the overview operating methods (computerized or paper-based) should be provided for CPR1000. Paper-based procedures are still kept for BUP operation. Compared with the traditional paper procedures, the computerized systems offer major advantages such as surveillance of equipment and key parameters, monitoring support, fast navigation into and between procedures and enhanced integrated document management. Paper waste is also minimized and paperwork hours can be reduced. The use of new digital I&C systems in the design of new nuclear power plants, as well as in the modernization of existing ones, implies relevant changes in the control room and human-system interface design.
Meanwhile, new I&C systems provide new features that affect the control room operating concept, so a detailed analysis is required that takes into consideration all the operating and human-factor aspects (Fig. 1):
– Integrated display of dynamic plant data
– Display of relevant indications either directly in the procedure itself or on another display page or section of the display
– Access to soft controls via links to an applicable system interface outside the GOP
– Evaluation of step logic and display of the results to support operator decision making
– Tracking of initial conditions over multiple steps
– Context-sensitive aids for making branching decisions
– Cautions or warnings based on current and/or changing plant conditions
J. Shi et al.

Fig. 1. Structure of GOP operating means (blocks: General Procedure, General Procedure Index, Navigation, System Display, Status Display, Function Display, Alarms, MOPs)
2.2 Navigation

In earlier work, we found that computer-based procedures have the potential to greatly support crew performance. Computerizing tasks such as data gathering, monitoring of steps of continuous applicability, and keeping track of procedure navigation paths allows the crew to devote more attention to achieving the goals of the procedure [7]. Since computer-based procedures alter the level of task automation, they have a direct impact on crew member roles and responsibilities. When the procedures involve significant operations, such as emergency response, the concept of operations will be altered, and the new roles and responsibilities should be addressed and evaluated as part of computer-based procedure design and implementation. Changes to the mode of interaction and degree of automation of users' tasks may require existing function allocations or task analyses to be updated or reconsidered [7] (Fig. 2).

Fig. 2. Example of GOP navigation (screen of procedure D10 "Reactor vessel head closure and filling of reactor coolant system", Unit 3, Rev. A, page 2/5: numbered steps 3.1 to 3.4 with equipment tags such as RCP004YCD, RRA001YCD and PTR001YCD, and navigation links to D10-PAGE1 to D10-PAGE5)

2.3 Data Integrity and Monitoring
It is generally accepted that computers are well-suited to such tasks as monitoring, display, and logical evaluation of real-time data. COPS should provide monitoring and status indication for any step with extended or continuous applicability, while that step remains active (Figs. 3 and 4).
Fig. 3. Example of GOP data monitoring
Fig. 4. Example of GOP alarm monitoring
2.4 Computerized Operating Modes
The five functional areas (reactor start-up, reactor trip, primary circuit general operation, secondary circuit general operation and abnormal operation) consist of different MOPS, which are linked with the overview operating methods (computerized or paper-based) corresponding to the operating tasks (Fig. 5).
Fig. 5. Example of GOP MOPS
2.5 Document Management

Document management is a key factor for the success of the GOP, as it is directly connected to maintainability: the procedures need to be changed often. Procedure changes can be made with external software (e.g. Adobe Dreamweaver) or with an internal tool of the system. A paper copy should be printed automatically and carried to the back-up controlled copy in the main control room. All execution reports should be available for queries and as an operator experience logbook. The main structure of the GOP is separated from the operating modes, which makes it much easier to change quickly the procedures affected by plant design modifications (Fig. 6).
Fig. 6. Example of GOP document management (directory tree: Normal_operating_instruction with System, cssfile (Blank.html, topstyle.css, leftstyle.css, sheetstyle.css, modestyle.css), Normal (Primary_side, Secondary_side, Auxiliary_system, Ventilation_system, Waste_collect_treatment, List_sys.html) and General (Normal, D_DOWN, D_UP, G, GS, Abnormal, I, List_gen.html))
3 Human Factor Engineering

Human factors engineering follows the standards IEC 61839, IEC 1771 and IEC 1772, IEEE Std 1023-2004 and NUREG-0800/0700/0711. Because of the relationship between human factors and the HSI, evaluation on a real-time simulator is preferred, including validation of the performance of the intelligent elements and observation of the operators' response times. HSI design must address human factors and the evaluation of efficacy (Fig. 7). The project verification and validation plan should include:
1. Verifying that the text of the procedures is exactly the same as in the paper procedures
2. Human factors engineering verification according to IEC/NUREG recommendations
3. Task analysis
4. Testing of the procedure editing tools
5. System validation on the full-scope simulator with real operating staff
6. Factory acceptance tests
7. Site acceptance tests
8. System availability tests
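Section 2.5 allows the HTML procedure files to be edited with external software, and item 1 of the V&V plan requires the on-screen text to be identical to the approved paper text. The check a practitioner wants between those two facts is a release manifest plus a text comparison, so that any file changed, added or removed after release, or any wording that drifted from the approved text, is flagged before the procedure set is installed in the MCR. The following is an added example (not code from the paper or the CPR1000 system): it hashes a released procedure tree, compares it with what is installed, and extracts the visible text of each HTML procedure for comparison with the approved wording. File names follow the layout of Fig. 6; the step text and the tampering (27 bar edited to 28 bar, plus an unreleased draft file) are constructed for the example.

```python
import hashlib
import re
from html.parser import HTMLParser
from typing import Dict

# Constructed sample files. Paths follow the layout of Fig. 6; the step text is invented.
RELEASED_FILES: Dict[str, bytes] = {
    "General/G/G1.html": (b"<html><head><style>p{margin:0}</style></head><body>"
                          b"<p class='step'>3.1 Verify RCP pressure below <b>27</b> bar.</p>\n"
                          b"<p class='step'>3.2 Start the charging pump.</p></body></html>"),
    "General/List_gen.html": b"<html><body><a href='G/G1.html'>G1</a></body></html>",
}
# Approved wording of each procedure (what the paper copy says).
APPROVED_TEXT: Dict[str, str] = {
    "General/G/G1.html": "3.1 Verify RCP pressure below 27 bar. 3.2 Start the charging pump.",
}
# What is actually installed on the COPS: G1 edited by hand (27 -> 28 bar) and an extra draft file.
INSTALLED_FILES: Dict[str, bytes] = {
    "General/G/G1.html": RELEASED_FILES["General/G/G1.html"].replace(b"<b>27</b>", b"<b>28</b>"),
    "General/List_gen.html": RELEASED_FILES["General/List_gen.html"],
    "General/G/G2.html": b"<html><body><p>unreleased draft</p></body></html>",
}


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per file; the released manifest is what gets stored (and ideally signed) at release."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Change-control view of the installed tree relative to the released one."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


class _VisibleText(HTMLParser):
    """Collects text nodes, skipping <script>/<style> contents."""
    def __init__(self) -> None:
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: bytes) -> str:
    """Text an operator would read on screen, with whitespace normalized."""
    p = _VisibleText()
    p.feed(html.decode("utf-8"))
    p.close()
    return re.sub(r"\s+", " ", " ".join(p.parts)).strip()


def text_matches_paper(html: bytes, approved: str) -> bool:
    """V&V item 1: the procedure text shown on screen must equal the approved (paper) text."""
    return visible_text(html) == re.sub(r"\s+", " ", approved).strip()


def audit(installed: Dict[str, bytes], released: Dict[str, bytes], approved: Dict[str, str]) -> Dict[str, list]:
    """Combine the manifest diff with the text check; an empty report means the tree is releasable."""
    report = compare_manifests(manifest(released), manifest(installed))
    report["text_mismatch"] = sorted(p for p, t in approved.items()
                                     if p in installed and not text_matches_paper(installed[p], t))
    return report


if __name__ == "__main__":
    for key, paths in audit(INSTALLED_FILES, RELEASED_FILES, APPROVED_TEXT).items():
        print(f"{key}: {paths}")
```

The text comparison joins text nodes with a space and then collapses whitespace, which is enough for block-level markup; an inline tag with no surrounding whitespace would need a stricter join. In practice the released manifest would be produced by the procedure editing tool at release and checked again at site acceptance.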
Fig. 7. V&V activities for COPS
3.1 Commissioning Test Results

Twenty general operating procedures (G/GS/D/I) were computerized, including 240 operating modes and 84 related displays (status displays, system displays and function displays). Human factors engineering (HFE) principles should be considered systematically throughout commissioning testing, including but not limited to the following (Table 2):
• Checking the computerized procedure on the computer screen.
• Checking the navigation links within or between procedures.
• Checking the display of process data in the body of procedure steps.
• Checking the processing of step logic and the display of results.
• Checking the access links to process displays and soft controls that reside on a separate system.
Table 2. Commissioning test table

Commissioning procedure (ENS)   Content                                               Corresponding general procedure (D)   Title
ENS 21                          Primary circuit cold test                             D26                                   Primary circuit hydrostatic test
…                               …                                                     …                                     …
ENS 23 §6.1.9.2                 RRA static discharge, dynamic exhaust                 D9 §3.1.2/3.1.3                       Preloading - water filling, exhaust
ENS 23 §6.2.2                   Charging pump start, RCV start until low pressure     D10 §3.3.5                            Dome hoisting and RCP water filling
ENS 23 §6.2.4                   Drain control valve control of RCP pressure           D10 §3.9.2                            Dome hoisting and RCP water filling
3.2 Application Results

The first fuel loading cycle of LingAo 3 & 4 began on August 26, 2011. The units were brought down to the low-low level of the primary circuit using GOPs D1 to D6 by September 7, 2011, and the containment squeeze test was then carried out using GOP D7 until October 8, 2011. After that, GOPs D9 to D15 were used to reach grid connection successfully on November 11, 2011, 79 days in total. Fangchenggang 1 & 2 nuclear power plant also completed its first fuel loading cycle on March 27, 2017. These implementations show that the CPR1000 GOP meets the safety requirements and the plant's operational requirements, improves plant cost-effectiveness and human performance, reduces the likelihood of human error, and gains the maximum benefit of the implemented technology, resulting in improved plant safety, availability, reliability and cost-effective operation.
4 Conclusions

The CPR1000 GOP design is based on the LingAo 3 & 4 MCR, with further upgrades to meet customer needs with respect to the key design goals discussed above. A conceptual assessment of the CPR1000 GOP has been completed, focusing on human factors design. Technical improvements for the main control room will be developed for the CPR1000 units through close cooperation with other domestic design and research institutes and the DCS supplier. This study is technical support to be used by the designers to complete the detailed design of the GOP in CPR1000 unit projects.
References
1. HAF 102: Nuclear Power Plant Design Safety Requirements
2. IEEE Std 1786: IEEE Guide for Human Factors Applications of Computerized Operating Procedure Systems (COPS) at Nuclear Power Generating Stations and Other Nuclear Facilities
3. NUREG-0700: Human-System Interface Design Review Guidelines
4. Ji, S., Mingyu, J., Yunqin, M.: Redundancy and defense-in-depth for instrument and control systems and main control room of NPP. In: The 15th Conference on Electric Power Supply Industry (CEPSI), vol. 10 (2004)
5. Ji, S., Pechuzal, F., et al.: Study on technical improvements for SOP of LINGAO 3&4 under construction in China. In: 5th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, NPIC & HMIT 2006, vol. 11 (2006)
6. Ji, S.: Study on technical improvements for six safety state functions monitoring during emergency operation of LINGAO 3&4 under construction in China. In: ISSNP (2008)
7. Ji, S., Xu, X., et al.: Study on technical improvements for human system in the main control room. In: Proceedings of the 18th International Conference on Nuclear Engineering, ICONE18, vol. 5 (2010)
8. Ji, S., Jiang, G., et al.: Technical improvements for human machine interface in the digital control system of LINGAO 3&4. In: 7th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, NPIC & HMIT 2010, vol. 11 (2010)
9. Ji, S., Zhang, J., et al.: Development of technical improvements for CPR1000 advanced main control room in China. In: 8th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, NPIC & HMIT 2012, vol. 7 (2012)
10. Ji, S.: Design and modernization of nuclear power plant control room and human-system interface in LINGAO NPP Units 3&4. In: 9th American Nuclear Society International Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, NPIC & HMIT 2015, vol. 2 (2015)
11. Ji, S., Liu, Q.: Study on main control room and human-system interface of generation III in China. In: 10th International Conference on Nuclear Plant Instrumentation, Control & Human-Machine Interface Technologies (NPIC & HMIT 2017) (2017)
Inductive Displacement Sensors Based on the Integrated Demodulation Chip Ya-Ting Liu, Kai Zhang(&), and Yang Xu The Department of Engineering Physics, Tsinghua University, Beijing 100084, China [email protected]
Abstract. As an important component of a high-speed active magnetic bearing (AMB) system, a non-contact displacement sensor has an important impact on the overall performance of the system. A traditional inductive displacement sensor demodulation circuit built from discrete components has a high cost and occupies a large area. In order to develop a low-cost, highly integrated demodulation design for an inductive displacement sensor, this paper takes the integrated synchronous demodulation chip as the core, performs the hardware design and manufacturing, software development and circuit debugging, builds a test platform for the inductive displacement sensor and carries out evaluation experiments of the integrated synchronous demodulation design. The experimental results show that the linearity between the output of the synchronous demodulation chip and the rotor displacement was 2.187%, the sensitivity was 2.9185 V/mm and the minimum resolution was 1 µm, which meets the displacement detection requirements of general AMB systems.

Keywords: Active magnetic bearing · Inductive displacement sensor · Synchronous demodulation · ADA2200
1 Introduction

With their inherent safety and high power-generation efficiency, high-temperature gas-cooled reactors are expected to become a fourth-generation advanced nuclear energy system and have been listed in the National Major Project. Replacing the original steam turbine cycle, the direct-cycle helium turbine power generation system can effectively improve the generation efficiency and simplify the system structure of the high-temperature gas-cooled experimental reactor, which brings obvious economic advantages and favourable industrial prospects. Ordinary oil-lubricated bearings cannot meet the cleanliness requirements of the primary circuit of high-temperature gas-cooled reactors, whereas magnetic suspension bearings, with non-contact and lubrication-free operation, have high application value [1]. As one of the main components of a magnetic bearing system, the displacement sensors directly affect the suspension accuracy of an AMB-controlled rotor. An accurate and reliable displacement sensor is necessary for system stability [2–4]. The most widely used displacement sensors in AMB systems are eddy-current displacement sensors and inductive displacement sensors [5–7]. An eddy-current displacement sensor has the advantages of small size, high sensitivity and high linearity, which generally meet the requirements of a magnetic bearing system, but its nonlinearity, high temperature drift and high sensitivity to the tested material restrict its application. An inductive displacement sensor, on the one hand, can meet the system requirements for non-contact displacement measurement with its good sensitivity, linearity, resolution and bandwidth; on the other hand, it is insensitive to environmental factors such as oil contamination and water. Moreover, an inductive sensor can transmit signals over long distances without front-end circuitry on the probe side. Here we choose to study an inductive displacement sensor in an AMB system.

© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 101–111, 2020. https://doi.org/10.1007/978-981-15-1876-8_11
2 Design and Principle

2.1 Sensor Principle

Through electromagnetic induction, an inductive sensor converts the displacement of a rotor into a change of self-inductance or mutual inductance, which can in turn be converted into a measurable voltage or current, completing the conversion of displacement into an electrical quantity. With a single coil in the circuit, the resolution of an inductive sensor system is sensitive to noise and its linearity is poor. A differential inductive displacement sensor structure improves system performance. The basic structure of a differential self-inductance sensor is illustrated in Fig. 1.
Fig. 1. Basic structure of a differential self-inductance sensor
When working, with $d_0$ the nominal air gap and $\Delta d$ the rotor displacement:

$$L_1 = L_0\left[1 + \left(\frac{\Delta d}{d_0}\right) + \left(\frac{\Delta d}{d_0}\right)^2 + \cdots + \left(\frac{\Delta d}{d_0}\right)^n + o\!\left(\left(\frac{\Delta d}{d_0}\right)^n\right)\right] \quad (1)$$

$$L_2 = L_0\left[1 - \left(\frac{\Delta d}{d_0}\right) + \left(\frac{\Delta d}{d_0}\right)^2 - \cdots + (-1)^n\left(\frac{\Delta d}{d_0}\right)^n + o\!\left(\left(\frac{\Delta d}{d_0}\right)^n\right)\right] \quad (2)$$

Output inductance (ignoring higher-order terms):

$$\Delta L = L_1 - L_2 = 2L_0\left[\left(\frac{\Delta d}{d_0}\right) + \left(\frac{\Delta d}{d_0}\right)^3 + o\!\left(\left(\frac{\Delta d}{d_0}\right)^3\right)\right] \approx 2L_0\,\frac{\Delta d}{d_0} \quad (3)$$

The sensitivity:

$$k_0 = \frac{\Delta L / L_0}{\Delta d} = \frac{2}{d_0} \quad (4)$$
It is obvious that the output inductance and the input displacement of the differential self-inductance sensor have a better linear relationship, and that the sensitivity of the differential self-inductance sensor is twice that of a single-coil sensor.

2.2 Synchronous Demodulation
To measure the tiny sensor signal accurately in the presence of noise, the modulated output voltage of the displacement sensor must be demodulated. Besides multiplicative synchronous demodulation, ratiometric (division) synchronous demodulation can also be applied to sensors. For example, in [8] the AD698 was used with an LVDT (Linear Variable Differential Transformer) to obtain a displacement sensor with a sensitivity of up to 25.16 V/mm. But the AD698 only operates from 20 Hz to 20 kHz, which cannot meet the requirements of higher-frequency signal measurement, and it is expensive. Here we choose multiplicative synchronous demodulation, whose schematic is illustrated in Fig. 2.

Fig. 2. Schematic of synchronous demodulation (an input signal of amplitude A at f_m is multiplied by a reference signal of amplitude B at f_r; the product has components at 0 and 2f_m, and the LPF passes only the component at 0 as the filtered output signal)
Suppose the input signal's carrier frequency is $f_m$ and its amplitude is $A$, while the reference signal's carrier frequency is $f_r = f_m$ and its amplitude is $B$. The output of the demodulation (the product of the two signals) is:

$$A\sin(2\pi f_m t)\cdot B\sin(2\pi f_r t) = \frac{1}{2}AB - \frac{1}{2}AB\cos(4\pi f_m t) \quad (5)$$
The reference signal moves the input signal to a frequency band with lower noise, where a simple low-pass filter can remove most of the undesired noise, so the sensitivity can be improved effectively.

2.3 ADA2200
The ADA2200 is a synchronous demodulator that uses Sampled Analog Technology (SAT) [9]. Compared with adding a digital signal-processing module to the circuit, applying SAT to process the analog signals directly reduces sensor complexity. As shown in Fig. 3, when the switch is turned on under the control of the digital input, the analog input signal charges the capacitor and accumulates a quantity corresponding to the product of the digital data and the analog data, realizing the multiplication of the signals in the analog domain. This technology is applied in the low-pass filter of the ADA2200.
Fig. 3. Simplified diagram of the switched capacitor circuit
The detailed functional block diagram is shown in Fig. 4; the ADA2200 includes an analog-domain low-pass decimation filter, a programmable IIR filter, a mixer function and a differential pin driver.
Fig. 4. Functional block diagram of ADA2200
CLKIN is the external master clock; together with the clock divider it determines the input sampling frequency (Fig. 5).
Fig. 5. Output sample timing relative to RCLK
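Equation (5) of Sect. 2.2 and the averaging that follows it can be worked through numerically. The block below is an added example (not code from the paper, and not a model of the ADA2200's internal filter): it builds a constructed 20 kHz sensor signal sampled at the 160 kHz rate the paper uses for SYNCO, multiplies it by a reference locked to the same clock, and averages over whole carrier periods, which removes the $2f_m$ term of eq. (5) exactly. It also shows the two things a practitioner must check on such a circuit: the recovered amplitude scales with $\cos$ of the phase error between input and reference (so the phase adjustment mentioned in Sect. 3 is not optional), and its sign flips when the coil signal inverts, which is how the demodulator tells the two sides of the rotor apart. Signal amplitudes, phases and the noise level are assumptions of the example.

```python
import math
import random

FS = 160_000.0                       # sample rate: SYNCO in the paper runs at 160 kHz
F_M = 20_000.0                       # excitation / carrier frequency: 20 kHz
SAMPLES_PER_PERIOD = int(FS / F_M)   # 8 samples per carrier period


def constructed_input(amp, phase_deg, n_periods, noise_sigma, seed=1):
    """Constructed sensor signal: A*sin(2*pi*f_m*t + phi) plus white noise.
    A negative amplitude (or a 180 degree phase) models the rotor on the other side of centre."""
    rng = random.Random(seed)
    phi = math.radians(phase_deg)
    return [amp * math.sin(2 * math.pi * F_M * k / FS + phi) + rng.gauss(0.0, noise_sigma)
            for k in range(n_periods * SAMPLES_PER_PERIOD)]


def reference(b, n):
    """B*sin(2*pi*f_r*t) with f_r = f_m, derived from the same clock (RCLK) as the excitation."""
    return [b * math.sin(2 * math.pi * F_M * k / FS) for k in range(n)]


def demodulate(samples, ref):
    """Eq. (5): the product is AB/2 - (AB/2)cos(4*pi*f_m*t). Averaging over a whole number of
    carrier periods is the low-pass filter: it cancels the 2*f_m term exactly and averages down
    noise that is not coherent with f_m. Returns (AB/2)*cos(phase error)."""
    if len(samples) % SAMPLES_PER_PERIOD:
        raise ValueError("window must span an integer number of carrier periods")
    return sum(x * r for x, r in zip(samples, ref)) / len(samples)


def recover_amplitude(samples, ref, b):
    """A = 2*(AB/2)/B. Negative values mean the rotor is on the other side of centre."""
    return 2.0 * demodulate(samples, ref) / b


def naive_peak(samples):
    """Comparison: amplitude taken from the largest sample, which any noise spike inflates."""
    return max(abs(x) for x in samples)


def run(phase_deg=0.0, noise_sigma=0.0, amp=1.0, b=1.0, n_periods=100):
    """Return (synchronously demodulated amplitude, naive peak estimate) for one constructed case."""
    x = constructed_input(amp, phase_deg, n_periods, noise_sigma)
    return recover_amplitude(x, reference(b, len(x)), b), naive_peak(x)


if __name__ == "__main__":
    for phase in (0.0, 90.0, 180.0):
        print(f"phase {phase:5.1f} deg, no noise: A = {run(phase)[0]:+.3f}")
    est, peak = run(0.0, 0.5)
    print(f"phase 0, noise sigma 0.5: demodulated A = {est:+.3f}, naive peak = {peak:.3f}")
```

With the reference in quadrature (90°) the output collapses to zero, which is why the signal-processing stage in Sect. 3 adjusts the phase so that the ADA2200 samples at the sine peak. Averaging over 100 periods (5 ms at 20 kHz) reduces white noise by a factor of about 28, while the naive peak estimate gets worse as noise increases.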
3 Hardware Design

The measuring circuit of the inductive displacement sensor based on the ADA2200 consists of three parts: the driving module, the processing module and the demodulation module. The circuit structure is shown in Fig. 6.

Fig. 6. Simplified structure of the hardware circuit (Driving Circuit → Driving Signals → coil → Input Signal → Signal Processing → Processed Signal → Signal Demodulation (ADA2200) → ADC → Digital Signal; the ADA2200 provides RCLK to the driving circuit and SYNCO to the ADC)
Controlled by the FPGA, the ADA2200 provides the drive reference for the coil, provides a synchronizing signal for the ADC, and demodulates the signals that carry the displacement information. The coil-driving module converts the RCLK signal into sinusoidal signals that drive the inductor coil through a power operational amplifier. The amplitude of the voltage signal output from the coil centre tap is proportional to the displacement of the rotor from the centre position. The signal is processed by a signal-processing circuit to remove high- and low-frequency noise, and its phase is adjusted so that the ADA2200 output sampling point falls on the peak of the sine wave. The ADA2200 demodulates the filtered signal and outputs it to the ADC circuit, which acquires the signal under the control of the FPGA.
4 Software Design

Quartus II, the FPGA development software, is a powerful programmable-logic design environment that covers program design, verification, simulation, etc. In this design, once the board is powered on, the FPGA configures the ADA2200 registers into the expected state and then drives the ADC chip to acquire synchronous data.

4.1 The Configuration of the ADA2200
The chip configuration, including the selection of the clock source and of the operating mode, is done by writing the ADA2200 registers over the serial interface pins CS, SCLK and SDIO. The timing diagram of the ADA2200 serial port is shown in Fig. 7 and the flow chart in Fig. 8. After the chip-select signal CS is pulled from logic high to logic low, SDIO carries the data bits on the following 24 rising edges of SCLK.
Fig. 7. Serial port interface timing
Fig. 8. Work flow chart of the serial port (Start → wait until CS falls from 1 to 0 → on each rising edge of SCLK, shift in SDIO: R/W = 1, A14–A0 = register address, D7–D0 = serial data → End)
As soon as the board powers up, the FPGA initializes the ADA2200: (1) select the clock source, configuring the ADA2200 to receive the external 1.28 MHz clock on the CLKIN pin as the system clock; (2) set up the demodulation control on the ADA2200. To adjust the phase difference between RCLK and the control signal, a 0° or 90° phase can be selected: with 0° phase, the demodulated output is updated four times while RCLK is high and the last value is held while RCLK is low; with 90° phase the relationship is reversed.

4.2 Data Collecting of the ADC
During collection and processing of the data, the ADC, under the control of the FPGA, samples the output of the ADA2200 on the synchronizing signal (SYNCO) while the RCLK signal is high. The collected data is stable and can be used to calculate the rotor displacement.
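The serial-port exchange of Sect. 4.1 has two sides: the FPGA master that lowers CS and clocks out 24 bits, and the chip that shifts them in on rising SCLK edges and commits the write. The following is an added example (not the paper's FPGA code, and not Analog Devices' reference code) that builds the 24-bit frame in the layout drawn in Fig. 8 and models both sides bit by bit, including the two edge cases a bit-banged implementation gets wrong most often: edges arriving while CS is high must be ignored, and a transfer aborted by CS going high must not leave stale bits in the shift register. The R/W bit value follows Fig. 8 (R/W = 1), and the register addresses and values in the power-up sequence are placeholders, not the ADA2200 register map; both must be confirmed against the datasheet before use on hardware.

```python
from typing import Dict, List, Tuple

# Frame layout as drawn in Fig. 8: after CS falls, 24 bits are clocked in MSB first on rising
# edges of SCLK: R/W, A14..A0 (register address), D7..D0 (data). Fig. 8 shows R/W = 1 for the
# configuration writes; confirm that polarity against the ADA2200 datasheet before relying on it.
WRITE_RW = 1


def build_frame(addr: int, data: int, rw: int = WRITE_RW) -> int:
    """Pack R/W, 15-bit address and 8-bit data into one 24-bit word."""
    if rw not in (0, 1) or not 0 <= addr < (1 << 15) or not 0 <= data < (1 << 8):
        raise ValueError("field out of range")
    return (rw << 23) | (addr << 8) | data


def frame_bits(frame: int) -> List[int]:
    """Bits in the order they appear on SDIO (MSB first)."""
    return [(frame >> i) & 1 for i in range(23, -1, -1)]


class SerialPortModel:
    """Receiving side: SDIO is ignored while CS is high; while CS is low each rising SCLK edge
    shifts one bit in, and after 24 bits the access is decoded and a write is committed."""

    def __init__(self) -> None:
        self.regs: Dict[int, int] = {}
        self.log: List[Tuple[int, int, int]] = []   # decoded (rw, addr, data) accesses
        self.cs = 1
        self.shift = 0
        self.nbits = 0

    def set_cs(self, level: int) -> None:
        if self.cs == 1 and level == 0:              # falling edge starts a fresh transfer
            self.shift, self.nbits = 0, 0
        self.cs = level

    def sclk_rising(self, sdio: int) -> None:
        if self.cs:
            return                                   # not selected: edge ignored
        self.shift = ((self.shift << 1) | (sdio & 1)) & 0xFFFFFF
        self.nbits += 1
        if self.nbits == 24:
            rw, addr, data = self.shift >> 23, (self.shift >> 8) & 0x7FFF, self.shift & 0xFF
            self.log.append((rw, addr, data))
            if rw == WRITE_RW:
                self.regs[addr] = data
            self.shift, self.nbits = 0, 0


def write_register(port: SerialPortModel, addr: int, data: int) -> None:
    """Master (FPGA) side of one write: CS low, 24 bits MSB first on SCLK rising edges, CS high."""
    port.set_cs(0)
    for bit in frame_bits(build_frame(addr, data)):
        port.sclk_rising(bit)
    port.set_cs(1)


# Placeholder power-up sequence in the shape of Sect. 4.1 (addresses and values are NOT the real
# ADA2200 register map): select the external CLKIN clock, then the demodulation phase.
POWER_UP_SEQUENCE = [(0x0010, 0x01), (0x0011, 0x00)]


def configure(port: SerialPortModel, sequence=POWER_UP_SEQUENCE) -> Dict[int, int]:
    """Replay the power-up writes and return the register image the chip model holds."""
    for addr, val in sequence:
        write_register(port, addr, val)
    return dict(port.regs)


if __name__ == "__main__":
    port = SerialPortModel()
    print({hex(a): hex(v) for a, v in configure(port).items()})
    print(port.log)
```

The model decodes only after exactly 24 edges inside one CS-low window, so a glitch on SCLK while CS is high, or a transfer that is cut short, cannot shift the following frame and silently write a wrong register.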
5 Experimental Results and Discussion

5.1 The Build of the Test Platform

Following the determination of the circuit design, the PCB layout and wiring were completed. With the manufactured PCB, the sensor test platform was built; its structure is shown in Fig. 9.

Fig. 9. Test platform (rotor & probe, DC source, inductive displacement sensor board, FPGA and computer, with a signal generator and oscilloscope for circuit debugging)
In the test platform, the displacement sensor probe is fixed on the displacement calibration platform; the probes are shown in Fig. 10. The inductance of a whole coil is 2.08 mH without the rotor inside, and approximately 4 mH with the rotor in the centre. The rotor displacement range is about 1.2 mm. The stator is fixed on the displacement calibration platform, which has a stepping accuracy of 1 µm.
Fig. 10. Probe of the inductive displacement sensor
When the position of the rotor is changed, sensor debugging and measurement can be carried out with an oscilloscope and a monitoring computer.

5.2 Debugging with an Oscilloscope

The sensor excitation circuit provides a pair of sinusoidal excitation signals (R+ and R−) for the sensor coil. When the position of the rotor changes, the signal at the sensor coil tap changes accordingly. The signal measurement is shown in Fig. 11. As revealed there, the driving signals output from the excitation circuit are a pair of differential signals (R+ and R−) with a peak-to-peak value of about 20 V at 20 kHz. Figure 11a shows the signals measured with the rotor in the centre position, where the amplitude of the coil tap signal V_in is very close to 0. Figures 11b and c show the signals measured with the rotor moved away from the centre position. When the rotor is displaced in opposite directions, the phase of the coil output voltage is opposite, and the larger the displacement, the larger the amplitude of the coil output voltage.
Fig. 11. Signals of the sensor coil
Figure 12 shows a signal measured with the rotor moved to one side. Before demodulation, the signal INP has a frequency of 20 kHz and an amplitude range of 0 to 2.048 V; the synchronous acquisition signal SYNCO has a frequency of 160 kHz; meanwhile the RCLK signal is output to the excitation circuit and ensures synchronous demodulation at 20 kHz. The demodulated output signal OUTP is output to the ADC circuit, as a signal carrying the rotor displacement information, for acquisition and processing. These results are consistent with the reference input and output of Fig. 5.
Fig. 12. Output sample timing relative to RCLK
5.3 Signal Acquisition and Processing

The digital displacement signals can be observed with the SignalTap tool of Quartus II. The rotor was moved from one end to the other in both directions with 50 µm steps, and the digital displacement signals were processed to obtain Fig. 13. In Fig. 13, the abscissa is the indication of the displacement calibration platform and the ordinate is the digital value of the displacement signal received by the FPGA; the AD7357 is a 14-bit ADC, i.e. the output range is 0 to 16383, and the differential input voltage range before AD conversion is −2.048 V to +2.048 V.
Fig. 13. Relationship of sampled signals and displacement of the probe (AD_out, about 2000 to 14000 counts, versus position from 5.7 mm to 6.6 mm, for the L→R and R→L traverses)
The sensitivity of the inductive displacement sensor is about 3 V/mm at the 20 kHz excitation frequency, obtained by linear fitting of the signals from multiple measurements, and the linear correlation coefficient R² is greater than 0.997. The maximum deviation between the measured signal and the fitted straight line is not more than 250 counts, which means the nonlinear error is not more than 2% and the linearity is good. The repeatability error of the test data is not more than 10%. Collecting the digital displacement signal continuously for 25.6 ms in Quartus II gives Fig. 14.

Fig. 14. Measurement of resolution (N(AD_sample) between 14660 and 14674 over 0 to 25 ms; N_p-p = 12)
As presented in Fig. 14, the maximum fluctuation of the output digital signal is 12 counts, so the minimum resolution of the inductive displacement sensor is:

$$D = 12 \times \frac{6.5\,\text{mm} - 5.7\,\text{mm}}{12384 - 3026} = 1.0\,\mu\text{m} \quad (6)$$
That is, the minimum resolution is 1.0 µm, which already meets the suspension precision requirements of general magnetic suspension bearing systems.
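Section 5.3 reports sensitivity, R², nonlinearity, repeatability and, through eq. (6), resolution, but the paper shows only the final numbers. The block below is an added example (not the authors' analysis script) that carries the same evaluation through on a constructed data set shaped like Fig. 13: 17 positions from 5.7 mm to 6.5 mm in 50 µm steps, counts running from 3026 to 12384 as in eq. (6), with a small symmetric bow added as nonlinearity and a constant offset on the return traverse as hysteresis. The ADC scale (4.096 V over 16384 codes) follows the AD7357 description in Sect. 5.3; the bow, the offset and the 12-count noise figure are assumptions of the example.

```python
import math
from typing import Dict, List, Tuple

V_PER_COUNT = 4.096 / 16384          # AD7357: 14 bits over a -2.048 V ... +2.048 V differential input

# Constructed calibration data in the shape of Fig. 13: 17 positions from 5.7 mm to 6.5 mm in 50 um
# steps, ADC counts rising from 3026 to 12384 (the values eq. (6) uses), with a small symmetric bow
# (nonlinearity) on the forward traverse and a constant 30-count offset on the return traverse.
POSITIONS_MM: List[float] = [5.7 + 0.05 * i for i in range(17)]
COUNTS_L_TO_R: List[float] = [3026 + 11697.5 * 0.05 * i + 120 * math.sin(math.pi * i / 16) for i in range(17)]
COUNTS_R_TO_L: List[float] = [c + 30 for c in COUNTS_L_TO_R]
NOISE_PP_COUNTS = 12                 # peak-to-peak fluctuation at a fixed position (as in Fig. 14)


def linear_fit(xs: List[float], ys: List[float]) -> Tuple[float, float, float]:
    """Least-squares line through (xs, ys); returns (slope, intercept, R^2)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return slope, intercept, 1.0 - ss_res / ss_tot


def nonlinearity(xs, ys, slope, intercept) -> float:
    """Largest deviation from the fitted line as a fraction of the fitted output span over the range."""
    span = abs(slope * (max(xs) - min(xs)))
    return max(abs(y - (slope * x + intercept)) for x, y in zip(xs, ys)) / span


def hysteresis(ys_fwd, ys_rev, span: float) -> float:
    """Largest forward/return difference at the same position, as a fraction of the span."""
    return max(abs(a - b) for a, b in zip(ys_fwd, ys_rev)) / span


def resolution_mm(pp_counts: float, x_lo: float, x_hi: float, n_lo: float, n_hi: float) -> float:
    """Eq. (6): peak-to-peak output noise in counts scaled by the mm per count of the calibration."""
    return pp_counts * (x_hi - x_lo) / (n_hi - n_lo)


def evaluate() -> Dict[str, float]:
    """Run the whole characterization on the constructed data."""
    slope, intercept, r2 = linear_fit(POSITIONS_MM, COUNTS_L_TO_R)
    span = abs(slope * (POSITIONS_MM[-1] - POSITIONS_MM[0]))
    return {
        "sensitivity_v_per_mm": slope * V_PER_COUNT,
        "r2": r2,
        "nonlinearity": nonlinearity(POSITIONS_MM, COUNTS_L_TO_R, slope, intercept),
        "hysteresis": hysteresis(COUNTS_L_TO_R, COUNTS_R_TO_L, span),
        "resolution_um": 1000.0 * resolution_mm(NOISE_PP_COUNTS, 5.7, 6.5, 3026, 12384),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.4f}")
```

On this data the fitted slope is 11697.5 counts/mm, i.e. about 2.92 V/mm at 0.25 mV per count, which is the order of the 2.9185 V/mm reported in the abstract; the resolution of eq. (6) comes out at about 1.03 µm. Nonlinearity is defined here as the maximum residual over the fitted span, which should be stated alongside any quoted percentage since other span definitions give different numbers.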
6 Conclusion

Taking the displacement sensor of an AMB system as the research object, this paper completed the design of the inductive displacement sensor circuit and the fabrication of the PCB with the integrated demodulation chip ADA2200. A test platform was built to evaluate the key performance parameters of the inductive displacement sensor. The results show that the output signal has a good linear relationship with the rotor displacement, with a nonlinear error of no more than 2%, a sensitivity of 3 V/mm and a minimum resolution of 1.0 µm. The inductive displacement sensor can therefore meet the requirements of general magnetic bearing systems.

Acknowledgments. The project is supported by the National Key Research and Development Project (Number 2018YFB0905500) and the National Natural Science Foundation (Number 51775292). Email: [email protected]
References
1. Schweitzer, G., Maslen, E.: Magnetic Bearings: Theory, Design, and Application to Rotating Machinery. Springer, Berlin (2009)
2. Zhang, W.Y., Zhu, H.Q., Yuan, Y.: Study on key technologies and applications of magnetic bearings. Trans. China Electrotech. Soc. 30(12), 12–20 (2015, in Chinese)
3. Li, Y.Y., Zhu, H.Q., Zhu, L.D., Wu, X.J.: Development and research status of key technologies on magnetic bearings. Micromotors 47(06), 69–73, 82 (2014, in Chinese)
4. Liu, L.L., Shi, Z.Y., Zhang, M., Yang, J.: Characteristic optimization of structural for inductive displacement sensors. J. Mech. Electr. Eng. 31(06), 684–688 (2014, in Chinese)
5. Zhao, Z.J.: Research on measurement model and error correction of redundant displacement sensors in magnetic bearings. Wuhan University of Technology (2015, in Chinese)
6. Wang, K., Zhang, L.S., Chen, S.H., Han, B.C.: Hartley eddy current sensor used in maglev molecular pump. Opt. Precis. Eng. 26(02), 344–354 (2018, in Chinese)
7. Zhang, L.S., Wang, K., Zheng, S.Q.: Design and experimental study of a novel self-inductance displacement sensor for active magnetic bearings. Chin. J. Sci. Instrum. 39(01), 100–109 (2018, in Chinese)
8. Chen, W., Zhang, K., Dai, X.J.: Signal modulation circuit design of the half-bridge LVDT based on AD698 for high sensitivity applications. Appl. Electron. Tech. 34(07), 69–71, 75 (2008, in Chinese)
9. Analog Devices: Synchronous Demodulator and Configurable Analog Filter ADA2200. Analog Devices Datasheet (2014)
The Development of TMSR-SF0 Simulation Protection System Guo-Qing Huang(&), Jie Hou, Ye Liu, Wei Lai, and Bing-Ying Li Shanghai Institute of Applied Physics, Chinese Academy of Science, Shanghai, China [email protected]
Abstract. The protection system is an important part of the reactor, and this paper introduces the overall structure and the development of the TMSR-SF0 simulation protection system. It adopts a modular design on an advanced FPGA platform, consisting of one kind of FPGA carrier board and various I/O sub-boards, which can flexibly realize the acquisition and processing of the various sensor signals of the protection variables. The performance has been tested and meets the technical specifications. Through the construction of the TMSR-SF0 simulation protection system, the TMSR-SF1 protection will be verified and design and development experience will be accumulated.

Keywords: Reactor protection system · FPGA · Simulated nuclear instrumentation system
1 Introduction

The thorium molten salt reactor nuclear energy system (TMSR) is one of the leading research projects of the Chinese Academy of Sciences. Its research goal is to develop a fourth-generation fission reactor nuclear energy system. The near-term goal is to build a 2 MW liquid-fuel thorium molten salt reactor (TMSR-LF1) and a 10 MW solid-fuel thorium molten salt reactor (TMSR-SF1), master the relevant key technologies, and achieve an improved thorium-uranium fuel cycle in open-loop mode [1]. As one of the six fourth-generation reactor types, TMSR offers good economy, safety, sustainability and proliferation resistance. The protection system of TMSR includes the emergency shutdown system and the engineered safety features driver system. The protection system monitors the parameters related to reactor safety. When these parameters exceed the preset protection setting values, the reactor protection system automatically triggers the emergency shutdown system and drives the corresponding engineered safety features to limit the development of accidents, mitigate their consequences, prevent the release of radioactive material to the surrounding environment, and ensure the safety of equipment and personnel.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 112–119, 2020. https://doi.org/10.1007/978-981-15-1876-8_12
TMSR-SF0 is a non-nuclear simulation experimental reactor for TMSR-SF1, constructed at 1:3 scale. The simulation protection system of TMSR-SF0 is constructed according to the protection system of TMSR-SF1. Because it has no nuclear fuel and therefore no nuclear signal, the NIS signal is replaced by a simulated signal from a signal generator; the other sensor signals are the real sensor signals of TMSR-SF0. The simulation protection system of TMSR-SF0 is developed independently using FPGAs to verify the protection functions of TMSR-SF1 and to accumulate design and construction experience for the TMSR protection system.
2 System Design

2.1 System Configuration
The protection system consists of all electrical, mechanical and circuit components from the signal sensor to the input of the actuator. Safety process instruments and nuclear instrumentation deliver the reactor status information to the protection system, which compares each variable with its setting value and generates logic signals. The logic signals of the different sequences (channels) are combined logically to generate the emergency shutdown and engineered safety features signals. The emergency shutdown signals open the shutdown circuit breakers, the rod drive power supply is lost, the control rods drop and the reactor shuts down. The engineered safety features signals are processed logically together with the commands from the control system and then drive the engineered safety features.

The protection system of TMSR-SF0 is designed with 2-out-of-3 (2oo3) logic. Three redundant monitoring channels and logical coincidence sequences are set up, and each protection variable is voted 2oo3 in each sequence by local coincidence logic. The output signals of each sequence's logic processing unit drive two shutdown circuit breakers, six in total, and the six breakers form a second-stage 2oo3 logic. This design reduces both the spurious trip rate and the failure-to-trip rate and meets the reliability requirements of the protection system.

The protection system of TMSR-SF0 includes signal processing chassis, logic processing chassis, local engineer stations, one-way gateways, a simulation nuclear instrument system, safety panels, the circuit breaker cabinet of the emergency shutdown, the circuit breaker cabinet of the engineered safety features, a periodic test device, etc., as shown in Fig. 1. The signal processing chassis digitize the sensor signals and compare them with the setting values. The logic processing chassis perform the local logical coincidence and output the signals that drive the circuit breaker cabinets.
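The two voting stages described above, as an added worked example that is not part of the paper or of the TMSR project code: each channel's signal processing stage produces a partial-trip bit, every logic processing chassis votes 2oo3 over the three bits it holds (its own plus the two received from the other channels), and the six breakers driven by the three channels form the second 2oo3 stage. The setpoint, the sample measurements, the stuck-logic-unit fault model and the series/parallel wiring of the six breakers are assumptions of the example (the paper only states that six breakers form the second stage). The function prob_2oo3 gives the usual closed form for the probability that at least two of three independent channels are in the same state, which is why both the spurious trip rate and the failure-to-trip rate fall below the single-channel rate.

```python
"""Two-stage 2oo3 trip logic of the kind described for the TMSR-SF0 RPS.

Added example, not code from the paper or from the TMSR project. The
setpoint, the sample measurements, the logic-unit fault injection and the
series/parallel wiring of the six breakers are assumptions of this example;
the paper only states that the six breakers form the second 2oo3 stage.
"""

CHANNELS = ("A", "B", "C")

# Assumed breaker wiring: rod drive power reaches the rods through three
# parallel paths, each path being two breakers in series that belong to two
# different channels. A tripped channel opens both of its breakers, so one
# tripped channel leaves one path closed and power still flows; two tripped
# channels open every path.
POWER_PATHS = (("A", "B"), ("B", "C"), ("C", "A"))


def bistables(measurements, setpoint, high=True):
    """Signal-processing stage: compare each channel's digitised value with
    the setpoint and emit one partial-trip bit per channel."""
    return {ch: (v > setpoint if high else v < setpoint)
            for ch, v in measurements.items()}


def local_coincidence(partial_trips):
    """2oo3 vote over the three partial-trip bits (own bit plus the two bits
    received over the cross-channel point-to-point links)."""
    return sum(1 for t in partial_trips.values() if t) >= 2


def channel_trips(partial_trips, stuck_logic=None):
    """First stage: each channel's logic processing chassis votes on the same
    three bits and issues its own trip order. stuck_logic maps a channel to a
    forced output, modelling a failed logic unit (assumed fault model)."""
    stuck_logic = stuck_logic or {}
    vote = local_coincidence(partial_trips)
    return {ch: stuck_logic.get(ch, vote) for ch in CHANNELS}


def rod_power_lost(channel_trip):
    """Second stage formed by the six breakers: power is lost only when every
    parallel path contains at least one open breaker."""
    return all(channel_trip[p] or channel_trip[q] for p, q in POWER_PATHS)


def reactor_trip(measurements, setpoint, high=True, stuck_logic=None):
    """Full chain: bistable comparison, per-channel 2oo3 vote, breaker 2oo3."""
    partial = bistables(measurements, setpoint, high)
    return rod_power_lost(channel_trips(partial, stuck_logic))


def prob_2oo3(p):
    """Probability that at least two of three independent channels are in a
    given state: the spurious trip rate when p is the per-channel spurious
    rate, the failure-to-trip rate when p is the per-channel failure rate."""
    return 3 * p ** 2 - 2 * p ** 3


if __name__ == "__main__":
    SETPOINT = 8.0  # assumed high setpoint in sensor units
    cases = {
        "normal": ({"A": 5.0, "B": 5.1, "C": 4.9}, None),
        "one channel spurious high": ({"A": 9.5, "B": 5.0, "C": 5.0}, None),
        "excursion, sensor C failed low": ({"A": 9.0, "B": 9.2, "C": 0.0}, None),
        "logic unit A stuck tripped": ({"A": 5.0, "B": 5.1, "C": 4.9}, {"A": True}),
        "excursion, logic unit A stuck": ({"A": 9.0, "B": 9.2, "C": 9.1}, {"A": False}),
    }
    for name, (meas, stuck) in cases.items():
        print(f"{name:32s} trip={reactor_trip(meas, SETPOINT, stuck_logic=stuck)}")
    print("2oo3 rate for a per-channel rate of 1e-2:", prob_2oo3(1e-2))
```

The five cases show the property the paper claims for the design: one spurious channel or one stuck logic unit neither trips the reactor nor blocks a genuine trip, and with a per-channel rate of 1e-2 the two-stage rate is about 3e-4.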
The local engineer stations monitor the operation status of each module of the protection system. The one-way gateways communicate with the non-safety DCS while isolating the protection system from it. The simulation nuclear instrument system produces the neutron signal with a signal generator. The safety panels in the control room provide the necessary operating information to the operators. The circuit breaker cabinets of the emergency shutdown drop the rods. The circuit breaker cabinets of the engineered safety features drive the ESF to operate. The periodic test device provides test signals and tests the performance of the protection system regularly.

Fig. 1. Overall structure of the protection system of TMSR-SF0 (figure not reproduced: three channels A, B and C, each with sensors 1...N, a simulation NIS, a signal processing chassis, a logic processing chassis that also receives the signals of the other two channels, a local engineer station and a one-way gateway to the control net; the control room safety panel and non-safety panel; outputs hard-wired to the circuit breaker cabinet and the ESF cabinet. Legend: high speed point-to-point bus, bidirectional local area bus, Ethernet, hard wiring of analog signals, hard wiring of logic signals)

2.2 Signal Processing Chassis and Logic Processing Chassis
The signal processing chassis and logic processing chassis are the core of the protection system. They adopt ATCA high-reliability chassis, an FPGA platform, and the carrier board plus sub-board arrangement [2, 3]. There is one kind of carrier board and many kinds of sub-boards in the FPGA platform. The sub-boards are mainly responsible for the external interface functions, such as the IO input interface, IO output interface, voltage signal input interface, current signal input interface, analog output interface, temperature sensor input interface and so on. Each carrier board can be fitted with 6 sub-boards. By choosing different sub-boards, the protection functions for different physical parameters can be realized. A photograph of the FPGA platform is shown in Fig. 2.
The design of the FPGA platform can minimize the types of hardware models, reduce the number of spare parts, and make the system more flexible. Through different software configurations, it can achieve a combination of different functions, which is in line with the current trend of technological development, that is, the hardware platform is fixed, and the software is used to achieve a variety of functions.
Fig. 2. Physical picture of the FPGA platform
2.3 Local Engineer Stations

Each RPS sequence has a local engineer station, which monitors the working status of the sequence and adjusts the operating parameters of the RPS. It communicates point-to-point with the signal processing chassis and the logic processing chassis over an RS485 bus. Each communication link is independent and meets the single-failure criterion.

2.4 One-Way Gateways
The one-way gateways are the communication interface between the safety protection system and the non-safety control system. They use a one-way optical fibre to realize hardware signal isolation and unidirectional data transmission, so that no data can flow from the non-safety network into the protection system. The structure of the one-way gateway is shown in Fig. 3.
Fig. 3. The structure of the one-way gateway (figure not reproduced: safety system, RS485, serial/fiber converter, one-way fiber, fiber/serial converter, RS485, serial device server, Ethernet, non-safety system)
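The one-way gateway has a consequence for the data passing over it that the structure in Fig. 3 does not show: because nothing can travel back over the fibre, the non-safety side cannot acknowledge a frame or ask for a resend, so the safety side has to send self-describing frames and the receiver has to validate each one alone and detect gaps itself. The following is an added example, not code from the paper or from the TMSR gateway; the frame layout (start marker, length, sequence number, CRC-32), the record format, the maximum payload and the sample readings are assumptions of the example.

```python
"""Framing for a one-way (data-diode) gateway link like the one in Fig. 3.

Added example, not code from the paper or from the TMSR project. Because the
fibre only carries data from the safety side to the non-safety side, the
receiver can never acknowledge a frame or request a resend, so every frame
must carry what the receiver needs to validate it on its own. The frame
layout, CRC choice, record format and sample readings are assumptions.
"""
import struct
import zlib

MAGIC = b"RP"                     # assumed start-of-frame marker
HEADER = struct.Struct(">2sHI")   # marker, payload length, sequence number
CRC = struct.Struct(">I")         # CRC-32 over marker, header fields and payload
RECORD = struct.Struct(">Hf")     # assumed record: protection variable id, value
MAX_PAYLOAD = 64                  # assumed bound; stops a corrupted length stalling the parser


def encode_frame(seq, payload):
    """Safety side: every frame is self-describing, since no request can come back."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    body = HEADER.pack(MAGIC, len(payload), seq & 0xFFFFFFFF) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def encode_reading(seq, var_id, value):
    return encode_frame(seq, RECORD.pack(var_id, value))


class DiodeReceiver:
    """Non-safety side of the gateway: resynchronises on the marker, rejects
    frames whose CRC fails, counts sequence gaps, and has no transmit path."""

    def __init__(self):
        self.buf = b""
        self.expected = None   # next sequence number, unknown until the first frame
        self.frames = []       # (seq, payload) of accepted frames
        self.corrupt = 0       # frames rejected because of length or CRC
        self.lost = 0          # sequence numbers that never arrived intact

    def feed(self, data):
        self.buf += data
        while True:
            start = self.buf.find(MAGIC)
            if start < 0:
                self.buf = self.buf[-(len(MAGIC) - 1):]   # keep a possible partial marker
                return
            self.buf = self.buf[start:]
            if len(self.buf) < HEADER.size + CRC.size:
                return                                    # wait for the rest of the header
            _, length, seq = HEADER.unpack_from(self.buf)
            if length > MAX_PAYLOAD:
                self.corrupt += 1
                self.buf = self.buf[1:]                   # skip this marker, resynchronise
                continue
            total = HEADER.size + length + CRC.size
            if len(self.buf) < total:
                return                                    # wait for the rest of the frame
            body = self.buf[:total - CRC.size]
            crc = CRC.unpack_from(self.buf, total - CRC.size)[0]
            if zlib.crc32(body) & 0xFFFFFFFF != crc:
                self.corrupt += 1
                self.buf = self.buf[1:]
                continue
            if self.expected is not None and seq != self.expected:
                self.lost += (seq - self.expected) & 0xFFFFFFFF
            self.expected = (seq + 1) & 0xFFFFFFFF
            self.frames.append((seq, body[HEADER.size:]))
            self.buf = self.buf[total:]

    def readings(self):
        """Decode accepted payloads into (seq, variable id, value)."""
        return [(seq, *RECORD.unpack(p)) for seq, p in self.frames]


def simulate_link(frames, drop=(), flip=()):
    """Constructed fibre behaviour: frames in `drop` never arrive and frames in
    `flip` arrive with one payload bit inverted. Nothing travels back."""
    out = b""
    for i, fr in enumerate(frames):
        if i in drop:
            continue
        if i in flip:
            k = HEADER.size + 2                           # a byte inside the payload
            fr = fr[:k] + bytes([fr[k] ^ 0x01]) + fr[k + 1:]
        out += fr
    return out


def run_demo():
    # constructed safety-side readings: (variable id, value)
    readings = [(1, 5.02), (1, 5.05), (2, 312.0), (1, 5.10), (2, 313.5)]
    frames = [encode_reading(seq, vid, val) for seq, (vid, val) in enumerate(readings)]
    stream = simulate_link(frames, drop={1}, flip={3})
    rx = DiodeReceiver()
    rx.feed(stream[:20])        # a frame split across two reads must still parse
    rx.feed(stream[20:])
    return rx


if __name__ == "__main__":
    rx = run_demo()
    print("accepted:", rx.readings())
    print("corrupt frames:", rx.corrupt, "lost sequence numbers:", rx.lost)
```

The receiver drops the corrupted frame and counts the missing sequence numbers instead of requesting them, which is the only option on a unidirectional link; the bound on the length field matters because a corrupted length would otherwise leave the receiver waiting for bytes that never come.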
2.5 Safety Panel

The safety panel in the central control room is mainly used to display the measured values and the working status of the RPS. The emergency manual switches on the panel directly drive the control rods to drop and drive the engineered safety features to act. The HMI is designed in a concise style. Because the protection variables of TMSR-SF1 are relatively few, the main parameters are displayed on the main interface, which reduces the steps of specific operations. The interface is shown in Fig. 4.
Fig. 4. The interface picture of RPS
2.6 Simulation Nuclear Instrument System
There is no neutron signal in TMSR-SF0, yet the NIS is one of the important parts of the protection system, so it is realized by a signal generator that outputs a simulated neutron detector signal. The signal generator adopts a PXI chassis, which is convenient to implement and to communicate with external systems. When the signal generator receives the power data from the control system, it drives the hardware to output the corresponding pulse signal or current signal. The NIS cabinet receives the pulse or current signal, processes it through filtering and amplification stages, and outputs a linear 0–10 V signal to the RPS. The NIS also has a three-sequence structure, with a two-channel source range, a two-channel intermediate range and a three-channel power range. Because the RPS is digital, the NIS mainly performs signal filtering and amplification and outputs a linear standard voltage to the RPS; the digital processing is implemented directly by the RPS.

2.7 Periodic Test Device
According to the safety regulations of the reactor, the safety equipment must be inspected periodically to confirm that it works normally, to find problems in time and to avoid accidents [4–8]. The RPS cabinet has interfaces for the periodic test device. Through these interfaces the periodic test device can inject various test signals, such as pulse, voltage, current and temperature signals. The RPS cabinet processes these signals and returns the results to the periodic test device, which compares the returned data with the expected data and so determines whether the system works normally. The periodic test device of the RPS is designed as a movable device, implemented with PXI hardware and LabVIEW software from NI. The PXI hardware outputs the various test signals, the processing results are then read back over RS485, and the software completes the comparison and automatically produces a report of the system working status.
3 RPS Experiment

According to the technical specifications, the performance of the simulation RPS of TMSR-SF0 was tested: the accuracy of the analog signals, the precision of the setting value comparison, the logic functions, the response time, etc. A Keithley 2636A was used to output standard voltage and current signals to test the accuracy of the AI and VI boards, an arbitrary waveform generator (AWG5002C) to output standard frequency signals to test the accuracy of the FI board, and a thermocouple signal generator (Pickering 41-760004) to output standard K-type thermocouple signals to test the accuracy of the TI board; the test data were recorded as shown in Fig. 5.
Fig. 5. The test data of the RPS: (a) AI test, (b) VI test, (c) FI test, (d) TI test (plots not reproduced)
According to the test data, the accuracy is calculated and the result is shown in Table 1. The performance of the RPS is comparable to that of similar products and meets the technical specifications.
Table 1. The performance of RPS

Item            Range             Test accuracy
Voltage         0–10 V            2‰
Current         4–20 mA           2‰
Temperature     K thermocouple    2‰
Setting value   /                 2‰
Response time   /                 100 ms
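A check of the kind the periodic test device (Sect. 2.7) performs on the returned data, judged against the figures of Table 1, as an added example that is not the authors' PXI/LabVIEW software: reference signals are injected, the values the RPS returns are compared with them relative to the span of each channel, the first injected value at which a setting value comparison trips is compared with the setpoint, and the response times are checked against 100 ms. The voltage and current spans follow Table 1; the temperature span, the setpoint ramp and all sample readings are constructed.

```python
"""Accuracy and response-time check of the kind the periodic test device runs.

Added example, not the authors' PXI/LabVIEW test software. The 2 per mille
accuracy and the 100 ms response time come from Table 1 of the paper; the
voltage and current spans follow Table 1, while the temperature span, the
setpoint ramp and all sample readings are constructed assumptions.
"""

ACCURACY_LIMIT = 0.002        # 2 per mille of span, Table 1
RESPONSE_LIMIT_S = 0.100      # 100 ms, Table 1

SPANS = {
    "voltage": (0.0, 10.0),        # V, Table 1
    "current": (4.0, 20.0),        # mA, Table 1
    "temperature": (0.0, 1200.0),  # degrees C, assumed span of the K-type channel
}


def relative_error(channel, reference, returned):
    """Error as a fraction of the channel span (the accuracy figure is a span figure)."""
    lo, hi = SPANS[channel]
    return abs(returned - reference) / (hi - lo)


def check_channel(channel, points):
    """points: (reference, returned) pairs. Returns (passed, worst error, worst point)."""
    worst_err, worst_pt = max(
        ((relative_error(channel, r, m), (r, m)) for r, m in points),
        key=lambda t: t[0])
    return worst_err <= ACCURACY_LIMIT, worst_err, worst_pt


def check_setpoint(channel, setpoint, ramp):
    """ramp: (injected value, trip bit) pairs in increasing order. The first
    tripping value must lie within the accuracy limit of the setpoint."""
    trip_at = next((v for v, tripped in ramp if tripped), None)
    if trip_at is None:
        return False, None                      # never tripped: failure to trip
    return relative_error(channel, setpoint, trip_at) <= ACCURACY_LIMIT, trip_at


def check_response(times_s):
    worst = max(times_s)
    return worst <= RESPONSE_LIMIT_S, worst


def run_periodic_test(data):
    """data: {"channels": {name: points}, "setpoints": {name: (setpoint, ramp)},
    "response_times": [...]}. Returns a report with a pass/fail entry per item."""
    report = {}
    for name, pts in data["channels"].items():
        ok, err, pt = check_channel(name, pts)
        report[name] = {"passed": ok, "worst_error": err, "worst_point": pt}
    for name, (sp, ramp) in data["setpoints"].items():
        ok, at = check_setpoint(name, sp, ramp)
        report["setpoint " + name] = {"passed": ok, "trip_at": at}
    ok, t = check_response(data["response_times"])
    report["response_time"] = {"passed": ok, "worst_s": t}
    report["overall"] = all(v["passed"] for v in report.values())
    return report


# constructed readings returned by the RPS for injected reference values
SAMPLE = {
    "channels": {
        "voltage": [(0.0, 0.003), (2.5, 2.504), (5.0, 5.008), (7.5, 7.512), (10.0, 9.991)],
        "current": [(4.0, 4.01), (12.0, 12.02), (20.0, 19.97)],
        "temperature": [(100.0, 101.0), (600.0, 597.0), (1100.0, 1101.5)],
    },
    "setpoints": {
        "voltage": (8.0, [(7.95, False), (7.98, False), (8.01, True), (8.04, True)]),
    },
    "response_times": [0.062, 0.071, 0.098],
}

if __name__ == "__main__":
    for item, result in run_periodic_test(SAMPLE).items():
        print(f"{item:20s} {result}")
```

On the constructed data every item passes except the temperature channel, whose 3 degree error at 600 degrees is 2.5 per mille of the assumed span, so the report flags that board for attention while still recording the worst point.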
4 Conclusions

TMSR-SF0 is the simulation reactor of TMSR-SF1, built to verify the key technologies of TMSR-SF1. The simulation protection system is an important part of TMSR-SF0 and is constructed 1:1 according to the RPS of TMSR-SF1. Apart from the NIS signal, all other signals are real sensor signals. The RPS includes signal processing chassis, logic processing chassis, local engineer stations, one-way gateways, a simulation nuclear instrument system, safety panels, the circuit breaker cabinet of the emergency shutdown, the circuit breaker cabinet of the engineered safety features, a periodic test device, etc. The performance of the RPS has been tested and meets the requirements of the technical specifications. At present the RPS has been installed in the field and is working normally.
References
1. Jiang, M.-H., Xu, H.-J., Dai, Z.-M.: Advanced fission energy program-TMSR nuclear energy system. Bull. Chin. Acad. Sci. 27(3), 366–374 (2012)
2. Liu, Y., Liu, Z.B., Hou, J.: Design and implementation of FPGA-based digital and logical signal processing functions of reactor protection system for TMSR. Nucl. Tech. 38(4), 43–49 (2015)
3. Liu, Z.B., Liu, G.M., Hou, J.: ADS8325 with FPGA applied in TMSR protection system. Comput. Meas. Control 23(3), 886–888 (2015)
4. Liu, Z.B., Liu, Y., Liu, G.M., Hou, J.: Reactor protection system testing for the solid fuel thorium molten salt reactor. Nucl. Sci. Tech. 27, 123–131 (2016)
5. Shui, X.-X., Wu, Y.-C., Wu, Z.-Q., et al.: Development and verification of FPGA-based reactor protection subsystem. Nucl. Electron. Detect. Technol. 35, 1043–1047 (2015)
6. Naser, J.: Guidelines on the use of field programmable gate arrays (FPGAs) in nuclear power plant I&C systems. Final Report 1019181, EPRI (2009)
7. Naser, J.: Recommended approaches and design criteria for application of field programmable gate arrays (FPGAs) in nuclear power plant I&C systems. Final Report 1022983, EPRI (2011)
8. Fink, B., Killian, C., Nguyen, T., et al.: Guidelines on the use of field programmable gate arrays (FPGAs) in nuclear power plant I&C system. EPRI TR 1019181 (2009)
Assessment of Operating Safety State of Nuclear Power Plant Based on Improved CAE Method
Chao Lu, Jia-Lin Ping, Wei-Jun Huang, Ke Tan, and Hong-Yun Xie
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen, Guangdong 518172, China
[email protected]
Abstract. To solve the problem of real-time quantitative assessment of nuclear power plants, a safety state assessment model of the nuclear power plant based on CAE (Claim-Argument-Evidence) theory is constructed. From the aspects of reactivity control, core cooling and radiation shielding, the nuclear power plant is modelled as a hierarchical node assessment structure carrying weight distribution and safety assessment value information. The weights of the assessment factors are allocated according to the dynamically optimized values of the safety assessment variables. Based on these methods and on visualization tools, a real-time human-computer interaction system for evaluating the safety state of typical systems is developed. Finally, real-time operation data and simulation of the nuclear power plant prove the correctness and practicability of the assessment model and algorithm.
Keywords: Health state assessment · Arithmetic of variable weight · Analytic hierarchy process · Visualization
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 120–128, 2020. https://doi.org/10.1007/978-981-15-1876-8_13

1 Introduction

The consequences of an accident at a nuclear power plant are far more serious than at a conventional power plant. Because of its complexity and strict safety requirements, evaluating the safety state of a nuclear power plant is necessary and extremely important. In a power system the operating state changes and evolves with time; describing and analysing the state of the system as a sequence of static sections is called operational state assessment [1]. Health assessment of complex systems is multidisciplinary, and the assessment methods vary with the object and purpose; they are based mainly on models, on signals or on knowledge, the latter two being signal-based assessment and knowledge-based intelligent assessment. Traditional condition monitoring mainly sets a threshold for each parameter; exceeding the threshold raises an alarm or is taken as an equipment fault or system failure. On the one hand, the operator can then only respond with a lag. On the other hand, the actual
operating parameters always fluctuate statistically, so a high false alarm rate is easily produced and the threshold is also difficult to set. The concept of a “safe state” is rarely mentioned explicitly for nuclear power plants, but it is involved in much actual operation and research. To evaluate the long-term safety performance of nuclear power plants, the International Atomic Energy Agency (IAEA), the World Association of Nuclear Operators (WANO), the US Nuclear Regulatory Commission (NRC), the Institute of Nuclear Power Operations (INPO) and others have established corresponding assessment systems. Research on the reliability of special systems or key equipment of nuclear power plants is extensive.
2 State Assess Method Based on CAE Theory

2.1 Simplified State Assessment Method Based on CAE Theory
The CAE argument structure demonstrates that a state meets the safety performance through a series of structured evidence-argument chains, so an assessment model based on CAE has a clear structure, strict logic, maintainability and so on [2]. However, there are complex relationships between the system layer and the function layer, so it is difficult to assign a system to a single function. The CAE assessment method is therefore improved to combine the system layer and the function layer, so that the detailed functional decomposition can describe effectively how changes inside a system affect the key functions and the overall plant objectives. Moreover, in a CAE argument the results obtained by argument and analysis are usually two-valued, such as “whether the system fails”, “whether the function is realized” or “whether it meets the accepted recommendations”. In order to make full use of safety analysis knowledge, the assessment structure is still based on the realization of function targets or the success of systems, but the assessment process adopts a bottom-up approach, pays more attention to the impact of the basic evidence on the top-level objectives, and its result after argument can be a more detailed system or function state. In addition, more attention is paid to the characteristic parameters of the running state of the system, so the state parameters must be taken into account in modelling and assessment.
Combined with the above, improvements are made from the point of view of running state assessment in the following areas: (1) The result of the argument is a more detailed health state of the system or sub-system, which breaks through the restriction to two states and gives a detailed assessment of the system state. (2) Referring to the basic theory of CAE and the GSN (Goal Structuring Notation) argumentation method, the model structure is simplified according to the running state, which makes it convenient for operators to understand and use.
Fig. 1. Three-layer security assessment structure (figure not reproduced: top-level claim “the shielding security of radioactive material shielding”; second layer “integrity of radioactive material shielding”; third layer “the integrity security of fuel cladding”, “the integrity security of the primary loop pressure boundary” and “the integrity security of containment”)
2.2 Quantification of Assessment Results
Taking the three-tier assessment structure shown in Fig. 1 as an example, if a function has $n$ sub-functions or pieces of evidence, the number of possible function states according to the combination of states is $4^n$, but in many cases this can be simplified according to the specific relationships. If any sub-function is in state D (the unsatisfied state), the function is in state D. A set of evidence $(E_1, E_2, \ldots, E_n)$ directly affects a sub-argument $C_1$, whose state is obtained by argument from the evidence; the combination of the current states of the sub-arguments $(C_1, C_2, \ldots, C_n)$ then gives the state of the upper argument $C$ in the second argument step. At the same time, when the second-tier sub-functions are used to demonstrate the upper argument $C$, the effect of the third layer can be considered in more detail. For example, if the sub-function $C_1$ has only two evidentiary factors $E_1$ and $E_2$:

State 1: $E_1(A) \cap E_2(B) \rightarrow C_1(B)$ (1)

State 2: $E_1(B) \cap E_2(B) = C_1(B)$ (2)

or: $E_1(A) \cap E_2(B) \cup E_1(B) \cap E_2(B) = C_1(B)$ (3)
If the difference between state 1 and state 2 is still large, the two states can be distinguished in $C_1$. After this process there is, for each state of the top-level claim that is ultimately to be evaluated, a distinguishable set of state combinations:

$C(A) = S_1 \cup S_2 \cup \ldots \cup S_i$ (4)

where $S_i$ represents a state combination of lower-level (or much lower-level) influencing factors, such as

$S_1 = C_1(A) \cap C_2(B) \cap \ldots \cap C_i(A)$ (5)

$C_1(A) = E_1(A) \cap E_2(B) \cap \ldots \cap E_i(A)$ (6)

The other state grades $C(B)$, $C(C)$ and $C(D)$ of the claim $C$ can be divided into $j$, $k$ and $l$ groups in the same way. The total number of distinguishable states of $C$ is $n = i + j + k + l$. The states of each grade are sorted from best to worst and mapped to [0, 100] as shown in Table 1: the $i$ states in $C(A)$ are mapped to [90, 100], the $j$ states in $C(B)$ to [80, 90], the $k$ states in $C(C)$ to [60, 80] and the $l$ states in $C(D)$ to [0, 60]. In this way every value range corresponds to a certain state level with a clear physical meaning, and the relative quality of the states within a level is expressed in more detail by the specific score.

Table 1. Assessment quantization table

State grade    State combination                    Score
C(A)           S_1 ... S_i                          [90, 100]
C(B)           S_{i+1} ... S_{i+j}                  [80, 90]
C(C)           S_{i+j+1} ... S_{i+j+k}              [60, 80]
C(D)           S_{i+j+k+1} ... S_{i+j+k+l}          [0, 60]
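The quantization of Sect. 2.2 and Table 1 carried through in code, as an added example that is not the authors' implementation: the $4^n$ state combinations of a function are split into the $i$, $j$, $k$ and $l$ groups of the four grades, ordered inside each grade and mapped onto the score intervals, and a claim is scored bottom-up from evidence through sub-arguments as in Eqs. (5) and (6). The paper fixes the grades, the intervals and the rule that a D sub-state makes the function D; two further rules used here are assumptions: a function's grade is the worst grade among its sub-states (consistent with Eq. (1), where $E_1(A)$ and $E_2(B)$ give $C_1(B)$), and inside one grade the combinations are ordered by how many sub-states are D, then C, then B, with ties sharing a score.

```python
"""Quantising a claim's state from its sub-states (Sect. 2.2, Table 1).

Added example, not the authors' code. The paper fixes the four grades A to D,
the score interval of each grade and the rule that any sub-state D makes the
function D. Two further rules are assumptions of this example: a function's
grade is the worst grade among its sub-states, and inside one grade the
combinations are ordered by how many sub-states are D, then C, then B.
"""
from itertools import product

GRADES = "ABCD"                                                            # A best, D unsatisfied
INTERVALS = {"A": (90, 100), "B": (80, 90), "C": (60, 80), "D": (0, 60)}  # Table 1


def combined_grade(substates):
    """Any D gives D; otherwise the worst of the sub-states (assumed rule)."""
    return max(substates, key=GRADES.index)


def badness(combo):
    """Sort key inside a grade: counts of D, C and B sub-states (assumed rule)."""
    return tuple(combo.count(g) for g in "DCB")


def enumerate_states(n):
    """Split the 4^n combinations of n sub-states into the groups i, j, k, l of
    Table 1, each ordered from best to worst."""
    groups = {g: [] for g in GRADES}
    for combo in product(GRADES, repeat=n):
        groups[combined_grade(combo)].append(combo)
    for members in groups.values():
        members.sort(key=badness)
    return groups


def score(combo, groups=None):
    """Map a combination into its grade's interval: the best combinations of
    the grade sit at the top of the interval, the worst at the bottom."""
    groups = groups or enumerate_states(len(combo))
    g = combined_grade(combo)
    ranks = sorted({badness(c) for c in groups[g]})
    lo, hi = INTERVALS[g]
    if len(ranks) == 1:
        return float(hi)
    return hi - (hi - lo) * ranks.index(badness(combo)) / (len(ranks) - 1)


def claim_score(evidence_by_subargument):
    """Bottom-up argument: evidence states give sub-argument states (Eq. (6)),
    sub-argument states give the claim state (Eq. (5)) and its score."""
    sub_grades = tuple(combined_grade(tuple(ev)) for ev in evidence_by_subargument.values())
    return (combined_grade(sub_grades), score(sub_grades),
            dict(zip(evidence_by_subargument, sub_grades)))


if __name__ == "__main__":
    groups = enumerate_states(2)
    print({g: len(m) for g, m in groups.items()})      # i, j, k, l for n = 2
    print(score(("A", "B")), score(("B", "B")), score(("D", "D")))
    # constructed claim with three sub-arguments, as in the Fig. 1 structure
    print(claim_score({"C1": ["A", "B"], "C2": ["B", "B"], "C3": ["A", "A"]}))
```

For two sub-states the groups contain 1, 3, 5 and 7 combinations, which is the $n = i + j + k + l = 16 = 4^2$ of the text; the ordering rule only decides where a combination lands inside its interval, never which interval it lands in.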
3 A Variable Weight Analytical Hierarchy Process Algorithm for the Assessment Model

3.1 Variable Weight Algorithm and Weight Optimization
Saaty et al. [3] studied the problem of variable weights of assessment factors, but that is the variable weight of a time-varying system, in which the weights of the factors vary with time rather than with the state values of the assessment factors. Some scholars, represented by Professor Hong-xing Li, have systematically studied variable weight theory and proposed a multi-objective variable weight decision method covering promoting, punishing, incentive and mixed variable weights, the state-based variable weight vector, the balance function and so on [4]. However, in the existing multi-objective variable weight decision method the determination of the weight vector is too subjective and arbitrary: the optimism coefficient is mainly fixed by experts according to experience. In this paper a reasonable objective function is formulated together with nuclear power experts according to the number and weights of the assessment factors, and the objective function is iterated by a genetic algorithm to find the most suitable optimism coefficient automatically. The weights of the assessment factors are thus allocated dynamically, which removes the excessive subjectivity and dependence on expert experience in determining the optimism coefficient of the variable weight analytic hierarchy process [5]. The safety state score of each factor in the model is calculated as

$V = \sum_{i=1}^{n} w_i x_i$ (7)

where $V$ is the safety state value of the assessment factor, $w_i$ is the weight of the $i$-th sub-assessment factor, and $x_i$ is the safety state assessment value of the $i$-th sub-assessment factor, determined by real-time direct measurement or by quantifying data according to the nuclear power operation specifications.

In actual assessment, when a factor with a relatively small weight deteriorates seriously or deviates from its normal state, the small weight attenuates its contribution, so the deterioration is not obvious in the overall assessment result although its actual impact is serious. To keep the influence of the various assessment factors dynamically balanced and to fit the actual operating state, a variable weight algorithm is introduced, which adjusts the weight distribution according to the real-time safety state of the assessment factors and so displays the safety state of nuclear power operation accurately. The conventional variable weight algorithm is

$w_i = \dfrac{w_i^{(0)} x_i^{\alpha - 1}}{\sum_{j=1}^{n} w_j^{(0)} x_j^{\alpha - 1}}$ (8)

where $w_i^{(0)}$ is the initial weight, $x_i$ is the assessment value of the $i$-th assessment factor, and $\alpha$ is the optimism coefficient: when $\alpha = 1$ the weights equal the constant weights; when $1/2 < \alpha < 1$ the imbalance between the factors is not regarded as serious; when $0 < \alpha < 1/2$ a serious deviation of any single factor cannot be tolerated.
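Equations (7) and (8) applied to a constructed set of factors, as an added example that is not the authors' code: the same state values are scored with constant weights ($\alpha = 1$) and with variable weights for a smaller $\alpha$, and the result is graded with the intervals of Table 1. The factor names, initial weights and state values are assumptions (modelled loosely on the factors named in Sect. 4.2), and the genetic-algorithm search for $\alpha$ is not reproduced; $\alpha$ is given directly. One caveat the formula does not state: for $\alpha < 1$ the term $x_i^{\alpha - 1}$ is undefined at $x_i = 0$, so the state values are clipped to a small positive floor before weighting.

```python
"""Constant weights versus the variable-weight algorithm, Eqs. (7) and (8).

Added example, not the authors' code. The factor names, initial weights and
state values are constructed; the genetic-algorithm search for the optimism
coefficient described in the paper is not reproduced, alpha is given
directly. For alpha < 1 the term x_i^(alpha-1) is undefined at x_i = 0, so
state values are clipped to a small positive floor (an assumption here).
"""

X_FLOOR = 1e-3   # assumed floor that keeps x_i^(alpha-1) finite


def variable_weights(w0, x, alpha):
    """Eq. (8): w_i = w0_i x_i^(alpha-1) / sum_j w0_j x_j^(alpha-1)."""
    raw = [wi * max(xi, X_FLOOR) ** (alpha - 1) for wi, xi in zip(w0, x)]
    total = sum(raw)
    return [r / total for r in raw]


def state_value(w, x):
    """Eq. (7): V = sum_i w_i x_i."""
    return sum(wi * xi for wi, xi in zip(w, x))


def grade(v):
    """Intervals of Table 1 and Sect. 4.2: normal, early warning, alarm, danger."""
    if v >= 90:
        return "normal"
    if v >= 80:
        return "early warning"
    if v >= 60:
        return "alarm"
    return "danger"


def assess(w0, x, alpha):
    """Variable-weight assessment of one argument from its factors."""
    w = variable_weights(w0, x, alpha)
    v = state_value(w, x)
    return v, w, grade(v)


# constructed factors of "integrity of the primary loop pressure boundary"
FACTORS = ["containment aerosol radioactivity", "main pump shaft seal",
           "auxiliary building radioactive emission", "other factor 1", "other factor 2"]
W0 = [0.10, 0.15, 0.15, 0.30, 0.30]            # constructed initial weights
X_NORMAL = [95.0, 95.0, 95.0, 95.0, 95.0]      # constructed normal-operation values
X_LOCA = [30.0, 35.0, 70.0, 95.0, 95.0]        # constructed post-break values

if __name__ == "__main__":
    for alpha in (1.0, 0.7, 0.3):
        v, w, g = assess(W0, X_LOCA, alpha)
        print(f"alpha={alpha}: V={v:6.2f} ({g}), weights={[round(wi, 3) for wi in w]}")
```

With $\alpha = 1$ the weights stay at their initial values and the two factors in the danger range only pull $V$ to about 76 (alarm); with $\alpha = 0.3$ their weights rise well above the initial 0.10 and 0.15 and $V$ falls to about 67, so a small-weight factor in a dangerous state is no longer masked by the larger weights of the healthy factors.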
4 Establishment of an Operation Safety Assessment Model for the Nuclear Power Plant

4.1 The Assessment of the Integrity State of Pressure Boundaries in Nuclear Power Plants
In accordance with the requirements of nuclear safety, a nuclear power plant must ensure three basic safety functions under all working conditions: reactivity control, removal of the core residual heat and shielding of radioactive material [5]. Therefore the protection and maintenance of these functions during plant operation is an important basis for evaluating the operating state of the plant. The decomposition of the safety target functions of the nuclear power plant is shown in Fig. 2.
Fig. 2. Nuclear power plant safety target functional decomposition map (normal or accident conditions) [6]. The figure (not reproduced) decomposes the security target of the nuclear power plant into three functions and their sub-functions: (1) reactivity control: reactivity control by the control rods, reactivity control by boron concentration; (2) discharge of core residual heat: core cooling, guarantee of the primary loop water quantity, coolant circulation of the primary loop; (3) shielding of radioactive substances: integrity of the fuel cladding, integrity of the primary loop pressure boundary, integrity of the containment.
This paper takes the integrity state of the primary loop pressure boundary as an example. The integrity state of the primary loop pressure boundary is identified mainly by parameters such as the leakage of the reactor building and radioactivity monitoring. Anomalies in the related parameters reflect leakage or a break of the primary loop.

4.2 The Determination of Weights
A nuclear power plant simulator is used to simulate the large break loss of coolant accident, that is, a double-ended shear break of the main coolant pipe. “Integrity of the pressure boundary of the primary loop” is taken as the example. The data from the simulator and the direct monitoring data corresponding to the assessment model are collected, and the two groups of assessment factor values, in normal operation and in the accident, are taken out respectively. According to the assessment model, the algorithm calculates the safety assessment value and the corresponding weight distribution of the corresponding argument. The safety state values are mapped to [0, 100] based on the four safety states defined in the US Nuclear Regulatory Commission technical report and the corresponding assessment criteria: normal (90–100), early warning (80–90), alarm (60–80) and danger (0–60). Each value range corresponds to a certain state level that meets the corresponding criterion, and the relative quality of states at the same level is reflected by the specific score [7]. The changes of the safety state and weight of each assessment factor in the two situations (normal and accident conditions) can be observed intuitively and clearly. In the double-ended shear break of the main coolant pipe, the assessment factors “containment aerosol radioactivity” and “main pump shaft seal normal” are in a dangerous state and their weights increase obviously compared with normal operation. The parameter value of “containment aerosol radioactivity” is obviously abnormal; for the factor “main pump shaft seal normal”, the parameter checked by its argument also shows an obvious abnormality and is in a dangerous state. The factor “radioactive emission from the nuclear auxiliary building” is in the alarm state and its weight is also increased, while the parameter values and safety states of the other assessment factors have not changed obviously. “Integrity of the primary pressure boundary” is then calculated as the weighted average of the assessment factors. The safety states of these factors accurately reflect the operating state of the nuclear power plant during the double-ended shear break of the main coolant pipe.
5 The Verification of Operation Safety Assessment for the Nuclear Power Plant

The nuclear power plant simulator simulates the double-ended shear break of the main coolant pipe. The evolution of the real-time assessment system and the visual monitoring system is shown in Fig. 3. (1) The nuclear power plant runs smoothly; after a period of time an early warning condition suddenly appears, seen as a fall of the value in the line chart. The stacked map of the weight variation of the early-warning equipment shows the early warning. The Aster Plot shows that the overall state is the warning state and that the health state of “pressure integrity of primary loop” declines significantly. The TreeMap displays the alarm state. (2) Clicking the “pressure integrity of primary loop” node of the TreeMap for closer monitoring shows that the health state of the assessment factors under it is very dangerous, and the health state assessment value of the node is shown in the health state line graph. Clicking the node “Seal water flow”, which has the largest weight and the worst health state, shows an assessment value that fluctuates greatly in the health state line chart.
Fig. 3. The process of the change of the monitoring system of the case test system
(3) The number of warning devices displayed by the stacked map is larger than the number of warning nodes displayed by the TreeMap, and the Aster Plot shows that the health state of the containment integrity assessment factors is also problematic. Cross-linking with the TreeMap, monitoring analysis is performed under the containment integrity node; as expected, four assessment factors are above the early warning level, as confirmed through several interactive views. (4) Over time, thanks to the intervention of the plant's dedicated safety systems, the health state of each assessment factor tends to stabilize. The “containment integrity” factor returns to its normal state, while the assessment factors of the pressure integrity of the primary loop remain in alarm, and the weights of the factors with lower assessment values become larger and larger. For example, the evident deterioration of the “containment aerosol” factor shows that the containment is holding more radioactive gases.
6 Conclusion

Against the background of ensuring the safe operation of nuclear power plants, this paper has constructed a model that shows the real-time operational safety state of a nuclear power plant by using CAE safety assessment theory, taking the main goal, safe operation of the plant, as the premise. The model links the main safety functions, sub-functions and basic monitoring information of the plant into an overall hierarchical assessment structure from three aspects: reactivity control, core cooling and radioactive material shielding. To fit the actual operating state of the plant better, this paper improves the variable weight algorithm, which distributes the weights dynamically and reasonably according to the safety state of the assessment factors and so evaluates the operating state of the plant more scientifically. The visual monitoring system for the operational safety state adopts visual design means such as multi-scale and multi-view linkage to display the operating state of the plant in real time, which helps users perceive the safety state from different views. The case study shows that the system can help users monitor and analyse the real-time operating state of a nuclear power plant. In the future, professional nuclear power knowledge and accumulated historical data can be exploited further, and pattern recognition and visualization of real-time data can be realized through advanced means such as data mining and machine learning, to make the monitoring system intelligent, reduce the risk of plant staff failures and relieve the stress of plant staff.
Analysis and Solution of Design Difficulties of HMI with Scale Increase in Limited Space
Bo Cheng, Ting Mao, Shi-Bo Mei, Xue-Gang Zhang, Yi-Qian Wu, and Zhen-Hua Luan
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen of Guangdong Prov 518172, China
Abstract. With the rapid development of the technology and products of Instrumentation and Control (I&C) and the computer industry, the Human-Machine Interface (HMI) of the Main Control Room (MCR) is also changing. The change of HMI may cause the equipment scale to increase. When the increase of the HMI equipment scale takes place in limited space, it leads to a difficult problem of HMI design in the MCR of a Nuclear Power Plant (NPP). Based on a model of this kind of problem in the MCR of a specific NPP, this paper analyses the causes of the difficult problem, formulates effective countermeasures, and finally completes the design scheme of the HMI, which solves the problem and at the same time brings many innovations and advances to the scheme. It is very meaningful for the HMI of the MCR of an NPP because it lays a foundation and provides concrete guidance for the follow-up design of the HMI in the MCR of an NPP.
Keywords: Human-Machine interface · Main control room · Nuclear power plant
1 Introduction
In a specific NPP, the changes of the technology and products of I&C and the computer industry lead to an increase of the equipment scale in the MCR, but the plant building, based on a specific reactor type, will not change easily. This leads to a contradiction between the equipment scale and the limited space in the MCR, which makes the design of the HMI in the MCR face enormous challenges. This paper analyzes this problem in the design of the HMI in the MCR of an NPP, puts forward a series of coping strategies, and ultimately completes the HMI scheme, so as to make the HMI of the MCR better meet the requirements of Human Factor Engineering (HFE) and of the operators, and enhance the safety and economy of the NPP.
2 Analysis of HMI Change
After analysis of various changes, the main factors of HMI change in the MCR are listed as follows:
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 129–134, 2020. https://doi.org/10.1007/978-981-15-1876-8_14
(1) Requirements for Defence in Depth (DiD) of the overall I&C scheme [1, 2]. In order to better meet the requirements for DiD of the overall I&C scheme, adaptability modifications have been made to the overall I&C scheme of the NPP. As a result, a Diverse Human Interface Panel and a Severe Accident Panel need to be added in the MCR alone. The Diverse Human Interface Panel is the HMI of the Diverse Actuation System, which provides diverse backup functions to mitigate frequent faults concurrent with a postulated Common Cause Failure in the Protection System. The Severe Accident Panel is the HMI of the Severe Accident I&C System, which performs management and monitoring functions in some Design Extension Conditions.
(2) Requirements of users. After many in-depth communications with the users, more than 20 optimization and improvement items have been identified. For example, adding office computers on the Operator Workplace (OWP) in the MCR was put forward by the users. Such a requirement will increase the scale of the OWP.
(3) Requirements to ensure the progressiveness of the HMI in the MCR. Considering the development trend and frontier achievements of technology and equipment, the application of mature and reliable technology and equipment to the HMI in the MCR is an important measure to ensure the progressiveness of the HMI in the MCR, and this measure can also solve the spare-parts purchasing problem caused by the old HMI in the MCR. Liquid Crystal Display (LCD) screens can improve the monitoring effect and user experience and save operation and maintenance costs, but they increase the occupied area of the OWP and lead to a larger scale of the OWP and a longer transverse moving distance for the operator, which is not conducive to the execution of the operator's tasks (Table 1, Fig. 1).
Table 1. The screen width of different screen types
Screen type              Screen width (cm)
19 inch 4:3 screen       38.61
22 inch 16:10 screen     47.39
(4) Requirements of HFE. In the overall layout of the control room and the design of the panel structure, the requirements of HFE need to be considered. In particular, the non-conformity items of the reference NPP need to be improved and perfected. This also increases the difficulty of HMI design and may affect the MCR space.
These changes of the HMI in the MCR directly lead to an increase of the equipment scale. Simply placing new equipment and enlarging equipment sizes would result in the space of the MCR, under the current building scale, not meeting the space requirements of the HMI layout. Therefore, measures must be taken to solve this problem.
Fig. 1. Increase of screen width because of the change of screen type (bar chart of screen width in cm for the 19 inch 4:3 screen and the 22 inch 16:10 screen; values as in Table 1)
3 Formulating Effective Coping Strategies
By formulating effective coping strategies, the above problems in the design of the HMI in the MCR of an NPP can be effectively solved, and the HMI in the MCR of the NPP can be optimized.
(1) Sorting Out Regulations and Standards. Meeting the requirements of regulations and standards is the basic requirement for the design of the HMI in the MCR of an NPP [3–10]. Therefore, the general layout principles of the control room, the design principles of the panel surface, the HFE requirements, the operation and maintenance space, etc. are sorted out in detail, and some of them are refined into measurable, standardized data requirements applicable to the design of the HMI in the MCR, laying a solid foundation for the design of the HMI in the MCR.
(2) Experience Feedback and User Demand Survey. If project experience feedback and user needs are not fully implemented in the early stage, and the HMI equipment in the MCR of the NPP has to be reworked and optimized in the later stage, the cost in economy and schedule will be too high. Therefore, it is necessary to fully and accurately understand the users' needs and the experience feedback of previous projects in the early stage, and to consider them in the design of the HMI in the MCR of the NPP [11].
(3) Product Research. Product research for the HMI helps to keep pace with the development of technology and products. At present, there are not many kinds of industrial-grade large LCD screens on the market. In order to meet the design requirements, it is necessary to conduct extensive market research on LCDs. The size of the large LCD screen should be determined by considering the characteristics of the large LCD screen products on the market and the space limitation of the MCR. At the same time, in order to meet the safety and operation requirements of personnel and equipment in the MCR of the NPP, large LCD screens must meet the seismic requirements, and a seismic appraisal test can ensure the seismic performance of the products. Wide-screen LCDs on the OWP should also meet requirements similar to those for large LCD screens, but because the product size is relatively small, the difficulty of implementation is reduced.
(4) Optimizing and Innovating. In order to effectively solve the contradiction between the equipment scale and the limited space of the MCR, it is necessary to carry out technical research and innovation on the HMI in the MCR of the NPP in accordance with the characteristics of the HMI and the users' requirements. Improving and optimizing the product type, shape, size and layout of the HMI are therefore the key measures in the design of the HMI in an MCR with limited space.
(5) Mock-Up Validation. Mock-up validation activities can be carried out several times. Before each mock-up validation [12], a design review and questionnaire preparation are carried out. The scheme is optimized according to the review opinions, and then the mock-up validation is carried out. Questionnaire opinions are collected and sorted out in time, and the design scheme is adjusted again, so that the design scheme is continuously improved. Such an iterative process makes the design of the HMI in the MCR of the NPP better meet the requirements of regulations and standards, HFE and users (Fig. 2).
Fig. 2. An iterative process of the design and Mock-up of HMI
4 Design Scheme of HMI
After the analysis of the above problems in the design of the HMI in the MCR of an NPP and the effective measures taken, the design scheme of the HMI in the MCR of the NPP is as follows (Fig. 3):
(1) According to the requirements for DiD of the overall I&C scheme, the Diverse Human Interface Panel and the Severe Accident Panel are added in the MCR; they are integrated with the Back-Up Panels and the Large Display Panel and placed in front of the OWP, so as to make the functional zoning and layout of the MCR more centralized and concise and reduce the space occupancy. The integration of these HMI equipment is the key measure for solving the difficult problem of designing an HMI of increasing scale in an MCR with limited space.
(2) The type selection of hardware equipment is innovated: mosaic equipment is adopted to effectively reduce the size and scale of the equipment.
(3) For the first time, a large LCD screen with seismic appraisal is adopted, which differs from the Digital Light Processing (DLP) screen used in previous NPP projects. The display effect is clearer, and the screen is more economical and durable. The Large Display Panel with the large LCD screen is redesigned and validated according to the experience feedback of previous NPP projects and the requirements of regulations and standards, so as to better meet the users' requirements.
Fig. 3. Layout diagram of HMI in MCR of a NPP
(4) The screen of the OWP is changed from the plain screen used in previous NPP projects to a large-size wide screen, which effectively improves the visual effect of the Visual Display Unit (VDU) on the OWP; all displays are redesigned for the wide-screen mode, which is more in line with the requirements of HFE and users; the OWP adopts an arc layout to effectively reduce the scale of the OWP and the operator's transverse moving distance and improve work performance.
(5) For the first time, office computers are set up on the OWP to meet the work needs of users.
(6) Embedded KVM installation, a tilted layout and a raised elevation of the communication equipment display screen, and other optimizations improve comfort and convenience for users.
5 Conclusions
This paper makes a comprehensive and clear analysis of the design of the HMI in the MCR of an NPP under the contradiction between the rapid increase of equipment scale and the limited space. According to the space size of the MCR, the equipment characteristics of the HMI, the operating characteristics of the NPP and the requirements of users, a series of coping strategies is adopted to solve these problems together. The scheme effectively integrates and optimizes the HMI resources in the MCR, provides a compact and high-quality HMI for operators, implements the human-oriented design concept in the design of the HMI in the MCR of the NPP, and better meets the users' needs. The design of the HMI in the MCR of the NPP has the characteristic of "keeping pace with the times", which is an important measure to ensure its advancement. It is expected that the HMI in the MCR of the NPP will be more secure, humanized and modernized in the future.
References
1. IAEA: Safety of Nuclear Power Plants: Design, SSR-2/1, Revision 1 [S] (2016)
2. HAF102: Chinese Nuclear Safety Regulation, Safety of Nuclear Power Plants: Design [S] (2016)
3. IEC 61227: Nuclear Power Plants – Control Rooms – Operator Controls [S] (2008)
4. ISO 11064-1 to -7: Ergonomic Design of Control Centres [S]
5. NUREG-0700, Rev. 2: Human-System Interface Design Review Guidelines [S] (2002)
6. EUR 2.10, Revision D: Instrumentation & Control and Human-Machine Interface [S]
7. URD, Revision 8, Volume III, Chapter 1: Overall Requirements [S]
8. HAF.J0055: Engineering Principles for Control Room Design of Nuclear Power Plants [S] (1995)
9. GB/T 22188.1-3: Ergonomic Design of Control Centres [S]
10. NB/T 20059: The Operator Controls in Control Rooms of Nuclear Power Plants [S] (2012)
11. IEC 60964: Nuclear Power Plants – Control Rooms – Design [S] (2009)
12. NUREG-0711, Rev. 3: Human Factors Engineering Program Review Model [S] (2012)
Application Analysis of Wireless Sensor Networks in Nuclear Power Plant
Zhiguang Deng, Qian Wu, Xin Lv, Biwei Zhu, Sijie Xu, and Xuemei Wang
National Key Laboratory of Science and Technology on Reactor System Design Technology, Chengdu 610213, China
Abstract. As a distributed network system, a wireless sensor network can reduce the cable routing workload of a monitoring system and cut back the impact of cable aging and termination faults during device use and maintenance in a nuclear power plant. It also contributes to the integration and miniaturization of equipment for automation and informatization in the nuclear power plant. However, its application is also subject to special and complex nuclear environments, such as strong gamma-ray and neutron irradiation, radio frequency interference and electromagnetic interference. This paper makes an in-depth analysis of the problems faced by wireless sensor networks in the nuclear power plant and provides corresponding feasible solutions for these problems, providing a basis for subsequent practical applications.
Keywords: Wireless sensor network · Nuclear environment · Anti-interference · Anti-irradiation · Low power consumption · Information security · Reliability
1 Introduction
As a new research field, wireless sensor networks (WSN) have attracted much attention around the world. The development of WSN originated from military applications such as battlefield monitoring. Today's wireless sensor networks are also used in many civilian fields, such as environmental and ecological monitoring, health monitoring, home automation and traffic control, and they have gradually been applied in nuclear power plants as well [1, 2]. Applying a wireless sensor network to a nuclear power plant can reduce the cable wiring workload and wiring cost of the monitoring system. The layout is flexible and convenient, and the number of nodes is large, which can effectively shorten the maintenance time of the device in the nuclear environment and improve the automation and information level of the device. Wireless sensors are highly maintainable and can be flexibly upgraded, replaced and added while the core structure of the nuclear device or the original sensor arrangement stays fixed, without significant impact on the infrastructure as technology or demand changes [3].
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 135–148, 2020. https://doi.org/10.1007/978-981-15-1876-8_15
The wireless environment of nuclear power plants has strongly specific characteristics, such as a complex compartment structure and the electromagnetic start-up of high-power electromechanical equipment, which interfere with the wireless transmission of wireless sensor networks. In addition, the wireless communication environment in some areas of nuclear power plants is a closed space with multiple metal barriers; there are many sensor nodes within close range, the electromagnetic environment is extremely complicated, multipath interference, multi-user interference and co-channel interference are serious, and the transmission delay is random. This paper proposes corresponding constructive measures for the problems faced by wireless sensor networks in nuclear power plant applications, and provides suggestions and basic conditions for subsequent implementation.
2 Wireless Sensor Network Architecture and Node Composition
The WSN consists of sensor nodes, a sink (aggregation) node and a management node, as shown in Fig. 1. The sensor node performs object monitoring and transmits the initially processed monitoring data to the sink node over multiple relay hops according to a specific routing protocol. The sink node acts as the interface between the sensor network and the external network, and implements communication between the wireless sensor network and the management node through network protocol conversion. The terminal user configures and manages the sensor network through the management node, issues monitoring tasks, and collects monitoring data.
Fig. 1. Wireless sensor network architecture (block diagram: sensor nodes in the perception scene, the sink node connected through the Internet, satellite or mobile network to the management node and the terminal users)
A typical wireless sensor node consists of a sensing module (sensor, signal processing circuit, A/D converter), a data processing module (microprocessor, memory), a communication module (wireless transceiver) and a power module [4], as shown in Fig. 2.
Fig. 2. Sensor node structure (block diagram: sense module with sensor and A/D converter; process module with processor and memory; communication module with transceiver and network interface; power module; optional positioning system and mobile system)
The sensing module senses and acquires object information in the monitoring area and converts it into a digital signal through the A/D converter; the data processing module controls and coordinates the work of each part of the node, and performs the necessary processing and storage of the data collected by the node and of the forwarded data; the communication module communicates with other sensor nodes, transmitting and receiving the collected data and exchanging control information; the power module provides the sensor node with the energy necessary for normal operation, and usually uses a miniature battery.
3 Application of Wireless Sensor Networks in Nuclear Power Plant
3.1 Application Status
At present, wireless technology has been initially applied in nuclear power plants. The following are some specific application cases. Comanche Peak nuclear power station is one of the first nuclear power plants in the United States to use wireless technology for voice and data communications and equipment condition monitoring. At present, a large number of equipment items in the Nuclear Island of Comanche Peak and elsewhere are equipped with wireless sensors for automatic state monitoring, such as vibration and temperature sensors, to monitor the status of the secondary-side pumps and motors [4, 5]. ANO installed a wireless signal access point and a wireless vibration monitoring system in the containment of its Unit 1, consisting of one or more remote units and a communication center. The system works well both when the plant is powered and when the fuel is exhausted. The system records vibration data at a frequency of 20 kHz twice a day and wirelessly transmits the data outside the containment. During the operation of the nuclear power plant, the ANO wireless vibration system develops maintenance plans and measures based on more than 2000 wireless monitoring point data on each fan. Prior to this, ANO had to develop a maintenance plan based on four data values at a time. Therefore, the use of this wireless vibration monitoring system greatly improves the reliability of equipment monitoring [5]. The San Onofre Nuclear Generating Station installed condition monitoring wireless sensors on many pumps in the power station in 2003, equipped with a Wi-Fi 802.11b network to transmit the data from the condition monitoring sensors. The wireless system provides sufficient warning for the plant to repair or replace these motors (if needed) during outages or low-power operation. Since the deployment of the wireless sensor system in 2003, no pump has failed during the operation of the plant, greatly reducing the cost of downtime and the maintenance costs of these motor pumps [5]. The High Flux Isotope Reactor (HFIR) at the Oak Ridge National Laboratory (ORNL) tested the potential of predictive or condition-based maintenance techniques to reduce maintenance costs, minimize the risk of catastrophic failures and maximize system availability by attaching wireless sensors to selected rotating equipment at HFIR. Figure 3 compares the vibration spectra obtained from the collected wired and wireless data (tested in the MRC Laboratory of the University of Tennessee). The results show that the frequency and amplitude of the wired and wireless vibration data signals are basically the same, which proves that the selected wireless monitoring system can be applied to the monitoring of reactor rotating equipment.
Fig. 3. Vibration spectrum data collected by wired and wireless systems (two panels, amplitude versus frequency from 0 to 160, for the vertical and horizontal directions, with the wired and wireless traces overlaid)
Based on the literature [4–11], the application status of wireless sensor technology in nuclear environment in China, the United States and the United Kingdom is summarized, as shown in Table 1.
Table 1. Application of wireless systems in nuclear power plants
Columns: Nuclear power plant | Type | Location | App1 … App6 (a √ marks an application in use)
Tian Wan | VVER | China | √ √
Daya Bay | PWR | China | √
Qinshan | PWR | China | √
TaiShan | EPR | China | √
SanMen | AP1000 | China | √
Beznau | PWR | Switzerland | √ √
Sizewell B | PWR | U.K. | √
ANO | PWR | USA | √ √
Browns Ferry | BWR | USA | √
Callaway | PWR | USA | √ √ √
Columbia | BWR | USA | √ √
Comanche Peak | PWR | USA | √ √ √ √
Crystal River | PWR | USA | √ √
Fermi 2 | BWR | USA | √ √ √ √
Fitzpatrick | BWR | USA | √ √
H.B. Robinson | PWR | USA | √
Peach Bottom | BWR | USA | √ √ √
San Onofre | PWR | USA | √
Shearon Harris | PWR | USA | √ √
South Texas Project | PWR | USA | √ √
Diablo Canyon | PWR | USA | √ √ √
Farley | PWR | USA | √ √ √ √
Note: App1: voice communication; App2: data communication; App3: equipment monitoring; App4: security monitoring; App5: radiation measurement; App6: heavy equipment manipulation.
3.2 Application Analysis
From the application status above, the main uses of wireless technology in nuclear power plants are voice communication, data communication, security monitoring, equipment condition monitoring, radiation measurement and heavy equipment operation, among which WSN is mainly used for equipment condition monitoring, radiation measurement, monitoring of related process variables (such as temperature, pressure and vibration) and so on. In these applications, WSN is not used in radiation environments, nor in safety, protection and control related systems. Strong electromagnetic interference (EMI), radio frequency interference (RFI) and multipath interference, network security, reliability, and the sensitivity of some instrumentation equipment to wireless signals are the difficulties faced by wireless sensor networks in nuclear environments. At the same time, the long service life of wireless sensor nodes is also a problem that must be solved. Next, we propose targeted solutions to these application difficulties.
4 Technical Feasibility Analysis
The use of wireless sensor network technology in nuclear power plants must solve the problems it faces in the nuclear environment, as analyzed above.
4.1 Anti-jamming Technology
4.1.1 Spread Spectrum Frequency Hopping
Spread spectrum modulation techniques were originally developed by the US military for anti-jamming applications. They occupy a large bandwidth by spreading the data transmission across the entire frequency band (the bandwidth occupied by the signal is much larger than the minimum bandwidth necessary for the transmitted information). The spreading of the band is accomplished by an independent code sequence, implemented through coding and modulation, and independent of the transmitted data. This spreading makes the transmitted signal less susceptible to noise, interference and snooping, and enables many users to share the same bandwidth without interfering with each other. Spread spectrum modulation includes direct sequence spread spectrum (DSSS) and frequency hopping spread spectrum (FHSS). DSSS spreads the baseband signal in the transmitter by multiplying it with a pseudo-noise (PN) sequence, and the receiver despreads it with the same sequence. FHSS uses the entire bandwidth (spectrum) but divides it into smaller subchannels; the sender and receiver work on each channel for a period of time and then move to another channel, to minimize the effect of electronic countermeasures. Wideband frequency hopping monitors, through the sensor node and in real time, the channel quality and interference of each channel at the current working frequency point, and decides from the monitoring result whether to switch channel or switch frequency point: if only a few channels near the current frequency point are not working properly, the unavailable channels are avoided through channel selection; if most of the channels cannot be used normally, a wideband frequency-hopping switch to another frequency point is performed.
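As an added example (not code from the paper), the DSSS mechanism of Sect. 4.1.1 in pure Python: an m-sequence PN code from an LFSR spreads each data bit over 31 chips, a strong in-band interferer that swamps every chip is rejected after despreading, and a receiver without the code (or without code timing) gets no processing gain. The polynomial, data bits and jammer amplitude are constructed assumptions.

```python
# Added example (not from the paper): direct sequence spread spectrum (DSSS) as described in
# Sect. 4.1.1. A maximal-length PN sequence spreads each data bit over 31 chips; the receiver
# correlates the received chips against the same sequence (despreading). A strong narrowband
# jammer that drives every individual chip positive is still rejected, because the correlation
# sums 31 chips coherently while the jammer only contributes once (the sequence is balanced).
# A receiver holding the code at the wrong phase, as a snooper or an unsynchronised node would,
# loses the processing gain and decodes the jammer instead of the data.


def lfsr_pn(taps, nbits, seed=1):
    """Return one period of a +1/-1 m-sequence from a Fibonacci LFSR.

    taps are the exponents of a primitive feedback polynomial, e.g. (5, 3)
    for x^5 + x^3 + 1, which gives a period of 2**5 - 1 = 31 chips.
    """
    state = [(seed >> i) & 1 for i in range(nbits)]   # state[-1] is the output stage
    chips = []
    for _ in range((1 << nbits) - 1):
        chips.append(1 if state[-1] else -1)
        feedback = 0
        for t in taps:
            feedback ^= state[t - 1]
        state = [feedback] + state[:-1]
    return chips


def spread(bits, pn):
    """Map each bit to +1/-1 and multiply it by the whole PN sequence (one symbol per bit)."""
    chips = []
    for b in bits:
        symbol = 1 if b else -1
        chips.extend(symbol * c for c in pn)
    return chips


def correlate(chips, pn):
    """Per-bit correlation of the received chips with the local PN replica (despreading)."""
    n = len(pn)
    return [sum(x * c for x, c in zip(chips[i:i + n], pn))
            for i in range(0, len(chips), n)]


def despread(chips, pn):
    """Hard decision on the sign of each correlation value."""
    return [1 if corr > 0 else 0 for corr in correlate(chips, pn)]


def add_narrowband_jammer(chips, amplitude):
    """Model a strong narrowband interferer as a constant (DC) term added to every chip."""
    return [x + amplitude for x in chips]


def naive_decode(chips, chips_per_bit):
    """A narrowband receiver that ignores the code and just integrates each bit period."""
    return [1 if sum(chips[i:i + chips_per_bit]) > 0 else 0
            for i in range(0, len(chips), chips_per_bit)]


# Constructed sample data (assumption, not from the paper).
PN = lfsr_pn((5, 3), 5)                  # 31-chip m-sequence, 16 ones and 15 minus-ones
DATA_BITS = [1, 0, 1, 1, 0, 0, 1, 0]
JAMMER_AMPLITUDE = 20                    # 20x the chip amplitude: every chip is driven positive


def demo():
    clean = spread(DATA_BITS, PN)
    jammed = add_narrowband_jammer(clean, JAMMER_AMPLITUDE)
    wrong_phase = PN[7:] + PN[:7]        # the code at the wrong phase: no despreading gain
    return {
        "pn_length": len(PN),
        "pn_balance": sum(PN),                            # +1: the sequence is balanced
        "clean_corr": correlate(clean, PN),               # +/-31: full processing gain
        "jammed_corr": correlate(jammed, PN),             # +/-31 + 20: decisions still right
        "despread_jammed": despread(jammed, PN),
        "naive_jammed": naive_decode(jammed, len(PN)),    # jammer wins: all ones
        "wrong_phase_corr": correlate(clean, wrong_phase),  # |corr| = 1: gain lost
        "wrong_phase_jammed": despread(jammed, wrong_phase),  # jammer wins again
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```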
4.1.2 Ultra-Wideband Communication Technology Ultra-wideband (UWB) communication technology is a new type of wireless communication technology based on IEEE 802.15.3 protocol. It is directly modulated by an impulse with very steep rise and fall times, giving the signal a bandwidth of the order of GHz. It is now used in low-cost, low-power, high-speed wireless multimedia applications and portable consumer electronic devices. UWB uses narrow RF pulses as the cornerstone of communication. Its performance is very different from traditional narrowband systems. Traditional RF systems use narrowband signals (continuous waveforms, high power, narrow bandwidth) to transmit/receive information. UWB systems use narrow pulses (sub-nanosecond duration, low power, ultra-wideband) to transmit and receive information, as shown in Fig. 4.
Fig. 4. The difference between the transmission signals of traditional RF systems and UWB systems ((a) traditional RF systems: power versus frequency, BW = kHz, a narrow peak well above the noise floor; (b) UWB systems: BW = GHz, low power spectral density spread close to the noise floor)
UWB technology has strong resistance to signal interference and tampering, is insensitive to channel fading, has a low power spectral density of the transmitted signal, good signal penetration in harsh environments, high channel capacity, inherent encryption through pulse coding, and high multipath resolution. The Massachusetts Institute of Technology Research Reactor (MITR) verified the superior transmission characteristics of UWB signals through field experiments [12]. For the nuclear power plant environment, with much equipment and limited space, its multipath resolution and strong signal penetration capability are great application advantages.
4.1.3 Separation Limits Between I&C Equipment and Wireless Devices
According to the test standards endorsed in US Nuclear Regulatory Commission (NRC) Regulatory Guide 1.180 (RG 1.180), in order to protect equipment sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI), the distance between such equipment and wireless devices must be appropriately managed and controlled [13, 14]. To provide at least 8 dB of margin between the transceiver emissions limit (4 V/m) and the recommended equipment susceptibility limit (10 V/m), a minimum transmitter exclusion distance should be maintained. The separation distance criterion is calculated by Eq. (1). The equation is based on a free-space propagation model that takes into account the transmission power, the antenna gain and the electric field strength at the desired exclusion distance boundary. This allows the isolation zone of the equipment to be identified, allowing smooth deployment of wireless sensor devices on site.

$$
d = \frac{\sqrt{30\,P_t\,G_t}}{E} \qquad (1)
$$

where E is the electric field strength (V/m), P_t the wireless output power (W), G_t the antenna gain and d the distance (m). By applying the separation distance criterion, combined with the measured electromagnetic environment of the nuclear facility and an appropriate choice of locations for the wireless access points and wireless gateways, it can be ensured that the wireless devices and the equipment in the nuclear environment do not interfere with each other.
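As an added worked example (not part of the paper), the 8 dB margin quoted above follows from the two field limits, and Eq. (1) gives the exclusion distance for a sample transmitter; the transmitter values $P_t = 0.1\ \mathrm{W}$ and $G_t = 1.64$ (a half-wave dipole) are assumptions.

$$
20 \log_{10}\frac{10\ \mathrm{V/m}}{4\ \mathrm{V/m}} = 20 \times 0.398 \approx 7.96\ \mathrm{dB} \approx 8\ \mathrm{dB}
$$

$$
d = \frac{\sqrt{30\,P_t\,G_t}}{E}
  = \frac{\sqrt{30 \times 0.1 \times 1.64}}{4\ \mathrm{V/m}}
  = \frac{\sqrt{4.92}}{4} \approx \frac{2.218}{4} \approx 0.55\ \mathrm{m}
$$

So, under the free-space model, a 100 mW transmitter with a dipole antenna must be kept at least about 0.55 m away from EMI/RFI-sensitive equipment for the field at that equipment to stay below the 4 V/m emissions limit; at the 10 V/m susceptibility limit the same transmitter would need only about 0.22 m, which is the 8 dB margin expressed as distance.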
4.1.4 Cognitive Wireless Anti-Jamming Based on Machine Learning
Machine learning-based cognitive radio technology is a new intelligent and reliable wireless communication technology. It uses machine learning to enable sensor terminal devices to sense, understand, learn and evaluate the surrounding electromagnetic environment, and to interact with and adapt to the wireless environment. The wireless background knowledge obtained in this way is used to adjust system decision parameters and transmission parameters in real time, achieving interference suppression and reliable wireless transmission. At the receiving end, through the monitoring, sensing and identification of the electromagnetic environment, interference is automatically perceived, identified and classified in the time, frequency, spatial, power and waveform domains, and the receiver takes the best anti-jamming measures according to the sensing and recognition results. Based on the sensing, identification and classification of the interference signals, the traditional spatial, time and frequency domain anti-interference methods, such as frequency hopping/spread spectrum (FHSS), antenna beamforming (BF) and time hopping, can be used more effectively to improve the anti-interference ability of the wireless sensor network [15–17].
4.2 Low Power Technology
4.2.1 Sleep/Wake Mechanism
Because of the special nature of the nuclear environment, the batteries of wireless sensors cannot be replaced frequently. Therefore, energy consumption is a core issue that must be considered in the design of wireless sensor networks. As integrated circuit processes advance, the power consumption of processors and sensor modules becomes very low. Figure 5 shows the energy consumption of each part of a wireless sensor node.
Fig. 5. Wireless sensor node energy consumption (bar chart of power consumption in mW for the sensor, the processor, and the communication module in its transmission, reception, idle and sleep states)
It can be seen from Fig. 5 that most of the energy of the sensor node is consumed in the wireless communication module; the communication module has four states, transmission, reception, idle and sleep, and its energy consumption is highest in the transmission, reception and idle states, while the sleep state consumes little energy. To reduce the energy consumption of sensor nodes in the nuclear environment, a wake-up mechanism based on a two-stage preamble can be designed. The preamble is divided into two parts: the former part is the group identifier, used to distinguish different groups, and the latter part is the intra-group identifier, used to distinguish different terminal nodes within the same group. When the wake-up cycle comes, all nodes wake up to receive the preamble. If a terminal node finds that its group does not match the group identifier in the preamble, it can immediately enter the dormant state, and its dormant time can be extended. If the group identifier matches, the node completes the reception of the entire preamble before deciding whether to enter the dormant state (Fig. 6).
Fig. 6. Wireless sensor low power wakeup flow chart (initialization; enter the working state or the power-saving mode, selected by SETA=1/SETA=0; on wake-up timeout enter the radio-frequency receiving state and search for the preamble; check whether the received data are correct; if correct, set AUX low and output the data over the serial port, set AUX high at the end of output, and enter the new working mode)
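The two-stage preamble check described above, as an added example that is not the paper's own code or firmware. The frame layout (one group-identifier byte, one intra-group identifier byte, then the payload), the base wake-up period, the bounded doubling of the sleep interval after a group mismatch and the broadcast identifier are all assumptions made for the illustration; the point it shows is that a node outside the addressed group keeps its radio on for only one byte of preamble.

```python
"""Two-stage preamble wake-up for a sensor node (added illustration, not the paper's code).

Assumed frame layout: one group identifier byte, one intra-group node
identifier byte, then the payload. On a wake-up the node first reads only the
group byte; on a mismatch it sleeps again at once and lengthens its sleep
interval; on a match it receives the rest of the preamble before deciding.
"""
from dataclasses import dataclass, field
from typing import List

BASE_SLEEP_MS = 1000      # assumed base wake-up period
MAX_SLEEP_MS = 8000       # assumed cap on the back-off
BROADCAST_NODE = 0xFF     # assumed "every node in the group" identifier


def build_frame(group_id: int, node_id: int, payload: bytes) -> bytes:
    """Preamble = group id byte + node id byte; payload follows (assumed layout)."""
    return bytes([group_id & 0xFF, node_id & 0xFF]) + payload


@dataclass
class SensorNode:
    group_id: int
    node_id: int
    sleep_ms: int = BASE_SLEEP_MS
    bytes_listened: int = 0          # radio-on cost proxy: preamble bytes received
    received: List[bytes] = field(default_factory=list)

    def on_wakeup(self, frame: bytes) -> str:
        """Handle one wake-up slot with `frame` on the air; return the decision."""
        if len(frame) < 2:
            return "sleep"                       # nothing valid to receive
        # Stage 1: read only the group identifier.
        self.bytes_listened += 1
        if frame[0] != self.group_id:
            # Not our group: back off (bounded doubling) and sleep immediately.
            self.sleep_ms = min(self.sleep_ms * 2, MAX_SLEEP_MS)
            return "sleep-early"
        # Stage 2: the group matched, so finish the preamble (intra-group id).
        self.bytes_listened += 1
        self.sleep_ms = BASE_SLEEP_MS            # traffic for our group: stay responsive
        if frame[1] not in (self.node_id, BROADCAST_NODE):
            return "sleep-after-preamble"
        self.received.append(frame[2:])
        return "receive"


def run_schedule(node: SensorNode, frames) -> List[str]:
    """Feed a sequence of on-air frames, one per wake-up, and collect decisions."""
    return [node.on_wakeup(f) for f in frames]
```

In `run_schedule` each element of `frames` is what the node hears in one wake-up slot; `bytes_listened` counts only preamble bytes and is the quantity the two-stage design is meant to keep small for nodes that are not addressed.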
4.2.2 Power Management
Node power management reduces node energy consumption by reducing the transmit power of the radio. In a wireless sensor network the nodes relay data to each other over multiple hops, and the communication radius of a node is generally larger than the distance needed to reach its neighbouring nodes. By reducing the transmit power and completing communication over several short hops, the spatial reuse of the network is improved and network throughput rises. If the transmit power drops too low, however, some nodes may become disconnected from the network. Therefore, for dynamic management of sensor resources, the transmit power of each node should be reduced as far as possible on the premise that bidirectional connectivity of the nodes in the network is maintained [4].
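A search for the lowest common transmit power that keeps every node bidirectionally connected, as an added example rather than anything from the paper or reference [4]. The node coordinates, the log-distance path-loss model with its exponent and reference loss, and the receiver sensitivity are assumed placeholders; a link counts only if it closes in both directions, which with one common power setting makes the graph symmetric.

```python
"""Minimum common transmit power keeping a sensor network bidirectionally connected.

Added example, not from the paper. Assumptions: node positions in metres,
log-distance path loss with exponent n and reference loss pl0_db at d0_m,
a receiver sensitivity threshold, and the same transmit power on every node.
"""
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]


def path_loss_db(d_m: float, n: float = 3.0, d0_m: float = 1.0, pl0_db: float = 40.0) -> float:
    """Log-distance path loss; constants are assumed placeholders for a plant hall."""
    return pl0_db + 10 * n * math.log10(max(d_m, d0_m) / d0_m)


def link_ok(p_tx_dbm: float, a: Point, b: Point, sens_dbm: float = -85.0, n: float = 3.0) -> bool:
    """Received power at b from a must reach the sensitivity threshold."""
    return p_tx_dbm - path_loss_db(math.dist(a, b), n) >= sens_dbm


def is_connected(nodes: Sequence[Point], p_tx_dbm: float, sens_dbm: float = -85.0, n: float = 3.0) -> bool:
    """Depth-first search over links that close in BOTH directions."""
    if not nodes:
        return True
    seen = {0}
    stack = [0]
    while stack:
        i = stack.pop()
        for j in range(len(nodes)):
            if j in seen:
                continue
            if link_ok(p_tx_dbm, nodes[i], nodes[j], sens_dbm, n) and \
               link_ok(p_tx_dbm, nodes[j], nodes[i], sens_dbm, n):
                seen.add(j)
                stack.append(j)
    return len(seen) == len(nodes)


def min_connected_power(nodes: Sequence[Point], p_min: float = -20.0, p_max: float = 20.0,
                        step: float = 0.5, sens_dbm: float = -85.0, n: float = 3.0) -> Optional[float]:
    """Lowest power on the p_min..p_max grid that keeps the network connected.

    Connectivity is monotone in power, so the first connected grid point is
    the answer; None means even p_max cannot connect every node.
    """
    steps = int(round((p_max - p_min) / step))
    for k in range(steps + 1):
        p = p_min + k * step
        if is_connected(nodes, p, sens_dbm, n):
            return p
    return None


def neighbours_at(nodes: Sequence[Point], i: int, p_tx_dbm: float, sens_dbm: float = -85.0, n: float = 3.0) -> List[int]:
    """Indices reachable from node i in both directions at the given power."""
    return [j for j in range(len(nodes)) if j != i
            and link_ok(p_tx_dbm, nodes[i], nodes[j], sens_dbm, n)
            and link_ok(p_tx_dbm, nodes[j], nodes[i], sens_dbm, n)]
```

With the assumed model a chain of nodes 10 m apart needs about -15 dBm, and at that setting each interior node hears only its two chain neighbours, which is the spatial reuse the text refers to; adding one distant node forces the whole network up to the power that node needs, which is the argument for per-node rather than global power control.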
Z. Deng et al.
4.3 Wireless Coexistence Measures
With the growing deployment of various kinds of wireless sensor devices in nuclear power plants, coexistence of wireless sensors with other devices and with each other also becomes a problem. The first step in solving it is to identify which wireless protocols have the inherent characteristics that allow coexistence, and to verify that the protocol has appropriate methods to avoid interference, such as channel selection and RF spectrum sensing, to detect or avoid colliding transmissions. If interference does occur, there should be a mechanism to detect and correct the error, or a mechanism to return a negative acknowledgement and request retransmission. Ensuring that these features are built into the device's wireless protocol makes the next step of the coexistence process easier [14]. The second step is to evaluate the coexistence of the selected equipment with the other wireless networks used in the nuclear power plant. By examining the protocol specifications, reports of the IEEE standards committees and similar documents, the frequency bands and channels on which the respective protocols can coexist are determined. For example, Fig. 7 shows the overlapping channels of several 2.4 GHz wireless protocols, including Bluetooth, ZigBee and Wi-Fi. After a protocol has been selected and its coexistence evaluated on paper, coexistence testing between devices is still required. Such testing is critical because even devices that follow the same wireless protocol can differ widely in performance when they come from different manufacturers: some devices only meet the minimum requirements of the protocol, while others improve their performance with intelligent algorithms and other measures. Once the test is completed and the result verified to be acceptable, the wireless sensor equipment can be installed in the nuclear power plant.
At the same time, spectrum management for the wireless networks of the whole nuclear power plant should be carried out so that subsequently installed equipment and wireless installations do not adversely affect the operation of the existing wireless equipment.
Fig. 7. Overlapping channels of 2.4 GHz wireless protocols (Bluetooth: 79 channels of 1 MHz from 2402 MHz to 2480 MHz; ZigBee: channels 11–26, 2 MHz wide, from 2405 MHz to 2480 MHz; Wi-Fi: 22 MHz channels, with channels 1, 6 and 11 centred at 2412, 2437 and 2462 MHz)
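The paper-stage overlap check that Fig. 7 illustrates, carried out in code as an added example (not from the paper or reference [14]). The channel plans are the public ones: IEEE 802.15.4 channels 11–26 are 2 MHz wide on a 5 MHz raster from 2405 MHz, 802.11b/g channels 1–13 are 22 MHz wide on a 5 MHz raster from 2412 MHz, and Bluetooth hops over 79 one-MHz channels from 2402 MHz. A band-edge test is all this does; as the text says, it does not replace on-site coexistence testing between the actual devices.

```python
"""Band-edge overlap between 2.4 GHz channel plans (added example, not from the paper).

Channel centres follow the published plans: 802.15.4 channel k at
2405 + 5*(k-11) MHz (2 MHz wide), 802.11 channel k at 2412 + 5*(k-1) MHz
(22 MHz wide, channels 1..13), Bluetooth channel k at 2402 + k MHz (1 MHz).
"""
from typing import Dict, List, Tuple

Band = Tuple[float, float]   # (low edge MHz, high edge MHz)


def zigbee_band(k: int) -> Band:
    if not 11 <= k <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are 11..26")
    c = 2405 + 5 * (k - 11)
    return (c - 1.0, c + 1.0)


def wifi_band(k: int) -> Band:
    if not 1 <= k <= 13:
        raise ValueError("802.11 channels 1..13 share the 5 MHz raster")
    c = 2412 + 5 * (k - 1)
    return (c - 11.0, c + 11.0)


def bluetooth_band(k: int) -> Band:
    if not 0 <= k <= 78:
        raise ValueError("Bluetooth hop channels are 0..78")
    c = 2402 + k
    return (c - 0.5, c + 0.5)


def overlaps(a: Band, b: Band) -> bool:
    """Strict test: bands that merely touch at an edge do not overlap."""
    return a[0] < b[1] and b[0] < a[1]


def clear_zigbee_channels(wifi_channels=(1, 6, 11)) -> List[int]:
    """802.15.4 channels that avoid every listed Wi-Fi channel."""
    wifi = [wifi_band(k) for k in wifi_channels]
    return [k for k in range(11, 27) if not any(overlaps(zigbee_band(k), w) for w in wifi)]


def overlap_map(wifi_channels=(1, 6, 11)) -> Dict[int, List[int]]:
    """For each Wi-Fi channel, the 802.15.4 channels that collide with it."""
    return {w: [k for k in range(11, 27) if overlaps(zigbee_band(k), wifi_band(w))]
            for w in wifi_channels}


def bluetooth_channels_hit_by(wifi_channel: int) -> int:
    """How many of the 79 hop channels fall inside one Wi-Fi channel."""
    w = wifi_band(wifi_channel)
    return sum(overlaps(bluetooth_band(k), w) for k in range(79))
```

With the usual non-overlapping Wi-Fi set 1/6/11, only 802.15.4 channels 15, 20, 25 and 26 are free of Wi-Fi energy on paper, and a single 22 MHz Wi-Fi channel covers 22 of the 79 Bluetooth hop channels; a plant-wide spectrum plan would start from numbers like these and then confirm them by measurement.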
4.4 Information Security
Security considerations always come first in the nuclear environment. Because the transmission medium of a wireless channel is open, wireless sensor systems are exposed to external malicious attacks. Wireless technology has not yet been applied in the 1E and non-1E control systems of nuclear power plants, partly out of concern for network security. Practical experience suggests that this concern is somewhat conservative: research and industrial application experience at home and abroad show that a wireless sensor network using current security technology is no less secure than a wired network. At present the security of wireless sensor networks is assured mainly through the following technologies [11, 18–21].
(1) Data encryption. Symmetric-key protection uses the same key at both ends: the sender encrypts the data and attaches authentication information computed with the key, and the receiver verifies the authentication information and decrypts the data with the same key. These algorithms are compact, fast and low in energy consumption, which makes them well suited to small wireless sensor platforms.
(2) Authorization mechanism. Authentication must take place before a connection is established, to prevent unauthorized devices from joining the network. At the same time, keys must be changed dynamically so that the authorization mechanism remains secure. The latest approach is one-time key distribution over an out-of-band channel such as infrared transmission.
(3) Channel fault tolerance. The complex electromagnetic environment of a nuclear facility may interfere with normal wireless communication, so the channel is often degraded. The communication protocol must be able to detect and adapt to packet loss and must be able to resynchronize communication.
(4) Federal Information Processing Standard (FIPS) 140-2 compliance verification. The U.S. Department of Defense requires all military wireless systems to pass FIPS 140-2 compliance verification. FIPS 140-2 conformance verification is of great significance for the security of wireless applications in the nuclear environment; note that FIPS 140-2 validates the cryptographic module, so the protocol and key management built around it still have to be assessed separately.
(5) Network diversity and hierarchical structure. For security and scalability, isolated and layered networks can be deployed. Sensitive information is placed on protected network segments that carry no non-sensitive information, and the least sensitive information is located nearest to the network boundary.
4.5 Anti-irradiation Measures
In the nuclear environment the main threat to electronic components and devices is gamma radiation (energy around 1 MeV). Shielding and the selection of radiation-resistant chips are pursued in parallel in the anti-radiation design of the node. The radiation resistance work is organized as follows (Fig. 8).
Fig. 8. Radiation protection design of sensor node (replaceable node electronic components: radiation shielding, use of components with good radiation resistance; non-replaceable node electronic components: analysis of non-radiation-resistant components, radiation fault-tolerant technology, passivation film on the radiation-resistant surface)
Starting from a comparison with conventional materials, the radiation shielding capability of composite materials is first verified from the materials themselves by analysing the properties of composites with a shielding effect. The important parameters of the material and structural design are then determined by numerical calculation and Monte Carlo simulation, and corresponding experimental modules are built, as shown in Fig. 9.
Fig. 9. Shielded housing
Special circuit designs, for example built from discrete components, are used to implement special functional modules that replace devices or chips with poor radiation resistance, and radiation fault-tolerance techniques are adopted for the components that have specific requirements and cannot be replaced. At the same time, triple modular redundancy (TMR) can be used to mask radiation-induced errors and detect faults; once a fault is found it can be located promptly and dealt with, which reduces the probability of a second, coincident failure.
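The TMR voting and fault localisation just described, as an added software example (not the paper's design, which applies TMR in hardware). Three channels each produce a 16-bit word; the voter masks a single disagreeing channel bit by bit and reports which channel disagreed, and a monitor counts disagreements per channel so a persistently faulty channel can be flagged for replacement before a second fault coincides with it. The channel values and the disagreement threshold are constructed for the illustration.

```python
"""Triple modular redundancy: bit-wise majority vote plus fault localisation.

Added example, not from the paper. Words are 16-bit values from three
redundant channels; the voter masks a single-channel upset and names the odd
channel out, and the monitor accumulates per-channel disagreements.
"""
from typing import List, Optional, Sequence, Tuple


def majority(a: int, b: int, c: int) -> int:
    """Bit-wise 2-of-3 majority; masks a single-channel upset in any bit."""
    return (a & b) | (a & c) | (b & c)


def vote(words: Sequence[int]) -> Tuple[int, Optional[int], bool]:
    """Return (voted value, index of the odd channel or None, unreliable flag).

    If two or three channels disagree with the vote no single channel can be
    blamed; the bit-wise majority is still returned but flagged unreliable,
    because two coincident faults can outvote the good channel.
    """
    a, b, c = words
    v = majority(a, b, c)
    diff = [i for i, w in enumerate(words) if w != v]
    if not diff:
        return v, None, False
    if len(diff) == 1:
        return v, diff[0], False
    return v, None, True


class TmrMonitor:
    """Counts per-channel disagreements so a faulty channel can be located and repaired."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.errors = [0, 0, 0]
        self.unreliable = 0
        self.history: List[int] = []

    def step(self, words: Sequence[int]) -> int:
        v, odd, multi = vote(words)
        if odd is not None:
            self.errors[odd] += 1
        if multi:
            self.unreliable += 1
        self.history.append(v)
        return v

    def suspect(self) -> Optional[int]:
        """Channel whose disagreement count reached the threshold, if any."""
        worst = max(range(3), key=lambda i: self.errors[i])
        return worst if self.errors[worst] >= self.threshold else None

    def reset_channel(self, i: int) -> None:
        """Call after the channel has been replaced or repaired."""
        self.errors[i] = 0
```

The `unreliable` counter is the caveat the text's "second failure" refers to: once two channels are wrong at the same time, majority voting can no longer distinguish the good channel, which is why the first detected fault should be repaired promptly rather than left masked.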
Finally, radiation shielding can be studied at the surface of components that are vulnerable to radiation, such as chips, using surface passivation layers with strong radiation resistance, such as Al2O3, Si3N4 and phosphosilicate glass films, as well as multi-layer composite films of these with SiO2.
5 Conclusion
Wireless sensor networks have unique advantages for application in the nuclear environment, but they also face a number of technical challenges, and only by solving these challenges one by one can they be truly applied there. Existing research has taken corresponding measures on several key technical points, and wireless sensor networks have gradually been applied in the non-safety systems of nuclear facilities, but not yet in safety systems. With the further development and maturing of wireless sensor technology, wireless sensors and networks will be used more and more in the nuclear environment.
References
1. Ning, L.: Research on hotspots of wireless sensor networks. Comput. Dev. Appl. 24(9), 1–3 (2011)
2. Junfeng, S., Xianxin, Z., Shuai, C., et al.: Analysis of the structure and characteristics of wireless sensor networks. J. Chongqing Univ. 28(2), 16–19 (2005)
3. Budampati, R., Kolavennu, S.: Wireless sensor networks for the monitoring and control of nuclear power plants. Ind. Wirel. Sens. Netw., 125–154 (2016)
4. Xinghong, S.: Research on Some Key Technologies of Wireless Sensor Networks. Nanjing University of Technology (2013)
5. Dillard, C.L., Ewing, P.D., Kaldenbach, B.J., et al.: Assessment of wireless technologies and their application at nuclear facilities (2006)
6. Daowei, B., Junwu, Z.: Application of wireless technology in nuclear power plants and its key issues. Autom. Instrum. 31(09), 47–53 (2010)
7. Xinbo, Z.: Tianwan nuclear power station wireless monitoring case. China Public Safety (Market Edition) 01, 118–119 (2007)
8. Dillard, C.L., Ewing, P.D., Kaldenbach, B.J., et al.: Assessment of wireless technologies and their application at nuclear facilities (2006)
9. Hashemian, H.M.: Wireless sensors for predictive maintenance of rotating equipment in research reactors. Ann. Nucl. Energy 38(2–3), 665–680 (2011)
10. García-Hernández, J., García-Hernández, C.F.: An analysis of implementing wireless LAN technology in nuclear power plants. In: Electronics, Robotics and Automotive Mechanics Conference (CERMA '08), Morelos, pp. 116–121 (2008)
11. Li, D.: Analysis of wireless network security of AP1000 nuclear power plant. Instrum. Users 26(06), 66–68 (2019)
12. Nekoogar, F.: A robust wireless communication system for harsh environments including nuclear facilities (2017)
13. Ye, S.H., Kim, Y.S., Lyou, H.S., et al.: The applications of wireless technology for operating nuclear power plants. In: International Conference on Control. IEEE (2014)
14. Kiger, C.J., Shumaker, B.D.: Managing the electromagnetic compatibility and wireless coexistence concerns for the implementation of existing and future wireless technologies in nuclear power plants. In: Future of Instrumentation International Workshop. IEEE (2012)
15. Bkassiny, M., Li, Y., Jayaweera, S.K.: A survey on machine-learning techniques in cognitive radios. IEEE Commun. Surv. Tutor. 15(3), 1136–1159 (2013)
16. Jayaweera, S.K.: Machine learning in cognitive radios. In: Signal Processing for Cognitive Radios, pp. 768–770. Wiley Telecom (2015)
17. Kao, C.-H., Robertson, C.: An improved Link-16/JTIDS receiver in pulse-noise interference. In: IEEE MILCOM 2011, pp. 341–346 (2011)
18. Kim, S., Lim, H., Lim, S., Shin, I.: Study on cyber security assessment for wireless network at nuclear facilities. In: 2018 6th International Symposium on Digital Forensic and Security (ISDFS), Antalya, pp. 1–5 (2018)
19. Braina, F., Joao, G., Matthew, H., et al.: Wireless communications for monitoring nuclear material processes, Part II: wireless in-plant data transmission (2008)
20. Hwang, J., Kim, Y.: Revisiting random key pre-distribution schemes for wireless sensor networks. In: ACM Workshop on Security of Ad Hoc & Sensor Networks (2004)
21. Čapkun, S., Hubaux, J.P.: Mobility helps security in ad hoc networks (2003)
Development and Application of Intelligent Platform for Collaborative Electrical Design of Nuclear Power
Chao Guo(&), Yu Zhang, Xin-Wei Xu, Jia-Kun Hu, and Xiao-Fen He
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, Guangdong Province, China
[email protected]
Abstract. Faced with the complexity of electrical design work and the electronic transfer of design results in nuclear power engineering projects, it is necessary to take the whole life cycle of the project into account and to understand the value of data collaboration across the stages of engineering design, procurement, construction, startup, operation and maintenance. The collaborative design between the electrical specialty and other specialties, together with the characteristics of electrical design itself, must be considered comprehensively in order to construct an integrated platform for electrical design coordination. The target is an intelligent platform covering all electrical design functions, such as engineering design, high voltage main wiring design, medium and low voltage system design, electrical secondary design and plane design, with interfaces to other systems such as the 3D design software (PDMS, Plant Design Management System) and the cable routing system (CRS), forming a digital electrical design platform with professional engineering, work coordination, knowledge management, system standardization and automatic drawing. It thoroughly solves the problems of scattered design work, inconsistent data and inconvenient multi-specialty collaboration in electrical design.
Keywords: Nuclear power; Electrical design; Data collaboration; Automatic drawing; Intelligent platform
1 Introduction
At present, with the popularization of three-dimensional technology in the design of factories and power plants and the continuous development of network and information technology, how to use new technologies in the construction of nuclear power plants to achieve digital design and improve the overall level of plant information management has become one of the focal points of power plant design. Digital design takes the data flow and information flow as its main line, based on unified standards and norms. It provides a standard, unique and authoritative data source for the whole process of nuclear power plant engineering design, equipment procurement, construction and startup (EPCS) [1], and its management runs through the full life cycle of the power plant in digital form. With the development of national energy construction, the digital handover of nuclear power plants has become a necessary task for design institutes [2]. Electrical design is an important part of the digital nuclear power plant. Establishing the connection between every link of electrical design, assisting the efficient completion of the design so as to form a complete electrical system model, and using three-dimensional plant design software to combine the logical relationships of the system with the three-dimensional model can not only greatly improve design efficiency and produce high-quality design results but also form a more comprehensive digital nuclear power plant that extends over the full life cycle of construction, operation and maintenance of the plant.
© Springer Nature Singapore Pte Ltd. 2020. Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 149–161, 2020. https://doi.org/10.1007/978-981-15-1876-8_16
2 Electrical Design Platform
2.1 Project Information
The Design Institute of China Nuclear Power Engineering Company (CNPEC) began building the collaborative electrical design platform in 2016. It took two years and two months to complete and was put into operation in 2018. The platform consists of independent electrical design software and AutoCAD, and includes six function modules: platform management, engineering design, high-voltage main wiring design, medium and low voltage system design, electrical secondary design and plane design [3]. It has four interfaces, with the design production management platform, VPE, PDMS and CRS. The platform integrates digital tools for main wiring design, system design, lightning protection and grounding design, lighting design, schematic design and terminal diagram design. At present it is the most advanced collaborative design platform for the electrical specialty in the design institute.
2.2 Construction Objectives
To build a unified collaborative electrical design platform, the following goals are achieved by means of tool digitalization and integration, electronic process management, structured data organization, seamless information transfer through interfaces and intelligent application of knowledge: (1) controllability of the design process and traceability of design results, which improves design quality; (2) collaboration among the design specialties, a single source of data, and sharing of data and knowledge, which improve design efficiency and quality [4]; (3) effective collection and intelligent application of regulations, standards and the knowledge of senior design experts, which standardizes the design work, while verification and automation improve design efficiency.
2.3 Features of Electrical Design Platform
With the development and implementation of the system, a new generation of electrical engineering design platform has been constructed on the basis of an electrical engineering data model. By analysing the data models of the various specialties and stages of electrical design and taking full account of the business logic, a standard model of electrical engineering design is formulated systematically. On this basis, design modules including main wiring, auxiliary power supply, lighting, lightning protection and grounding, and secondary design are realized, covering all aspects of power generation electrical design, and the specialties and design stages are linked together seamlessly to build a complete business logic system of electrical design and realize the data process of multi-specialty electrical design. Automatic and accurate data transfer makes the electrical design process an organic whole. The platform is a complete digital system for primary and secondary design and for management of the overall business. All business modules are planned, developed and standardized in a unified way with unified data, shared globally and linked in real time, which provides a strong and complete basis for digital design.
3 Platform Technical Scheme and Functions
The collaborative electrical design platform is built on the principle of unified planning and step-by-step construction. In the initial stage, the complete professional requirements are analysed systematically and a unified, sound basic data platform is established; on this basis the professional design modules are built up gradually. For data storage, the platform takes a large-scale network database as the physical storage structure and establishes a complete, unique and standard data source for electrical engineering design, so that all data are stored in one place. For data access, a standard data access layer normalizes the way data are accessed. Together these measures avoid the information islands of heterogeneous databases and achieve seamless data transfer through the electrical design process.
3.1 System Architecture
The electrical design platform integrates the electrical design process with the professional software process, shares design information by digital means, automates the design and makes the design process and results visible and controllable. The project is developed on a C/S architecture. The server side uses the enterprise-level Microsoft SQL Server network database; through a unified engineering database and coding system, information is passed between the various design processes. The electrical design functions run on the AutoCAD platform and are developed in C++ against the ObjectARX class library. The business logic layer and the user interface layer of the platform are developed in a combination of C# and C++. The goal of the project is a unified and standardized design data management system; on that basis, dedicated data transmission channels and data browsing tools are built to provide complete and secure data support for engineering information services and digital handover. The platform framework adopts a layered architecture with a clear logical hierarchy and a unified access interface for future business expansion, and it supports the addition of hardware when the business grows, which eases software upgrades and interfacing with other systems [5] (Fig. 1).
Fig. 1. System architecture of electrical design platform
3.2 Platform Application Framework
The collaborative platform for electrical design of nuclear power adopts the C/S architecture: the platform and engineering data are managed as a whole on the server side and the business functions are realized on the client side. With the engineering database as its core, the electrical system model and the layout model are integrated to suit the system-level and logical characteristics of electrical design, while the collaboration and sharing of the three-dimensional plant design model are also taken into account [6]. The design process is data-driven and automated so that one modification propagates through multiple linkages, and a digital design system based on integrated power plant design is established. Horizontally, the automation process runs through the whole design process; vertically, the behaviour of each link is regulated. The electrical platform thus carries the complete design operating system and the standardization of the electrical specialty.
The platform mainly realizes the following functions and applications: (1) task management, including task distribution, task management and the link to the "Editing, Checking, Examining and Approving" process of the design production management system; (2) tool integration and digitization, covering main wiring design, system design, secondary design and lighting design; (3) unified storage and data sharing of engineering data, the equipment library, the graphics library and documents; (4) collaboration among design specialties: primary design collaboration, secondary design collaboration, primary and secondary design collaboration, and collaboration with VPE, PDMS and other systems; (5) integrated application of unified standards, regulations and knowledge, including basic data, typical schemes, coding rules, etc. (Fig. 2).
Fig. 2. Platform layers and applications framework
3.3 Function Modules
See Table 1.
Table 1. Platform function modules (submodules from [7])
Platform management modules
  Platform management: Engineering Project Management; User and Rights Management
  Basic data management: Typical Library Management of Selection Rules; Typical Library Management of Coding Rules; Equipment Material Library Management; Graphic Legend Management; Voltage Level Management
  Engineering data management: Distribution Cabinet's Analog and Digital Configuration; Engineering Equipment Library; Unit Number Management; System Number Management; Room Number Management; Load Management; Cable Management
Design modules
  Main wiring design: Drawing of Main Wiring; Equipment Definition; Equipment Selection and Verification
  Medium and low voltage system design: Load Distribution; Equipment Selection and Verification; Wiring Distribution; Design and Automatic Generation of System Diagram; Graph and Data Synchronization; Equipment Material Statistics
  Plane design: Equipment Layout; Wiring Layout; Lighting System; Lightning Protection Design and Grounding Design
  Secondary design: Schematic Diagram Design; Terminating Diagram Design; Primary and Secondary Design Relevance; Calculation and Verification
Interface modules
  Interfaces: CRS Cable Design Interface; VPE Load Information Interface; PDMS Lighting Room Interface; Interface with Task Distribution System
Design aiding
  Drawing tools: Text Tool; Graphics Tool; Form Tool
4 Platform Application and Advantages
4.1 User Rights Management
User rights in the electrical design platform are described in three dimensions: basic information management, design role and specialty. (1) Administrator/Non-administrator: the administrator has the privileges of basic data management, public configuration, etc. (2) Main designer/Common designer: the main designer has the authority for project configuration, task distribution management, etc. (3) High voltage/Primary/Secondary design: the different specialty permissions correspond to different design module permissions. The three dimensions of rights are combined to form a user's permissions for specific functions. As Fig. 3 shows, the platform's data are divided into three types: the Project Database, the Public Equipment Database and the Public Equipment Gallery. Design engineers can read and modify the Project Database, but can only read the Public Equipment Database and the Public Equipment Gallery. The system administrator can perform all operations (reading, modifying, deleting, etc.) in all three databases. The design data administrator can read, modify and delete in the Public Equipment Database and the Public Equipment Gallery (Fig. 3).
Fig. 3. Data type and access or modification rights
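The rights matrix of Sect. 4.1 written out as an authorization check, as an added example that is not the platform's code. It encodes exactly the data-store rights the text states (design engineers read and modify the Project Database but only read the two public stores; the design data administrator reads, modifies and deletes in the two public stores; the system administrator may do everything) and the three permission dimensions (administrator or not, main or common designer, specialty), with specialty gating the design modules of Table 1 and main designers additionally receiving project configuration and task distribution. The module names, the mapping of specialties to modules and the deny-by-default rule are assumptions; the paper does not state what happens for an unlisted combination, and deny-by-default is the least-privilege reading.

```python
"""Role-combination authorization for the platform's three data stores and modules.

Added example, not the platform's code. Data rights follow the text; module
names and the specialty-to-module mapping are assumptions; anything not
granted explicitly is denied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

PROJECT_DB = "project_db"
PUBLIC_EQUIP_DB = "public_equipment_db"
PUBLIC_GALLERY = "public_equipment_gallery"
READ, MODIFY, DELETE = "read", "modify", "delete"

# Data-store rights per data role, as the text lists them.
DATA_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "system_admin": {
        PROJECT_DB: {READ, MODIFY, DELETE},
        PUBLIC_EQUIP_DB: {READ, MODIFY, DELETE},
        PUBLIC_GALLERY: {READ, MODIFY, DELETE},
    },
    "design_data_admin": {
        PUBLIC_EQUIP_DB: {READ, MODIFY, DELETE},
        PUBLIC_GALLERY: {READ, MODIFY, DELETE},
    },
    "design_engineer": {
        PROJECT_DB: {READ, MODIFY},
        PUBLIC_EQUIP_DB: {READ},
        PUBLIC_GALLERY: {READ},
    },
}

# Assumed mapping of the specialty dimension onto Table 1's design modules.
SPECIALTY_MODULES: Dict[str, Set[str]] = {
    "high_voltage": {"main_wiring_design"},
    "primary": {"mlv_system_design", "plane_design"},
    "secondary": {"secondary_design"},
}
MAIN_DESIGNER_EXTRA = {"project_configuration", "task_distribution"}
ADMIN_EXTRA = {"basic_data_management", "public_configuration"}


@dataclass(frozen=True)
class User:
    name: str
    data_role: str                          # system_admin | design_data_admin | design_engineer
    main_designer: bool = False
    specialties: FrozenSet[str] = frozenset()


def may_access_data(user: User, store: str, op: str) -> bool:
    """Deny unless the user's data role explicitly grants `op` on `store`."""
    return op in DATA_RIGHTS.get(user.data_role, {}).get(store, set())


def allowed_modules(user: User) -> Set[str]:
    """Union of the three dimensions: specialty, main-designer, administrator."""
    allowed: Set[str] = set()
    for s in user.specialties:
        allowed |= SPECIALTY_MODULES.get(s, set())
    if user.main_designer:
        allowed |= MAIN_DESIGNER_EXTRA
    if user.data_role == "system_admin":
        allowed |= ADMIN_EXTRA
    return allowed


def may_use_module(user: User, module: str) -> bool:
    return module in allowed_modules(user)


def effective_permissions(user: User) -> Dict[str, object]:
    """Flattened view for reviewing whether an account exceeds its job's needs."""
    data = {s: sorted(ops) for s, ops in DATA_RIGHTS.get(user.data_role, {}).items()}
    return {"data": data, "modules": sorted(allowed_modules(user))}


def excess_rights(user: User, needed_modules: List[str]) -> List[str]:
    """Modules granted but not in the user's stated task list (least-privilege check)."""
    return sorted(allowed_modules(user) - set(needed_modules))
```

`excess_rights` is the review step a platform administrator would run periodically: a common designer with two specialties who only works in one of them holds modules the paper's dimension model grants but the job does not need.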
4.2 Intelligent Applications
The platform software covers the whole content of electrical design and is a milestone for nuclear power electrical design. It fundamentally promotes the upgrading of electrical design technology within the company and pushes electrical design to a new level in process automation, design intelligence, operation standardization, refinement of results and so on, and it significantly improves design efficiency and design quality for the electrical specialty across the whole design institute. To achieve the intelligent application of the platform, the basic data must be configured and the collaborative platform managed according to standards and rules, including the following. (1) Equipment material management: equipment is classified into the preset types according to voltage and function, and newly required component materials are added. (2) Graphic data management: the graphic data needed for plane design, including legend symbols, typical loop schemes and the typical graphics libraries of the different specialties. (3) Integration and management of selection rules: modules are configured according to the manufacturer's cabinet types, and the different types of equipment are allocated according to the design planning and technical constraints; the selection rules configure typical scheme selection, component selection and cable selection for each sub-item of the project. (4) Coding rules management: for medium and low voltage systems these cover cabinets, circuits, cables, etc.; for lighting systems, circuit coding rules, equipment coding rules, cable coding rules, etc.; for electrical secondary systems, equipment coding rules, cable coding rules, etc. (5) Drawing style management: this module mainly covers the configuration of medium and low voltage drawing style, component marking style, bus drawing style, etc. Once the basic data have been configured, main wiring design, medium and low voltage system design, electrical secondary design, plane design and so on can proceed. For medium and low voltage system design, we first configure the equipment material library and the legend library in the platform management module.
Secondly, we set the selection rules according to the needs of the nuclear power plant's electrical design, then manage the loads on the platform and distribute the electrical load. Thirdly, we design the wiring relationships of the electrical systems and configure the group cabinets and group boxes. Once the cabinets are configured, the electrical system drawings can be produced automatically. Figure 4 shows the typical workflow of an electrical design process on the collaborative platform: after all basic data have been entered, the selection rules chosen, the electrical loads managed and distributed, the electrical systems linked and the group cabinets configured, the system drawings are produced automatically (Fig. 5).
Fig. 4. Typical workflow of electrical design
The software provides abundant typical design libraries for main wiring from which a general main wiring scheme can be retrieved, previewed and invoked directly, together with an open graphics library with an expansion interface, so that designers can freely add commonly used main wiring schemes and combine the typical schemes flexibly according to voltage level. Circuits and components are edited together: insertion, deletion and replacement do not need precise positioning, because the circuit is re-processed automatically, the equipment is marked automatically and the equipment list is generated automatically. Load information can be imported in batches and the drawing style set, after which the system wiring diagram is generated automatically together with a data comparison between editions.
Fig. 5. Automatic drawing and version comparison
4.3 Platform Advantages
The intelligent platform for collaborative electrical design that we developed has the following advantages. (1) Unique data flow technology: from system design to plane design, from calculation to verification, from two-dimensional to three-dimensional design, the data flow technology of the software integrates all the data needed in the whole design process, and the data flow automatically from one link to the next. This data collaboration greatly simplifies data input, avoids human errors and improves drawing speed and design quality. (2) Intelligent expert design system: the software is an expert design system whose function modules embody design experience; it completes the transformation from assisted drawing to assisted design and meets the needs of electrical engineers at the level of intelligent assisted design, improving design efficiency and quality and promoting the standardization of the design process. (3) Modeling and parameterization: the platform describes electrical design objects in a modeled, parameterized way and stores them in the engineering database, which makes the design process intuitive and concise, shares the engineering data, links drawings with each other and graphics with data, and ultimately yields accurate material statistics. (4) Overall openness: graphics libraries, engineering databases and system interface menus can be expanded and modified by users at any time according to their own needs. (5) Outstanding compatibility: the interface compatibility of the platform is very good, and it achieves seamless connection with other relevant systems.
5 Applications in Nuclear Power

5.1 Project Application Status
The electric design platform was put into use in the Huizhou nuclear power project on June 13, 2018. The project's public database has been loaded with 77,000 equipment material data items, 2000 components or legend symbols, 230 typical circuit schemes and 15 sets of configuration selection rules. The collaborative platform of electrical design has already been used for the high voltage main wiring of the Huizhou nuclear power project in 2018 and has published fifty-seven drawing documents. Engineers of different specialties have already carried out electrical design analysis of the Huizhou nuclear power project collaboratively on our electrical design platform [8]. In 2019, the electrical design platform will continue to be promoted in the Huizhou project. Main modules such as high voltage main wiring, medium and low voltage system, lighting, and lightning protection and grounding design will be fully used (Table 2).
Development and Application of Intelligent Platform
Table 2. Platform application status

Dimension | Platform application status | Completeness
Basic data for design | 1. Equipment material base, numbering rule base and drawing style base have been established. 2. Technical condition database and medium and low voltage type selection rule database have been established. 3. Electric load can be imported through the VPE interface or Excel, or added one by one. | Basically complete
Function modules for design | 1. High-voltage main wiring design: main electrical wiring diagram of the whole plant, 500 kV main electrical wiring diagram, 220 kV main wiring diagram and the main wiring diagram of each system. 2. Medium and low voltage system design: connection diagram of medium and low voltage system, single line system diagram, DC system capacity calculation book, etc. 3. Electrical secondary design: transformer installation wiring diagram, fixed value list, cable terminal diagram, cable inventory, etc. 4. Plane design: lighting system, communication and fire protection, lightning protection and grounding, cable bridge layout, etc. | Complete
Collaborative working environment | Based on C/S architecture; the server side manages the unified platform and engineering data and the client side realizes the business functions: 1. It can support 300 people designing simultaneously online. 2. Real-time data publishing and collaboration among electrical design specialties. 3. Four interfaces: with the design production management platform, PDMS, CRS and VPE. | Basically complete; the interface with VPE will subsequently be upgraded to an interface with Diagram
5.2 Deficiencies and Improvement Direction
The collaborative platform of electric design developed by the design institute of China Nuclear Power Engineering Company covers all specialties of electrical design. It implements digital design and drawing comprehensively, and centralizes the storage and management of the design results. However, the control of design process documents is not yet complete, and the management of design process documents needs to be further strengthened. The intelligent platform of collaborative electrical design can be improved by the following measures. First, fully study the management requirements of the design process of the electrical specialty, link the platform with the collaborative design platforms of other specialties, and jointly create a web-based collaborative design platform that is fully docked with the design production management platform, including the process management system, the design input system, the AED document management system, etc. Such a platform covers the whole process from planning and distribution, through the design process (design process guidance, design tool configuration, process document storage, etc.), to the publication of design results; it displays them explicitly in the web interface, realizing version control of design process files and update and comparison between file versions [9]. In addition, the dynamic management of electricity load collection is not yet perfect, so it is necessary to further strengthen the standardization of electricity load collection, including the standardization of change management.
6 Conclusion

The collaborative electric design platform of the Design Institute, CNPEC is a digital electrical design system which integrates platform management, professional design, operation coordination, knowledge management and a standardization system. The platform covers the six major function modules of the electrical specialty: system design, layout design, cable laying, lightning protection & grounding, lighting design and secondary electrical control. It has a complete set of functions including electrical construction drawings, calculation, type selection and verification. The electrical design platform realizes the standardization and electronic management of the design process, the controllability and traceability of the design process, the digitalization and integration of design tools, the intelligent application of design regulations, experience & knowledge, and seamless interfaces with other systems. The platform integrates the design data structurally, realizes the interconnection of electrical systems at all levels of the plant, optimizes the design system, draws automatically and analyzes intelligently. It combines system design and layout design to achieve data collaboration and knowledge sharing, which contributes to error-free design.
References
1. Engineering Training Center of Nuclear Power Institute, China General Nuclear Power Corporation: General Contracting and Project Management of Nuclear Power Projects, 1st edn. China Electric Power Press, Beijing (2010)
2. Ge, Y.-f., Guo, X., Liu, J.-y.: Requirement Specification Instructions for the Project of China Nuclear Power Engineering Company (CNPEC) Collaborative Electrical Design Platform, V1.4 edn. Beijing Bochao Times Software Co., Ltd., Shenzhen (2018)
3. Ying-bin, G., Wang, L.: Electrical Principle and Equipment of Nuclear Power Plant, 1st edn. Atomic Energy Press, Beijing (2010)
4. Hou, S.-q., Yao-guo, S., Zhao, Y.-y., Zhang, Y.: Application of three-dimensional design technology in transformer substation design. Sci. Technol. Innov. Herald 31, 23–24 (2017)
5. Ge, Y.-f., Xu, L., Liu, J.-y.: Outline Design Instructions for the Project of China Nuclear Power Engineering Company (CNPEC) Collaborative Electrical Design Platform, V1.4 edn. Beijing Bochao Times Software Co., Ltd., Shenzhen (2018)
6. Ding, Z.-y.: Application of 3D visual channel design and intelligent cable laying in power plant. Electr. Age 5, 83–85 (2017)
7. Northwest Electric Power Design Institute: Electrical Design Manual for Electric Power Engineering, 1st edn. China Electric Power Press, Beijing (2018)
8. Wang, N.: Electrical design analysis of nuclear power units. China Nucl. Power 3(4), 308–315 (2010)
9. Zhou, Y.-z.: Construction of electrical design collaborative platform based on enterprise information management. Res. Urban Rail Transit 2, 111–116 (2017)
Research on Stewardship-Intensive Digital Procedure System

Hao Qin
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., 518172 Shenzhen of Guangdong Prov., China
Abstract. Taking the pressurized water reactor as the object, a stewardship-intensive digital procedure system (SIDPS) is developed in this paper, which is based on the overall operation requirements of the Nuclear Power Plant (NPP), the design principles of NPP procedures and the principles of human factors engineering. The application of the system has theoretical significance and practical value and can play a role in improving operation safety. The system directly provides an effective tool to support the decision-making of NPP procedures, solves some problems existing in the current digital procedures of NPPs, and also provides ideas and methods for the realization of computerized procedures in other fields.

Keywords: Digital procedure · Stewardship-intensive · NPP · Operation safety
1 Preface

The most important thing during NPP operation is safety, which involves all aspects of nuclear power plants, such as operational management, operational procedures, training, human factors engineering, operational experience feedback, etc. The operation procedures are the necessary basis and guidance for NPP operators to maintain the normal operation of the power station and to handle various events and accidents; the human factor, meaning the correct operation and response of the operator, is also very important [2]. According to statistics of the world nuclear industry, approximately 70% of nuclear power operation accidents are caused by human error. Human error can be divided into two types. One is the "procedural error", which is caused by operation in violation of the operation procedures, as in the Chernobyl accident. The other is the "knowledge error", a misoperation caused by the operator's incorrect judgment, which results from the operator's misunderstanding or lack of knowledge, as in the Three Mile Island accident. Therefore, in order to ensure safe and stable operation of the power station, qualified nuclear power plant operators and integrated operation procedures are required [4].
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 162–168, 2020. https://doi.org/10.1007/978-981-15-1876-8_17
2 General Introduction

2.1 Development of Digital Procedure of NPPs
The design of the operation procedures is complex. In the past, the operator needed to operate in accordance with the requirements of paper procedures to achieve the operation of the power station. The information that paper procedures provide to the operator is limited, which increases the burden on the operator. In order to use the procedures correctly, the operator must operate properly, read the procedures, and perform supervisory and control tasks. These tasks increase the operator's workload [1]. With the development of information technology, the conventional main control room has been improved into a digital main control room, and the digital operation procedures are integrated into the digital workstation. The operator can locate the corresponding operation procedures through an index and operate according to the instructions given by the digital operation procedure system. The system can automatically generate the corresponding operation log, and can also call up the various operation displays required to assist the operator in controlling the NPP under normal or emergency conditions, which improves the operation safety of the NPP. Despite this series of improvements, the current digital operation procedures still have some problems in the implementation process. First, there is a lack of an effective and unified management mode: operators often pay attention only to the implementation of the procedures and to part of the power plant parameters. Communication between pieces of information is lost to some degree and the monitoring information involved is relatively narrow, which hampers the operator's integration and analysis of the data; the overall state of the power station cannot be accurately grasped, and untimely intervention may seriously affect the safe operation of the power station. Second, the implementation mode of the operation procedures is unscientific. The current digital operation procedures do not have a monitoring function for the operation state of the NPP. When the operation state deviates from the normal condition, the operator still needs to judge and pay attention to the operation status of the relevant equipment and systems, and manually start the corresponding operation procedures at the same time.

2.2 Overall Goal of SIDPS
The goal is to develop a stewardship-intensive NPP digital procedure system whose stewardship function not only successfully integrates the system operation procedures, overall operation procedures, abnormal operation procedures, emergency operation procedures, periodic test procedures, alarm response procedures, refueling overhaul procedures, etc., but also provides the display of support information. This changes the situation in which, when executing traditional procedures, the operator pays attention only to the execution of the steps and to the changes of certain power plant parameters, and it plays the role of "intensive" monitoring [5]. According to the operation conditions, the operation procedures and the results of timely operation feedback provide a good operating environment for the operator, which reduces the operator's mental burden and workload, and full use of computer and artificial intelligence technology makes the operation process more intelligent and convenient. The ability of operators to cope with various accident situations is improved with the help of computers and information systems.

2.3 Function of SIDPS
The SIDPS functions include managing the procedures, detecting and supervising the status and parameters of the NPP, analyzing the abnormal symptoms of equipment or systems, and selecting the corresponding operation procedures.
Data acquisition function. The operators' execution of the procedure and their decision-making are based on operation data acquisition and preprocessing. When the system starts, it gets the operation parameters of the NPP from the DCS real-time server.
Operation status monitoring function. The system makes a reasonable analysis of the various operation states according to the collected NPP operation information, and triggers an alarm and starts the relevant procedures when the operation state deviates from the normal condition. The operator may ignore or omit certain parameters when evaluating the operation status. The digital procedure system can continuously monitor the operation status according to preset procedures and logic, and avoid the judgment errors caused by the operator's limited understanding and negligence.
Display function. During the execution of the procedure, the system can provide a display of the support information, and the procedure display conforms to the design principles of the human-machine interface [3].
Critical safety function evaluation. The system obtains the required data from the parameter database, performs calculations such as critical safety function determination, gives the working condition recognition result, and displays the result to the operator through the human-machine interface.
3 Technology Implementation of SIDPS

3.1 Logical Architecture Design

SIDPS is roughly divided into four levels: the public service layer, the application service layer, the underlying service layer, and the protocol access layer.
Public service layer: It contains the background alarm module, the external interface module and the administrator management module.
Application service layer: It is the implementation layer of the system functions, which completes all the logic of the execution of the procedure and presents the information to the operator.
Underlying service layer: It completes the data acquisition, calculation and storage functions, and provides configuration displays for the system designer to design the procedure displays.
Protocol access layer: It gives access to the third-party system data in a flexible manner according to actual conditions; it also provides information to other applications through open protocols. The architecture of the system is shown in Fig. 1.
Fig. 1. System architecture (block diagram; labels recovered from the figure: application service layer with equipment information related to the procedure, real-time monitoring of procedure steps and equipment information, data analysis of procedure step execution information, warning information, sheets and graphs, and calculation execution and display, and logic judgements for procedure execution logic, warnings and abnormal condition entrance; common service layer with external interface, protocol interface layer, background management service, displays configuration, hard-core platform, monitoring point definition, user management, procedure editor and other common service modules; substrate service layer with acquisition service and data storage in a real-time database and a historical database; browser and protocol interface; operator workplace; software of the NPP control system)
3.2 System Deployment

Cross-platform: The system software can adopt advanced cross-platform technology as the development platform; the server can run stably under various operating system platforms such as Unix/Linux/Windows, and users can choose flexibly according to their requirements.
B/S architecture: The system adopts the B/S mode to present the procedure interface. The user terminal does not need to install any special client software. It can use all functions in the browser, or integrate the procedure interface into the software of the power station control system.
Coupling design: The platform adopts a modular, loosely coupled design to reduce the dependency between the client and the remote service and to facilitate integration between the client and the service. The system contains at least the application service module (main program service), the acquisition services (acquiring data from DCS servers or third-party system communication stations), and the web services, each service module being deployed on a dedicated procedure server.
Configuration function: The procedure editor software running on the procedure server provides the procedure configuration function for maintenance work such as editing and modification of the procedures [6].
The system deployment is shown in Fig. 2.
Fig. 2. System deployment (block diagram; labels recovered from the figure: operator workplaces OWP-A, OWP-B and OWP-C showing the procedure displays, the DCS-MNET network, the procedure server, the DCS server, data acquisition and procedure maintenance)
3.3 Workflow of SIDPS

SIDPS acquires and processes the data from the DCS real-time server, and identifies the overall operation conditions of the NPP according to a preset program. When it judges that an abnormal condition occurs, the judgment result and the corresponding procedure information are given. The system workflow is shown in Fig. 3. According to the basic structure and the functional requirements of the system, a periodic workflow of the system is established. The workflow of the system is described as follows:
(1) The system acquires the operation parameters of the NPP equipment or systems from the DCS real-time server, and then diagnoses the abnormal symptoms. These parameters include real-time operation data of the NPP, such as the temperature and pressure of the equipment.
(2) If the current system does not deviate from the limit values, the calculation of this cycle is ended; if it deviates from a limit value, abnormal symptoms are calculated for some key parameters, including parameter increases or fluctuations, such as the change rate of a certain parameter, whether the water level of the steam generator is rising or not, whether the temperature of the main feed water is decreasing or not, and the change of the main coolant system average temperature.
(3) According to the calculated abnormal symptoms, a value of accordance degree is calculated according to the set rules, and the critical safety functions are judged according to the different coefficient values.
(4) According to the current condition of the NPP and the real-time result of the abnormal symptom diagnosis, processing measures are given, and feedback is promptly given to the operator for decision support.

Fig. 3. Workflow of the system
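As an added worked example (not code from the paper or from SIDPS), one periodic cycle of the workflow above, steps (1) to (4), run over two constructed pairs of DCS scans: the parameter names, limit bands, trend thresholds, rule weights and the accordance-degree bands used for the critical safety function judgement are all assumptions, since the paper does not publish its rule set.

```python
"""One periodic monitoring cycle in the style of the SIDPS workflow (Sect. 3.3).
Added illustration, not the paper's software: parameter names, limit bands, rate
thresholds, rule weights and the critical safety function (CSF) bands are assumed."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical limit bands (low, high) for three PWR parameters.
LIMITS: Dict[str, Tuple[float, float]] = {
    "sg_level": (40.0, 60.0),          # steam generator level, %
    "feedwater_temp": (200.0, 240.0),  # main feed water temperature, degC
    "rcs_tavg": (300.0, 312.0),        # main coolant average temperature, degC
}
# Hypothetical trend thresholds, in units per second.
SG_LEVEL_RISE_RATE = 0.2
FEEDWATER_DROP_RATE = -0.5
TAVG_CHANGE_RATE = 0.1
# Hypothetical symptom-oriented rules: procedure name -> {symptom: weight}.
RULES: Dict[str, Dict[str, float]] = {
    "SG level / feedwater abnormal procedure (constructed)": {
        "sg_level_high": 1.0, "sg_level_rising": 1.0,
        "feedwater_temp_decreasing": 1.0},
    "RCS temperature abnormal procedure (constructed)": {
        "rcs_tavg_changing": 2.0, "feedwater_temp_decreasing": 1.0},
}
MATCH_THRESHOLD = 0.5  # accordance degree needed before a procedure is proposed

@dataclass
class Sample:
    """One scan of DCS real-time data (constructed)."""
    t: float                  # seconds
    values: Dict[str, float]

def limit_deviations(cur: Sample) -> Dict[str, str]:
    """Step (2), first part: parameters outside their limit band."""
    out: Dict[str, str] = {}
    for name, (low, high) in LIMITS.items():
        v = cur.values[name]
        if v > high:
            out[name] = "high"
        elif v < low:
            out[name] = "low"
    return out

def change_rates(prev: Sample, cur: Sample) -> Dict[str, float]:
    """Change rate of every monitored parameter between two consecutive scans."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("scans must be in time order")
    return {k: (cur.values[k] - prev.values[k]) / dt for k in LIMITS}

def abnormal_symptoms(prev: Sample, cur: Sample) -> Dict[str, bool]:
    """Step (2), second part: the trend symptoms named in the paper plus limit flags."""
    rate = change_rates(prev, cur)
    sym = {f"{k}_{side}": True for k, side in limit_deviations(cur).items()}
    sym["sg_level_rising"] = rate["sg_level"] > SG_LEVEL_RISE_RATE
    sym["feedwater_temp_decreasing"] = rate["feedwater_temp"] < FEEDWATER_DROP_RATE
    sym["rcs_tavg_changing"] = abs(rate["rcs_tavg"]) > TAVG_CHANGE_RATE
    return sym

def accordance_degree(rule: Dict[str, float], sym: Dict[str, bool]) -> float:
    """Step (3): weighted share of a rule's symptoms that are present (0..1)."""
    total = sum(rule.values())
    matched = sum(w for s, w in rule.items() if sym.get(s, False))
    return matched / total if total else 0.0

def csf_status(degree: float) -> str:
    """Step (3): map the coefficient to a CSF judgement (assumed bands)."""
    if degree >= 0.8:
        return "challenged"
    if degree >= MATCH_THRESHOLD:
        return "alert"
    return "satisfied"

def run_cycle(prev: Sample, cur: Sample) -> dict:
    """Steps (1)-(4) for one pair of consecutive scans."""
    deviations = limit_deviations(cur)
    if not deviations:  # step (2): nothing outside its limits, the cycle ends here
        return {"status": "normal", "procedure": None, "degree": 0.0}
    sym = abnormal_symptoms(prev, cur)
    scores = {name: accordance_degree(rule, sym) for name, rule in RULES.items()}
    best, degree = max(scores.items(), key=lambda kv: kv[1])
    return {"status": "abnormal", "deviations": deviations, "symptoms": sym,
            "scores": scores, "csf": csf_status(degree), "degree": degree,
            "procedure": best if degree >= MATCH_THRESHOLD else None}  # step (4)

# Constructed scan pairs: a steady plant, and an upset in which the SG level rises
# past its limit while the feed water temperature falls.
STEADY = (Sample(0.0, {"sg_level": 50.0, "feedwater_temp": 230.0, "rcs_tavg": 306.0}),
          Sample(10.0, {"sg_level": 50.2, "feedwater_temp": 229.8, "rcs_tavg": 306.0}))
UPSET = (Sample(0.0, {"sg_level": 50.0, "feedwater_temp": 230.0, "rcs_tavg": 306.0}),
         Sample(10.0, {"sg_level": 62.0, "feedwater_temp": 218.0, "rcs_tavg": 306.2}))

if __name__ == "__main__":
    for label, pair in (("steady", STEADY), ("upset", UPSET)):
        print(label, run_cycle(*pair))
```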
4 Improved Function of SIDPS

(1) The system can guide the operator to execute the system operation procedures, the overall operation procedures, the abnormal operation procedures, the emergency operation procedures, the periodic test procedures, the alarm response procedures, and the refueling overhaul procedures. It also has a comprehensive topology monitoring function, which helps the operator get a global overview and understand the execution of each procedure.
(2) During the execution of the procedure, the operator can acquire not only the information related to the procedure steps but also parallel information such as warnings, inserts, tables, graphs and attached calculations. This helps the operator grasp the current state of the power station and clarify the objectives of executing the procedure.
(3) Through the automatic acquisition and processing of data, the logic of the procedure is judged automatically, which greatly improves the efficiency of the operator's execution. At the same time, symptom-oriented procedures are used to reduce the mental stress of the operator to a certain extent under accident conditions.
(4) Automatic operation of the procedures: the system starts up automatically when the abnormal conditions are met and the entry conditions of the emergency operation are satisfied. This ensures that the system responds immediately and automatically calls the corresponding operation procedure for the operator to execute in an abnormal or accident condition, which improves the speed of the operator's response to the event and greatly reduces the probability of entering the wrong procedure because of the operator's misjudgment.
5 Conclusions and Prospects

With the increasing safety requirements of NPP operation and the development of information technology, comprehensive computerization and intelligence are becoming the development trend of NPP operation. With the help of computers and information systems, the ability of the operator to cope with various accident situations can be improved. This paper takes the pressurized water reactor as the object, and studies and develops a SIDPS based on the overall operation requirements of NPPs, the principles of procedure design and the principles of human factors engineering. The system is still in the primary stage of principle development, and will be verified on the full range simulator of the NPP. The application of the system improves the application level of the procedures and can play a role in improving operation safety. The system directly provides an effective tool to support the decision-making of NPP procedures, solves some problems existing in the digital procedures of NPPs, and also provides ideas and methods for the realization of computerized procedures in other fields.
References
1. Nuclear Power Engineering Committee: IEEE Guide for the Application of Human Factors Engineering in the Design of Computer-Based Monitoring and Control Displays for Nuclear Power Generating Stations. IEEE Std 1289-1998
2. National Energy Administration: Design criteria for computer-based procedure system in nuclear power plants. NB/T 20267-2014
3. Lee, S.J., Seong, P.H.: Development of automated operating procedure system using fuzzy colored petri nets for nuclear power plants. Ann. Nucl. Energy (2004)
4. NUREG-0700: Human-System Interface Design Review Guideline (2002)
5. International Atomic Energy Agency: Developments in the preparation of operating procedures for emergency conditions of nuclear power plants. IAEA-TECDOC-341, IAEA, Vienna (1985)
6. Park, J., Jung, W.: A study on the validity of a task complexity measure for emergency operating procedures of nuclear power plants: comparing task complexity scores with two sets of operator response time data obtained under a simulated SGTR. Reliab. Eng. Syst. Saf. (2008)
Study and Optimization of Load Fluctuation of the Turbine Generator After Connected to the Grid in Nuclear Power Plant

Xiao-Lei Zhan, Yan Liu, and Gang Yin
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company, Ltd., Shenzhen 518172, China
Abstract. In normal operation of the nuclear power plant, the speed and load control modes of the turbine governing system are adopted before and after the unit is connected to the grid. The reason for the load fluctuation of the turbine generator after connection to the grid is studied, and the speed deviation is identified as the main reason. To solve this problem of the speed deviation, the principle schemes of the speed and load control are studied. An optimization of the grid connection scheme and an optimization of the load closed loop control are proposed: the speed set-point value for grid connection is modified and an automatic load closed loop control method is designed. Finally the speed deviation during grid connection is eliminated and the load fluctuation after grid connection is reduced. The proposed scheme can ensure the safe and reliable operation of the steam turbine unit after synchronizing to the grid. Thus the safe and reliable operation of the entire nuclear power plant is guaranteed technically.

Keywords: Load fluctuation · Speed deviation · Load closed loop control
1 Preface

The turbine governing system of the turbine generator unit in a nuclear power plant controls the steam valves through an electro-hydraulic actuator in speed control mode and load control mode. The turbine control scheme directly affects the speed and load of the turbine unit, and is closely related to the stable operation and safety of the nuclear power plant. Due to the speed deviation and an unreasonable load control scheme, the load fluctuation is large and the initial load of the unit may even be too large during and after synchronizing the unit to the grid, resulting in a risk of overcooling in the primary circuit of the nuclear island. So analysis and optimization of the load control scheme must be provided to ensure the stability of the turbine unit.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 169–175, 2020. https://doi.org/10.1007/978-981-15-1876-8_18
2 Technology Description of the Turbine Speed and Load Control

The steam turbine unit adopts speed control mode before connecting to the grid, and carries out speed-up control until the unit's speed reaches the rated speed and stabilizes in idling mode. When the unit receives the signal allowing connection to the grid, the unit takes the minimum load and switches to the load control mode. After connecting to the grid, the unit is in the load open loop control mode, and then the operator manually puts the unit into the load closed loop control function, in which the actual load output of the turbine generator quickly tracks the unit load set-point value and ensures the safe and stable operation of the unit [1, 4]. Three speed probes are equipped for 2-out-of-3 logic control and the voted result is taken as the actual speed value. According to the relationship between speed and load, the load contribution value of the speed deviation is controlled by a PI controller. The output of the control value is added to the load value of the idling speed set-point given by the F(x) function to form an effective speed control setting value. Finally the effective steam demand is formed to control the steam valve, and the unit is stabilized at the rated speed. The control principle diagram of the turbine speed control is shown in Fig. 1.
Fig. 1. The principle diagram of the turbine speed control (block diagram; labels recovered from the figure: the speed set-point and the actual speed value form the speed deviation; droop block a/b; PI control; F(x); speed control; valve opening reference value; accelerometric correction)
The F(x) function in Fig. 1 is described in Table 1.

Table 1. The F(x) function
Speed input value/% | Load output value/%
0 | −100
0.53 | 0
100 | 4
When the generator outlet circuit breaker and the high voltage grid switches are all closed, the steam turbine unit enters the load control mode. The load open loop control mode is adopted at the beginning of the load control mode, and then the load closed loop control function is manually put into service by the operator. Finally the unit carries out load-raising control under the load closed loop control mode. The principle diagram of the turbine load control is shown in Fig. 2.
Fig. 2. The principle diagram of the turbine load control
3 Study in Load Fluctuation and Optimization of the Control Scheme

It can be seen from the above principle diagrams of speed and load control that the opening order of the high and medium pressure valves (total steam demand) before grid connection is the idling steam demand plus the steam demand of the speed deviation. Since the idling steam demand is a fixed value, the steam demand before grid connection depends on the speed deviation. The reference value for the opening order of the high and medium pressure valves at the moment of grid connection is the minimum load set-point plus the idling steam demand plus the speed deviation steam demand. Because the idling steam demand and the minimum load set-point are fixed values of 4% and 5% at the moment of grid connection, the steam demand during grid connection also depends on the speed deviation [2]. The initial load output of the turbine generator after grid connection is proportional to the steam demand, although there is no definite linear relationship. That is to say, the initial load output after grid connection also depends on the speed deviation. If the initial load output is too large, it will lead to a power mismatch between the nuclear island and the conventional island, and even cause the primary circuit to be overcooled.
3.1 Optimization of the Grid Connection Scheme
With the increase of generator unit capacity, the quasi-synchronous grid connection mode is adopted for generator units, which allows the frequency deviation between the generator unit to be connected and the grid side to lie within a certain range (the allowable frequency deviation is between 0.03 Hz and 0.15 Hz) [3, 6, 8]. Therefore, in the process of grid connection, the steam demand fluctuates due to the speed deviation, which results in fluctuation of the initial load output of the turbine generator. According to the normal design, the unit is connected to the grid at the rated speed of 1500 rpm. At this time, the frequency of the turbine generator unit is the same as that of the grid. In order to synchronize to the grid, this equality of frequency between the turbine generator and the grid must be broken: the grid synchronization and connection system sends a speed-increasing signal to the steam turbine governing system, and the unit enters the speed-regulating process. As a result, the speed set-point value equals the current speed value plus 0.04%. Because of the lag of the speed-regulating system, the speed deviation is positive at this time; after PI control the total steam demand increases and the valve opening order increases. Finally, the initial load output of the generator is larger and fluctuates after grid connection. Therefore, in order to ensure the stability of the overall steam demand and the initial load output after grid connection, it is necessary to reduce the unit speed regulation process during grid connection. Through a large number of field tests, the unit was finally chosen to connect to the grid at the 1503 rpm platform. The grid frequency is 50 Hz at the speed of 1500 rpm, so the frequency deviation is 0.1 Hz at the speed of 1503 rpm, and the grid connection frequency deviation lies within the 0.03 to 0.15 Hz range. Under the 1503 rpm speed platform, grid connection not only satisfies the condition of differential-frequency grid connection, but also avoids the variation of steam demand caused by the instantaneous speed deviation in the speed regulation process during grid connection, which maintains the stability of the initial load output of the turbine generator after grid connection.

3.2 Optimization of the Load Closed Loop Control
Load open loop control is still used after the turbine unit is connected to the grid. The initial load output of the generator depends on the speed deviation when the unit is connected to the grid. Load closed loop control is put into service manually by the operator. Because of the delay of the operator's action, the actual electric power value cannot be accurately controlled at the beginning of closed loop operation, and the result depends heavily on human factors. To solve this problem, the load closed loop control needs to be put into service automatically after grid connection, so that the actual electric power value of the turbine generator unit tracks the load set-point quickly and the power stays stable both on the conventional island side and on the nuclear island side [5, 7]. When the unit is switched from open loop control to closed loop control, the load set-point of closed loop control is equal to the actual electric power value of the unit at the moment of switching. In order to ensure that the initial load output is not too large when the unit is switched into closed loop control, it is necessary to select the appropriate actual electric power value at the appropriate time for the closed loop control. Considering that the thermal efficiency of the unit differs between seasons, the actual electric power value corresponding to the minimum steam demand during grid connection should be selected when the thermal efficiency of the unit is higher. The principle diagram of automatically putting the load closed loop control into service is shown in Fig. 3.
Fig. 3. Principle diagram of automatically putting the load closed loop control into service
In Fig. 3 it can be seen that when the actual electric power value of the unit is detected to be greater than P0 within the delay time after the unit sends out the grid connection pulse signal, the load closed loop control mode is engaged automatically, and the load closed loop control mode is cut off automatically when a measured electric power fault is detected. In addition, the change rate of the target load set-point value is another reason why the actual load output fluctuates and cannot track quickly. For example, in the initial design the target load changing rate was set at 50%/min, which means that the target load only becomes fully effective two minutes after it is set, and the fluctuation of the load output cannot be eliminated. In serious cases the load output of the turbine generator will be too large, which will affect the stability of temperature and pressure of the primary circuit on the nuclear island side and finally impact nuclear safety. Under this situation it is necessary to modify the rate of the load closed loop control and set the initial target load change rate to a bigger value, so as to ensure that the load closed loop control takes effect quickly and to ensure the rapidity and stability of load control (Table 1). The following data were recorded at the moment of synchronization in the mentioned nuclear power plant.
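The engagement and cut-off logic just described, together with the effect of the target load change rate, can be checked in a small simulation. The following Python model is an added illustration, not the plant's DEH/DCS logic and not code from this paper; the threshold P0, the delay window, the sample trace and the variable names are constructed values, and the set-point ramp is modelled as a simple linear rate limiter.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LoadController:
    """Simplified model of the automatic engagement logic of Fig. 3
    (added illustration; values and names are assumptions)."""
    p0_pct: float            # engagement threshold P0 in % of rated power (assumed value)
    delay_window_s: float    # window after the sync pulse in which P > P0 engages closed loop
    closed_loop: bool = False
    setpoint_pct: Optional[float] = None
    sync_pulse_time: Optional[float] = None

    def on_sync_pulse(self, t: float) -> None:
        """Grid connection pulse signal sent by the synchronisation system."""
        self.sync_pulse_time = t

    def update(self, t: float, measured_pct: float, power_fault: bool) -> str:
        """Process one sample; returns 'engage', 'cut_off' or 'none'."""
        if self.closed_loop and power_fault:
            # Measured-power fault detected: closed loop is cut off automatically.
            self.closed_loop = False
            self.setpoint_pct = None
            return "cut_off"
        in_window = (self.sync_pulse_time is not None
                     and 0.0 <= t - self.sync_pulse_time <= self.delay_window_s)
        if not self.closed_loop and not power_fault and in_window and measured_pct > self.p0_pct:
            # Switch from open loop to closed loop; the load set-point takes the
            # actual electric power at the moment of switching.
            self.closed_loop = True
            self.setpoint_pct = measured_pct
            return "engage"
        return "none"


def ramp_setpoint(current_pct: float, target_pct: float,
                  rate_pct_per_min: float, dt_s: float) -> float:
    """Move the effective set-point toward the target at the configured rate."""
    step = rate_pct_per_min * dt_s / 60.0
    if target_pct > current_pct:
        return min(current_pct + step, target_pct)
    return max(current_pct - step, target_pct)


def time_to_reach(current_pct: float, target_pct: float, rate_pct_per_min: float) -> float:
    """Seconds until a newly set target load becomes fully effective."""
    return abs(target_pct - current_pct) / rate_pct_per_min * 60.0


def simulate(samples, p0_pct: float, delay_window_s: float,
             sync_time: float) -> List[Tuple[float, str, Optional[float]]]:
    """Run the controller over (time, measured power %, measurement fault) samples
    and return the mode-change events with the set-point in force afterwards."""
    ctrl = LoadController(p0_pct, delay_window_s)
    ctrl.on_sync_pulse(sync_time)
    events = []
    for t, p, fault in samples:
        ev = ctrl.update(t, p, fault)
        if ev != "none":
            events.append((t, ev, ctrl.setpoint_pct))
    return events


# Constructed sample trace (not measured data): sync pulse at t = 0 s, the
# measured power climbs past P0 = 3 % at t = 2 s, and a measurement fault
# appears at t = 10 s.
SAMPLES = [(0.0, 0.0, False), (1.0, 1.5, False), (2.0, 3.2, False),
           (3.0, 3.8, False), (10.0, 4.0, True), (11.0, 4.1, False)]

if __name__ == "__main__":
    print(simulate(SAMPLES, p0_pct=3.0, delay_window_s=5.0, sync_time=0.0))
    print("50 %/min, 0 -> 100 %:", time_to_reach(0.0, 100.0, 50.0), "s")
```

With the 50%/min rate of the initial design the ramp from 0 to 100% takes 120 s, which is the two-minute delay the text refers to; a larger initial rate shortens it proportionally. The sample at t = 11 s does not re-engage the loop because it lies outside the delay window, so the loop stays off until the operator intervenes.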
Table 2. The data recorded at the moment of synchronization
Quantity                          Before modification   After modification
Load measured (MW)                78                    52
HP valve opening reference (%)    10.17                 7.37
Load set-point (%)                5.96                  3.56
Target speed (rpm)                1501.8                1502.4
Measured speed (rpm)              1501.5                1503.2
From Table 2 it can be seen that after the modification the turbine synchronizes to the grid at the speed of 1502.4 rpm and switches to load closed loop control automatically; the initial actual load is smaller and closer to the set-point value, and the valve opening reference is smaller, so the effective steam demand is finally smaller (the minimum synchronization effective steam demand in past records is 7%). The result shows that the optimization is successful and avoids an excessively large initial actual load.
4 Conclusion
The turbine generator load fluctuation and the excessively large initial load output after grid connection are studied. The speed deviation of the turbine during synchronization to the grid is the main reason. To solve this problem, the scheme of automatic turbine load closed loop control is proposed. The study and optimization show that this scheme can effectively solve the problem of load fluctuation caused by the speed deviation. The proposed scheme can ensure the safe and reliable operation of the steam turbine unit after synchronization to the grid. All of the above provides practical support for the automatic switching of the nuclear power plant load control mode from open loop control to closed loop control.
References
1. Dong, W., Huang, M.H., Zeng, B.: Study on the valve position fluctuation of turbine main regulator valve in nuclear power plant. Process Autom. Instrum. 36(11), 50–52, 56 (2015)
2. Li, Y.D.: Analysis and discussion on initial power fluctuation of nuclear power plant during grid synchronization. Telecom World 2(3), 206–207 (2016)
3. He, X.M.: Research on grid connection of the turbine generator. Electric. Technol. 12(41), 41–42 (2010)
4. Wang, H.: SIEMENS 1000 MW control logic optimization in turbine DEH system. China Electric. 47(09), 6–10 (2014)
5. Xu, H.W., Huang, H.Y.: Control optimization of excessive negative active power of a nuclear power turbine-generator unit connecting to grid. Thermal Turbine 45(2), 144–147 (2016)
6. Xiang, Y.B.: Research on the optimization of the initial load control strategy of CPR1000 unit grid connection. Value Eng. (13), 49–50 (2015)
7. Xie, D.M.: Analysis of digital electro hydraulic control system of turbine transformation programme. J. Chengde Pet. Coll. 14(4), 44–48 (2012)
8. Hu, H.F.: Problems and countermeasures of synchronization. Heilongjiang Electric Power 33(6), 475–477 (2011)
Study for Design and Application of Procedure-Based Automation in Nuclear Power Plant
Xue-Gang Zhang, Fang-Fang Gao, Yan-Tong Luo(&), and Zhi-Yao Liu
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co. Ltd., Shenzhen of Guangdong Prov. 518172, China
[email protected]
Abstract. For most newly built nuclear power plants, a computerized human machine interface (HMI) is adopted. The control system changes from analog technology to a digital control system, which gives the possibility to integrate computerized procedures (CPs) into the computerized HMI. Thanks to the application of digital control systems, CPs have been accepted by various regulatory authorities and are used at several nuclear power plants around the world. According to the study of relevant good practice and operating experience of CPs used in operating nuclear power plants designed by us, an updated CPs with a procedure-based automation (PBA) function gives the system the ability to automatically carry out multiple procedure steps when directed by the operator. Verification indicates that the use of CPs with PBA can effectively increase human performance and decrease the possibility of human error. However, the shortcomings of CPs with PBA are also studied and should be considered in future applications.
Keywords: Computerized HMI · Computerized Procedures system (CPs) · Procedure-Based Automation (PBA) · Human performance and human error
1 Types of Operating Procedures
The operating procedure is the operating instruction for operators to operate the nuclear power plant. According to the presentation medium, procedures are divided into paper-based procedures (PBPs) and computerized procedures (CPs), which are presented on paper or on a computer-driven video display unit (VDU) respectively. According to their ability and degree of automation, CPs are divided into electronic procedures (EPs), computer-based procedures (CBPs) and computer-based procedures with procedure-based automation (CBPs with PBA, PBA) (Table 1). EPs are the same as PBPs but presented on a VDU. In addition, EPs have the possibility to navigate between different operating procedures. For CBPs, in addition to the ability of EPs, they integrate the procedures with process information relevant to the procedure step, which is convenient for operators to obtain the related information while executing procedures. What is more, CBPs may have the functions below: (1) automatic processing of procedure step logic and indication of results; (2) integrated soft controls providing the capability to send control commands to equipment. All these functions of CBPs are performed by the operator manually instead of being implemented automatically. PBA has all the functionalities of CBPs. Additionally, it has the ability to automatically carry out multiple steps on request from the operator. This is the most typical difference between CBPs and PBA. PBPs were popularly used in previous nuclear power plants with analog technology. After changing from the mimic panel to a DCS with VDUs, it became possible to present procedures on the VDU. Therefore, considering the convenience of operation and the ease of recording the operation, CPs have recently been selected for nuclear power plants, with related requirements from regulation and design principles from standards.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 176–184, 2020. https://doi.org/10.1007/978-981-15-1876-8_19
Table 1. Functionality provided by different categories of computerized procedures [6]
Function                                                          PBPs    EPs       CBPs      CBPs with PBA
Medium                                                            Paper   Computer-based display (EPs, CBPs, CBPs with PBA)
Ability to select and display on computer                         –       ✓         ✓         ✓
Links between procedures                                          –       ✓ or –    ✓         ✓
Display of process information                                    –       –         ✓         ✓
Automatic processing of procedure step                            –       –         ✓ or –    ✓
Ability to send commands manually                                 –       –         ✓ or –    ✓
Ability to send commands automatically at the operator's request  –       –         –         ✓
(“✓ or –” marks a capability that the category may or may not provide.)
2 Consideration for CBPs Design and Application
There are many review requirements, such as the criteria presented in Chapter 13.5 of NUREG-0800 [3], which require that procedures of each category be written according to the applicable criteria and meet the human factors design process requirements. The method and explanations provided in Chap. 8 of NUREG-0700 provide an acceptable way to meet the review requirements [1]. It is important to note that computer technology is widely used in the human-computer interface of nuclear power plants. NUREG-0711 [7] raises some concerns about the use of CPs, such as:
(1) It is necessary to analyze and record the advantages of CPs over PBPs step by step;
(2) It is necessary to set up a backup operating means and solve the problem of uninterrupted switchover to it.
Reference [4] focuses on the technical development basis of CBPs design and application and puts forward the key points of the review process. At the same time, the NRC has identified key review guidance based on problems raised during the review process for CBP applications. Attention is paid to the question of how operators can fully monitor the operation of the automation with the increased use of automation in the main control room.
3 Characterization Framework of PBA
The following design characteristics should be considered in the design of the PBA framework:
(1) Representation of PBA
(2) Functionality of PBA
(3) Management and support of PBA
(4) PBA hardware
(5) Backup system for PBA
(6) Integration with other HMI components, such as operating formats.
4 Design and Application of PBA
In this paper, the study of the design and application of one type of PBA system is introduced. Operators contribute to the plant's defense-in-depth approach to safety, serving a vital function in ensuring its safe operation. In the complex, multiple and dynamic configuration of a nuclear power plant, it is difficult for personnel to respond when events happen. One significant aspect of the HMI in responding to these events is the procedure system, which supports the operators in completing two types of tasks: primary tasks and secondary tasks. Primary tasks involve several generic cognitive tasks, such as situation assessment, monitoring and detection, response planning and response implementation, among which plant procedures mainly support response planning. The objective of PBA is to reduce the cognitive workload, to maintain good situation awareness and to improve human performance in response planning with fewer human errors.
4.1 Automatic Diagnosis of Plant Conditions
The automatic diagnosis (AD) function of the PBA system continuously monitors the important process parameters of the nuclear power plant to verify whether the entry condition of an Emergency Operating Procedure (EOP) is satisfied or not. The result of AD appears on the header of the HMI to remind the user by a special indicator. The indicator links to a dedicated display format which has more details on the AD logic steps and recommends the procedure that the operator should use. Of course, the operator can select procedures other than those recommended. During the operation of the procedure, if the state of the nuclear power plant has changed, the procedure should be re-selected according to the new AD recommendation. This function achieves the automatic diagnosis of procedure entry conditions.
4.2 Architecture of the CBPs of PBA
In principle, the procedure is divided into several sequences according to the operating strategy, with one sequence corresponding to one display [2]. One reason is the limited content of a display and another is the regulatory requirement for hold points. According to the requirements of the review guidance [5, 8], hold points should be established to allow operators to effectively monitor the automation progress of PBA, to maintain adequate situation awareness, and to evaluate decisions at critical points in the procedure. For example, if upcoming decisions or actions could involve a risk to safety, a hold point is necessary (Fig. 1). As a consequence, the procedure is separated into several sections according to the placement of hold points, so that the entire procedure is never controlled automatically in one run. For a sequence whose steps are to be operated only by operators, the automatic control function is disabled while the other functions remain the same. Fig. 2 shows an example of the architecture of PBA.
Fig. 1. Architecture of CBPs of PBA
Fig. 2. Example of PBA
4.2.1 Start/Stop by Operators
According to the requirement that automation should not select the procedure to be used, the operator is responsible for selecting the procedure. However, a CBPs can recommend (e.g., via prompts) a procedure. The STOP/START button in the example meets this requirement. Only if the operator chooses to start can the procedure be initiated, so automatic start-up of the procedure is avoided. In addition, the STOP/START button effectively meets the requirement that “The design of a computer-based procedure system should allow the operator to easily transition from one procedure to another procedure, at any time.” Additionally, the CBPs is in manual control mode by default when it starts, to avoid automatic control before the operator's confirmation.
4.2.2 Plant Parameters and Soft Controller Integrated into CBPs
Plant parameters and the soft controller are integrated into the CBPs to improve readability and to reduce the navigation links between the operating procedure and the plant process flowchart displays, which effectively reduces the workload of secondary tasks.
4.2.3 Automatic Calculation of Procedure Steps
The PBA automatically calculates the logic of each procedure step and gives a clear indication of the result. Each procedure step has one binary indicator showing the result. By following the indicator for each procedure step, the operator can check or confirm the plant situation, which is also called “man in the loop”.
4.2.4 Dynamic Path Indication
The PBA has a special dynamic path indication function to improve awareness of the operating route. The dynamic path connecting step n−1 and step n is highlighted when the calculation result for the path is true. Consequently, the operator can visually obtain the history path of the operating procedure.
4.2.5 Automatic Control Selected by Operator
In this example, the operator can choose to execute the procedure manually or automatically. At the top of the procedure, the AUTO RUN function is designed to switch the operation mode between manual mode and auto mode (Fig. 3).
Fig. 3. Operation window of AUTO RUN
The AUTO mode starts the automatic control of the procedure from the current procedure step. The MANU mode can be selected at any time. This design solution complies with the requirement that “The operator should be able to easily interrupt the automated sequence and step, one-by-one, through each procedure step.”
4.2.6 Record Function
A tickbox in front of each procedure step records the execution of the procedure. It is easy for the operator to retrieve the operating history if necessary.
5 Verification
In this section, we verify the operating effect of the PBA design described above through an experiment. The operating effect of PBA is verified by comparison with the EPs used in CPR1000 in the same scenario.
The example of EPs was selected from CPR1000, in which the procedure and the display are separated and navigation links are used for connection. Dynamic information indication on the procedure and automatic processing of procedure step logic were not designed (Fig. 4).
Fig. 4. Example of EPs
According to the theoretical operation time of the basic actions in Table 2, the operating time of PBA and of EPs for CPR1000 is compared as follows (Table 3).

Table 2. Theoretical operation time of unit action
Number  Unit action                           Theoretical operation time  Remark
1       Reading English speed                 0.4 s/word                  Normal reading speed of operator
2       Check the tickbox                     1 s
3       Open the display by navigation link   1 s
4       Choose the screen                     1 s
5       Find a parameter on display           3 s
6       Compare two numbers                   2 s
7       Communication speed                   0.3 s/word                  Normal AC speed is 200 words/min
8       Call the device operation window      1 s
9       Switch of A/M                         1 s
10      Execute                               1 s
11      Check the feedback indicator          1 s

Table 3. Theoretical operation time of EPs and PBs in this project
Step        Operation time of EPs                                  Operation time of PBs
Step 0      (8) * 1 = 1 s                                          (8) * 2 + (9) * 1 + (10) * 1 = 4 s
Step 1      (1) * 9 + (5) * 2 + (11) * 2 + (2) * 1 = 13.6 s        WT = (1) * 9 + 2 s = 5.6 s
Step 2      (1) * 10 + (5) * 2 + (11) * 2 + (2) * 1 = 14 s         WT = (1) * 10 + 2 s = 6 s
Step 3      (1) * 3 + (5) * 1 + (6) * 1 = 6.2 s                    Negligible
Step 4      (1) * 3 + (5) * 1 + (6) * 1 = 6.2 s                    Negligible
Step 5      (1) * 6 + (5) * 3 + (11) * 3 = 14.4 s                  Negligible
Step 6      (1) * 4 + (5) * 2 + (11) * 2 = 9.6 s                   Negligible
Step 7      (1) * 3 + (2) * 1 = 2.2 s                              WT = (1) * 3 + 2 s = 3.2 s
Step 8      (1) * 15 + (2) * 1 + a (waiting time) = 8 s + a        WT + a = (1) * 15 + 2 s + a = 8 s + a
Total time  75.2 s + a                                             26.8 s + a

WT includes the time consumed reading the operation request, the time consumed controlling the equipment and the time necessary to stop the automatic control. For the operation time of PBA above, we assume that the time consumed reading the operation request is set according to the actual operation time of the unit action, and that the time to stop the automatic control equals 2 s (time to pause the automatic control and call the operation window of AUTO RUN); then the theoretical operation time of PBA in this project is 26.8 s + a. Besides the theoretical analysis, the actual operation time of these two cases was also measured in the experiment (Table 4).
Table 4. Real operation time
Times   Real operation time of EPs   Real operation time of PBs
1       80 s + a                     33 s + a
2       62 s + a                     33 s + a
3       65 s + a                     32.5 s + a
4       61 s + a                     32 s + a

According to the test results, it is clearly indicated that the application of PBA saves time for the operator, which allows the operators to focus on the conditions of the plant and enhances situation awareness with less workload.
6 Conclusion
According to the study of the design and application of PBA in nuclear power plants, it is clearly indicated that PBA can save operating time when events occur, which reduces the operator's workload and improves situation awareness. A design guideline for PBA is under development which will provide guidance for CBPs designers. Some additional design features will be described in this guideline, such as CBPs hardware and the backup system for procedures. Some challenges associated with PBA should also be considered in this guideline, such as the negative impact on crew communication and coordination.
References
1. Human-system interface design review guidelines, NUREG-0700 (2012)
2. Zhi-Yao, L.: The research of intelligent SOP procedure in nuclear power plant (2017)
3. Standard review plan, NUREG-0800 (2006)
4. Computer-based procedure systems: technical basis and human factors review guidance, NUREG/CR-6634 (2000)
5. Design criteria for computer-based procedure system in nuclear power plants, NB/T 20267 (2014)
6. Computerized procedures: design and implementation guidance for procedures, associated automation and soft controls, EPRI 1015313 (2007)
7. Human factors engineering program review model, NUREG-0711 (2004)
8. Nuclear power plants—control rooms—computer based procedures, IEC 62646 (2012)
Research on KDA System Reliability Model Based on Total Probability Formula
Ying-Jie Lin(&), Ze-Yu Xie, and Jie Lin
China Techenergy Co. Ltd, Yard 5, Yongfeng Road, Haidian District, Beijing, China
[email protected]
Abstract. With the rapid development of computer technology, automation and control technology is more and more widely used in all aspects of life. The severe accident instrumentation and control system is an important line of defense for ensuring nuclear power plant safety after a severe accident, so its availability and reliability are vital. However, the traditional fault tree analysis method faces a complicated and repetitive enumeration problem. Therefore, how to accurately assess the reliability of the system has become the focus of systematic analysis and research. In order to solve this problem, this paper analyzes the instrumentation and control system for severe nuclear accidents, decomposes the complex control system by using the system flow chart, builds a reliability calculation model based on the total probability formula, and proposes a new method to evaluate the reliability of the control system. In addition, modules can be added to or deleted from the model to suit different needs, and it can be adjusted to other control links or control systems, making it more scalable. Finally, the model is verified by software simulation and the result meets the target index, which proves that the method of this model is suitable for the KDA and related systems. It has great reference value for complex automatic control systems and can be popularized in different control systems of the nuclear instrumentation industry.
Keywords: Reliability model · Total probability formula · Nuclear power control system
1 Introduction
After the Fukushima level-7 nuclear accident, the nuclear power industry in all countries of the world was shaken, and the serious consequences it caused were thought-provoking. Since then, the global understanding of nuclear safety has gone further, and detailed investigation and analysis have been carried out on the loss of on-site power supply in the Fukushima accident. In order to cope with similar accidents in the future, China's experience feedback from the Fukushima accident has been combined with the advanced third-generation pressurized water reactor programme, which is specifically equipped with a severe accident instrumentation and control system, namely the KDA system. As the KDA system is an important line of defense for nuclear safety after an accident, how to accurately evaluate its reliability and build the corresponding reliability model has become a hot issue.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 185–193, 2020. https://doi.org/10.1007/978-981-15-1876-8_20
2 Analysis of Serious Accident Instrument Control System
The KDA system monitors and manually controls the necessary monitoring instruments and field devices in the plant under the loss-of-power situation that took place in the Fukushima accident, in order to prevent and mitigate severe accidents. In a loss of electric power (including the loss of the diesel generators) like the Fukushima accident, the electric pumps in the nuclear power plant become unusable. According to the severe accident management guidelines, the steam-driven pump of the auxiliary feedwater system is used, and with the aid of the atmospheric system the core decay heat can be discharged through the secondary side. At the same time, it is necessary to use the pressurizer safety valves, the severe accident relief valves and the vent valves at the top of the core to relieve pressure so as to prevent the risk of core melting. In addition, the core injection function is realized by controlling the injection valve to cool the core. Besides controlling the above equipment, some monitoring instruments that reflect the severe accident progression need to be monitored, so that the technical support center can monitor the relevant parameters and judge the accident development status, and, when the conditions are met (for example, if the external power supply is restored or the temporary water injection equipment is connected), take corresponding measures to prevent and mitigate the accident. The KDA system mainly accomplishes the following two functions for the prevention or mitigation of severe accidents: monitoring the necessary monitoring instruments and field devices, and implementing logic processing and manual control of field devices. Because the KDA system has important functions, it is often designed with redundancy to increase system reliability.
This article starts by analyzing its process block diagram, sets it to three-channel redundancy, and verifies its overall system reliability by analyzing module reliability.
3 Application of Full Probability Formula
The full (total) probability formula is an important theoretical basis of probability theory. By using it, the probability of a complex event can be transformed into a sum of probabilities of simple events under different conditions. In practical problems, in order to obtain the probability of a complex event, we usually decompose it, calculating the conditional probability of the event under each condition and the probability of occurrence of each condition.
3.1 Sample Space Division
First define the sample space partition and set it in the probability space:
$$A_i \in F \quad (i = 1, 2, 3, \ldots, n) \tag{1}$$
The partition satisfies
$$A_i \cap A_j = \varnothing \quad (i \neq j;\; i, j = 1, 2, 3, \ldots, n) \tag{2}$$
and also
$$\bigcup_{i=1}^{n} A_i = \Omega \tag{3}$$
3.2 Derivation of the Full Probability Formula
Similarly, take the probability space $(\Omega, F, P)$ with a complete event group $A_1, A_2, \ldots, A_n$, and
$$P(A_i) > 0 \quad (i = 1, 2, 3, \ldots, n) \tag{4}$$
Then for any event $B \in F$,
$$P(B) = \sum_{i=1}^{n} P(A_i)\,P(B \mid A_i) \tag{5}$$
The above is the full probability formula. It gives the formula for calculating the probability of a complex event B: as long as the probabilities of occurrence of the various causes of the final event B and the conditional probabilities of B under each of these conditions are known, the probability of occurrence of the complex event B can easily be obtained from the formula.
4 Derivation of Reliability Model Based on Full Probability Formula
Through the above analysis it can be concluded that a quantitative reliability analysis, and therefore a suitable analysis model, is necessary; the reliability block diagram is used to establish the general model of the KDA system as follows (1-out-of-2 is treated as a special case of logical degradation) (Fig. 1).
Fig. 1. Hypothetical model (three parallel channels, each consisting of Input Module i, Processing Module i and Output Module i for i = 1, 2, 3, voted 2oo3)
Through analysis it is known that the control logic is three-channel mutually redundant and forms a series-parallel compound model. Direct calculation is not only complicated but also computationally intensive. If the traditional fault tree model analysis is used, the logic of the mutual communication between the processing modules cannot be fully considered. Here a reliability model based on the full probability formula is introduced [1–3]. In the logic part, because the processing module is the most important link, and the output module can be replaced according to the logic requirements of different links such as 3oo3 (3 out of 3), 2oo3, 1oo3, etc., this paper can simulate the situation of different control systems by analyzing the state of the processing modules, which is conducive to the analysis of the model. In this paper, 0 indicates the fault state and 1 the normal state, so the state of the processing units can be expressed as (000, 001, 010, 011, 100, 101, 110, 111):
$$A = \{A_1, A_2, A_3, A_4, A_5, A_6, A_7, A_8\} \tag{6}$$
Setting $R(A_i)$ as the probability that the processing modules are in state $A_i$, $R(S \mid A_i)$ represents the reliability of the entire control system in state $A_i$. Since by the above definition A is a complete division of the sample space $\Omega$, the full probability formula gives:
$$R(S) = \sum_{i=1}^{8} R(A_i)\,R(S \mid A_i) \tag{7}$$
Here it is assumed that the three mutually redundant lines use the same equipment model. On the one hand, this makes the system convenient for later maintenance; on the other hand, it reduces the complexity of the system configuration and improves the overall reliability. According to probability theory, with R the reliability of one processing module, the following relationships hold:
$$R(001) = R(010) = R(100) = R(1-R)^2 \tag{8}$$
$$R(011) = R(110) = R(101) = R^2(1-R) \tag{9}$$
$$R(111) = R^3 \tag{10}$$
In this way, the amount of the following reliability calculation can be greatly reduced.
4.1 Sample Space Division
This paper uses the flow chart analysis method. To facilitate the analysis, the processing flow of each signal channel is divided according to the basic model of “input-processing-output”. A structure is preset here, as shown in Fig. 2. For the KDA system, the input module consists of a single-signal-channel AI/DI module and a conditioning module. Since the communication unit (such as the ECC module) in front of the processing unit (such as the MPU module) transmits in both directions, the communication unit and the main processing unit are combined into one processing module in series-parallel form. In order to make the model more accurate, the output module only contains the AO/DO module, and the voting module is analyzed separately, making the whole model flexible and easy to calculate (Fig. 2).
Fig. 2. Process boundary division model (input module → processing module → output module)
4.2 Dual Unit Failure Mode
A two-unit failure means that two processing units in the control system are in an unusable state, at which the system becomes a single-channel control system with the following structure (Fig. 3):
Input Module
Processing Module
Output Module
Fig. 3. Dual unit failure model
It can be derived from probability theory that:
$R(001) = R(010) = R(100) = R(1 - R)^2$ (11)
Without considering redundant communication in the controller itself and the output unit, there is:
$R(S \mid A_{001}) = R_{IN} R_{OUT}$ (12)
4.3 Single Unit Failure Mode
When a single processing unit fails, the system state is assumed to be $R(011)$; the functional block diagram of the system is shown in Fig. 4 below.
Fig. 4. Single unit failure model (input module 1, processing module 1, output module 1; input module 2, processing module 2, output module 2; 1oo2 voting)
It can be seen from the analysis that although the block diagram at this time is still complicated after decomposition, if input module 1 or input module 2 fails, processing modules 2 and 3 still communicate with each other and the output module determines the final control signal. Here we continue to expand downward based on the full probability formula, taking the fault states of output module 2 and output module 3 as the conditioning states, and the following relationship is obtained:
$R(S \mid A_{011}) = R(B_{00})R(S \mid A_{011}B_{00}) + R(B_{01})R(S \mid A_{011}B_{01}) + R(B_{10})R(S \mid A_{011}B_{10}) + R(B_{11})R(S \mid A_{011}B_{11})$ (13)
$B_{00}$ indicates that the states of output module 2 and output module 3 are both invalid, and $R(S \mid A_{011}B_{00})$ represents the probability that the system is normal when only processing module 1 fails, processing modules 2 and 3 are normal, and output modules 2 and 3 are both invalid. The remaining states are defined similarly. According to probability theory, it can be deduced that:
$B_{01} = B_{10} = R_{OUT}(1 - R_{OUT})$ (14)
$B_{11} = R_{OUT}^2$ (15)
$R(S \mid A_{011}B_{01}) = R(S \mid A_{011}B_{10}) = 2R_{IN} - R_{IN}^2 R_{OUT}$ (16)
$R(S \mid A_{011}B_{11}) = 2R_{IN} - R_{IN}^2 R_{OUT}^2$ (17)
Then, in summary, it can be deduced that:
$R(S \mid A_{011}) = R(B_{00})R(S \mid A_{011}B_{00}) + R(B_{01})R(S \mid A_{011}B_{01}) + R(B_{10})R(S \mid A_{011}B_{10}) + R(B_{11})R(S \mid A_{011}B_{11}) = 2(1 - R_{OUT})\,2R_{IN} - R_{IN}^2 R_{OUT}^2 + 2R - R^2 R_{OUT}^4 R^2(1 - R)$ (18)
4.4 No Unit Failure Mode
No unit failure means that none of the processing units of the control system is in a fault state. At this time, communication between the processing units is maintained, and the system structure diagram is shown in Fig. 5.
Fig. 5. No unit failure model
At this point, the reliability of the system can be simplified as follows:
$R(S \mid A_{111}) = C_3^1 R_{IN}\, C_3^1 R_{OUT}$ (19)
According to probability theory:
$R(S \mid A_{111}) = 1 - (1 - R_{IN})^3 (1 - R_{OUT})^3$ (20)
In summary, it can be deduced that:
$R(A_{111})R(S \mid A_{111}) = R^3 - R^3 (1 - R_{IN})^3 (1 - R_{OUT})^3$ (21)
5 Model Calculation and Analysis
In order to verify whether the above-mentioned model is reasonable, the widely used KDA architecture is selected here, that is, the control cabinet of the severe accident instrumentation and control system. The signal differs according to the assigned chassis, and the transmission path differs as well. Here the maximum configuration of the chassis is taken as the default. In order to dynamically reflect the mathematical characteristics of the model, uncertain-value verification is used to set the reliability range of each module from 0.99 to 0.999 [3–8] (Table 1).
Table 1. Module reliability data
Module              Reliability
Input module        0.99–0.999
Processing module   0.99–0.999
Output module       0.99–0.999
By building the models established in the previous chapter and introducing the basic data with a MATLAB program, a mathematical model of reliability is established. The following graphs are obtained by processing the result data (Fig. 6).
Fig. 6. Reliability model results analysis (axes: module reliability, system reliability)
It has been verified that the values meet the requirements of the system reliability indexes; because the values we set span a range, the final result curve only reflects the limiting cases. It can be seen that the reliability of the system is as high as 99.999% when the reliability of each module is 99.9%. Compared with the traditional reliability model, this method does not need the fault tree calculation model to be analyzed repeatedly, is easy to calculate, and has other advantages.
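As an added worked example (not the paper's MATLAB program, which is not reproduced here), the following Python code carries the full probability formula (7) through the eight processing-unit states with the identical-equipment weights of equations (8)–(10). It uses equation (12) for the single-surviving-unit states and equation (20), as printed above, for the no-failure state; the conditional term for the two-surviving-unit states is an assumption made here (1oo2 of the inputs times 1oo2 of the outputs), because equation (18) as printed is not usable directly. The sweep covers the 0.99–0.999 range of Table 1 and can be checked against the 99.999% figure quoted above.

```python
"""Total-probability reliability model of a three-line (2oo3) control link.

Added worked example; it is not the paper's MATLAB program. Equation numbers
refer to the derivation above. The conditional term for the states with two
surviving processing units is an ASSUMPTION of this example.
"""
from itertools import product

STATES = tuple(product((0, 1), repeat=3))   # the 8 states A_i, e.g. (0, 1, 1)


def state_probability(state, r_proc):
    """R(A_i) for three identical processing units of reliability r_proc:
    R(1-R)^2, R^2(1-R), R^3 (equations 8-10) and (1-R)^3 for total loss."""
    alive = sum(state)
    return r_proc ** alive * (1.0 - r_proc) ** (3 - alive)


def partition_check(r_proc):
    """The states form a complete division of the sample space, so their
    weights must sum to 1; returns that sum for checking."""
    return sum(state_probability(s, r_proc) for s in STATES)


def conditional_reliability(state, r_in, r_out):
    """R(S|A_i): probability that the link still works given which units are up."""
    alive = sum(state)
    if alive == 0:
        return 0.0                       # no processing path at all
    if alive == 1:
        return r_in * r_out              # equation (12): single channel, no redundancy
    if alive == 2:
        # ASSUMED here, not the paper's equation (18): the two surviving channels
        # communicate, so one working input and one working output suffice (1oo2 each).
        return (1.0 - (1.0 - r_in) ** 2) * (1.0 - (1.0 - r_out) ** 2)
    return 1.0 - (1.0 - r_in) ** 3 * (1.0 - r_out) ** 3   # equation (20) as printed


def system_reliability(r_in, r_proc, r_out):
    """R(S) = sum_i R(A_i) R(S|A_i), the full probability formula (7)."""
    return sum(state_probability(s, r_proc) * conditional_reliability(s, r_in, r_out)
               for s in STATES)


def sweep(lo=0.99, hi=0.999, steps=10):
    """Evaluate R(S) with all module reliabilities equal, over the Table 1 range.
    Returns a list of (module_reliability, system_reliability) pairs."""
    rows = []
    for k in range(steps):
        r = lo + (hi - lo) * k / (steps - 1)
        rows.append((r, system_reliability(r, r, r)))
    return rows


if __name__ == "__main__":
    for module_r, system_r in sweep():
        print(f"module reliability {module_r:.4f} -> system reliability {system_r:.8f}")
```

Because the states partition the sample space, `partition_check` must return 1 for any module reliability; that is the first thing to verify when a new state model is added, since a missing or duplicated state silently biases the result.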
The above derivation, as a reliability calculation formula, is only suitable for a specific part of the KDA system. For different situations, such as 1oo2, the corresponding redundant lines can be added or removed to make it conform to the actual application.
6 Conclusion
By using the full probability formula, this paper provides a computational formula for complex automatic control systems; its convenience is that the flow chart of the calculation can be adapted to the model requirements according to the different architectures of different systems. By studying the three-channel link of the nuclear power KDA system, the sample selection of the probability space is carried out based on the full probability formula. A decomposition calculation method for complex systems is proposed, and a new idea is obtained to simplify the calculation. Combined with the actual situation, a calculation check and analysis were carried out; the results comply with the standards and the curve is reasonable. In addition, the flexible configuration of this method can be used in different aspects of 2oo3 and 1oo2, has a large expansion space, and can be analyzed and evaluated accordingly. This method has good reference value for establishing reliability modeling and quantitative analysis of the nuclear power KDA system and can be extended to different systems.
References
1. Zeng, S.-K., Zhao, T.-D., et al.: The System Reliability Design and Analysis Tutorial [M]. Beihang University Press, Beijing (2001)
2. Hu, H.-F., Zhai, S.-L., Sun, H.-F.: Study on Reliability Model of Launch Vehicle GNC System Based on Total Probability Formula. Aerospace Control (2014)
3. Ma, X.-L., Zhang, L.: The Generalization of Total Probability Formula and Its Application in Insurance. Studies in College Mathematics (2010)
4. Yang, Z.-M.: Probability Theory [M]. Science Press, Beijing (2004)
5. Li, J., Liu, J.-H.: Study of reliability model for the multi-sensor fusion system [J]. J. Xian Jiaotong Univ. 38(8), 775–778 (2004)
6. Moses, F.: Design for Reliability-Concepts and Applications [C]. Optimum Structural Design, pp. 241–261. John Wiley, New York (1973)
7. Feng, Y.S., Moses, F.: A method of structural optimization based on structural system reliability [J]. J. Struct. Mech. 14(4), 437–453 (1986)
8. Guo, Y.-J.: Principle of Reliability Engineering [M]. Tsinghua University Press, Beijing (2002)
The Research and Application of Test Method for 1E I&C System Platform's Change
Hu-Jun Jia (corresponding author), Yao Wu, Xiao-Sheng Dong, Min Qi, Xiu-Hong Lv, and Hong-Yan Chen
CTEC, Yongfeng Road no 5 Yard no 5, Beijing, China
[email protected]
Abstract. During the development and application of a 1E I&C system platform, change is inevitable. There are two requirements for change verification: one is to ensure that the changed platform has high quality and that no new defects are produced, so that safety accidents can be avoided; the other is to complete the change quickly. At present, there is no systematic regression test method for these 1E I&C system platform changes in the factory. This paper introduces a regression test method based on the analysis of changes: sort the changes into categories, provide impact analysis principles for every change category, and eventually establish a systematic test process and method. This method can not only ensure the integrity of the process and the high quality of the platform but also reduce the test cost. This method has been successfully applied to the FirmSys 1E I&C system platform change testing process and has obtained good effects.
Keywords: Nuclear safety-class I&C system platform · Impact analysis · Change testing
© Springer Nature Singapore Pte Ltd. 2020. Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 194–201, 2020. https://doi.org/10.1007/978-981-15-1876-8_21
1 Introduction
The nuclear power plant safety-class digital I&C system is the nerve center of the nuclear power plant, which controls the operation of the entire plant under various types of working conditions. It plays an important role in ensuring the safe, reliable, stable and economic operation of the nuclear power plant. In the process of development and application of nuclear safety-class I&C products, it is inevitable that they need to be iteratively changed due to new requirements, design defect repair or function optimization. According to the requirements of the relevant standards of the nuclear industry, in order to ensure that the changed products meet the requirements and design expectations, it is necessary to carry out a whole-process change test of the changed products. There are two requirements for the verification of nuclear safety-class I&C products. First, the quality requirements are high, because the product is delivered to site directly after the change verification. No new defects may be introduced into the product while the original defects or new requirements are brought up to the quality requirements, so as to avoid safety consequences. Second, due to the short window and tight schedule of change research and development, especially for product changes caused by new application requirements, it is normally required that the change be completed quickly. The current computer-based software regression test selection technology in the software industry proposes selecting some test cases from the original test cases for testing, which can greatly reduce the cost of regression testing. Such technologies include Retest-all, Min Tech, Random Tech, and Safe Tech [1]. For nuclear safety-class I&C platform change tests, the Retest-all regression test technique is neither necessary nor able to meet the short-term requirements; the Min Tech regression test technology, which only tests the changed part, does not meet the high quality requirements; the Random Tech test technology, which relies on the experience of the test engineer to select the test cases, is uncertain; and the Safe Tech technology, which focuses on prioritizing the test cases by the number of defects found and selecting a balance point according to the test time for regression verification, cannot fully meet the "zero defect" quality requirement for safety-class products. In response to the above problems, and in order to further ensure the delivery quality of nuclear safety-class I&C products, this paper proposes an improved test method based on change analysis: by classifying the product change types of the nuclear safety-class I&C system, it gives the rules of impact analysis, establishes the system verification process and method, and saves costs while ensuring a complete process and quality standards.
2 Standard Requirements for Nuclear Safety Product Changes
Through the analysis of domestic and international technology development trends, current status and related technical standards, the change requirements for nuclear safety-class I&C products currently described in the domestic and international standards are as follows:
1. HAD 102/16 Guide, chapter "15.1 General". It is proposed that during the operational phase, it is necessary to ensure that the computer-based system maintains its safety functions after modification. These modifications should be considered and classified according to their importance to safety. Only items that have undergone a complete change process can be installed in nuclear power plant equipment [2].
2. IEC 60880 standard, chapter "11.3 Software modification implementation process". For changes to be made on running equipment, since it is practically impossible to conduct adequate testing on the equipment itself, it is proposed that the software vendor should be able to use a test configuration which is equivalent to the real system in all relevant aspects (including loading equipment, translation procedures, test tools, nuclear power plant simulations, etc.) to ensure the effectiveness of the modification [3]. It is also proposed that after the implementation of the modification, the verification and validation process of all or part of the provisions of this standard shall be carried out in accordance with the software modification impact analysis [3].
3. The IEEE 829 standard only gives the software and system test documentation system and its main contents.
The above analysis shows that the international and domestic standards only propose that product changes be tested to check whether the changed products meet the requirements of the nuclear safety-class protection system, but no specific test methods are given. In this paper, an operational and executable nuclear safety-class I&C product change test method is proposed for this situation.
3 Technical Solutions
In order to ensure the adequacy of the regression test, overall planning is carried out before starting the test, and the scope of the test is narrowed based on impact analysis. The cost is reduced under the premise that the test is fully effective [5–10]. The overall technical solution is:
1. According to the change content described in the officially released change order, the change is classified and the test phases that need to be performed are determined; the integrity of the process is ensured, while the difficulty of the short test cycle is solved.
2. Through refined impact-range analysis, determine the test scope of the changed part, the affected part, and the engineering applicability part. This addresses the requirement for high-quality products.
3. For requirements and products that analysis shows to be unchanged and unaffected, no further tests are performed, and the results of the previous test round are reused directly.
Through the above methods, the waste of resources caused by full-scale testing without change analysis is avoided, and the potential problems left behind by an insufficient test scope without change analysis are also avoided.
3.1 Process Integrity
For independently developed nuclear safety-class I&C equipment, the design and implementation quality are controlled through the product development quality control process to confirm the consistency of design, implementation and requirements. Nuclear safety-class I&C products are mainly divided into three categories: hardware products (including embedded software), software products, and structural parts products. Following the path from component to system, the quality control process in the development stage is generally divided into four stages: unit test, verification test, system integration test and system test [4]. Unit testing generally includes software unit testing, hardware unit testing, and programmable logic testing. Its purpose is to test hardware boards, software units, and programmable logic units to confirm the consistency of unit component implementation and design. The verification test generally includes software product verification test, hardware product verification test and structural product verification test. Its purpose is to integrate the software and hardware units to form a single card product or a single software product, and confirm the consistency of the functional performance of the single product with the product requirements. The purpose of system integration testing is to integrate different products into subsystems to confirm the correctness and compatibility of the interfaces between products. The purpose of the system test is to test the system, which can complete all kinds of complete functions after integration, and confirm that the functions and performance of the integrated system meet the system requirements. To ensure the integrity of the change test process, the following rules are formed:
1. According to the purpose of each test phase and the type of change, confirm the change-relevant and irrelevant test phases, and do not conduct test activities for the test phases which are irrelevant to the change.
2. According to the type of change, the relevant test stages still need to complete the test activities in five steps: test plan, test design, test preparation, test execution and test summary.
The specific analysis results are shown in Table 1.
Table 1. Change analysis of process integrity (√ relevant; blank irrelevant)
Change types (rows): Hardware product (hardware, software, programmable logic); Software product; Structural product; Interface between products
Test phases (columns): Software unit test; Hardware unit test; Programmable logic test; Software product verification test; Hardware product verification test; Structural product verification test; System integration test; System test
3.2 Test Adequacy
In order to ensure that the quality of the nuclear safety-class I&C products that pass the in-factory regression test meets the requirements of on-site application in the nuclear power plant, the changed part and the affected part are determined through refined analysis of the change scope, and meanwhile an engineering applicability test is added. The routine change test method is based on the information in the change order, and only the defects and functions that lead to the change are tested in a targeted way. However, this is prone to omissions. In order to solve this problem, we carry out research on change impact analysis technology. The main contents include:
1. Compare the changes in design requirements, and confirm the correctness of the new requirements one by one for changes caused by new requirements;
2. Compare all product code before and after the change, and identify the changed product and the unit/component in the product;
3. Establish the correspondence matrix between the products/components in the product and the existing routine test items. After identifying the changed product range in step 2, the test items to be re-executed can be quickly located based on the product range. The correspondence between product/unit components and test items includes two categories: some products/unit components directly implement a certain function, so they correspond directly to the test items of that function; other products/unit components are not the main body that implements a certain function, but the information they generate and transmit affects the implementation of the function. In the correspondence matrix of product/unit components and test items, such product/unit components should also have a corresponding relationship with the test items of that function. A schematic diagram of the correspondence matrix of product/unit components and test items is shown below (Fig. 1).
Fig. 1. The corresponding matrix graph between product/component and test item
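As an added example (not the paper's or the FirmSys project's tooling), the following Python code implements the two selection rules of Sections 3.1 and 3.2: picking the test phases relevant to a change type, and locating the test items to re-execute from a product/component-to-test-item correspondence matrix that records both direct relations and indirect ones (the component only feeds information into the function). The software-product row of the phase mapping is taken from Table 3 in Section 4; the other two rows, the test item names, the code digests and the correspondence matrix are constructed for illustration, with the algorithm block names taken from Table 2.

```python
"""Change-driven regression test selection (added example, not the paper's tool).

Rule (a): select test phases by change type (Section 3.1, rule 1).
Rule (b): select test items from a component-to-test-item correspondence matrix
holding direct and indirect relations (Section 3.2, step 3).
"""
from dataclasses import dataclass, field

PHASES = (
    "software unit test", "hardware unit test", "programmable logic test",
    "software product verification test", "hardware product verification test",
    "structural product verification test", "system integration test", "system test",
)

# Relevant phases per change type. Only the "software product" row comes from the
# paper (Table 3); the other two rows are ASSUMED here for illustration.
RELEVANT_PHASES = {
    "software product": {"software unit test", "software product verification test", "system test"},
    "hardware product": {"hardware unit test", "hardware product verification test", "system test"},
    "interface between products": {"system integration test", "system test"},
}


@dataclass
class TestItem:
    name: str
    direct: set = field(default_factory=set)     # components implementing the function
    indirect: set = field(default_factory=set)   # components whose output feeds the function


def select_phases(change_type):
    """Keep the change-relevant phases in their original order; skip the rest."""
    relevant = RELEVANT_PHASES[change_type]
    return [p for p in PHASES if p in relevant]


def diff_components(before, after):
    """Identify changed units by comparing per-component code digests
    (constructed input: dict component -> digest string)."""
    return sorted(c for c in after if before.get(c) != after[c])


def select_test_items(changed_components, matrix):
    """A test item is re-executed when any changed component relates to it
    directly or indirectly; returns {item name: {"direct": [...], "indirect": [...]}}."""
    changed = set(changed_components)
    selected = {}
    for item in matrix:
        via_direct = changed & item.direct
        via_indirect = changed & item.indirect
        if via_direct or via_indirect:
            selected[item.name] = {"direct": sorted(via_direct), "indirect": sorted(via_indirect)}
    return selected


# Constructed correspondence matrix with hypothetical test item names.
MATRIX = [
    TestItem("TI-LAG-filter", direct={"LAG"}),
    TestItem("TI-PID-loop", direct={"PIDP"}, indirect={"LAG", "DIFFER"}),
    TestItem("TI-sqrt-flow", direct={"SQRT_L"}),
    TestItem("TI-over-temperature", direct={"LLAG"}, indirect={"SQRT_L"}),
    TestItem("TI-other-block", direct={"OTHER_BLOCK"}),   # constructed; untouched by the change
]


def example_run():
    """Walk the Table 2 change through both rules using constructed digests."""
    before = {"LAG": "d1", "DIFFER": "d2", "LLAG": "d3", "PIDP": "d4", "SQRT_L": "d5", "OTHER_BLOCK": "d6"}
    after = dict(before, LAG="d1'", DIFFER="d2'", LLAG="d3'", PIDP="d4'", SQRT_L="d5'")
    changed = diff_components(before, after)
    return select_phases("software product"), changed, select_test_items(changed, MATRIX)


if __name__ == "__main__":
    phases, changed, items = example_run()
    print("phases to run:", phases)
    print("changed components:", changed)
    for name, why in items.items():
        print(f"re-execute {name}: {why}")
```

The indirect relation is the part the routine "test only what the change order names" approach misses: `TI-PID-loop` is selected even though PIDP's own test would already cover it, and `TI-over-temperature` is pulled in through SQRT_L's information flow, which is the kind of omission Section 3.2 warns about.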
4 Application Practice
Taking the algorithm block product change of the first independently developed nuclear safety-class I&C platform, FirmSys, as an example, the in-factory impact analysis and regression test technology of the change test are introduced. The algorithm block change is a new requirement of the first set of Yangjiang No. 5 nuclear power plant after factory delivery. The quality flag transfer scheme of the algorithm block is modified to direct transmission, and the data value is modified to the collected value. This change involves the algorithm library requirements, design, and code. The specific changes are as follows (Table 2).
According to the nuclear safety-class I&C platform product change test method, first identify the change type, then analyze the range of influence according to the change type, and finally determine whether the test phases and test items need to be re-executed.
Table 2. Algorithm library analysis
Change product: Algorithm library
Before change (Version V1.1.3):
LAG, DIFFER, LLAG, PIDP: the quality flag of the input signal participates in the numerical mathematical operation and affects the output value.
SQRT_L: when the input signal is negative, the signal quality flag of the algorithm block output signal is set to bad.
After change (Version V1.1.4):
LAG, DIFFER, LLAG, PIDP: the quality flag of the input signal does not participate in the numerical mathematical operation and does not affect the output value.
SQRT_L: the magnitude of the input signal does not affect the quality flag of the output signal; the output signal quality flag is simply equal to the input signal quality flag.
1. Change type. This change belongs to "software product change", which requires software unit test, software product verification test and system test; hardware products and structural parts products have not changed, so it is not necessary to perform the unit test and board confirmation test related to hardware products; it does not involve product and system interface changes, so system integration test is not required (Table 3).
Table 3. Change analysis of algorithm library (√ relevant; – irrelevant)
Change type: Software product
Software unit test: √
Hardware unit test: –
Programmable logic test: –
Software product verification test: √
Hardware product verification test: –
Structural product verification test: –
System integration test: –
System test: √
2. Change impact analysis. The change belongs to the requirement change category, and the changed algorithm blocks SQRT_L, LAG, LLAG, DIFFER, and PIDP are tested one by one according to the new requirements. The tester updates the corresponding test design and test case files, and executes software unit test, software verification test and system test activities on all test cases of the algorithm blocks. The function of the algorithm blocks in this change is relatively independent and does not affect the functions of the other algorithm blocks. According to the correspondence matrix between the algorithm blocks and the existing regular test items, the test items to be re-executed according to the product change range are shown in Fig. 2.
Fig. 2. The corresponding matrix graph between product/component and test item
3. Test results. The software unit test and the software confirmation test verify the LAG, DIFFER, LLAG, PIDP, and SQRT_L algorithm blocks according to the changed algorithm block requirements and design files. In the system test phase, the over-temperature function of the on-site RPC3 is extracted, and it is tested, under the relevant working conditions that may affect quality bit processing, whether the over-temperature function meets the expected operating result of the engineering application under the modified quality flag and numerical processing scheme. A total of 120 h were spent completing this change test using this change test method. If the method were not used, 180 h would be expected to be required, so the predicted test cost saving is 60 h. After the release of the algorithm block completed by the change test method, the first independently developed and first applied set at Yangjiang No. 5 nuclear power plant in China completed the transformation of eight control stations, and it has been successfully applied and is in operation. This proves that the method is valid and effective.
5 Conclusion
Under the conditions of tight testing time and high quality requirements, how to complete the change verification of safety-class I&C products effectively is a realistic problem to be resolved. For this problem, an improved test method based on change analysis is proposed. This test method is based on the relevant standards, product development and on-site use requirements of nuclear power plants. This paper studies the causes and types of possible product changes, identifies the change types of nuclear safety-class I&C products, analyzes the impact range of the different change types, straightens out the test phase trimming principle for the different change types, and forms the impact analysis method and regression test technology for product changes of the nuclear safety-class I&C platform. This method has been applied in the project, which saves cost while ensuring process integrity and quality up to standard. This proves that it has good applicability and enforceability, and provides an operational and executable idea and method for in-factory regression verification.
References
1. Liu, K.-F., Hang, D.-F., Miu, L., Wu, H.: A regression test method based on test state. Comput. Eng. Sci. 27(3), 80–82 (2005)
2. HAD 102-16-2004, Nuclear power plant computer-based security critical system software [S]
3. IEC 60880-2006, Nuclear power plants-instrumentation and control system important to safety-software aspects for computer-based system performing category A functions [S]
4. IEEE 829-1998, IEEE standard for software test documentation [S]. Institute of Electrical and Electronics Engineers, Inc (1998)
5. IEEE 323-2003, IEEE standard for qualifying class 1E equipment for nuclear power generating stations [S]
6. RCC-E-2005, Nuclear Island electrical equipment design and construction rules [S]
7. Zhao, N., Zou, H.-M., Hao, Z.-S., Du, Q.-R.: Application of analytical methods in the identification of nuclear safety equipment. Instrumentation 24(11), 63–67 (2017)
8. Yan, J., Wu, Y.: Research and practice on testing activities of nuclear safety level general instrument control platform system. Instrumentation (5) (2018)
9. IEEE 1220-1998, IEEE standard for application and management of the systems engineering process [S]. Institute of Electrical and Electronics Engineers, Inc (1998)
10. Wu, Y.: Research on test requirements analysis method of digital nuclear safety level instrument control platform system based on quality characteristics [J]. Atomic Energy Sci. Technol. B11, 1101–1107 (2014)
Research and Application of a User Interface Automatic Testing Method Based on Data Driven
Tai-Xin Huang (corresponding author), Jian-Wei Ji, Yun-Xu Shou, and Yan Kong
Department of Quality Control, China Techenergy Co., Ltd, Beijing, China
[email protected]
Abstract. In order to fully test the various inputs of the software user interface and meet the ever-increasing quality requirements of software products, the test data also become increasingly large. The traditional manual testing process has poor reusability, which leads to low test efficiency. As for conventional automated testing, the scripts are closely tied to the software interface. Any change in the software user interface causes a large number of test scripts to be updated again, so the automated test scripts have a high maintenance cost. To improve the test efficiency under huge test data and reduce the maintenance cost of the automated test scripts, this paper proposes a data-driven user interface automation test method, which decomposes the test process. The method separates the test data, the test operations and the test objects, forming respectively a test data file, a basic operation library and a basic widget library, and adopts a data-driven manner to form interface automatic test cases. The method has been successfully applied in the user interface test process of nuclear power offline configuration software, which greatly improves the execution efficiency of the software user interface test and reduces the maintenance cost of the user interface automation test scripts. It is of great significance for improving the execution efficiency of user interface tests and reducing the maintenance cost of user interface automation test scripts.
Keywords: Data driven · User interface · Automatic testing method
© Springer Nature Singapore Pte Ltd. 2020. Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 202–211, 2020. https://doi.org/10.1007/978-981-15-1876-8_22
1 Introduction
With the development of software development technology, users have ever higher requirements for the quality of software products. Every piece of software must be evaluated and tested before being delivered for use [1]. In nuclear power application software, the software interface is the most direct point of contact between the software and its users. In order to test the business logic of the interface more fully and meet the high quality requirements of nuclear power products, a large number of test data are designed for each interface to test its input conditions. The traditional test method usually relies on manual testing, which is time-consuming and laborious [2] and leads to low test efficiency. When the test data reach tens of thousands of items, the problem of inefficient manual testing becomes more obvious. In order to improve the efficiency of testing, automated testing is initiated on the basis of manual testing. Automated testing is a process of transforming human-driven testing behavior into machine execution [3]. Automated testing is generally divided into record-and-playback and manual scripting. Both methods are based on a test tool, and the scripts cannot run without the test tool [4]. The principle of record-and-playback technology is that when the tester operates the software under test to execute the test case, the test tool records the keyboard and mouse actions and automatically generates the test script code, so the generated code has high redundancy and poor readability, and the business logic code of the tested software is mixed with the control code of the script, which is not conducive to later maintenance [4]. Manual scripting is a further upgrade of record-and-playback technology. Since the test script is written by hand, the readability and reusability of the code are greatly improved. In order to further improve the readability, maintainability and writing efficiency of scripts, a data-driven automated test method based on manual scripting has been proposed. The data-driven principle is simple: separate the test data from the test script [5]. The data-driven automated test method separates the test data from the test operations, reduces the coupling between the test data and the test operations in the script, and realizes the separation of the test data from the test script [5], further improving the readability, maintainability and writing efficiency of scripts. Although conventional data-driven automated testing can improve the readability, maintainability and writing efficiency of the script, because the test operations are still closely tied to the software interface, it still cannot overcome the heavy script maintenance caused by software interface changes. Especially in the software development process, the software interface often changes as the understanding of the user requirements deepens.
When the scale of the test cases reaches tens of thousands, if the project development later needs to modify one of the widgets on an interface of the tested software, every test case script involving that widget must be modified, and the maintenance workload of the test scripts becomes very large. In order to solve the above problems, this paper explores a data-driven automated test method which further decomposes the test operation, separates the object from the operation within the test operation, reduces the coupling between object and operation in the script, further improves the maintainability of the script and reduces the workload of later script maintenance. The scripts are designed modularly following modular design ideas. The whole test script is divided into three modules: basic widget library, basic operation library and test data. The basic widget library contains the basic widgets of the software interface, such as buttons and text boxes, which are the objects operated on in the test operation; the basic operation library contains the basic operations on widgets, such as text input operations and button click operations; the test data contain the data used in the test process. The test script identifies the widget of the software interface, reads the corresponding data from the test data and passes it to the widget, and performs the related operations to form a complete automatic test case.
204
T.-X. Huang et al.
2 Technical Solution Realization
When performing interface testing, the object to be manipulated, that is, a widget on the interface such as a button or text box, must first be identified by specific attributes such as its name and ID, and the test data must be assigned to the corresponding widget according to the test case. Then, following the test operation steps, a click, double click or similar operation is performed on the widget. After the interface responds and outputs the test result, the result is compared with the expected value to determine whether the test passes. From this process it can be seen that interface testing mainly includes three parts: interface widgets, test data and widget operations. We classify these three parts and combine them in a modular design. The most notable feature of modular design is that software programs can easily be added to or modified on the basis of the original program, which effectively simplifies an otherwise complicated software design [6]. During interface testing, for the same version of the software, the widgets used by each interface are fixed, and each widget has its own specific properties. In the script, the widget-specific properties are set as the control search properties, and the widgets together with their search properties form the basic widget library. The test input involved in interface testing is generally regular text or data, and the expected result is usually also a data or text field. The test input data and the expected results are divided into equivalence classes, and data of the same category is grouped into one data class; these categories of data form the test data files.
The operations on widgets are mainly text input, button clicks and the like. These operations are combined and classified to extract general operations, such as button click and menu click operations, which are implemented in code; the general operations form the basic operation library. When a test case script is written, the test input data is first read from the data file and assigned to the corresponding interface widget; then text input, clicks and other operations are performed on the widget in the execution order of the test case; finally the test result is compared with the expected result in the data file to automatically determine whether the result is correct. Together these form a complete automated test case script (Fig. 1).
Fig. 1. Testing framework (the basic widget library, the basic operation library and the test data feed the script, which produces the test result)
Research and Application of a User Interface Automatic Testing
205
2.1 Basic Widget Library
Different software interfaces use different widgets, and even when the same widget is used in different software, or in different interfaces of the same software, its identification path differs. Within one software interface, however, the identification path of a widget is fixed. To simplify writing test case scripts and to ease their maintenance when the configuration software interface changes, the widgets in the configuration software can be classified and the search properties of each type of widget on each interface can be set in the test script. In the test script, the search attribute is adjusted to find each target widget, which provides the basis for subsequent operations. To improve the reusability of the test case automation script and reduce the dependence between the basic operations and the widgets, the coupling between the operation implementation script and the widgets should be minimized when the script is written. When implementing the automated test script, the widgets in the software interface are extracted to form a basic widget library, which allows every test case of the same software to access the same widget and thereby improves the efficiency of test script writing. It also eases the maintenance of automated test case scripts when the interface changes later. This method uses Visual Studio as the script development environment. In Visual Studio, after the Visual C# test project is built, the coded UI test generator can be used to identify the widgets. The identified widgets are placed in the coded UI test map, and the UI test maps of all interfaces form the basic widget library.
Taking a nuclear power offline configuration software thermal resistance value conversion function as an example, an example of a test case widget library is as follows (Fig. 2):
Fig. 2. Widget library example
The partial control search property implementation code is as follows (Fig. 3):
Fig. 3. Widget search property example
For the “OK” button on the interface, the code
    this.SearchProperties[WinWindow.PropertyNames.Name] = "OK";
    this.SearchProperties[WinWindow.PropertyNames.ClassName] = "Button";
is the search property of the control.
2.2 Basic Operation Library
Before the widgets are manipulated, the automated test script must recognize the widgets that need to be manipulated. In the configuration software, widgets of the same type have one or more attribute values by which they can be found automatically; these attribute values are the search attributes. For common widgets such as buttons and text inputs, the name of the control generally differs, that is, the “PropertyNames.Name” property is not the same. The search attribute value of each widget has been defined in the basic widget library, and by adjusting the search attribute value a widget already defined in the widget library is identified. The core problem solved by the data-driven test method is to separate the data from the test script [7]. To separate the data from the test script, the operation of the control must be separated from the test data so that the control operation is relatively independent. Different interface controls are generally operated in different ways: the main operation on a button widget is a click, and the main operation on a TextBox widget is data input. The implementation scripts for similar operations on similar controls (such as clicking and text input) are included in a unified script library for management, which makes them convenient to call when a specific test case is organized. This script library is the basic operation library. For example, the click operation of a button is implemented in the basic control library as follows:
    public void BtnMouseClick(string strName)
    {
        // identify the button by its name (its search property), then click it
        winRadioButton.SearchProperties[WinRadioButton.PropertyNames.Name] = strName;
        Mouse.Click(winRadioButton);
    }
The code “winRadioButton.SearchProperties[WinRadioButton.PropertyNames.Name] = strName;” identifies the control that needs to be manipulated, and “Mouse.Click(winRadioButton);” clicks on the identified control. To click a button named “OK”, it is only necessary to call BtnMouseClick("OK") in the test case.
2.3 The Test Data
A data-driven test is a test in which the data is contained in an input test data file and the data controls the automated execution of the test script. The test data is specific to a particular test product and test combination [8]. For the same product, once the test cases are determined, the types and values (or text) of the test data involved are fixed. The test data is classified into categories and put into the data file according to the organizational form of the use case, so that the test data file required by the use case is formed. Test data can be stored in a variety of formats, such as Excel, eXtensible Markup Language (XML) [9] and Structured Query Language (SQL). XML describes application-independent data in a unified way and is a general data description language [10], so the xml format is recommended. In the xml format, the input data is divided into equivalence classes and arranged in the order in which it is entered during the test operation, and the data involved in one use case is placed in the same row. Take the thermal resistance value conversion function of the nuclear power configuration software as an example: some of its inputs are temperature values, and the output is a resistance value. When the data format of the xml file is designed, the temperature values are classified into one class and the output results into a resistance class. The implementation is as follows:
In the subsequent test process, if more test data is needed, only the xml file needs to be modified; the use case implementation script itself requires no modification.
3 Test Case Realization
After the basic widget library, the basic operation library and the test data are ready, the test case script organizes these three parts according to the design idea of the test case to form an automated test case. The specific implementation steps are as follows (Fig. 4).
Fig. 4. Test case implementation process: identify the controls to operate on; read and bind the test data; operate on the control; determine if the test results are correct
The widgets in the basic widget library are called to identify the widget that needs to be manipulated by adjusting its search property. When a basic operation is called, the search property of the widget is passed as a parameter to the basic operation function, which identifies the widget and operates on it. After the data is read from the xml file, it is assigned to the widget to be operated on, which binds the data to the widget. The basic operations in the basic operation library are called, and the widget operations are organized according to the execution sequence of the use case, so that the test is performed according to the design steps of the use case. After execution, the script determines whether the test result is correct and concludes whether the test case has passed. In Visual Studio, the attribute
    [DataSource("Microsoft.VisualStudio.TestTools.DataSource.XML", "|DataDirectory|\\data.xml", "Iterations", DataAccessMethod.Sequential), DeploymentItem("data.xml"), TestMethod]
binds the xml file, and Assert determines whether the test results are consistent with the expected results. Take the ohm to temperature conversion function of a nuclear power configuration software as an example; its use case realization script is as follows:
    [DataSource("Microsoft.VisualStudio.TestTools.DataSource.XML", "|DataDirectory|\\TC_RTD\\Pt100.xml", "WenDuToOumuOk", DataAccessMethod.Sequential), DeploymentItem("Pt100.xml"), TestMethod]
    public void Ohm2T()
    {
        string strOuMuValue = TestContext.DataRow["OuMu"].ToString();
        string strResult = TestContext.DataRow["Wendu"].ToString();
        // Step 1: click the "tools" menu, then click the "TC/RTD indexing table" menu under the "tools" menu
        libMtMainMenu.MouseClickMenuTool();
        libMtMainMenu.MouseClickMenuTC_RTC();
        Playback.Wait(500);
        // Step 2: set the thermoelectric resistance
        libTcRtd.SetRValue(strOuMuValue);
        // Step 3: choose the calculation method
        libTcRtd.MouseClick("CalTemperature");
        // Step 4: click the calculate button, and then click the ok button of the pop-up result prompt window
        libTcRtd.MouseClick("Calculate");
        Playback.Wait(500);
        libTcRtd.MouseClick("OK");
        // Step 5: assert whether the calculation result is correct. Method: determine whether the value in the control corresponding to "temperature value" is equal to the expected value
        libTcRtd.AssertTValue(strResult);
    }
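The three-module structure of Sects. 2.1 to 2.3 and the test case loop of Sect. 3, reduced to a stand-alone Python example. This is added here for illustration; it is neither the paper's code nor part of the Coded UI framework. It assumes a constructed stand-in for the configuration software (FakeApp, with a hypothetical Pt100 conversion using the linear approximation R = 100(1 + 0.00385 T)), a widget library that holds only search properties, an operation library that resolves widgets by those properties at call time, and a constructed XML test data string in the row layout of the Pt100.xml described above. With this split, a renamed control touches only the widget library and a new data row touches only the XML.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the configuration software under test (hypothetical).
# Controls are addressed by their search properties (Name, ClassName), as in a
# Coded UI test map, so the operation library never hard-codes a control object.
class FakeApp:
    def __init__(self):
        self.controls = {
            ("R value", "Edit"): "",
            ("temperature value", "Edit"): "",
            ("CalTemperature", "RadioButton"): False,
            ("Calculate", "Button"): None,
        }

    def click(self, key):
        if key == ("CalTemperature", "RadioButton"):
            self.controls[key] = True
        elif key == ("Calculate", "Button") and self.controls[("CalTemperature", "RadioButton")]:
            r = float(self.controls[("R value", "Edit")])
            t = (r / 100.0 - 1.0) / 0.00385      # linear Pt100 approximation (assumption)
            self.controls[("temperature value", "Edit")] = f"{t:.2f}"

# Basic widget library: search properties only, no operations (mirrors the UI test map).
WIDGET_LIBRARY = {
    "RValue":         {"Name": "R value",           "ClassName": "Edit"},
    "TValue":         {"Name": "temperature value", "ClassName": "Edit"},
    "CalTemperature": {"Name": "CalTemperature",    "ClassName": "RadioButton"},
    "Calculate":      {"Name": "Calculate",         "ClassName": "Button"},
}

# Basic operation library: generic operations that locate a widget by its search
# properties when called, so a changed control name is fixed in one place.
class OperationLibrary:
    def __init__(self, app, widgets):
        self.app, self.widgets = app, widgets

    def _find(self, widget_id):
        props = self.widgets[widget_id]
        key = (props["Name"], props["ClassName"])
        if key not in self.app.controls:
            raise LookupError(f"widget {widget_id!r} not found by {props}")
        return key

    def set_text(self, widget_id, text):
        self.app.controls[self._find(widget_id)] = text

    def mouse_click(self, widget_id):
        self.app.click(self._find(widget_id))

    def read_text(self, widget_id):
        return self.app.controls[self._find(widget_id)]

# Test data: constructed XML rows, one use case per row, inputs first, expected output last.
PT100_XML = """<Pt100>
  <WenDuToOumuOk OuMu="100.00" Wendu="0.00"/>
  <WenDuToOumuOk OuMu="119.25" Wendu="50.00"/>
  <WenDuToOumuOk OuMu="138.50" Wendu="100.00"/>
</Pt100>"""

def load_rows(xml_text, table="WenDuToOumuOk"):
    """Read the rows of one table from the XML data file (the DataSource role)."""
    return [dict(row.attrib) for row in ET.fromstring(xml_text).findall(table)]

def ohm_to_t_case(ops, row):
    """One data-driven use case: bind the row, run the steps, return (actual, passed)."""
    ops.set_text("RValue", row["OuMu"])       # Step 2: set the resistance
    ops.mouse_click("CalTemperature")         # Step 3: choose the calculation method
    ops.mouse_click("Calculate")              # Step 4: calculate
    actual = ops.read_text("TValue")          # Step 5: read the result control
    return actual, actual == row["Wendu"]

def run_ohm_to_t(xml_text):
    """Run every row of the data file as one test case; return per-row results."""
    results = []
    for row in load_rows(xml_text):
        ops = OperationLibrary(FakeApp(), WIDGET_LIBRARY)   # fresh application state per case
        actual, passed = ohm_to_t_case(ops, row)
        results.append((row["OuMu"], row["Wendu"], actual, passed))
    return results

if __name__ == "__main__":
    for result in run_ohm_to_t(PT100_XML):
        print(result)
```

Running the file prints one tuple (input, expected, actual, passed) per XML row. A row with a wrong expected value fails on its own without touching the other rows, which is the separation of data from script that the method relies on.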
4 Test Case Execution
After the test cases are written and compiled, a list of test cases is displayed in the Test Explorer. From the list, one use case or several use cases can be executed at a time, and the execution results can be viewed directly in the Test Explorer (Fig. 5).
Fig. 5. Test case execution result
5 Practical Application and Effect
This method has been applied in the test of a nuclear power offline configuration software. In the practical application, an xml file stores the test data, a coded UI test map is generated separately for each interface of the configuration software, and all UI test maps together form the control library. The implementation scripts of the control operations on the interfaces are placed in a separate source file (.cs) to form the operation library. In the test case script, following the operation steps of the use case design, the controls in the control library are used to read the required data from the test data file into the corresponding control, and the operation sequence of the controls is organized to form the required test case. For a certain function of the nuclear power offline configuration software (with 2641 test input data), the manual test method takes about 16 h to complete each round of testing. With this method, the first round of testing takes about 6 h, and each subsequent round of regression testing takes only one hour. For the same function, the conventional automated test method requires 79,230 lines of test script to be written, and when the interface changes all test cases (2641) need to be modified. With this method, only 3124 lines of test script need to be written (including 2647 lines of test data), and when the interface changes, only the control library and a general test case need to be modified.
6 Conclusion
This paper discusses a data-driven interface automation test method. With this method, test data is automatically read from the test data file and assigned to the specified widgets, the test cases are executed, and the test result is determined automatically. When a test case needs more test data, only the test data file is modified and the test script is left unchanged; and because the widgets are separated from the specific test operations, only a small amount of test script needs to be updated when the software interface changes, which greatly reduces the workload of script maintenance. The method has been applied in the interface test of an offline configuration software of a nuclear power plant. For a function whose test input data reaches 2641, a round of manual testing takes 2 people, but only 1 h after adopting this method. When the interface of the function changes, maintaining the original scripts takes about 3 h, whereas with this method the script maintenance can be completed in a few minutes. Practice shows that this method can greatly improve the testing efficiency and greatly reduce the maintenance workload of the test scripts.
References
1. Fu, A.-P., Zhang, S.-Y.: Evaluation test analysis of human-machine interface design. Sci. Technol. Vis. 25, 74 (2014)
2. Liu, S.-J.: Automated testing and implementation of communication software. Electron. Technol. Softw. Eng. 2, 49–50 (2018)
3. Wang, W.-B., Dou, R.-P.: Research on data driven automated test methods. Comput. Program. Skills Maint. 24, 91–98 (2015)
4. Liu, H.-G., Huang, T.-X., Song, L.-X., Meng, G.-G.: Research and application of automatic testing technology based on DCS software interface. Autom. Panor. 4, 66–70 (2017)
5. Chen, L.-M.: Research and application of data-driven and keyword-driven. Comput. Eng. Softw. 4, 90–92 (2016)
6. Chen, Z.-Q.: Correlation analysis of modularization and computer software design. Comput. Program. Skills Maint. 21, 18–19 (2017)
7. Wang, M., Gao, X., Wang, Z.-C.: Data driven testing development based on QTP. Microcomput. Appl. 2, 91–94 (2004)
8. Liu, T.: The research and application for software testing techniques and automated testing framework. Comput. Knowl. Technol. 26, 7428–7431 (2009)
9. Xu, Y.: Research on interface design of display website based on waterfall flow layout. Light Ind. Sci. Technol. 12, 102–103 (2015)
10. Xie, Y.-H., Liu, J., Ji, B.: Design and implementation of data-driven based data editing framework. Comput. Inf. Technol. 5, 9–12 (2018)
Research on a Certainty Data Link Layer Protocol for the Communication Network in Nuclear Safety DCS
Le Li, Chun-Lei Zhang, Kang Cheng, Xing-Xing Sun, and Wen-Yu Yang
China Techenergy Co., Ltd, Beijing, China
[email protected]
Abstract. With the development of digital instrumentation and control (I&C) technology for nuclear power plants in recent decades, communication networks have become an important part of safety digital control systems (DCS). The certainty of the protocol is the main difference between nuclear safety communication and other industrial communication networks. This research proposes a particular safety communication protocol designed for and applied in the data link layer (DLL) of the communication network in a safety DCS. The certainty of safety communication protocols is discussed, and the factors influencing the certainty of a protocol, such as its cumulative, discrete and parallel characteristics, are analyzed. After an analysis of the typical topology and model of the safety network, the solution for a certainty safety communication protocol implemented in the DLL is demonstrated. Finally, the proposed safety communication protocol is verified through simulation and formal verification techniques, which indicates that it can ensure the certainty of safety communications.
Keywords: Certainty · Protocol · Safety communication · Data link layer
1 Introduction
Since the first application of digital instrumentation and control (I&C) technology to nuclear power plants in the 1980s, it has made tremendous progress in a few decades and has gradually replaced analogue I&C systems. With forty years of technological improvement, digital I&C systems have evolved from stand-alone control systems to digital control systems (DCS) [1]. In a safety DCS, a communication network connects the control stations dispersed in the NPP, which perform data acquisition, calculation and control functions, to the operation stations in the main control room, so that operators can perform a variety of control operations and monitor the real-time status of the plant systems [2]. The communication network therefore influences the reliability of a safety DCS and should be given major consideration in the design of the DCS. In a safety DCS, the design objectives of the communication network are implemented by communication protocols at different layers, which achieve the transmission of inter-station communication data. Current research shows that communication networks in safety DCS normally employ industrial or open communication protocols. For example, the RS-485 protocol is implemented in the network of the CommonQ platform made by Westinghouse and applied as the I&C system in the APR1000 nuclear project [3]. Furthermore, in the TXS platform designed by Siemens, the safety communication network is built on Ethernet technology using the IEEE 802.3 protocol. As the number of interconnected control stations increases, these protocols can neither ensure efficient data transmission nor provide a certain time for transferring data from one node to another, which means they are not suitable for safety communication networks of growing size. Furthermore, little research addresses particular protocols with high certainty designed for large-scale safety communication networks [4]. It is therefore becoming more necessary to study a communication network protocol that supports faster transmission, larger network capacity and the security requirements, in order to optimize the current system. This research demonstrates a particular safety communication protocol designed for and applied in the data link layer (DLL) of the communication network in a safety DCS. The proposed protocol meets the related standards and regulations of the nuclear industry, and its certainty, the main difference between nuclear safety communication and other industrial communication networks, is especially discussed. In addition, the designed safety communication protocol is verified in FirmSys, the first DCS with safety class 1E produced by China with proprietary intellectual property.
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 212–225, 2020. https://doi.org/10.1007/978-981-15-1876-8_23
2 Certainty for Safety Communication Protocols
2.1 Certainty Required by Standards and Regulations
Since they are applied in nuclear power plants, safety communication networks must be designed to meet the related standards and regulations, such as IEC 61513, IEEE 7-4.3.2 and NRC ISG-04 [5, 6]. In other words, the safety communication protocol should obey the requirements listed in these standards and regulations, where reliability, safety, real-time behavior, certainty and independence of a safety communication network are described. Furthermore, the achievement of certainty depends mostly on the communication protocol, so certainty is the main consideration in the design of the safety communication protocol in this paper. The definition of certainty has been stated in previous research: certainty means that the speed, delay, throughput, load and data update period can be calculated accurately, which ensures that the nuclear safety communication network is state-based and controllable. The designed safety communication protocol should therefore avoid unclear, inconsistent or circular rules in its description. Since many potential uncertainties exist in digital systems and their applications, the communication-related uncertainties must be identified and their influence eliminated in the proposed protocol. To ensure certainty in safety communication, communication behavior, completion time and resource consumption are commonly considered the main rules in safety communication protocols. These common rules have been clarified in the related standards and regulations. NRC ISG-04 illustrates the method that ensures the certainty of a safety communication network: the format and protocol of the messages should be determined in advance. Moreover, in safety communication networks, each message should have the same structure and order, and each transmission cycle should contain all data regardless of whether the data has changed [7].
2.2 Factors Influencing the Certainty of Protocols
Analysis of the inherent features of the safety DCS shows that the main factors influencing the certainty of a safety communication protocol are its cumulative, discrete and parallel characteristics.
2.2.1 Cumulative Characteristics
The cumulative characteristic refers to the behavior of a communication entity being affected by previous communication processing or communication results. In other words, the behavior of the communication entity is not only determined by its current state but also constrained by its historical states, which makes it difficult to quickly predict the communication behavior or to judge a communication failure from the current state alone. In a safety communication network, the influence of the cumulative characteristic can make the network state uncertain. The cumulative characteristic appears in the number of communication interactions, such as a count value; in the number of occurrences of unexpected events, such as packet loss or other abnormal actions; and in the consumption of specific shared communication resources, such as the amount of the channel's buffer.
Fig. 1. A communication channel with 5 network nodes.
The amount of the channel's buffer shown in Fig. 1 is taken as an example, where five communication entities P1, P2, P3, P4 and P5 are connected by a channel and share the same channel buffer. It is assumed that P1 requests to occupy the shared channel and that the requested amount of channel buffer is 8 Mbps. When the data from other nodes buffered on the channel exceeds 8 Mb in one second, P1 fails to obtain the channel buffer. At this point P1 either continues to apply for the channel buffer or abandons the application. Either way, the normal transmission of data is affected, which causes communication delay or packet loss and leaves the state of the network uncertain.
2.2.2 Discrete Characteristics
The discrete characteristic is the basis of a digital system and means that the behavior of a communication entity is sometimes absent and discontinuous. Because of the discrete characteristic, the state at a certain time t is taken to represent the state over a period of time T, which should be set carefully. A small value of T increases the invalid load of the communication system and makes the system complicated. On the other hand, a large value of T leads to a flood of information, which can leave the digital system unable to effectively prevent, detect and handle faults.
Fig. 2. Discrete characteristics of communication systems (P1 sends frames #1 to #5 with period Tsend; P2, operating with period TP2, receives them within Trecv after an offset Φ).
A typical discrete communication network system is shown in Fig. 2, which illustrates an instance of packet loss. The communication entity P1 transmits data with a period Tsend, and the communication entity P2 operates with a period TP2 and receives data within a period Trecv, which is much greater than Tsend. Counting starts from a certain packet sent by P1, which is recorded as frame #1. There is a time interval Φ between the transmitting moment of P1 and the receiving moment of P2. After that, P2 receives frames #2, #3, #4, #5, … in turn, and for a frame sent by P1 to be received by P2 the relationship jTrecv i = T_t1 = Φ + T_recv should be satisfied. In this equation, the parameter Φ is influenced by the periods of P1 and P2, which means that the value of Φ keeps changing throughout the communication process [8]. As Φ increases, the channel buffer may become full and unable to buffer the next data sent by P1, so that the following frame packets are lost. In this case, the example shows that it is uncertain whether P2 can receive a frame sent by P1.
2.2.3 Parallel Characteristics
The parallel characteristic means that the protocol allows several communication entities to take part in interactions or responses at the same time. A communication protocol with parallel characteristics can provide asynchronous cooperation of application functions and reduce the mutual coupling between communicating parties, which improves transmission efficiency. However, the coordination accuracy between communication entities running in parallel is low, and in particular resource acquisition conflicts can occur between them. The key point of a communication protocol with parallel characteristics is therefore to solve the problems of link access conflict, synchronization between communication entities and the choice of the master node [9]. Under the constraints of a parallel communication protocol, the behavior of each communication entity is not completely determined by its own state but is also limited by the states and behaviors of the other communication entities. When the states of all communication entities in the system are not fully known, the behavior of a communication entity is unpredictable, which makes the operation of the communication network uncertain.
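A discrete-time simulation of the buffer and timing effects of Sects. 2.2.1 and 2.2.2, added here as an example; it is not the paper's code nor FirmSys code. P1 pushes frame numbers into a shared channel buffer every Tsend ticks, P2 drains the buffer every TP2 ticks starting at offset Φ, and a frame is lost when the buffer is full. The FIFO buffer model, the tie-breaking rule and all parameter values are assumptions. The example also computes the per-period loss bound ceil(TP2/Tsend) - capacity, the kind of deterministic quantity a certainty-oriented design fixes at zero by sizing the buffer against the periods.

```python
import math

def simulate_channel(tsend, tp2, phi, capacity, horizon):
    """Discrete-time model of Fig. 2: P1 sends frame #k at t = (k-1)*tsend,
    P2 drains the whole channel buffer at t = phi + n*tp2.  Returns
    (delivered, lost, still_buffered) as lists of frame numbers.
    When both events fall on one tick the receive is processed first (assumption)."""
    buffer, delivered, lost = [], [], []
    seq = 0
    for t in range(horizon):
        if t >= phi and (t - phi) % tp2 == 0:     # P2 receive instant
            delivered.extend(buffer)
            buffer.clear()
        if t % tsend == 0:                         # P1 send instant
            seq += 1
            if len(buffer) < capacity:
                buffer.append(seq)
            else:
                lost.append(seq)                   # cumulative effect: the buffer is full
    return delivered, lost, list(buffer)

def loss_bound_per_period(tsend, tp2, capacity):
    """Worst-case frames lost per receive period: at most ceil(tp2/tsend) send
    instants fall into one period of length tp2, and the buffer holds `capacity`
    of them.  A certain protocol chooses its parameters so that this bound is 0."""
    return max(0, math.ceil(tp2 / tsend) - capacity)

def phase_sweep(tsend, tp2, capacity, horizon):
    """Lost frame numbers for every offset phi in [0, tp2): which frames are lost
    depends on the drifting phase, while the count stays within the bound."""
    return {phi: simulate_channel(tsend, tp2, phi, capacity, horizon)[1]
            for phi in range(tp2)}

if __name__ == "__main__":
    delivered, lost, pending = simulate_channel(2, 10, 1, 4, 30)
    print("delivered", delivered, "lost", lost, "pending", pending)
    print("loss bound per period", loss_bound_per_period(2, 10, 4))
    print("lost with capacity 5", simulate_channel(2, 10, 1, 5, 30)[1])
    print("lost frames per phase", phase_sweep(2, 10, 4, 30))
```

With Tsend = 2, TP2 = 10 and a four-frame buffer, one frame in every receive period is lost and which frame that is moves with Φ; with a five-frame buffer the bound is zero and nothing is lost, which is the deterministic statement the protocol design needs.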
Fig. 3. The process of applying a channel resource (Transmission Ready → Channel Occupation Check; if not occupied (N): Occupied Flag Assertion → Transmitting → Completion Check, and on completion (Y) Occupied Flag Desertion; if occupied (Y): Transmission Delay, then the check is repeated).
In the case shown in Fig. 1, it is assumed that two identical communication entities P1 and P2 share the same communication channel to transmit a message M, and that the channel, being exclusive, can only be occupied by one communication entity at a time. The flowchart of P1 transmitting a frame is shown in Fig. 3, which shows the process of applying for the occupation of the channel. As illustrated by the figure, whether the channel is occupied is checked when a frame is ready to be transmitted. If the channel is not occupied by another communication node, the occupation flag is asserted, which means that other nodes cannot successfully apply for the occupation of the channel. After the transmission is completed, the occupation flag is deserted. Otherwise, with the channel occupied, P1 applies for the channel again after a specific period, which can delay the transmission. This is the carrier sense multiple access (CSMA) algorithm, in which the time at which P1 transmits the message M is uncertain [10]. When multiple communication entities share the same transmission channel, a communication entity may be unable to transmit data efficiently, or unable to transmit at all. Such behavior should therefore be explicitly prohibited in nuclear safety communications. Both protocols based on time-sharing transmission and protocols based on a master-slave structure can solve the above resource access competition problem. In a nuclear safety communication protocol, the limited waiting principle should be adopted, whereby the occupation of a resource is limited to a specified period of time. In this way, each communication node is guaranteed to acquire the resource within a certain time, which ensures the certainty of the protocol.
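A comparison of the two channel access disciplines discussed above, added as an example and not taken from the paper: a CSMA-style discipline with random backoff, where the completion time of a node's transmission depends on what the other nodes do, and a limited-waiting time-slot discipline where each node owns one slot per cycle and therefore waits at most N-1 slots. One-tick frames, all nodes becoming ready at t = 0 and the binary exponential backoff are modelling assumptions.

```python
import random

def csma_completion(n_nodes, seed, horizon=200, max_backoff=16):
    """CSMA-like access with random backoff (assumed model).  At each tick every
    pending node whose backoff has expired senses the channel; if exactly one
    does, it transmits and completes; if several do, they collide and each draws
    a new backoff.  Returns {node: completion tick, or None if still pending}."""
    rng = random.Random(seed)
    backoff = {node: 0 for node in range(n_nodes)}    # ticks before the next attempt
    attempts = {node: 0 for node in range(n_nodes)}
    done = {}
    for t in range(horizon):
        pending = [n for n in backoff if n not in done]
        if not pending:
            break
        ready = [n for n in pending if backoff[n] == 0]
        for n in pending:
            if backoff[n] > 0:
                backoff[n] -= 1
        if len(ready) == 1:
            done[ready[0]] = t                         # successful transmission
        elif len(ready) > 1:
            for n in ready:                            # collision: random backoff
                attempts[n] += 1
                backoff[n] = rng.randrange(min(max_backoff, 2 ** attempts[n]))
    return {n: done.get(n) for n in range(n_nodes)}

def slotted_completion(n_nodes):
    """Limited-waiting time-sharing: node i may only transmit in slot t with
    t % n_nodes == i, so each node completes within n_nodes - 1 ticks of
    becoming ready, whatever the other nodes do."""
    return {n: n for n in range(n_nodes)}

def slotted_bound(n_nodes):
    """The guaranteed worst-case wait of the time-slot discipline."""
    return n_nodes - 1

def worst_wait(completion):
    """Largest completion tick; None if some node never finished in the horizon."""
    if any(v is None for v in completion.values()):
        return None
    return max(completion.values())

def csma_worst_waits(n_nodes, seeds):
    """Worst-case wait of the CSMA model for several seeds: the values vary
    from run to run, and every one exceeds the time-slot bound."""
    return [worst_wait(csma_completion(n_nodes, seed)) for seed in seeds]

if __name__ == "__main__":
    print("slot bound for 2 nodes:", slotted_bound(2), slotted_completion(2))
    print("CSMA worst waits for 2 nodes:", csma_worst_waits(2, range(10)))
    print("CSMA worst waits for 5 nodes:", csma_worst_waits(5, range(10)))
```

Because every node is ready at t = 0, the first tick of the CSMA run is always a collision, so the last node never finishes before tick n; the slot discipline finishes all n nodes by tick n-1 with no dependence on a random draw, which is the bounded waiting the limited waiting principle asks for.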
3 Solution to Certainty Safety Communication Protocols
3.1 The Topology and the Sample Model
Before a certainty safety communication protocol is proposed, the topology and model of the communication network should be discussed, since they enhance the certainty of the protocol.
3.1.1 The Topology of the Safety Communication Network
The topology of the typical safety communication network is shown in Fig. 4: all communication nodes are connected by two reverse and redundant communication links to form a double ring topology. In this topology, the ring in which data is transmitted clockwise is defined as Ring 0 and the other ring as Ring 1. Each communication node sends its data to the other nodes through both Ring 0 and Ring 1, and each node can receive two copies of the same data from any other node, one through the clockwise ring and one through the counter-clockwise ring [11].
Fig. 4. The topology of the safety communication network.
3.1.2 The Simple Model in the Safety Communication Network
[Fig. 5 layer stacks: the TCP/IP five-layer model (Application, Transport, Network, Data Link, Physical); the OSI seven-layer model (Application, Presentation, Session, Transport, Network, Data Link, Physical); and the simplified safety model (Application Layer; Data Link Layer made up of Data Mapping, MAC Control and MAC Data Channel; Physical Layer)]
Fig. 5. The simple model in safety communication networks.
As a requirement of certainty, the protocol of the safety multipoint network should be designed simply, to reduce the probability of errors introduced by a complex model. Referring to the Open Systems Interconnection (OSI) seven-layer model developed by the International Organization for Standardization (ISO) and the five-layer model of TCP/IP, the model of the safety communication network is simplified in combination with the regulations for nuclear safety DCS [12]. As shown in Fig. 5, the safety communication network employs the physical layer, data link layer (DLL) and application layer only, which indicates that the certainty-based protocol discussed in this paper should be implemented in the DLL.
3.2 The DLL of the Safety Communication Network
As stated in the last section, the core function of the network is located in the DLL, as shown in Fig. 6. This section describes the DLL functions in detail, including the DLL function modules, service interfaces, communication scheduling mechanism and frame structures. These functions do not depend on a specific implementation strategy, but must be provided by the communication protocol.
[Fig. 6 service primitives: between the application layer and the data mapping sublayer, AP_STATUS.request/indication and AP_DATA.request/indication/refresh; between data mapping and MAC control, MA_CONTROL.request/indication and MA_DATA.request/indication; the MAC data channel sublayer drives the Ring 0 and Ring 1 channels above the physical layer]
Fig. 6. The model of the DLL.
The model of the DLL in the safety communication network is shown in Fig. 6, which indicates that the DLL consists of the data mapping control sublayer, the MAC control sublayer and the MAC data channel sublayer. The detailed functions of these sublayers in the communication protocol are listed below.
3.2.1 The Data Mapping Control Sublayer
The data mapping control sublayer is the interface between the DLL and the application layer in the safety communication network, and performs memory management and data integrity maintenance. Each packet delivered by the MAC control sublayer is verified in the data mapping control sublayer: an incorrect packet is discarded and a correct packet is written into the memory mapping area.
3.2.2 The MAC Control Sublayer
The MAC control sublayer is the brain of the DLL and the place where the main functions defined by the communication protocol are performed, including data processing, data analysis, communication ring selection, data mapping area access control, data frame scheduling management and fault handling. This sublayer provides a dedicated channel between the data mapping control sublayer and the MAC data channel sublayer: data frames from the data mapping control sublayer are packed, and data frames from the data channel sublayer are unpacked.
3.2.3 The MAC Data Channel Sublayer
The MAC data channel sublayer is the interface between the DLL and the physical layer in the safety communication network, sending data to and receiving data from the physical layer. This sublayer performs the rationality check, flow control and queue processing, and also implements the transmission rules of the protocol, such as insert, copy, transit and strip, based on IEEE 802.17 [13].
3.3 The Certainty Protocol Implemented in the DLL
Based on the above description, certainty is mainly considered in the design of the safety communication protocol implemented in the DLL. The methods that prevent the influence of the cumulative, discrete and parallel characteristics are discussed below; each contributes to the certainty of the safety communication protocol.
3.3.1 State-Based Communication with Certainty
State-based communication means that a communication node sends its data at regular intervals regardless of whether the data has changed, in contrast to event-based communication, where a change of data triggers a transmission. Buffer overflow is the main cause of network congestion or crash, and burst data in the network is the main cause of buffer overflow. The generation of burst data should therefore be limited in safety communications, to reduce the cumulative characteristic that makes the system uncertain. State-based communication makes it difficult to generate burst data in the communication network, which improves the certainty of the network. However, a failing network device may still generate burst data, which also needs to be prevented by the safety communication protocol.
3.3.2 Fixed Transmission Mode
Only broadcast mode is employed to transfer data in the safety communication network: the sending node sends data continuously, and no response from the receiving node is required. Because the data of the safety communication network is transmitted by broadcast and the source node stripping strategy is adopted
uniformly, the communication protocol can be greatly simplified, which reduces the complexity of the protocol implementation. This helps to eliminate the effect of the parallel characteristic and also contributes to the certainty of the network.
3.3.3 Producer-Consumer Model
The producer-consumer model is used to exchange data among all stations in the safety communication network, as illustrated in Fig. 7. The model contains three roles: data producers, data, and data consumers. Data producers generate the data and data consumers use it; they correspond to sending nodes and receiving nodes respectively in the safety communication network.
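The guard below is an added Python example, not code from the paper or from FirmNet, of how a receiver can exploit the fixed per-period traffic of state-based communication (Sect. 3.3.1) to police a faulty device that starts to babble. The node count, frames per period, period length, buffer size and the constructed traffic are assumptions chosen for the illustration.

```python
"""Bounding a receive buffer with state-based traffic.

Constructed example, not FirmNet code. Every healthy node sends exactly
frames_per_period frames per period, so the receiver knows the largest
legitimate number of arrivals per period and can reject anything beyond a
node's budget before it occupies buffer slots.
"""


def state_based_traffic(n_nodes, frames_per_period, period_ticks, periods):
    """(tick, node) arrivals for nodes that send a fixed number of frames per period."""
    frames = []
    for period in range(periods):
        for node in range(n_nodes):
            for i in range(frames_per_period):
                frames.append((period * period_ticks + node * 10 + i, node))
    return frames


def babble(node, period, count, period_ticks):
    """A failed device emitting a burst of 'count' extra frames in one period."""
    return [(period * period_ticks + 50 + j, node) for j in range(count)]


def deliver(frames, frames_per_period, period_ticks, buffer_slots, guard):
    """Feed arrivals into a receive buffer that the application drains at every
    period boundary. With guard=True a node's frames beyond its per-period
    budget are rejected at the input instead of occupying buffer slots."""
    buffered = 0
    stats = {"max_occupancy": 0, "overflow": 0, "rejected": 0}
    sent = {}                      # node -> frames seen from it this period
    current_period = 0
    for tick, node in sorted(frames):
        period = tick // period_ticks
        if period != current_period:       # application consumed last period's frames
            buffered, sent, current_period = 0, {}, period
        sent[node] = sent.get(node, 0) + 1
        if guard and sent[node] > frames_per_period:
            stats["rejected"] += 1         # budget exceeded: drop before buffering
            continue
        if buffered == buffer_slots:
            stats["overflow"] += 1         # buffer full: frame lost
            continue
        buffered += 1
        stats["max_occupancy"] = max(stats["max_occupancy"], buffered)
    return stats


if __name__ == "__main__":
    # Constructed traffic: four nodes, two frames each per 100-tick period,
    # plus node 3 bursting 20 extra frames in period 1.
    traffic = state_based_traffic(4, 2, 100, 3) + babble(3, 1, 20, 100)
    print(deliver(traffic, 2, 100, 16, guard=False))
    print(deliver(traffic, 2, 100, 16, guard=True))
```

The buffer is sized at twice the calculable per-period load (Sect. 3.3.5 style), yet the unguarded run still overflows under the burst; with the budget enforced, occupancy never exceeds the designed load and the surplus is rejected at the input, where it costs nothing.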
Fig. 7. Data producer-consumer model.
There is only one data producer for each item of data in the producer-consumer model, but any number of data consumers. Regardless of how many consumers need the data, the producer sends it once, in broadcast mode. In the safety network each communication node is both a data producer and a consumer of the other nodes' data, because every node broadcasts its data to the network with a fixed period and at the same time receives the data sent by the other nodes. A producer therefore does not have to prepare and send data separately for every consumer, which minimises data traffic and sending delay. The model thus increases the certainty of the safety network by reducing the influence of the cumulative characteristic.
3.3.4 Optimised Types of Frames
Two types of frame, the status frame (SF) and the data frame (DF), are designed in the safety communication protocol and optimised for the safety communication network. The SF of a communication node indicates the operating status of the communication entity, and the DF carries the actual data to be transferred to other nodes. The SF should be shorter than the DF, which reduces its occupation of the channel and improves the certainty and efficiency of data transit. The SF should also be transmitted at a shorter interval than the DF, so that the system continuously judges the operating status of the network. As
a result, the interference of the discrete characteristic is reduced, contributing to the certainty of the safety communication network.
3.3.5 Fixed and Calculable Transit Data
The data transmitted by the safety communication network is deterministic and should be specified at the beginning of the protocol design. The transit data is not allowed to change during network operation, which avoids the generation of burst data. Fixed data combined with the specific topology of the safety communication network introduced in Sect. 3.1 allows the various parameters of the communication network to be calculated accurately during the design phase. The worst operating conditions of the network can also be calculated, which eliminates the negative influence of the cumulative and parallel characteristics.
3.3.6 Parallel Data Mapping Management
In the safety communication network, the network communication process is in fact the updating process of each station's memory mapping area: each communication node writes the data received from other nodes into the corresponding data mapping area. The memory mapping in every node is fixed, as shown in Fig. 8.
[Fig. 8: memory mapping with Node Data Area 1 to Node Data Area n; sending data from a node's area is framed into Data Frames 1 to 5, and Data Frames 5 to 1 received from the network are written back into the corresponding node data area]
Fig. 8. Framing data for transferring.
Since all communication nodes operate asynchronously in the safety communication network, transit frames and insert frames may compete for the output channel at the same time. How to avoid or reduce the impact of such collisions on network certainty is very important. Framing is the solution for transferring a large amount of data in the network, and the memory mapping area for every frame is also fixed. This allows every small frame to be sent and received in parallel, which reduces the negative effect of the parallel characteristic and ensures the certainty of the network.
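As an added example (not code from the paper or from FirmNet), the Python below models the receive-side work of the data mapping control sublayer (Sect. 3.2.1), the rationality check of the MAC data channel sublayer (Sect. 3.2.3) and the fixed framing of Fig. 8: each node's data area is cut into five fixed frames, and a receiver verifies each frame and writes it into the fixed slot of the sender's area, discarding anything that fails. The header layout, payload size, sequence field and CRC-32 are assumptions, not the FirmNet frame format.

```python
"""Fixed framing and memory-mapped update with discard-on-error.

Constructed example, not the FirmNet frame format. Frame layout (assumed):
  node id (1 byte) | frame index (1 byte) | sequence (2 bytes) | payload | CRC-32
"""
import struct
import zlib

PAYLOAD_LEN = 8                 # bytes of node data per frame (assumed)
FRAMES_PER_NODE = 5             # five frames per node data area, as in Fig. 8
HEADER = struct.Struct(">BBH")  # node id, frame index, sequence number
CRC = struct.Struct(">I")       # CRC-32 trailer
AREA_LEN = PAYLOAD_LEN * FRAMES_PER_NODE


def frame_node_data(node_id: int, seq: int, node_data: bytes) -> list:
    """Sender side: split a node's fixed-size data area into fixed frames."""
    if len(node_data) != AREA_LEN:
        raise ValueError("node data area has a fixed size")
    frames = []
    for idx in range(FRAMES_PER_NODE):
        chunk = node_data[idx * PAYLOAD_LEN:(idx + 1) * PAYLOAD_LEN]
        body = HEADER.pack(node_id, idx, seq) + chunk
        frames.append(body + CRC.pack(zlib.crc32(body)))
    return frames


class MappingArea:
    """Receiver side: one fixed data area per node, updated frame by frame."""

    def __init__(self, n_nodes: int):
        self.n_nodes = n_nodes
        self.areas = [bytearray(AREA_LEN) for _ in range(n_nodes)]
        self.seq = [None] * n_nodes
        self.discarded = 0

    def receive(self, frame: bytes) -> bool:
        """Verify length, CRC and field ranges; discard on any failure,
        otherwise copy the payload into the sender's fixed slot."""
        if len(frame) != HEADER.size + PAYLOAD_LEN + CRC.size:
            self.discarded += 1            # wrong length: never parsed
            return False
        body, tail = frame[:-CRC.size], frame[-CRC.size:]
        if zlib.crc32(body) != CRC.unpack(tail)[0]:
            self.discarded += 1            # integrity check failed
            return False
        node_id, idx, seq = HEADER.unpack(body[:HEADER.size])
        if node_id >= self.n_nodes or idx >= FRAMES_PER_NODE:
            self.discarded += 1            # rationality check failed
            return False
        start = idx * PAYLOAD_LEN
        self.areas[node_id][start:start + PAYLOAD_LEN] = body[HEADER.size:]
        self.seq[node_id] = seq
        return True


def demo() -> MappingArea:
    """Constructed run: node 2 broadcasts its area; frame 1 arrives with one
    payload byte corrupted, and frames from a node id outside the network
    (valid CRC, wrong id) are also received."""
    area = MappingArea(n_nodes=4)
    frames = frame_node_data(2, seq=7, node_data=bytes(range(AREA_LEN)))
    frames[1] = frames[1][:6] + bytes([frames[1][6] ^ 0xFF]) + frames[1][7:]
    for frame in frames + frame_node_data(9, 1, bytes(AREA_LEN)):
        area.receive(frame)
    return area


if __name__ == "__main__":
    a = demo()
    print("discarded:", a.discarded, "node 2 area:", bytes(a.areas[2]).hex())
```

Because the slot of every frame is fixed, a discarded frame leaves its slot untouched rather than shifting later data, and the frames of different nodes can be written independently, which is the parallel behaviour Sect. 3.3.6 relies on.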
4 Test and Verification
The proposed safety communication protocol, together with FirmSys, the first safety DCS produced in China with proprietary intellectual property, was simulated with a discrete event-based simulation model. In addition, full-coverage verification of the protocol was performed with a formal verification technique based on model checking, which guarantees the high certainty of the safety protocol. Finally, comprehensive and in-depth practical testing was carried out for more than three years, using the communication network devices of FirmSys to build a fully configured network prototype.
Fig. 9. A configurable network with the proposed protocol.
According to the actual application scenario of the safety communication network in the DCS applied in nuclear power plants, a configurable network was built and tested. As shown in Fig. 9, all nodes are connected in sequence to compose a safety ring network with a configurable number of nodes. At a communication rate of 1 Gbps and with 48 nodes configured, the maximum update time of node data is less than 5.5 ms. The transmission time for a particular application in which ten communication packets must be transmitted was also tested; the result is shown in Fig. 10, where the average update time of node data for transmission through the whole network is around 50 ms. The test results show very little variation between individual transmission times, so the proposed protocol in the test environment ensures the certainty of the safety communication network.
[Fig. 10 plot: transmission time with the designed protocol (ms), 0 to 60 on the vertical axis, measurements 1 to 121 on the horizontal axis; series: Single Transmission and Particular Transmission (10 Packets)]
Fig. 10. A configurable network with the proposed protocol.
5 Conclusion
A safety communication protocol designed for and applied in the DLL of the communication network of a safety DCS is proposed in this research. The certainty of safety communication protocols is discussed, followed by an analysis of the factors influencing the certainty of the protocol, namely the cumulative, discrete and parallel characteristics. After analysing the typical topology and model of the safety network, the solution for a certainty safety communication protocol implemented in the DLL is demonstrated. Finally, the proposed safety communication protocol is verified through simulation and a formal verification technique, and tested in a configured network prototype with 48 communication nodes. The maximum update time of node data is less than 7 ms with the testing prototype, which indicates that the proposed protocol ensures the certainty of the safety communications.
References
1. Yang, Q.: Status and development tactics for key technology of digitized instrument and control system for nuclear power plant. Nucl. Power Eng. 23(2), 4 (2002)
2. Ma, G.-Q., Du, Q.-R., Shi, G.-L., Min, Q., Zhao, Y.: Research on communication protocol technology of advanced nuclear safety instrumentation and control systems. Electron. Instrum. Cust. 20(5), 4 (2013)
3. Westinghouse: AP1000 protection and safety monitoring system architecture technical report. Westinghouse Electric Company LLC, PA (2010)
4. Hashemanian, H., Tipping, P.: Development and application of instrumentation and control (I&C) components in nuclear power plants (NPP), p. 508. Woodhead, Cambridge (2010)
5. IEEE Std 603-2018 (Revision of IEEE Std 603-2009): IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. IEEE
6. Implementing Digital Instrumentation and Control Systems in the Modernization of Nuclear Power Plants. IAEA, US (2011)
7. Kisner, R.A.: Design practices for communications and workstations in highly integrated control rooms. U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Oak Ridge, TN (2009). http://purl.access.gpo.gov/GPO/LPS119853
8. Sun, W.-Q., Yin, B.-J., Zhou, X.-B., Long, W., Zhao, Y.-F.: The key factors influencing the safety network communication protocol. Autom. Panorama 1, 3 (2016)
9. Li, L., Ma, Z.-Y., Zhou, F.: FPGA-based technologies improving the efficiency of point to point communications in safety-related DCSs. In: 25th International Conference on Nuclear Engineering, Shanghai. ASME (2017). https://doi.org/10.1115/icone25-67903
10. Holzmann, G.J.: Design and Validation of Computer Protocols (Prentice-Hall Software Series), xii, 500 pp. Prentice Hall, Englewood Cliffs, NJ (1991)
11. Jiang, G.-J., Li, L., Shi, G.-L., Zhao, Y.: A design of high efficient multipoint communication systems in nuclear safety digital control systems. In: Xu, Y., Chen, W., Liu, Z., Gu, P. (eds.) Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems. Lecture Notes in Electrical Engineering, vol. 455. Springer, Singapore (2018)
12. Dickson, G., Lloyd, A.: Open Systems Interconnection (Prentice Hall Series in Computer and Digital Communications), vii, 483 pp. Prentice Hall, Sydney (1992)
13. IEEE Std 802.17-2011 (Revision of IEEE Std 802.17-2004, as amended by IEEE Std 802.17b-2007 and IEEE Std 802.17c-2010): IEEE Standard for Information technology, Telecommunications and information exchange between systems, Local and metropolitan area networks. IEEE
A Design of FPGA-Based Self-healing System for Communication Networks in Nuclear Safety DCS
Chun-Lei Zhang, Le Li (corresponding author), Kang Cheng, Wen-Yu Yang, and Xing-Xing Sun
China Techenergy Co, Ltd, Beijing, China
[email protected]
Abstract. In a nuclear safety communication system, a communication fault must be detected and handled at the moment it occurs; otherwise it will cause serious harm to the operation of the nuclear power plant. In this paper, an FPGA-based self-healing system applied in safety communication networks is proposed, which isolates the faulty node from the safety communication network and keeps the network operating normally. The fault modes of FirmNet are first analysed, followed by the requirements of the self-healing system. The method of designing the self-healing system is then stated, and the FPGA-based self-healing system is implemented, contributing to the reliability, safety, real-time behaviour, certainty and independence of the safety network. Finally, the FPGA-based system is simulated and verified, which shows that the system behaves as expected.
Keywords: Safety communication, Self-healing, FPGA, Isolation
1 Introduction
By monitoring and controlling the whole operating status of devices in nuclear power plants, instrumentation and control (I&C) systems play a vital role in ensuring the safe, reliable, stable and economical operation of a nuclear power plant. Since third-generation nuclear technology was applied, digital I&C, also known as digital control systems (DCS), has been increasingly used in nuclear power plants to replace systems implemented with analogue circuits [1]. As the nervous system of a DCS, the communication system is responsible for reporting the status and parameters of system operation and for distributing control instructions, and so strongly influences the reliability, safety, real-time behaviour and certainty of the DCS [2]. In early years, communication networks were often implemented with relatively simple, low-speed protocols such as serial RS485 electrical interfaces and
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 226–237, 2020. https://doi.org/10.1007/978-981-15-1876-8_24
CAN fieldbus. With the development of communication technology, safety communication systems have advanced in recent years as ethernet-based technology has been widely applied. In the TXS platform designed by Siemens, the safety communication network uses ethernet technology based on IEEE 802.3 with a communication rate of 10 Mbps. The resilient packet ring (RPR) technology based on IEEE 802.17 is employed for the safety communication network of the MELTEC platform made by Mitsubishi, with a communication rate of 1 Gbps and support for 32 communication nodes [3]. Furthermore, a double ring redundant communication network with a proprietary communication protocol, FirmNet, which supports more communication nodes than MELTEC at a communication rate of 1 Gbps, has been developed as the safety communication network of FirmSys, the first safety DCS produced in China with proprietary intellectual property [2]. In the early application of FirmNet, before fault handling technology was designed, a node that suffered a communication fault could hardly perform its communication function at all. When non-adjacent nodes failed, a network with a number of nodes would be divided into several independent communication islands and the integrity of the network would be lost, causing serious harm to the operation of the nuclear power plant. The study of fault handling technology in safety communication systems is therefore valuable and contributes to the reliability of safety communication systems. In this paper, an FPGA-based self-healing system applied in safety communication networks is proposed, which isolates a faulty node from the safety communication network and keeps the network operating normally. FirmNet is first reviewed, followed by an analysis of the fault modes that occasionally occur in the system.
According to this analysis, the self-healing system is designed with FPGA technology, in which complex logic is executed in parallel to give higher processing speed and efficiency. The newly designed system has been verified in FirmSys and is currently applied in engineering projects.
2 Analysis of the Fault Mode in the FirmNet
2.1 Review of the FirmNet
According to earlier research, FirmNet is used to transfer a large amount of data among the main control stations and maintenance networks in the safety DCS, as shown in Fig. 1 [2]. FirmNet also provides the communication between devices with specific functions, such as safety control display units and gateway units [4].
[Fig. 1 block labels: APC Tr.A, APC Tr.B, GW-L1, PAMS, NC, Safety System Bus (Non-Safety), ISO (isolation devices), DTC Tr.A, DTC Tr.B, RPC CH-I to CH-IV, ESFAC Tr.A, ESFAC Tr.B, Safety Bus Tr.A (Safety), Safety Bus Tr.B (Safety), SCID Tr.A (1~8), SCID Tr.B (1~8), SRC Tr.A Gr.1~3, SRC Tr.A Gr4, SRC Tr.B Gr.1~3, CIC Tr.A Gr.1~3, CIC Tr.B Gr.1~3, CCMS Tr.A, CCMS Tr.B, Class 1E, GW-L2, HM Data Bus (Non-Safety)]
Fig. 1. Architecture of the safety communication system in the FirmSys.
FirmNet transmits data in broadcast mode, which also gives real-time behaviour because sending data depends only on the source node. FirmNet employs the ring topology shown in Fig. 2 and provides redundancy for reliability [2]. In other words, all communication equipment is connected through two counter-rotating, redundant communication links to form a double ring topology, on which the same data is transmitted in both the clockwise and the counter-clockwise direction.
Fig. 2. The topology of the FirmNet.
2.2 Analysis of the Fault Mode
As illustrated in the last section, data frames sent from one node pass through all other nodes and return to the source, so that data can be delivered to all nodes on the ring; FirmNet is an ideal bidirectional closed loop. When a fault occurs in one or more nodes on the ring network, the operation of the network may be affected, which reduces the reliability of the network. The reliability of FirmNet is mainly reflected in the single failure case: when a link is damaged or a node fails, data transmission is still guaranteed.
2.2.1 Single Node Failure
A single network node in FirmNet sends the same data frame simultaneously on Ring 0 and Ring 1, so the data can reach the destination node in both directions. As shown in Fig. 3(a), when the link between node D and node E is damaged, the data sent by node A reaches node E through Ring 0 and node D through Ring 1, so data can still be delivered to all nodes on the ring. In the example of one node failure in Fig. 3(b), node E loses its communication function, but all other nodes can still communicate with each other normally. Although one node in the network is damaged, data communication among the remaining nodes is still completed.
(a) Fault occurring in the link
(b) Fault occurring in the node
Fig. 3. Single node faults.
2.2.2 Multi-node Failure
Compared with single node failure, multi-node failure is more complicated, and each situation must be analysed separately. Adjacent node failure is shown in Fig. 4(a): communication between the other, normal nodes is not affected by the failure. With non-adjacent node failure, shown in Fig. 4(b), the ring network is divided into multiple network islands. Although the nodes within each island can communicate normally, the communication function of the whole ring network is lost; for example, node A cannot communicate with node C or node D through either ring.
Multiple link failures in a single ring are shown in Fig. 4(c); the communication of the entire network is not affected by these failures, and every node can still communicate with all other nodes. Multiple link failures in both rings, shown in Fig. 4(d), divide the entire network into multiple network islands and the function of the ring network is lost.
(a) Adjacent node failure
(c) Multiple link failures in a single ring
(b) Non-adjacent node failure
(d) Multiple link failures in both rings
Fig. 4. Multi-node faults.
2.3 Requirement of Self-healing Systems
After the detailed analysis of the fault modes of FirmNet, the requirements of the self-healing system can be defined, with the aim of reducing the influence of network link or node failure. As analysed in the last section, the fault mode with the greatest influence on communication over the whole ring network is non-adjacent node failure, in which some nodes cannot communicate with others. A mechanism should therefore be designed that isolates the failed node from the network and keeps the other nodes communicating with each other normally and correctly. As required by the related standards and regulations, such as IEC 61513, IEEE 7-4.3.2 and NRC ISG-04, reliability, safety, real-time behaviour, certainty and independence must be considered in the design [5–7]. The basic features of the newly designed system should therefore be fast response and low latency, so that it does not affect the
original communication system and preserves its reliability, real-time behaviour and certainty. In addition, the system should be as simple as possible in design and sufficiently verified, which promotes the safety of the system. Furthermore, the design should provide isolation, which contributes to the independence of the system.
3 Design of a FPGA-Based Self-healing System
3.1 Design of the Self-healing System
3.1.1 Structure of the Network
As discussed in the last chapter, a failure can cause the loss of integrity of the safety ring network, which also prevents some non-faulty nodes from sending and receiving data because they end up in isolated single rings or islands. A self-healing system is designed to ensure that the non-faulty nodes can still send and receive data normally when one or more nodes in the ring network fail. FirmNet with the self-healing system is illustrated in Fig. 5, where the FirmNet communication module is the main component that provides the whole function of FirmNet and the self-healing system is an additional auxiliary system. As shown, the safety communication ring network is built through the self-healing system rather than directly through the FirmNet communication module, which allows the self-healing system to isolate a faulty node from the ring network while forwarding the messages of the non-faulty nodes.
Fig. 5. The FirmNet with the self-healing system.
3.1.2 Working Principle of the Self-healing System
As discussed above, the main function of the self-healing system is to perform communication isolation and handover when a communication node in FirmNet fails. The normal mode of the self-healing system is shown in Fig. 6: the data received from other nodes through the fibre link is processed by the FirmNet communication module of this node. In addition, the FirmNet
communication module works normally and is in charge of sending the processed data to other nodes over the fibre link.
Fig. 6. The self-healing system working at normal mode.
The isolation mode of the self-healing system is shown in Fig. 7: the failed network node is isolated at the moment the node failure occurs. As the data is not reliable at that moment, the FirmNet communication module is isolated from the network by the self-healing system, and the data received from other nodes is forwarded directly to the next node without being processed by the FirmNet communication module.
Fig. 7. The self-healing system working at isolation mode.
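The following Python model is an added example, not code from the paper or from FirmNet. It reproduces the reachability analysis of Sect. 2.2 (Figs. 3 and 4) on the double ring and adds the isolation mode described above as a bypass flag: a failed node's self-healing switch forwards frames to the next node instead of dropping them. Node names A to F are mapped to 0 to 5; the ring orientation and the six-node size are assumptions for the illustration.

```python
"""Double-ring reachability with and without the self-healing bypass.

Constructed model, not FirmNet code. Ring 0 forwards node i to i+1 and
Ring 1 forwards i to i-1 (mod n); a frame is stripped when it returns to
its source. failed_links holds (ring, i): the link leaving node i on that
ring is down. A failed node neither forwards nor receives unless bypass is
set, in which case its self-healing switch forwards frames untouched
(isolation mode) while the node itself still receives nothing.
"""


def reachable(n, src, failed_nodes=frozenset(), failed_links=frozenset(), bypass=False):
    """Set of nodes that receive a frame broadcast by src on either ring."""
    delivered = set()
    for ring, step in ((0, 1), (1, -1)):
        node = src
        while (ring, node) not in failed_links:      # link leaving node is up
            node = (node + step) % n
            if node == src:
                break                                # source node stripping
            if node in failed_nodes:
                if not bypass:
                    break                            # frame lost at the dead node
                continue                             # forwarded by the switch only
            delivered.add(node)
    return delivered


def network_intact(n, failed_nodes=frozenset(), failed_links=frozenset(), bypass=False):
    """True when every healthy node can still reach every other healthy node."""
    healthy = [i for i in range(n) if i not in failed_nodes]
    return all(
        reachable(n, s, failed_nodes, failed_links, bypass) >= set(healthy) - {s}
        for s in healthy
    )


def link_cut(n, a, b):
    """Both directions of the fibre between neighbours a and b = a+1 (mod n)."""
    assert (a + 1) % n == b
    return {(0, a), (1, b)}


def fault_cases(n=6):
    """The cases of Figs. 3 and 4 on a six-node ring (A..F = 0..5), plus the
    non-adjacent case with the self-healing bypass active."""
    return {
        "single link D-E": network_intact(n, failed_links=link_cut(n, 3, 4)),
        "single node E": network_intact(n, failed_nodes={4}),
        "adjacent nodes D,E": network_intact(n, failed_nodes={3, 4}),
        "non-adjacent nodes B,E": network_intact(n, failed_nodes={1, 4}),
        "two links, one ring": network_intact(n, failed_links={(0, 1), (0, 4)}),
        "links in both rings": network_intact(n, failed_links={(0, 1), (1, 4)}),
        "non-adjacent B,E with self-healing": network_intact(n, failed_nodes={1, 4}, bypass=True),
    }


if __name__ == "__main__":
    for case, ok in fault_cases().items():
        print(f"{case:40s} {'intact' if ok else 'islands'}")
```

The only node-failure case that breaks the ring is non-adjacent failure, and it is exactly the case the bypass repairs: with the switch forwarding through the dead nodes, every healthy node again reaches every other one. Cuts in both fibres of the same span (or in both rings) are physical faults that no node-level switch can bridge, which is why the paper scopes the self-healing system to node isolation.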
3.2 Implementation of the Self-healing System on FPGAs
3.2.1 The Advantage of FPGAs
FPGAs are increasingly employed to enhance system efficiency and are a preferred solution for increasing processing speed in the nuclear and other industries [8]. Unlike microprocessor-based systems, FPGAs can directly control cache memory and other functional chips [9]. Logic processes can also be executed in parallel without the resource sharing of a microprocessor-based system, so several tasks are processed at the same time [10]. Furthermore, a pure FPGA-based system runs no operating system, which removes the operating-system software from the attack surface and reduces the chances of the system being compromised or tampered with. As a result, FPGA technology promotes the safety, real-time behaviour and certainty discussed above and increases the reliability of the designed system.
3.2.2 The Design of Logic
The logic block diagram is shown in Fig. 8; the main module of the FPGA is the switch control. The operating status of the communication module is transferred over RS-485 to the local status module in the FPGA, then processed in the self-diagnosis module, which generates the switch signal for the switch control module. According to the switch signal from the self-diagnosis module, the switch control decides whether the local data process module should be connected to the network data process module, as presented in the following section.
Fig. 8. A configurable network with the proposed protocol.
3.2.3 The Data Flow
As discussed in Sect. 3.1, the working principle of the self-healing system shown in Figs. 6 and 7 provides the design method for the self-healing system in the FPGA. The data flows in the two operating modes are illustrated in Fig. 9. As shown in Fig. 9(a), when the communication module works normally, the data on the ring network is transferred to the communication module for normal data processing. If the communication module is abnormal, as shown in Fig. 9(b), the data on the ring network is forwarded directly to the other nodes without any connection to the communication module.
(a) Data flow in the normal mode
(b) Data flow in the isolation mode
Fig. 9. Data flow in two operating modes.
3.2.4 Isolation
Isolation should be designed into the self-healing system to ensure the independence stated in Sect. 2.3. As shown in Fig. 10, two communication nodes are physically separated and electrically isolated, which are the two main methods of isolation. Furthermore, a RAM implemented in the FPGA is used to exchange data between communication nodes, which provides communication isolation.
[Fig. 10 labels: physical separation, electrical isolation, communication isolation]
Fig. 10. Isolation design.
4 Simulation and Verification
4.1 Simulation
According to NUREG-CR-7006, behavioural simulation should be employed when an FPGA is applied in a safety system [11]. The block diagram of the functional simulation is shown in Fig. 11. Two groups of signals, for data verification and control verification, are implemented in the testbench. A group of data generated by the data generator is sent to both the FPGA-based module and the signal checker; the output data is compared with the original data in the signal checker to judge whether the output is correct. In addition, the mode detector checks whether the mode output of the self-healing module is correct when an injected error occurs.
Fig. 11. The block diagram of functional simulation (data generator, error injector, data checker, mode detector and the Verilog code of the self-healing module).
Fig. 12. The verification model for the system.
4.2 Verification
As shown in Fig. 12, a verification model is established based on a designed system that contains three FPGA-based self-healing modules, two computers and a network switch. The switch is used to inject the error signal, which makes the connected self-healing module operate in isolation mode. The other modules, connected to the two computers, work in normal mode, so that PC1 sends messages to the designed test network and PC2 receives messages from the network. In this way, both operating modes of the FPGA-based self-healing module can be tested and verified. As a result, the messages received by PC2 are exactly the same as the messages sent by PC1, which proves that the system operates correctly. The response time of the designed self-healing system is also tested with the verification model. The time from an injected error signal to the triggered isolation signal is measured, as shown in Fig. 13. The average response time is about 40 ns, which is negligible: the newly designed system does not affect the function of the original communication system and adds extremely low latency.
Fig. 13. Response time for the designed self-healing system (ns).
5 Conclusion
The design of an FPGA-based self-healing system for the FirmNet is described, which isolates a faulty node from the ring network and ensures the integrity of the safety ring network at the moment a node failure occurs. In this paper, the fault modes of the FirmNet are first analysed, and the requirements of the self-healing system are then proposed. In addition, the method of designing a self-healing system is stated, and the FPGA-based self-healing system is implemented, contributing to the reliability, safety, real-time behaviour, determinism and independence of the safety network. Finally, the FPGA-based system is simulated and verified, which proves that the system is designed in line with expectations.
References
1. Chen, L.: Basic design criteria of safety DCS system network in nuclear power plant. Autom. Panorama 1, 4 (2013)
2. Jiang, G.-J., Li, L., Shi, G.-L., Zhao, Y.: A design of high efficient multipoint communication systems in nuclear safety digital control systems. In: G. F. Xu Y., Chen W., Liu Z., Gu P. (eds.) Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems. Lecture Notes in Electrical Engineering, vol. 455. Springer, Singapore (2018)
3. Wang, S.-W., Wang, F.-Q., Li, G.-M.: Research and test validation of data bus based on MELTAC-N safety DCS platform. J. Mech. Electric. Eng. 32(1), 5 (2015)
4. Ma, G.-Q., Shi, G.-L., Qi, M., Sun, Y.-B.: Research on communication network FirmNet design technology of nuclear safety level instrument control system. Autom. Panorama 5, 6 (2018)
5. Implementing Digital Instrumentation and Control Systems in the Modernization of Nuclear Power Plants. IAEA (2011)
6. IEEE Std 603-2018 (Revision of IEEE Std 603-2009): IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. IEEE
7. Kisner, R.A.: Design Practices for Communications and Workstations in Highly Integrated Control Rooms. U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Oak Ridge, TN (2009). http://purl.access.gpo.gov/GPO/LPS119853
8. Zhou, A., Wang, J., Qie, Y., Zhi, Y.: Analysis and test of respond time of nuclear power plant digital control system to reactor trip. Nucl. Power Eng. 33(2), 4 (2012)
9. Ranta, J.: The current state of FPGA technology in the nuclear domain. VTT Technical Research, Vuorimiehentie, Finland (2012)
10. Li, L., Ma, Z.-Y., Zhou, F.: FPGA-based technologies improving the efficiency of point to point communications in safety-related DCSs. In: 25th International Conference on Nuclear Engineering, Shanghai. ASME (2017). https://doi.org/10.1115/icone25-67903
11. Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems. U.S. NRC, Washington DC (2009)
A Formal Method for Verifying the Ability of a Protocol to Resist Replay Attacks
Ru-Mei Shi1(&), Yun-Bo Zhang2, Ya-Dong Zhang1, Qiao-Rui Du1, Xiao-Bo Zhou1, and Xian-Zhu Xu1
1 China Techenergy Co., Ltd, Beijing, People's Republic of China
2 Centre for Nuclear and Radiation Safety, Ministry of Ecological Environment, Beijing, People's Republic of China
Abstract. With the wide application of digital control technology in nuclear safety control systems, cyber security has gradually become an important part of system operational security. Replay attacks are a common form of cyber attack; they can bypass software encryption, signatures and other safeguards against information leaks in order to disguise identity or inject information. This paper describes a formal method to verify the ability of a protocol to resist replay attacks. The method analyses the network protocol's communication process, determines the elements of the protocol that resist replay attacks, uses a formal language to establish an attack model for the protocol, traverses all states with a formal tool, checks whether there is a design flaw in the protocol, and demonstrates the process and path of a replay attack so that protocol designers can identify the weaknesses of their defensive measures.
Keywords: Replay attack · Network protocol · Information security · Formal
1 Introduction
Data from RISI (Repository of Security Incidents) show that, in recent years, as nuclear safety control systems have adopted more information technology products, incidents of intrusion into nuclear safety control systems have increased significantly [1]. Insufficient cyber security measures are taken, which provides a channel for hackers to launch malicious attacks [2]. Due to the particularity of the nuclear safety control system, an attack on a nuclear safety system usually has extremely serious consequences [3]. For example, the Stuxnet attack at the Bushehr nuclear power plant in Iran sounded an alarm for our cyber security work. Software vulnerabilities in the system are the main cause of cyber attacks [4]. A replay attack is a common form of cyber attack that uses software vulnerabilities; it can bypass software encryption, information signatures and other safeguards against information leaks, and cause the system to fail. The traditional mechanism of patching after a failure cannot meet the security requirements of important information systems; timely discovery of protocol vulnerabilities, the design of effective defences against protocol weaknesses and a fundamental reduction of information security problems can reduce the security risk of business systems [5]. At present, some researchers focus on the
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 238–247, 2020. https://doi.org/10.1007/978-981-15-1876-8_25
information security problems of the nuclear safety control system, and put forward different measures against replay attacks at the design stage according to the characteristics of their own systems; for example, adding a random number, a time stamp or a serial number, using a one-time password, or combining different methods in the communication protocol [6–9]. Whether a communication protocol can resist replay attacks effectively is not only a concern of the protocol designer, but also of the system manufacturer and operator. It is really necessary to verify the replay attack resistance of a system's network protocol. If we rely on the analysis of one person, that person must have extensive offensive and defensive experience and the analysis must be comprehensive without omitting any process state, which is extremely demanding for practitioners. At present, some evaluation agencies at home and abroad also provide third-party information security evaluation services, mainly for whole systems or complete products. On the one hand, in the field of nuclear safety control, based on security, secrecy and other requirements, a third-party organization is invited to evaluate information security, usually by black-box testing, which requires that the system is operational or that the product is fully implemented and testable [10]. But for system manufacturers, time and economic cost would be reduced if they could verify the effectiveness of defence measures in a timely manner during the system development life cycle. On the other hand, evaluation agencies only provide evaluation services; even if a manufacturer has purchased an information security evaluation platform, it can only obtain verification results for replay attacks.
For the protocol designer, a verification that can show the attack process, that is, which communication step can be attacked, and reveal the weak points of the protocol design is far more helpful [11]. This paper presents a method for verifying the ability of a protocol to resist replay attacks; the method uses a formal tool with precise mathematical analysis and state-search capability. In this method, modelling is based on protocol analysis, and verification is based on the system life cycle; the method can also show the attack process, reveal the weak points of the protocol design and provide more effective verification information for the protocol designer.
2 Overview of Verification Methods
A replay attack means that an attacker intercepts and resends packets that have already been received by the destination host; the attacker can repeatedly, maliciously or fraudulently resend a transmission of once-valid data in order to deceive the system, mainly to disguise identity or authorization and to achieve information injection, traffic attacks and fault attacks [6, 8, 11]. The root cause of a replay attack is that a normal communicator receives data sent by an unexpected communication end and processes the protocol normally. Therefore, as long as a normal communicator can receive and normally process data from an unexpected communication end, a replay attack is possible. When verifying whether the protocol followed by both communicators has the ability to resist replay attacks, this paper uses the formal model checking technique, whose rigorous mathematical basis and suitability for computer processing ensure the objectivity and effectiveness of the analysis, and uses a formal tool to improve the analysis efficiency.
3 Verification Process
This chapter presents the process of verifying the ability to resist replay attacks and describes the key parts of the process in detail. The process is shown in Fig. 1.
Fig. 1. Verification process: analysis of communication protocol; building of communication model; building of attacker model; detection of replay attacks with tool; evaluation conclusion according to detection result.
3.1 Analysis of Communication Protocol
For all interfaces to be verified, the communication protocol used is analysed, the meaning of all protocol fields is clarified, and the rules for checking each field are clarified according to the usage requirements of the protocol; that is, the semantic description of the protocol fields is clarified, and the protocol elements that can resist replay attacks are identified, so as to lay a good foundation for protocol modelling.
3.2 Building of Communication Model
The processing in the protocol communication process is described based on the protocol description, taking the semantics of each field in the protocol as the smallest unit; according to the semantics of each field, the corresponding message data is output. All semantic units are traversed, and the next communication processing action is determined according to the semantic meaning. The model is described in a formal language. Model checking is automatic and efficient, and is used in many fields such as probabilistic systems and quantum systems [12]. In this paper, the Promela language is used to describe the model and the tool Spin is used to verify it. Spin uses Promela as its input language to test the logical consistency of specifications in network protocol design, and mainly verifies whether the information between interfaces interacts correctly rather than the specific calculations within the interaction [13]. Spin is also used by NASA to check rocket control software [14]. In the model, messages are defined as a data structure as follows:
typedef Msg { byte a; byte b; byte c; /* ... one member per protocol field */ }
where a, b, c represent the contents of each field in the protocol (Promela requires a type for each member; byte is used here for illustration, and each field takes the type that fits its width). Message channels (similar to a FIFO, first in, first out) are defined with chan as follows:
chan <name> = [<dim>] of { Msg };
where <name> is the name of the channel and <dim> is the number of messages the channel can hold (225 at most). Each communication entity has two types of channel: a normal message channel and an attacker message channel. A communication entity sends data to the normal communicator and to the attacker at the same time, and receives and processes data from either the normal communicator or the attacker, chosen at random. The normal communication model is described with the primitives message, message channel, send, receive and wait according to the protocol; the attacker model can receive messages from all message channels it has access to and forward any intercepted message to those message channels.
3.3 Building of Attacker Model
Suppose that an attacker has the ability to intercept all data packets of the communicators connected to it and to forward arbitrary packets to those communicators. The intercepted data is saved without any processing and sent to normal communicators at random. The model is described in a formal language.
3.4 Detection with Formal Tools
Input the protocol model and the attacker model described in Promela, express the definition of a replay attack as assertions, search the state space with the tool SPIN, and output the state transition path.
3.5 Verification Conclusion
According to the above attacker model, as long as a request-reply is received after a replay, the attack is successful. Evaluate the protocol's ability to resist replay attacks, point out the specific vulnerabilities in the protocol and provide suggestions for reinforcing the protocol.
4 Application Practice
4.1 Analysis of Communication Protocol
This paper analyses and verifies the communication protocol in an actual control system. The protocol format and control description are as follows: this protocol describes the data communication between an upper computer and a lower computer, mainly the services and protocol of communication. This protocol is a custom network application protocol. The communication process follows a "request-reply" mode (Tables 1 and 2).
Table 1. Custom protocol control structure
a Destination address | b Source address | c Function code | d Serial number | e Application data | f Check code
(a) Destination address: identifies the communication receiver; the receiving end checks the destination address.
(b) Source address: identifies the communication sender. During the communication request phase, the communication connection process is completed through a handshake between the communication sender and receiver. After the communication is established, only the source address information is checked.
(c) Function code: represents the functional meaning of the frame. In the process of data interaction, the interactions of identical (related) data are abstracted for each class and defined as several services, and a combination of some of these services is selected to accomplish a function. In the communication interaction phase, the communication sender and receiver complete the data interaction through request and answer, and communications with different functions are identified through the function code. This section mainly describes all the functional services. The function code is checked by the receiving end each time.
Table 2. Description table of function code
Function | Function code | Service name | Description
Command request | 3 | Parameter setting command request | /
Parameter tuning | 6 | Setting variable | /
Parameter tuning | 7 | Setting variable reply | /
Notification message | 8 | Exception notification | After the requester sends the command request, the responder sends a reply message to indicate that the notification received is exceptional; at this point, the exception code should be checked to confirm the specific exception information
Notification message | 9 | Normal notification | After the requester sends the command request, the responder sends a reply message to indicate that the notification received is normal, and the next step can proceed
Notification message | 10 | Cancellation notification | /
Notification message | 11 | End notification | /
(d) Serial number: represents the serial number of the current frame, incremented by 1 each time. The serial number processing mechanism is:
• The correctness of the serial number is not checked for the connecting command request;
• Each subsequent frame sent by a communicator shall carry the serial number of the previous frame plus 1;
• If the check of a sent frame fails, the B0 function code is returned, and the exception code indicates an error in the serial number;
• If the check of a command request frame or reply frame fails, the command retransmission mechanism is followed;
• If the check of a data frame fails, the packet loss retransmission mechanism is followed.
These are the protocol's replay attack defence elements.
(e) Application data: represents the total number of frames of the current task; some tasks are sent in multiple frames, and the total number of frames is used to identify whether the received task is complete. It is checked by the receiving end.
(f) Check code: checks the correctness of the data packet. It is generated by the sending end and checked by the receiving end. If the check code is incorrect, the packet is discarded.
4.2 Building of a Communication Model
A communication model is built according to the above description and is described with a formal method as in Fig. 2.
4.3 Building of an Attacker Model
The attacker model can receive messages from all message channels that it has access to, and can forward arbitrary intercepted messages to those message channels. It is described in Promela as in Fig. 3.
4.4 Detection with Formal Tools
The search results are shown in Fig. 4; the "errors: 1" in the figure indicates that there are attacks that can be achieved, that is, there are replay attack vulnerabilities in the protocol.
4.5 Display of Attack Process and Verification Conclusion
The model is checked with the tool SPIN; the running results of the attack process are shown in Fig. 5.
Fig. 2. Communication model
According to the above search results, attacks with a difference of 2 or less between serial numbers can be reached; this confirms that this protocol cannot completely resist replay attacks, and the protocol's design for resisting replay attacks, as required by information security, still needs to be improved.
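As an added worked example, not the paper's Promela model or any code from the authors, the following Python re-creates the method of Sects. 3 and 4 as an explicit-state search: a requester/responder model reduced to the serial-number rule of Sect. 4.1(d), the attacker of Sect. 3.3 that stores and re-injects frames, and an exhaustive breadth-first search standing in for Spin's verifier, which reports the shortest trail to an answered replay. The `window` tolerance, the frame bound `max_frames` and all function names are constructed assumptions; the example generalises the page's single result to any tolerance value.

```python
"""Explicit-state replay-attack search for a request-reply protocol.

Added example, not the paper's Promela model: it re-creates in Python what
Sects. 3 and 4 do with Promela/Spin. Constructed assumptions: only field d
(the serial number) is modelled, since replay leaves address, function code
and check code intact; `window` is the number of stale serial numbers the
responder tolerates (a stand-in for the retransmission mechanism, which the
paper does not detail); window 0 is the strict "previous + 1" rule.
"""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class State:
    next_serial: int        # serial number the requester will use next
    last_accepted: int      # highest serial number the responder has answered
    store: FrozenSet[int]   # serial numbers held in the attacker's store
    replay_answered: bool   # assertion flag: the responder answered a replay


@dataclass(frozen=True)
class Step:
    label: str      # human-readable trail line
    serial: int     # serial number carried by the frame
    replay: bool    # True when the frame came from the attacker's store
    accepted: bool  # True when the responder answered it


def responder_accepts(serial: int, last_accepted: int, window: int) -> bool:
    """Serial-number rule of Sect. 4.1(d), plus the constructed tolerance."""
    expected = last_accepted + 1
    return expected - window <= serial <= expected


def successors(s: State, window: int, max_frames: int) -> Iterator[Tuple[Step, State]]:
    """Every transition enabled in `s`, like Spin's process interleaving."""
    # Requester sends a fresh frame; the attacker taps the wire (the frame
    # enters its store) and the responder processes the original copy.
    if s.next_serial <= max_frames:
        serial = s.next_serial
        ok = responder_accepts(serial, s.last_accepted, window)
        yield Step(f"requester sends serial {serial}", serial, False, ok), State(
            serial + 1, max(s.last_accepted, serial) if ok else s.last_accepted,
            s.store | {serial}, s.replay_answered)
    # Attacker injects any stored frame, unmodified (attacker model, Sect. 3.3).
    for serial in sorted(s.store):
        ok = responder_accepts(serial, s.last_accepted, window)
        verdict = "answered" if ok else "discarded"
        yield Step(f"attacker replays serial {serial}: {verdict}", serial, True, ok), State(
            s.next_serial, max(s.last_accepted, serial) if ok else s.last_accepted,
            s.store, s.replay_answered or ok)


def explore(window: int, max_frames: int):
    """Exhaustive breadth-first reachability (the job Spin's verifier does).
    Returns the parent map, in discovery order so the first violating state
    has a shortest trail, and every (state, step) in which a replay was answered."""
    start = State(1, 0, frozenset(), False)
    parent = {start: None}
    queue = deque([start])
    answered_replays = []
    while queue:
        s = queue.popleft()
        for step, nxt in successors(s, window, max_frames):
            if step.replay and step.accepted:
                answered_replays.append((s, step))
            if nxt not in parent:
                parent[nxt] = (step, s)
                queue.append(nxt)
    return parent, answered_replays


def find_replay_path(window: int, max_frames: int = 4) -> Optional[List[str]]:
    """Shortest trail ending in an answered replay (Spin's "errors: 1" and its
    .trail file), or None when the assertion holds in every reachable state."""
    parent, _ = explore(window, max_frames)
    s = next((st for st in parent if st.replay_answered), None)
    if s is None:
        return None
    trail = []
    while parent[s] is not None:
        step, s = parent[s]
        trail.append(step.label)
    return trail[::-1]


def accepted_replay_gaps(window: int, max_frames: int = 4) -> List[int]:
    """Distinct distances (expected serial minus replayed serial) at which a
    replay was answered; the paper reports distances of 2 or less."""
    _, replays = explore(window, max_frames)
    return sorted({s.last_accepted + 1 - step.serial for s, step in replays})


if __name__ == "__main__":
    for w in (0, 2):
        trail = find_replay_path(w)
        print(f"window={w}:", "assertion holds" if trail is None else "errors: 1", trail or "")
```

With window 0 the search exhausts the state space without a violation, and with window 2 it returns the two-step trail in which the attacker's copy of frame 1 is answered after the original, mirroring the "errors: 1" result of Fig. 4.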
Fig. 3. Attacker model
Fig. 4. Detection results
Fig. 5. Attack process
5 Conclusions
This paper introduces a formal method for verifying the ability of a protocol to resist replay attacks; the method presents verification procedures and modelling methods, can present the processing and influence of communication under replay attack more reliably and objectively through formal description, and improves efficiency with formal tools. The verification method in this paper can help to judge the rationality of a protocol design at the early stages of system design; it can also provide the necessary basis and direction for improvement in the process of system upgrading and rebuilding.
Acknowledgement. The authors would like to thank all the members of the information security research team. Thanks for the support of China Techenergy Co., Ltd.
References
1. Pietre-Cambacedes, L., Quinn, E.L., Hardin, L.: Cyber security of nuclear instrumentation & control systems: overview of the IEC standardization activities. IFAC Proc. 46(9), 2156–2160 (2013)
2. Jaegu, S., Jungwoon, L., Geeyong, P., et al.: An analysis of technical security control requirements for digital I&C systems in nuclear power plants. Nucl. Eng. Technol. 45(5), 637–652 (2013)
3. Piggin, R.S.H.: Development of industrial cyber security standards: IEC 62443 for SCADA and industrial control system security. In: Conference on Control & Automation: Uniting Problems & Solutions. IET (2013)
4. Jia-fen, L., Ming-tian, Z.: Research on classification of security protocol replay attack. Comput. Appl. Res. 24(3), 135–139 (2007)
5. Bin-bin, X., Yu-ming, X.: A replay attack resistance scheme based on double authentication. Comput. Eng. 24(3), 135–139 (2007)
6. Zheng-fei, X., Yong-mao, L.: A Way to Prevent Replay Attacks: CN (2006)
7. Zheng-cai, W., Shi-ping, Y.: Research on the design principle and method of authentication protocol against replay attacks. Comput. Eng. Des. 29(20) (2008)
8. Lei, M., Wei, Z., Xin-qin, X.: Network security protection of instrument and control system of nuclear power. Inf. Secur. Technol. 7(6), 40–43 (2016)
9. Chang-yu, M., Tao, B., Yi-qin, X., et al.: Research on information security technology of product research and development of digital instrument and control system DCS of nuclear power plants. Electron. Instrum. Cust. (12), 96–100 (2017)
10. Yong-sheng, S., Wei, W., Shan-shan, H.: Research on penetration test method of nuclear instrument and control system based on Kali-Linux. Inf. Comput. 7, 202–204 (2018)
11. An-hong, X., Da-wei, Y., Hui, Z., et al.: Information security protection in the research and development of DCS system of nuclear power plants. Mecha. Des. Manuf. Eng. 47(11), 87–90 (2018)
12. Yan, F.: Research on Formal Modeling and Model Testing Method of Operation Control System of Rail Transit Train. Dissertation, Beijing Jiaotong University (2006)
13. Gang, G., Hua-mao, T., Luo, Y.: Formal modeling of product functions based on semantics. Comput. Integr. Manuf. Syst. 17(6), 1171–1177 (2011)
14. Yi-dan, S., Gui, L.: Discussion on formal modeling of cyber attack. Comput. Eng. Appl. 40(23), 135–136 (2004)
Design and Analysis of Safety DCS Cabinet for Small Marine Reactor Based on the FirmSys
Zhao-Feng Liu(&), Zhi-Rui Jiang, Xin Zuo, Wei Chen, and Zhao-Long Li
China Techenergy Co., Ltd, Beijing 100094, China
Abstract. FirmSys is the first independently developed nuclear Digital Control System (DCS) platform of China and has been widely used in many domestic units in service. To meet new requirements such as stricter ingress protection and a new mechanical environment when applying FirmSys to the Small Marine Reactor (SMR) DCS, custom development of the cabinet is needed. Firstly, we analysed the new requirements of the SMR and identified the technical difficulties of custom product development. Secondly, in order to meet the requirements of the new mechanical environment such as shock resistance, we mastered SMR DCS cabinet shock resistance design and analysis technologies by studying shock isolation design methods, and creatively realized a double shock isolation design for the SMR DCS cabinet. Finally, for ingress protection increased to IP44, we studied the design of the airway and optimized the fan unit to meet the performance requirements of heat dissipation and higher ingress protection, thus realizing a highly sealed "chimney effect" heat dissipation design. The cabinet with the above design has successfully passed all test validations and meets the mechanical environment requirements of the SMR DCS. The cabinet product for the SMR based on FirmSys has a shock isolation efficiency of up to 90%, reaching the international advanced level. It lays a solid foundation for the application of FirmSys in SMR DCS and has good application and popularization value in shipbuilding and other related industries.
Keywords: SMR · DCS · Shock resistant cabinet · Double shock resistance
1 Introduction
FirmSys is the first independently developed nuclear DCS platform of China, and has been widely used in the modification of in-service units and the construction of new units in China, e.g. Units 5 & 6 of Yangjiang NPP, Units 5 & 6 of Hongyanhe NPP, Units 5 & 6 of Tianwan NPP and the High Temperature Gas Cooled Reactor NPP Demonstration Project, covering applications from the second to the fourth generation of nuclear power technology. With the development of nuclear power in the world, more and more countries are beginning to pay attention to the application of SMRs. China is currently making efforts to apply small reactors to offshore nuclear power platforms, which can provide safe and effective energy for offshore oil exploitation and
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 248–257, 2020. https://doi.org/10.1007/978-981-15-1876-8_26
remote islands. A safety DCS protection system for the SMR is being developed based on FirmSys. The SMR DCS cabinet should meet the relevant standards of both nuclear power and ship engineering.
2 SMR DCS Cabinet Demand Analysis
To meet new requirements such as stricter ingress protection and a new mechanical environment when applying FirmSys to the Small Marine Reactor (SMR) DCS, custom development of the cabinet is needed. Due to the small installation space for the SMR DCS cabinet, a 600*600*1600 mm cabinet is to be developed; this involves low technical difficulty, and the designers need only carry out the development as required. The mechanical environment for the SMR is mainly determined with reference to Environmental Condition for Machinery Products—Ocean (GB 14092.4-2009) and GJB150.18A-2009, with the main mechanical environment requirements being shock, vibration, inclination and swing, lateral acceleration, etc. The vibration environment has already been considered in the FirmSys design and meets the requirement of the SMR DCS. As for inclination and swing, for a DCS mainly the installation and reservation of cables and the strength check of loaded bolts at an inclination angle are to be considered; again the designers need only carry out the development as required. The SMR DCS cabinet requires a protection level of IP44; there is no existing FirmSys cabinet product at this level, and additionally the heat dissipation performance must be assured. Emphatic design and analysis are required to determine whether the original cabinet heat dissipation is appropriate. The shock requirement for the DCS cabinet is changed greatly for FirmSys; this performance requirement has not been considered for existing FirmSys cabinet products, and emphatic design and analysis are required. According to the above analysis, the development of the SMR DCS cabinet requires emphatic reference to GB 14092.4 and GJB150.30, giving consideration to the shock requirement and the heat dissipation requirement.
3 Key Design Difficulties of SMR DCS Cabinet
To meet new requirements such as stricter ingress protection and a new mechanical environment when applying FirmSys to the Small Marine Reactor (SMR) DCS, the key difficulties are the shock resistance and the balance between IP protection and heat dissipation capability.
3.1 Shock Resistance Design and Input Requirement
The shock resistance design and its input requirement are outlined below.
3.1.1 Shock Resistance Design Requirement
Shock is a transient excitation ranging from medium to high frequency, and mainly features high acceleration and short action time. The energy of shock vibration is mainly concentrated in the medium and high frequency sections [1].
1. When selecting the shock resistance of an equipment shock absorber, its isolation effect in the medium and high frequency sections is mostly considered. The shock isolation system frequency is designed in the low frequency zone, generally at 3–8 Hz, so that the exciting frequency does not coincide with the natural frequency.
2. In regard to shock resistance, the higher the damping ratio, the lower the damped natural frequency of the isolation system, the lower the shock transmissibility, and the higher the shock isolation performance.
3. When the input is a wide-band random vibration excitation, the response is a random vibration in amplitude, with a frequency equivalent to the natural frequency of the isolation system.
3.1.2 Shock Input Requirement
According to GB 14092.4 [2], the shock requirements are as follows:
1. Shock response spectrum pattern: half sine wave;
2. Peak acceleration: 50 g; duration: 11 ms.
According to the ship equipment shock test in GJB150.30 [3], a single cabinet in a safety DCS system is estimated at 0.9–1.4 t. With a medium-sized shock machine, the maximum shock acceleration will be 290 g and the duration 2 ms, according to a testing organization. A comparison shows that the shock acceleration in GJB150.30 is higher than that in GB 14092.4. Therefore, the cabinet for the SMR is designed in accordance with the test standard in GJB150.30 to meet the requirements.
3.2 IP Protection and Heat Dissipation Requirement
The balance between IP protection and heat dissipation is outlined below.
3.2.1 IP Protection Design Requirement
The SMR DCS cabinet is required to meet IP44. According to the definitions in GB/T 4208-2017 [4] and IEC 60529:2013 [5], Degrees of Protection Provided by Enclosures, the cabinet must be able to prevent the ingress of solid foreign objects with a diameter of 1.0 mm or more, and prevent the ingress of water, or harmful effects on electrical equipment caused by the ingress of water. This requires good sealing performance in the structure to prevent the ingress of solid foreign objects with a diameter of 1.0 mm or more.
3.2.2 Heat Dissipation Requirement
Generally, heat dissipation can be designed in two modes, i.e. natural convection and forced air cooling. The power consumption of a single cabinet of the SMR safety DCS based on FirmSys is about 300 W. Under the IP44 protection condition, the air flows very
slowly, so heat dissipation by natural convection is impossible, and forced air cooling must be used.
3.2.3 Design Difficulty in Meeting Both IP Protection and Heat Dissipation Requirements
In the design of the heat dissipation channel, an air inlet and an air outlet are necessary, and both require smooth air flow to carry the heat away from the electrical equipment quickly; but sealing is also required to meet IP44. This is contradictory in nature and constitutes a difficulty in meeting both the IP protection and the heat dissipation design requirements, which must be solved with emphasis during cabinet development.
4 Solutions to Key Design Difficulties of SMR DCS Cabinet
During the development of the SMR DCS cabinet, we mastered the design and analysis technologies of shock resistance, protection and heat dissipation for the SMR DCS cabinet by studying the design methods of shock isolation, protection and heat dissipation, and worked out solutions to the key difficulties identified above on the basis of these technologies.
4.1 Shock Resistance Design Scheme
The shock resistance design scheme is outlined below.
4.1.1 Shock Resistance System Design
The theoretical model of the shock resistant cabinet can be simplified as a single-mass system with springs of certain damping and stiffness (as shown in Fig. 1) to determine appropriate frequencies for the shock resistance system and the shock isolators. According to calculation, the design frequency K2 of the shock resistance system is 4 Hz, and K1 is higher than 8 Hz, so the shock resistance performance can be assured.
Fig. 1. Theoretical model of double shock resistance
252
Z.-F. Liu et al.
4.1.2 Shock Resistance Detail Design
The detailed design of the cabinet is carried out according to the known design dimensions of the cabinet, its frequency characteristics and the shock resistance design rules.
1. Layout of shock isolators. There are 9 custom-developed wire rope shock isolators under the cabinet and 2 custom-developed wire rope shock isolators on its back (as shown in Fig. 2), fixed to the building or the ship body respectively; in addition, there are 8 custom-developed wire rope shock isolators in the frame of the cabinet.
Fig. 2. Layout of shock isolators for SMR cabinet
2. Shock isolator design. Since the energy of a shock is concentrated mainly in the medium and high frequency bands, the natural frequency of the shock isolators is placed at a low frequency to obtain better shock isolation: the design frequency of the external shock isolators is 4 Hz, and the design frequency of the internal shock isolators is higher than 8 Hz. With double shock isolation, the isolated frequency range is wider [6].
3. Cabinet design. To prevent the cabinet from being affected by amplification at the natural frequency of the shock isolators, the design natural frequency of the cabinet without shock isolators is generally 1.5-4 times higher than the natural frequency of the shock isolators. With the above design, the shock resistance performance of the system can be assured.
4. Shock resistance analysis. A finite element model for the cabinet analysis is established on the basis of the 3D model of the cabinet [7], as shown in Fig. 3.
Fig. 3. Finite element model diagram of SMR cabinet
According to the finite element simulation of shock resistance under the shock load, all structural stresses are below the yield stress, and the frequency and transmissibility are within the design indices, so the shock resistance design requirement is met [8, 9].
Fig. 4. Finite element model diagram of SMR cabinet
5. Shock test verification. The SMR safety DCS cabinet successfully passed a test carried out in accordance with GJB150.30: the communication of the equipment under test functioned normally, the shock isolators were undamaged, and the double shock isolation efficiency reached 90% as calculated from the data of the test sensors (Fig. 4).
4.2 Design Schemes of Heat Dissipation and IP Protection
4.2.1 Airway Design
Taking both the IP44 protection requirement and the heat dissipation requirement into account, the air inlet is placed at the bottom of the cabinet. Air enters from the bottom of the cabinet, flows upward, and exits through the outlet of the fan assembly in the back door. If the 19” equipment has a high power consumption, a 1U fan unit can be installed under the 19” cabinet equipment. See Fig. 5 for the airway design diagram.
Fig. 5. Diagram of airway
4.2.2 IP Protection Design
Cabinet protection is mainly required at the joint between the cabinet side panel and the frame, at the vent holes in the cabinet doors, and at the contact surface between the cabinet door and the door frame, all of which are important for waterproofing and dustproofing. The cabinet design waterproofs the joints at the doors, side panels and frames with water shielding strips. See Fig. 6 for the protection design.
Fig. 6. Ingress protection schematic diagram
The fan unit is connected by top and bottom cover plates, and the connections are sealed with a waterproof ring and a sealing strip. See Fig. 7 for the structural design.
Fig. 7. 3D diagram of fan unit
4.2.3 Heat Dissipation Analysis
A thermal simulation model of the cabinet is established in thermal analysis software, and a thermal simulation analysis and calculation are carried out for the equipment in the cabinet based on its power consumption. See Fig. 8 for the model and the analysis result.
Fig. 8. Thermal analysis model and result of cabinet
According to the simulation calculation, at an ambient temperature of 45°, the temperature rise in the cabinet is less than 15°, meeting the heat dissipation requirement.
4.2.4 Prototype Verification
The cabinet successfully passed the IP protection test and the prototype long-term operation test, with the temperature rise in the cabinet less than 15° and the waterproofing and dustproofing meeting requirements. Comparing the thermal analysis with the test results, the highly sealed “chimney effect” heat dissipation design for the SMR has a heat dissipation efficiency 30% higher than that of the existing FirmSys cabinet, and ensures that the cabinet meets both the heat dissipation requirement and the IP44 protection requirement.
5 Conclusions
On the basis of sufficient design analysis and verification, the development of the FirmSys-based SMR DCS cabinet has been successfully completed, with the following conclusions:
1. We mastered the shock resistance design and analysis technologies for marine cabinets through repeated design iterations based on finite element simulation analysis, achieving a breakthrough in shock design technology.
2. We created a double shock-resistant cabinet design with a shock isolation efficiency of up to 90%, reaching a domestically advanced level; it has a wide application scope and value for wider adoption, and lays a solid foundation for the application of FirmSys in SMR DCS.
3. We realized a highly sealed “chimney effect” heat dissipation design with a heat dissipation efficiency 30% higher than that of the existing FirmSys cabinet, while the protection degree is raised to IP44.
4. The development of the FirmSys-based SMR safety DCS cabinet has been successfully completed, with indices meeting marine requirements. One principle prototype has been delivered to the marine system of an organization.
Acknowledgement. We would like to express our gratitude to the leaders of the company for their support and guidance during the development of the product, which ensured the correct direction of the project, and to our colleagues in the FirmSys product development team for their hard work during the development and their contribution to the success of the project.
References
1. Xiu-ying, H., et al.: Research on high shock test and shock resistance design for ship electronic devices. Equip. Environ. Eng. 4(5), 40–43 (2007)
2. GB/T 14092.4: Environmental condition for machinery products - Ocean [S] (2009)
3. GJB150.30: Laboratory environmental test methods for military materiel, Part 30: Ship shock test [S] (1986)
4. GB/T 4208: Degree of protection provided by enclosures (IP Code) [S] (2017)
5. IEC 60529: Degree of protection provided by enclosures (IP Code) [S] (2013)
6. Li-hong, S., Wei, Z., et al.: Application of wire rope shock isolator in vibration and shock isolation design for large mechanical equipment. Vib. Shock 26(4), 78–81 (2006)
7. Zhao-feng, L., Wei, C., et al.: Anti-shock analysis technology for nuclear power DCS cabinet. J. Shanghai Jiao Tong Univ. 52(sup.1), 5–9 (2018)
8. Jian-guo, N., Wei-dong, S., et al.: Response and protection of material and structure under shock load. Chinese J. Solid Mech. 31(5), 22–27 (2010)
9. Jiang, N.-B., et al.: Research on time history input method for seismic analysis of reactor coolant system. Nucl. Power Eng., 60–69 (2006)
The Design of Safety Control Display Device of Small Modular Offshore Floating Reactor Protection System Based on FirmSys
Chun-Lei Zhang, Yu-Nan Fan(&), Xin Zuo, Ji-Kun Wang, and Yi-Qin Xie
China Techenergy Co., Ltd, Beijing, China
Abstract. The small modular offshore floating reactor is a small transportable nuclear power station that combines a small nuclear power station with ship engineering. It can be used in marine petroleum exploitation and can provide a safe and effective energy supply for remote islands. The small modular offshore floating reactor will also be available for high-power ships as well as seawater desalination. The nuclear reactor protection system is of great importance to the reliability and safety of a nuclear power station. As the system that connects and exchanges information between humans and devices, the safety control display device is an important component of the nuclear reactor protection system. In this paper, a new design of safety control display device applied in the small modular offshore floating reactor is introduced. The new device consists of a touch screen and a customized keyboard that incorporates the characteristics of devices used on marine ships. The newly designed device features fast operation, protection against misuse and versatility, which is a breakthrough innovation in the ship and nuclear power industries. This design can be extended to the safety display systems of marine ships.
Keywords: Reactor protection system · Customized keyboard · Safety control display device
1 Introduction
The small modular offshore floating reactor is a small transportable nuclear power station that combines a small land-based nuclear power station with ship engineering, meeting the highest demands of nuclear safety and of ocean users. The nuclear reactor protection system (RPS) is of great importance to the reliability and safety of a nuclear power station. The RPS is an important component for the safety of the reactor, since it monitors the important parameters related to reactor safety [1]. When a parameter exceeds the preset value determined by the safety analysis, the RPS automatically triggers reactor shutdown or engineered safety features actuation, which limits the occurrence of severe accidents and mitigates their consequences, protects the safety of the reactor, equipment and personnel, and minimizes radioactive releases to the site or the wider environment.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 258–267, 2020. https://doi.org/10.1007/978-981-15-1876-8_27
The Design of Safety Control Display Device of Small Modular
259
The safety control display device monitors the important parameters related to reactor safety and assists operators in monitoring parameters and controlling equipment. Most land-based nuclear plants use a touch screen for the safety control display. Owing to the swaying environment, narrow space and risk of misoperation on a ship, a customized keyboard is widely used in shipboard information interaction equipment, since it effectively reduces the misoperation caused by ship swaying and leaning. However, such keyboards are complicated, large and complex to operate, and key utilization is low. Existing technology therefore cannot meet the requirements for the safety control display of the small modular offshore floating reactor. Based on the existing safety control display device of land-based nuclear power plants, combined with the characteristics of marine ships, this paper proposes a dedicated safety control display device for the ocean environment, which is safe and reliable, fast to operate, resistant to misoperation and highly versatile.
2 Application Status of Safety Control Display Devices
The safety control display device of a nuclear power station is mostly operated by touch screen, and a few use a computer keyboard. The keyboard of the safety display system in the FangFu nuclear power plant, which is similar to a general-purpose computer keyboard, is shown in Fig. 1.
Fig. 1. The keyboard for safety display system in FangFu nuclear power plant
At the current stage, the electronic information platform used in the marine industry is the multi-function display console, which provides data processing, network communication, comprehensive display and human-computer interaction capability [2]. The multi-function display console is the key and core device that implements a fully distributed system. At present, the interactive devices normally used with a graphical user interface, such as keyboard and mouse, are still employed in military marine electronic information equipment [3]. In addition to the basic input devices configured in the multi-function display console, such as universal keyboards and trackballs, at least one software-programmable keyboard should be
C.-L. Zhang et al.
configured in the multi-function display console, where the functional keys differ in order to achieve different functions. Because of the different functions to be achieved, most multi-function display consoles made by international manufacturers do not employ dedicated switch buttons, but programmable touch keyboards instead.
3 Requirement Analysis of the Safety Control Display Device
The requirements for the safety control display applied in the small modular offshore floating reactor have two parts:
1. General requirements. The parameter display function of the safety system, the system-level block/reset function of the safety system, and the control function for safety system equipment such as safety injection pumps, charging pumps, etc.
PAMS parameter display function: display the parameters of the safety DCS system. According to IEEE-497-2017 [6], the post-accident monitoring variables that belong to Class 1 and Class 2 are shown on safety equipment.
Application mode management function: implement application mode management for the different positions. The SCIDs are commonly mounted on the OWP, BUP and COWP according to the functions they perform. The typical application architecture of the SCIDs in the YangJiang56 nuclear power plant is shown in Fig. 2 [4].
[Fig. 2 residue: panels OWP (NI), OWP (CI), OWP (US), OWP (SE), RSS A, RSS B, BUP-Tr.A and BUP-Tr.B, each with NC-VDU and SCID A1–A8 / B1–B8 positions; Safety VDUs for NI and for CI; analog measurement displays, binary signaling displays, analog and binary actuators; alarm tiles]
Fig. 2. Application Architecture of SCIDs in YangJiang56 nuclear power plant
2. Custom requirements. Instead of a touch screen, a customized keyboard is used together with the screen display to complete process system navigation, device navigation and equipment operation [5].
Mechanical environment: in addition to meeting the mechanical environment requirements of nuclear power plants, the device must also meet the requirements of the ship industry for shock, vibration, incline and swing.
Electromagnetic compatibility (EMC) should comply with RG1.180 [8] and IEC 60533 [6] to meet the requirements for equipment in the general distribution area, and also comply with the “Guidelines for Type Approval Test of Electric and Electronic Products” GD22-2015 published by the China Classification Society to meet the requirements for EMC testing of automation systems.
Other: safety class keyboard, dust prevention and waterproofing, flame retardance.
4 Safety Control Display Project Design
Because of the rolling motion and the risk of misoperation in the marine environment, the safety control display device used in typical nuclear power plants cannot meet the requirements. Therefore, a customized keyboard is adopted instead of the touch screen to protect effectively against misoperation in the shaking environment. The safety control display device has different requirements in different location modes. For the OWP, the safety control display device implements device operation, monitoring and PAMS parameter monitoring. For the BUP, it implements PAMS parameter monitoring only. The design of the safety control display device is split into two parts: the safety control display screen (SCID) and the customized keyboard. Where only the parameter monitoring function is needed, only the SCID is installed, to save space. The customized keyboard cooperates with the SCID to achieve all functions of the safety control display system: the SCID is used as a display screen, and all operations are performed on the customized keyboard.
5 Safety Control Display Screen Design
5.1 Main Function Design
The SCID has three main functions:
1. Process system navigation: navigation among the process systems.
2. Device navigation: navigation to the equipment control pages.
3. Equipment operation: control and monitoring of equipment, and display of the parameters of the safety system.
5.2 Man-Machine Interface Design
The SCID has different screen pages for different levels of functionality, comprising five page types (Figs. 3, 4, 5, 6 and 7):
1. Initial page: the page shown when the SCID starts up.
2. System menu page: the page used for selecting a system. Each button represents a system; pressing a button enters the device menu page.
Fig. 3. System menu page
3. Device menu page: the device menu page is the submenu of the system menu page. Pressing a device button on the device menu page pops up the device operation page. Each button displays the key value that matches the corresponding key on the customized keyboard.
Fig. 4. Equipment page
4. Equipment page and PAMS parameter monitoring page: the equipment page displays the device operation panels and provides device operation and monitoring; the PAMS parameter monitoring pages provide monitoring of the parameters of the safety DCS system.
[Fig. 5 residue: dimension annotations of the page layout]
Fig. 5. Equipment page and PAMS page
5. Periodical testing page: provides the user with the periodical testing page.
Fig. 6. Test page
Every system page has five areas, divided according to function, and all pages adopt a uniform interface display style.
[Fig. 7 residue: title area, mode display area, status display area, operating and display area, navigation button area]
Fig. 7. Screen layout
• Title area
• Operating and display area
• Mode display area
• Navigation button area
• Status display area
The positions of the five areas remain fixed when switching between pages.
6 Customized Keyboard Design
6.1 Design Features
The key value of each SCID button is set with the maintenance software tools and bound to a key of the customized keyboard. The customized keyboard can cooperate with the SCID to achieve all functions of the safety control display system without using the touch screen. The design features of the customized keyboard are listed below.
1. Compact: without impairing the function of the customized keyboard, the number of keys should be minimized as far as possible and the utilization of each key improved. In compliance with human factors engineering, the size of the keyboard and of the keys should be minimized to save space.
2. Quick positioning: from the human factors viewpoint, locating a device for operation should not take more than three steps.
3. Protection against misoperation: to avoid misoperation, action keys require a second confirming operation. When multiple keys are pressed at the same time, none of the keys responds.
4. Personalized customization: the marking of a key can be personalized by users to fit the context displayed on the screen, which helps in navigating to the specific system.
5. Versatility: considering the possibility of process system changes, the marking of a key can be personalized, and the corresponding key value on the screen can also be modified by configuration.
6. Compatibility: the keyboard should be compatible with the operating style of the SCID touch screen. The frame and panel reuse the existing style as far as possible, reducing the product development workload. The design lets users quickly learn how to operate the device and quickly set up the corresponding equipment, improving the speed and convenience of input operations.
6.2 Keys Design
Taking into account rapid positioning of specific equipment and prevention of misoperation, the type adjustment key and the device adjustment key do not require a secondary confirmation operation, whereas switch keys do. The design of the customized keyboard is shown in Fig. 8.
[Fig. 8 residue: key areas SYSTEM, SYSTEM NAVIGATION (A1–H1, A2–H2), DEVICE NAVIGATION (A3–H5, A6–E7, SPARE), PANEL OPERATION COMMAND (PANEL1/2/3 ACTIVE, PREVIOUS PAGE, NEXT PAGE, F1 /CLOSE, F2, F3 /OPEN, F4, F5 M/A, F6 EX/IN, SV, MV, PAMS, TEST, FAST/SLOW, EXECUTE, SYSTEM STATUS), SYSTEM MENU, SPARE OPERATE MENU, and POWER/COM indicator lights]
Fig. 8. Customized keyboard design drawing
1. System area: used to select the system pages. The system keyboard area has seven system navigation keys, which are the same as the system navigation keys of the SCID.
2. System navigation area: used to complete process system navigation. The process system navigation keys are the same as the buttons of the system menu page. Whatever page is currently shown, when a system navigation key is pressed the SCID immediately pops up the device menu page of that system.
3. Device navigation area: used to complete device navigation. When a key in the device navigation area is pressed, the corresponding device page is displayed.
4. Panel operation command area: used to complete device operations such as open, close, block, reset and adjust.
5. Keyboard lights: the power light, the communication light and a reserved light of the keyboard.
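As an added illustration of the behaviour described in Sects. 5.2, 6.1 and 6.2 (this is example code, not the FirmSys or SCID implementation), the Python block below models the page hierarchy and the keyboard interlocks: a system navigation key opens that system's device menu from any page, a device navigation key opens the equipment page, adjustment keys act immediately, switch keys such as OPEN and CLOSE wait for a second EXECUTE press, and a scan in which more than one key is down is ignored and clears any pending command. The system names, device tags, key labels and the key-to-button binding tables are constructed stand-ins for what the maintenance tool would configure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed binding tables standing in for the key values that the
# maintenance tool assigns to SCID buttons (Sect. 6.1). All labels are invented.
SYSTEM_KEYS: Dict[str, str] = {"A1": "SYS-A", "B1": "SYS-B"}
DEVICE_KEYS: Dict[str, Dict[str, str]] = {
    "SYS-A": {"A3": "SYS-A-PUMP-1", "B3": "SYS-A-VALVE-1"},
    "SYS-B": {"A3": "SYS-B-PUMP-1"},
}
SWITCH_KEYS: Dict[str, str] = {"F3": "OPEN", "F1": "CLOSE"}             # need a second confirmation
ADJUST_KEYS: Dict[str, str] = {"FAST/SLOW": "ADJUST_RATE", "SV": "SETPOINT"}  # act at once


@dataclass
class ScidModel:
    page: str = "INITIAL"
    system: Optional[str] = None
    device: Optional[str] = None
    pending: Optional[str] = None                      # switch command waiting for EXECUTE
    issued: List[str] = field(default_factory=list)    # commands actually sent to a device

    def scan(self, keys_down: Set[str]) -> str:
        """Process one keyboard scan; keys_down is the set of keys currently pressed."""
        if len(keys_down) != 1:
            # Two or more keys at once: no key responds (Sect. 6.1, item 3);
            # a half-entered switch command is dropped rather than left armed.
            self.pending = None
            return "ignored"
        key = next(iter(keys_down))
        if key in SYSTEM_KEYS:
            # System navigation works from any page (Sect. 6.2, area 2).
            self.system, self.device, self.pending = SYSTEM_KEYS[key], None, None
            self.page = "DEVICE_MENU"
            return self.page
        if self.system is not None and key in DEVICE_KEYS[self.system]:
            self.device, self.pending = DEVICE_KEYS[self.system][key], None
            self.page = "EQUIPMENT"
            return self.page
        if self.page != "EQUIPMENT":
            return "ignored"                           # operation keys only act on a device page
        if key in ADJUST_KEYS:
            self.issued.append(f"{self.device}:{ADJUST_KEYS[key]}")
            return "executed"
        if key in SWITCH_KEYS:
            self.pending = SWITCH_KEYS[key]            # arm the command, do not act yet
            return "confirm"
        if key == "EXECUTE" and self.pending is not None:
            self.issued.append(f"{self.device}:{self.pending}")
            self.pending = None
            return "executed"
        self.pending = None                            # any other key cancels an armed command
        return "ignored"


def run_scans(model: ScidModel, scans: List[Set[str]]) -> List[str]:
    """Feed a sequence of keyboard scans to the model and return the outcome of each."""
    return [model.scan(keys) for keys in scans]


if __name__ == "__main__":
    m = ScidModel()
    # Three presses reach and arm a command (quick positioning); the fourth confirms it.
    print(run_scans(m, [{"A1"}, {"A3"}, {"F3"}, {"EXECUTE"}]))
    print(m.issued)
```

The model keeps the two safety properties of Sect. 6.1 explicit: a switch command can only reach a device through the `confirm` then `executed` pair, and any simultaneous press not only fails to act but also disarms a command that was already waiting for confirmation.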
7 Design Verification
The scheme was verified and passed in factory testing, with a verification scope comprising T1 (tests implemented with a portable signal generator injecting the signals), T2 (tests performed with the FirmSys maintenance tools) and T3 (tests implemented with the SCID or a testing panel). The scheme is certified with the nuclear safety class qualification, and the products are inspected by the China Classification Society. Verification uses the type test method, which proves that, in the specified operating environment and under the limit conditions required by the design, the device fulfils its predetermined functions and performance indices. Compared with the qualification requirements of nuclear power plants, the qualification requirements of the small modular offshore floating reactor add a tilt test, a swing test and a mechanical shock test [7], and take into account tests of power failure and voltage fluctuation immunity. This ensures that the functions are performed under the expected environment, such as temperature, pressure, humidity, vibration, electromagnetic interference, irradiation or a combination of these factors. At the current stage, the scheme is ready for engineering application.
8 Conclusions
The design of the safety control display device of the small modular offshore floating reactor protection system based on FirmSys incorporates the characteristics of devices used on marine ships, and is safe and reliable, fast to operate, compact, resistant to misoperation and highly versatile. The scheme overcomes many difficulties and achieves design innovation and improvement; it has successfully passed the nuclear-grade appraisal and is ready for engineering application, which is a breakthrough innovation in the ship and nuclear power industries. With appropriate development, this design can be extended to the safety display systems of military ships.
9 Acknowledgement
The authors would like to thank all the members of the FirmSys research and development team, and China Techenergy Co., Ltd for its support.
References
1. Shi, G.-l., Jiang, G.-j., Zhang, B.: The design of ACPR1000 nuclear reactor protection system based on FirmSys. In: Proceedings of the 27th International Conference on Nuclear Engineering (2019)
2. Jinliang, G., Jingdong, L.: The development of shipbuilding multi-function console. Instrum. Technol. 11 (2011)
3. JianPing, X., Ningsheng, C.: Present situation and developing tendency of abroad ship multifunction console. Ship Electron. Eng. 7 (2007)
4. Zhu, L.-L., Wu, B.: Application research of safety control and information device based on FirmSys platform in ACPR1000 nuclear power plant. In: Proceedings of the 25th International Conference on Nuclear Engineering (2017)
5. IEC 60533: Electrical and electronic installations in ships - Electromagnetic compatibility. IEC
6. IEEE 497-2010: Criteria for accident monitoring instrumentation for nuclear power generating stations. IEEE
7. IEEE 344-2013: Seismic qualification of equipment for nuclear power generating stations. IEEE
8. RG1.180-2003: Guidelines for evaluating electromagnetic and radio-frequency interference in safety-related instrumentation and control systems. DLA
Research on Maintenance Network Design Based on Nuclear Power Station Safety DCS System
Chun-Lei Zhang, Da-Peng Liu(&), Li Peng, Bao-Hua Ren, and Song Liu
China Techenergy Co., Ltd, Beijing 100094, China
Abstract. During the operation of the safety digitalized instrumentation and control system of a nuclear power plant, it is necessary to monitor the online operating data in real time. The communication between the engineer station and the safety level must satisfy the real-time, accuracy, reliability and safety requirements of data monitoring. How to design the maintenance network between the non-safety engineer station PC and the safety instrumentation and control system is a difficult problem in the research and design of nuclear safety DCS. FirmSys is the first digital nuclear safety instrumentation and control system platform successfully developed and appraised in China. Based on the networking characteristics of the data communication network in FirmSys, this paper proposes a real-time data monitoring design based on the 802.3 protocol. The design starts from the standard MAC frame structure and forms a new data frame format by adding new data segments to meet the real-time requirement of network node interaction. Different communication instruction function codes and a fixed communication flow are then designed to meet the accuracy requirements of the data, and finally the communication security requirements are met through a CRC check, a function code check and a communication error check. Testing shows that the method has high real-time performance, high data accuracy and low configuration requirements; it meets the requirements of real-time data monitoring for nuclear power instrumentation and control systems and can also be applied to industrial control fields such as ships and thermal power plants.
Keywords: Safety DCS · The system of harmony · Local area network communication · Data frame · Data monitoring · Data enforcement · CRC32 · 802.3 protocol
1 Introduction
The digitalized instrumentation and control system of a nuclear power station is a highly reliable safety system. In order to understand the operation of the system, it is necessary to monitor the operating parameters of each subsystem in real time. The state data are analyzed to determine whether the system is operating in a reasonable and correct state. The network communication between the engineer station and the safety system must meet
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 268–280, 2020. https://doi.org/10.1007/978-981-15-1876-8_28
Research on Maintenance Network Design
269
the requirements of high reliability and high safety. Data monitoring of the instrumentation and control system means reading the data of the controller over the communication network and displaying it in the maintenance software on the PC. During transmission, the data may arrive incomplete because of the uncertainty of the network and other causes, so a high-reliability data transmission method for the LAN is needed. The maintenance network between the non-safety level (the PC end) and the safety level (the digital instrumentation and control system of the nuclear power plant) must be designed so that the operation of the safety-level system is not affected, which has always been a difficult problem in the industrial control industry. Based on a study of current local area network communication methods, and on the fact that the LAN nodes of the nuclear power instrumentation and control system consist mainly of a few host computers and a large number of embedded board modules, this paper adopts the 802.3 protocol as the basis of the LAN communication [2]. This paper presents a LAN communication method based on the 802.3 protocol that makes full use of the advantages of 802.3 and avoids its defects to some extent, so that it can meet the high-reliability requirement of the nuclear power instrumentation and control communication system. This paper mainly discusses the monitoring data communication network; the design of the controller software and of the PC application software is outside its scope. The purpose of this maintenance network is to reflect the integrity, correctness and reliability of the data, and to ensure the maximum possible security.
2 Composition of the LAN System and Analysis of the 802.3 Protocol
FirmSys is the first digital nuclear safety instrumentation and control system platform successfully developed and certified in China, and its communication system is designed and developed on the basis of 100 M industrial Ethernet. To ensure the integrity and accuracy of file data transmission between the host and the board modules, the data transmission system requires that the communication state be deterministic, the reliability high, the ease of use high and the communication rate fast. The IEEE 802.3 protocol is an Ethernet protocol that mainly describes the implementation of the physical layer and of the MAC sublayer of the data link layer. An Ethernet system consists of three basic units: the physical medium, which carries Ethernet signals between computers; the media access control rules embedded in each Ethernet interface, so that the computers can share the Ethernet channel fairly; and the Ethernet frame, a set of standard bits used to carry the data. Ethernet has no central controller, each node operates independently, and all workstations connected to the Ethernet are attached to a shared signaling system, that is, the physical medium mentioned above. When data needs to be transmitted, a workstation first listens to the channel; if the channel is idle, the data can be transmitted in the Ethernet frame (data frame) format. After the transmission of each frame is finished, every workstation must contend fairly for the opportunity to transmit the next frame. Access to the shared channel depends on the medium access control mechanism embedded in the Ethernet interface of each workstation, which is based on Carrier Sense Multiple Access/Collision Detection (CSMA/CD). The maintenance network described in this paper is an application of Ethernet in the industrial field.
3 Design of Real-Time Data Monitoring Method
The scheme design for real-time data monitoring is the core of this paper. It is explained in terms of the network model, functional instructions, network protocol format, communication security and reliability, exception notification, communication flow, and so on.
3.1 Network Model Design
With reference to the classical OSI seven-layer network model, this design completes the communication task with the physical layer, the data link layer and the application layer. Addressing is done at the data link layer: each station has a different MAC address, the data can be exchanged through a layer-2 switch, and no network layer is required. The communication protocol does not create or destroy sessions and does not use a special presentation syntax or semantics, so it has neither the session layer nor the presentation layer of the OSI seven-layer model [1]. The functions of the other OSI layers that this protocol does use are allocated to the application layer or the data link layer, so the protocol is divided mainly into the application layer, the data link layer and the physical layer [3]. The network model is shown below (Figs. 1 and 2):
[Fig. 1 residue: the OSI stack (application, presentation, session, transport, network, data link and physical layers) beside the three layers used by this protocol (application, data link and physical)]
Fig. 1. Network model diagram
First, the communicating parties are defined: the engineer station, which requests data, is defined as the upper computer, and the controller, which returns the data, is defined as the lower computer. The network topology is a star formed by connecting the lower computers through a switch (direct connection to a lower computer is also supported; the direct connection mode is a special case of the star topology). Note that there is no communication mechanism between engineer stations connected to the same communication network. The schematic diagram of the communication network is shown in the following figure:
Fig. 2. Schematic diagram of communication network (figure labels: Upper Machine, Under Machine)
3.2 Design of Functional Instructions
In the course of data interaction, we abstract the interactions of each type of the same (related) data and define them as several services; a combination of certain services is selected to perform a certain monitoring function, which has the advantage that the flexibility of the communication protocol is greatly enhanced [3]. Here, 11 functional instructions are designed for the instruction interaction between the upper and lower computers, of which the upper computer is responsible for sending instructions and the lower computer for replying to them. See Table 1 for details.
Table 1. Functional instruction set
SN   Instruction description         Instruction code
1    Connection                      0 N1
2    Connection reply                0 N2
3    Monitoring command request      0 N3
4    Response to monitoring order    0 N4
5    Read variable                   0 N5
6    Reply to read variable          0 N6
7    Write variable                  0 N7
8    Write variable reply            0 N8
9    Exception notice                0 N9
10   Normal notice                   0 N10
11   Disconnect                      0 N11
3.3 Format Design of Network Protocol
This communication protocol complies with the basic Ethernet protocol standard, and the data frame conforms to the Ethernet frame format. This section defines the communication data frame structure. Depending on the destination MAC address, the upper computer may send data packets to different stations, and the lower computer may also designate a unique upper computer to receive its data packets. From the source MAC address, the physical address of the sender can be uniquely determined from the data packet, i.e., one-to-many communication through the switch can be achieved. In the process of data communication, the sent and received data should be organized as a complete Ethernet protocol frame with a definite format and a definite word length [3].
1. The communication protocol data frame structure is shown in the following figure:
Field description         Number of bytes
Target MAC                N bytes
Source MAC                N bytes
Network type              N bytes
Reserved                  N bytes
Application data          N bytes
FCS verification code     N bytes
(1) Target MAC: the physical address of the packet recipient.
(2) Source MAC: the physical address of the packet sender.
(3) Network type: a fixed value that defines the network type.
(4) Reserved: for 4-byte alignment, filled with the fixed value “0”.
(5) Application data: the application data information, described in detail below.
(6) FCS check code: on the upper computer the FCS check code is generated by the network card, and on the lower computer by the hardware chip.
2. The application data frame is composed of an application data header, application data content and a CRC check code:
Field description          Number of bytes
Application data header    N bytes
Application data content   N bytes
CRC check code             N bytes
(1) Application data header: mainly carries the transmission control information.
(2) Application data content: the application data information itself.
(3) CRC check code: the CRC check value covers the data from the start of the “Application Data Header” to the end of the “Application Data Content” field.
3. Application data header:
Field description                          Number of bytes
Function code                              N bytes
Reserved                                   N bytes
Exception code                             N bytes
Total number of frames                     N bytes
Frame SN                                   N bytes
Total length of application data           N bytes
Length of application data in this frame   N bytes
Version No                                 N bytes
Reserved                                   N bytes
(1) Function code: indicates the functional meaning of the frame.
(2) Reserved: a reserved field that can be used for subsequent extension; the default value is 0 when it is not used.
(3) Exception code: exception information is returned by populating this field; its default value is 0.
(4) Total number of frames: the total number of frames of the current task. Some tasks need to be sent in multiple frames, and specifying the total number of frames lets the receiver judge whether the task has been received completely.
(5) Frame SN: indicates which frame of the current task this frame is.
(6) Total length of application data: the total length of the application data of the current task, calculated as the sum of the application data of each frame.
(7) Length of application data in this frame: the number of bytes occupied by the valid data of the Application Data Content, counted from the start of the Application Data Content.
(8) Version number: the current protocol version number, used to ensure subsequent compatibility.
(9) Reserved field: reserved. This field can be used for subsequent expansion of functions to ensure compatibility, and the default value 0 is filled when it is not used.
4. Application data frame content format. The content of the application data is filled with specific information according to the specific definition of the function code, as described in the description of each function code. When not used, it is filled with the default value “0”.
3.4 Design of Communication Security and Reliability
(1) Communication encryption mechanism. In order to ensure safe and reliable transmission of data, the protocol data is subjected to a link encryption process, that is, all messages are encrypted at the sender and decrypted at the receiver. The encrypted data range covers all data frames.
(2) Time-out judgment and retransmission mechanism. In order to ensure the continuity and validity of communication, a communication timeout judgment mechanism is designed. If there is no data interaction between the two parties within the specified minimum time (3 s), it is regarded as a timeout. In the communication process, the sender buffers the data packet currently sent; when a timeout is judged to have occurred, the sender retransmits the current data packet, stops sending after three accumulated timeouts, prompts the user with the timeout information and disconnects the link.
(3) Data CRC check mechanism. The CRC type used is CRC32 [4], calculated using the look-up table method; the generator polynomial of CRC32 is shown in Formula 1:
If the CRC check is correct, the download reply instruction is returned; otherwise a CRC check error of the data frame is prompted. After receiving the download reply instruction, the upper computer parses whether the instruction matches the issued instruction and verifies whether the CRC value of the instruction is correct. If the instruction does not match or the CRC value is incorrect, an error instruction or a CRC check error of the data frame, respectively, is prompted.
3.5 Design of Abnormal Notice
In the course of communication, if an error occurs part-way through and the system does not indicate what the error is, system testing and fault screening are hampered, so it is necessary to anticipate all possible errors in advance. In this paper, a total of six error notifications are designed; the specific error design is shown in Table 2.
Table 2. Error design
Connection failed                  Link_Failed_Error
CRC check of data frame failed     Link_Failed_Error
Reading variable failed            Read_Var_Error
Failed to write variable           Write_Var_Error
Communication timeout              Wait_TimeOut_Error
Error instruction                  Comond_Error
The connection failure includes the case that the upper and lower computers have no physical connection, and the case that the connection reply instruction is not received within the specified time (>3 s). The CRC check error of the data frame means that the CRC value in the data frame acquired by the receiving end is inconsistent with the re-calculated CRC value. The file CRC check error means that the CRC values calculated by the upper and lower computers for the entire downloaded file are inconsistent. The read variable command failed (no data returned or inconsistent data returned). The write variable command failed (no data returned or inconsistent data returned). The communication timeout means that, in the normal communication process, the time interval between the data frames received by the receiving end exceeds the prescribed time (3 s). The error instruction means that the receiving end receives an instruction that does not match the issued instruction [5].
3.6 Design of Communication Process
After the basic design of the communication model, instruction set, protocol and exception notification is completed, the general flow of the monitoring method is as follows. First the network connection between the devices is established, then the upper computer starts to
subscribe to variable data, and the lower computer returns the subscribed data periodically; during this period the user can start a write variable operation: the upper computer sends the write variable command, the lower computer replies to the command synchronously, and the upper computer judges from the received reply data whether the write operation succeeded. Communication is divided into two phases, the communication request phase and the communication interaction phase. In the communication request stage, both parties establish a communication connection through a connection request and a response. In the communication interaction stage, each monitoring function is completed either by asking and answering or by periodic uploading.
(1) Communication request stage. In the communication request phase, the communicating parties complete the communication connection process by a handshake, as shown in Fig. 3:
Fig. 3. Communication request process
At the same time, through this communication handshake process, the switch records the MAC addresses of both parties in its self-learning mode, and completes the data transmission of the subsequent data interaction.
(2) Communication interaction stage. After the connection is established, both parties can carry out the real-time data monitoring process, as shown in the chart (Fig. 4).
Fig. 4. Communication interactive process
4 Realization of Data Monitoring Process
4.1 Create Link
Establishing a link is the first step of communication. The upper and lower computers interact with each other through the functional instructions designed in the previous chapter, and the connection instruction is transmitted to the lower computer. In the concrete process, the MAC address of the network card of the upper computer is acquired first; the MAC address of the lower computer is determined by the engineer configuration when the download file is generated, and is set only by the dial switch of the board to be downloaded. Next, the upper computer sends a connection instruction to the designated lower computer; after receiving the instruction, the lower computer analyzes it, acquires the function instruction code and performs the CRC check. After receiving the connection instruction from the upper computer and analyzing it successfully, the lower computer returns the correct reply instruction, and the communication connection is established successfully. If the upper computer does not receive the correct reply from the lower computer within the specified time, the connection fails. After the connection is established, the upper computer sends a monitoring command to the lower computer, the lower computer returns important information such as the controller station number and version number to the upper computer, and the upper computer can formally start the monitoring task after confirming there is no error.
4.2 Data Monitoring
The common idea of data monitoring is reading variables: the upper computer sends a read variable request, the lower computer receives the request and transfers the corresponding variable values in the controller back to the upper computer, and the response data received by the upper computer is analyzed and displayed in the application software. The upper computer sends the read variable request command once, and the lower computer then continuously transfers the corresponding data to the upper computer. If the read variable request command is changed, the lower computer replies with the relevant data according to the latest read variable request command. When the amount of data is large and one frame is insufficient to hold the monitoring data of one cycle, the communication process is divided into frames. In the monitoring flow, the frame number of each request of the upper computer is counted from 1 and the maximum frame number is N; the lower computer judges whether a request is new by frame number 1, records the read variable information and replies periodically. Calculation Method of Total Frame Number.
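The frame layout of Section 3.3, the table-driven CRC32 check of Section 3.4 and the frame numbering of this section, shown together as an added example that is not the paper's code. Because the paper gives every field width only as N bytes, the widths, the big-endian byte order, the 100-byte per-frame content budget and the numeric function code used here are assumptions; the CRC32 uses the standard reflected polynomial 0xEDB88320 and is cross-checked against zlib.

```python
import struct
import zlib  # used only to cross-check the table-driven CRC32 below

# --- CRC32 by the look-up table method (Section 3.4(3)) ---
# Reflected CRC-32 polynomial 0xEDB88320 (the same CRC as the Ethernet FCS and zlib).
def _make_crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _make_crc_table()

def crc32(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def crc32_matches_zlib(data: bytes) -> bool:
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)

# --- application data header (Section 3.3, item 3) ---
# Assumed widths, big-endian: function code 1, reserved 1, exception code 1,
# total frames 2, frame SN 2, total length 4, length in this frame 2,
# version 1, reserved 2 -> 16 bytes. The paper only says "N bytes" for each.
HEADER_FMT = ">BBBHHIHBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
HEADER_KEYS = ("func", "rsv1", "exc", "total", "sn", "total_len", "len", "ver", "rsv2")
VERSION = 1
MAX_CONTENT = 100          # assumed content budget per frame (constructed value)
FUNC_READ_VAR_REPLY = 6    # Table 1 serial number 6; the real code value is not given

class FrameError(ValueError):
    """Raised for the data-frame errors of Table 2."""

def build_frames(func, payload, max_content=MAX_CONTENT, exc=0):
    """Split one task into frames numbered 1..total (Section 4.2) and append a
    CRC32 computed from the start of the header to the end of the content."""
    chunks = [payload[i:i + max_content] for i in range(0, len(payload), max_content)] or [b""]
    frames = []
    for sn, chunk in enumerate(chunks, start=1):
        header = struct.pack(HEADER_FMT, func, 0, exc, len(chunks), sn,
                             len(payload), len(chunk), VERSION, 0)
        body = header + chunk
        frames.append(body + struct.pack(">I", crc32(body)))
    return frames

def parse_frame(frame):
    """Receiver side: recompute the CRC, then check the header is self-consistent."""
    if len(frame) < HEADER_LEN + 4:
        raise FrameError("frame too short")
    body, crc_field = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if crc32(body) != crc_field:
        raise FrameError("CRC check of data frame failed")
    hdr = dict(zip(HEADER_KEYS, struct.unpack(HEADER_FMT, body[:HEADER_LEN])))
    content = body[HEADER_LEN:]
    if hdr["ver"] != VERSION or hdr["len"] != len(content) or not 1 <= hdr["sn"] <= hdr["total"]:
        raise FrameError("inconsistent application data header")
    return hdr, content

def reassemble(frames):
    """Frame SN 1 starts a new task; total frames and total length decide whether
    the task was received completely (Section 4.2). Returns (func, payload)."""
    parts, task = {}, None          # task = (func, total frames, total length)
    for frame in frames:
        hdr, content = parse_frame(frame)
        if hdr["sn"] == 1:
            parts, task = {}, (hdr["func"], hdr["total"], hdr["total_len"])
        if task != (hdr["func"], hdr["total"], hdr["total_len"]):
            raise FrameError("frame does not belong to the current task")
        parts[hdr["sn"]] = content
    if task is None or len(parts) != task[1]:
        raise FrameError("task incomplete")
    payload = b"".join(parts[sn] for sn in range(1, task[1] + 1))
    if len(payload) != task[2]:
        raise FrameError("total length mismatch")
    return task[0], payload
```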
4.3 Data Enforcement
Data forcing is writing variables: the upper computer forces a data value onto the lower computer, and the lower computer writes the corresponding memory value in the controller according to this value, so as to achieve the purpose of forcing data. After the lower computer completes the forcing, the actual data in memory is returned to the upper computer for confirmation. The data-forcing communication process differs from the data-monitoring communication process only in function.
4.4 Disconnect the Link
The disconnection of the link is initiated by the user. When exiting the monitoring process, the upper computer sends a disconnection command to the lower computer, and with that this monitoring activity has ended. In summary, in the data monitoring instruction interaction process, if the upper computer does not receive the connection reply instruction within the specified time after sending the connection instruction, a connection failure is prompted and the connection is disconnected; this time is set to 3 s. If the lower computer has received the connection instruction but the upper computer has not received the connection reply instruction because of the network or other reasons, the upper computer likewise considers the connection to have failed and disconnects, and the lower computer automatically disconnects if it does not receive the next instruction within the specified time. In the communication process after the connection is established successfully, both the upper computer and the lower computer must send or receive an instruction within the time T (3 s); otherwise the communication connection is regarded as timed out. Since sending an instruction is determined by the upper and lower computers themselves, it generally does not happen that no instruction has been sent more than time T after receiving one, but this possibility is not excluded; it is generally assumed that a communication connection timeout is caused by a failure to receive an instruction. The failure of the upper or lower computer to receive the matching instruction means that the currently received data frame does not conform to the communication flow design. For example, after the lower computer sends the connection reply instruction, the next frame it receives should be the monitoring instruction; if a forced (write) frame instruction is received instead, the lower computer identifies an exception, sends an error command and disconnects. In the monitoring process, each step (or process) is strictly defined.
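The timeout, retransmission and instruction-matching rules of Sections 3.4(2), 3.6 and 4.4 as an explicit state machine with a caller-supplied clock, added here as an example and not the paper's code. The Table 1 serial numbers are used as instruction codes and the flow steps are named for illustration; both are assumptions.

```python
from enum import IntEnum

class Cmd(IntEnum):
    """Table 1 instructions; the serial numbers are used as codes (assumption)."""
    CONNECT = 1
    CONNECT_REPLY = 2
    MONITOR_REQ = 3
    MONITOR_RESP = 4
    READ_VAR = 5
    READ_VAR_REPLY = 6
    WRITE_VAR = 7
    WRITE_VAR_REPLY = 8
    EXCEPTION = 9
    NORMAL = 10
    DISCONNECT = 11

TIMEOUT_S = 3.0      # T = 3 s (Sections 3.4(2) and 4.4)
MAX_TIMEOUTS = 3     # stop sending after three accumulated timeouts

# Instructions the lower computer accepts in each flow step, with its reply and
# the next step. Anything else is an "error instruction" (Comond_Error).
FLOW = {
    "IDLE":         {Cmd.CONNECT: (Cmd.CONNECT_REPLY, "WAIT_MONITOR")},
    "WAIT_MONITOR": {Cmd.MONITOR_REQ: (Cmd.MONITOR_RESP, "MONITORING")},
    "MONITORING":   {Cmd.READ_VAR: (Cmd.READ_VAR_REPLY, "MONITORING"),
                     Cmd.WRITE_VAR: (Cmd.WRITE_VAR_REPLY, "MONITORING"),
                     Cmd.DISCONNECT: (None, "IDLE")},
}

class LowerComputer:
    """Receive-side flow check of Section 4.4; `now` is a caller-supplied clock."""
    def __init__(self):
        self.state = "IDLE"
        self.last_rx = 0.0
        self.errors = []   # Table 2 error names in order of occurrence
        self.sent = []     # (time, reply) pairs

    def receive(self, now, cmd):
        # No instruction within T while connected: automatic disconnection.
        if self.state != "IDLE" and now - self.last_rx > TIMEOUT_S:
            self.errors.append("Wait_TimeOut_Error")
            self.state = "IDLE"
        self.last_rx = now
        rule = FLOW[self.state].get(cmd)
        if rule is None:  # e.g. a forced (write) frame where monitoring is expected
            self.errors.append("Comond_Error")
            self.state = "IDLE"
            reply = Cmd.EXCEPTION
        else:
            reply, self.state = rule
        if reply is not None:
            self.sent.append((now, reply))
        return reply

class UpperComputer:
    """Send-side buffering and retransmission of Section 3.4(2)."""
    def __init__(self):
        self.pending = None   # (cmd, time last sent), kept until a reply arrives
        self.timeouts = 0
        self.connected = False
        self.log = []         # (time, "tx" | "retx", cmd)

    def send(self, now, cmd):
        self.pending = (cmd, now)
        self.log.append((now, "tx", cmd))

    def on_reply(self, now, reply):
        if self.pending is None:
            return
        cmd, _ = self.pending
        self.pending = None
        if cmd == Cmd.CONNECT and reply == Cmd.CONNECT_REPLY:
            self.connected = True
        elif reply == Cmd.EXCEPTION:
            self.connected = False

    def tick(self, now):
        """Call periodically; returns a Table 2 error name when the link is dropped."""
        if self.pending is None:
            return None
        cmd, sent_at = self.pending
        if now - sent_at < TIMEOUT_S:
            return None
        if cmd == Cmd.CONNECT:      # no connection reply within T: connection failed
            self.pending = None
            return "Link_Failed_Error"
        self.timeouts += 1
        if self.timeouts >= MAX_TIMEOUTS:
            self.pending, self.connected = None, False
            return "Wait_TimeOut_Error"
        self.pending = (cmd, now)   # retransmit the buffered packet
        self.log.append((now, "retx", cmd))
        return None
```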
5 Test Results and Analysis of Prototype 4
In the environment of Visual Studio 2012, the method is implemented in the C++ language. The upper computer has an Intel® Core™ i7 CPU and 8 GB of memory and runs Windows 7; the lower computer is the relevant board of the Company, and the connecting cable is a standard network cable. The conversion interface uses MOXA EDS-205A-M-ST-T Ethernet switches. In practice, four control stations (A, B, C, D) are established, each configured with more than 200 variables of different data types, and each station is repeatedly connected, monitored, forced and disconnected, up to hundreds of tests. The statistics of the number of errors in this process are shown in Table 3.
Table 3. Error statistics
Monitoring error                                    A   B   C   D
Connection failed                                   0   0   0   0
CRC check of data frame failed                      0   0   0   0
The comparison of monitoring data is inconsistent   0   0   0   0
Communication timeout                               1   0   0   1
Forced data alignment is inconsistent               0   0   0   0
Error instruction                                   0   0   0   0
As can be seen from Table 3, the communication timeout is the only error that occurred, and its frequency of occurrence is low. If this error occurs, it indicates that the data transmission has failed, and the data can be transmitted completely and accurately by re-downloading. The other errors, although not present in the test, have a lower frequency of occurrence, but once any one of them occurs it can be detected as far as possible by these error-handling processes, preventing errors from going undetected; this fully embodies the core goal of reliability.
6 Closing Remarks
Based on the characteristics of the local area network of a nuclear power instrumentation and control system and the high reliability required of its data transmission system, this paper studies the current field of local area network communication and presents a design scheme for a data monitoring and verification maintenance network based on the 802.3 protocol. First, a communication instruction set is designed for interaction; then an error set is designed by analyzing the possible errors, so that problems can be fed back and located in time; finally, through the matching of instruction data frames, the CRC check of the data frame itself and the comparison of the monitoring and forced commands with the returned data, the accuracy and integrity of transmission are ensured. The final test results show that the monitoring method can effectively ensure the accuracy and integrity of data transmission in the LAN and meet the reliability requirements of the nuclear power instrumentation and control system for data transmission, and the method has been successfully applied to FirmSys.
References
1. Yun-lu, H., Zun-jun: Design and implementation of LAN communication tools based on TCP/IP. Technol. Inf. (21), 13 (2009)
2. Zheng-hao, L.: Research and Implementation of 802.3 Ethernet MAC Protocol. Tongji University, Shanghai, pp. 1–7 (2007)
3. Ming-feng, Z., Ya-jian, Z., Quan, Y., et al.: Research progress in physical layer network coding. Comput. Appl. 31(8), 2015–2020 (2011)
4. Shu-gang, Z., Su-nan, Z., Stan, H.: FPGA implementation of parallel computing of CRC check code. Comput. Technol. Dev. 17(2), 56–62 (2007)
5. Campbell, G., Patane, G., Russo, M.: Parallel CRC realisation. IEEE Trans. Comput. 52(10), 1312–1319 (2003)
Research and Application of RPN Detector Positioning Technologies in Nuclear Power Plants
Tian-You Li(&), Rui Zhang, Ya-Jie Tian, Hua-Qing Peng, Jun Tian, Li Zeng, and Jing Shang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd, Shenzhen of Guangdong Prov, Shenzhen 518045, China
[email protected]
Abstract. The positioning technology of the nuclear instrumentation system (RPN) detector in a nuclear power plant is researched. By analyzing the requirements of radial arrangement, axial arrangement, detector measurement, operation and maintenance, environmental conditions and so on, an advanced detector bucket positioning scheme is studied and independently formed through a systematic comparison of the technical characteristics of “push-pull trolley” and “bucket” positioning. The resulting positioning scheme allows the detector assembly to be operated and maintained from the operating platform of the reactor plant, effectively reduces the irradiation of operation and maintenance personnel and greatly reduces the layout space in the reactor plant. The positioning technology has been applied to the advanced third-generation pressurized water reactor in China. The research results have reference value for the positioning research and design improvement of RPN detectors for other reactor types.
Keywords: Nuclear instrumentation · RPN · Positioning · Push-pull trolley type · Bucket type
1 Introduction
The RPN system, as a critical system related to reactor safety, measures the power, the rate of power variation and the axial power deviation of the reactor via a series of neutron detectors distributed outside the reactor pressure vessel [1]. Considering that a single type of detector can hardly cover the eleven orders of magnitude of power monitoring required from reactor start-up to power operation, RPN systems are often equipped with three types of detectors, namely source range (SR), intermediate range (IR) and power range (PR), in order to achieve continuous monitoring and protection of reactor power at the various operating stages (shut-down, power-up, power operation, etc.). The positioning of the SR, IR and PR detector assemblies of the RPN system around the pressure vessel in the reactor building should meet the requirements of neutron flux measurement, which call for placement as close to the reactor pressure vessel as possible. On the other hand, the positioning, hoisting, operation and maintenance of the detector assembly should be facilitated, and factors like convenient operation and maintenance and lower operator exposure to radiation should be taken into consideration. While the domestic M310 unit detector assembly adopts a push-pull trolley type installation, the internationally advanced third-generation reactors generally adopt a bucket-type installation. In this paper, an advanced scheme for positioning the RPN detector assembly is studied and implemented independently by analyzing the requirements for detector positioning technology and systematically comparing various reactor positioning technologies.
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 281–293, 2020. https://doi.org/10.1007/978-981-15-1876-8_29
282
T.-Y. Li et al.
2 Positioning Requirements
2.1 Radial Arrangement
The arrangement of the detector assembly relative to the reactor core includes the radial and axial arrangements at the core. The radial arrangement achieves a symmetrical layout according to the number of measurement channels. Generally, the PR channel is placed at the radial diagonal position of the reactor core; the SR detector corresponds to the position of the primary neutron source of the core; and the IR detector can be placed within the same instrument cylinder as either the SR or the PR detector. In the AP1000 and VVER, the three range detectors are arranged separately within their respective instrument cylinders.
2.2 Axial Arrangement
The primary neutron source, which is used in the first cycle, is placed at the center of the lower half of the core. When designing the axial arrangement, the SR detector is therefore also arranged at the center of the lower half of the core, in line with the position of the neutron source, in order to better detect the neutrons it emits. After the end of the first cycle, the primary neutron source is removed from the core, and subsequent cycles include only the secondary neutron source. At this point, the optimal axial position of the SR detector would be the middle of the reactor core. However, considering that the detector should be moved as little as possible, the SR can also keep its original position, i.e. the center of the lower half of the core. Meanwhile, the IR detector should be arranged at the position where the sensor response is least sensitive to the axial power distribution, i.e. the axial center of the reactor core. By doing so, the detector response does not change greatly with the variation of the axial power offset; in particular, in the event of an accident there will be no oscillation of the IR detection signal resulting from xenon oscillation. Regarding the positioning of the PR detector, the mechanical conditions and installation constraints of the detector should be given full consideration, and it should be arranged at the location with the most effective detection signal. Given the need for monitoring the axial power deviation, the PR is generally installed as a multi-segment detector (Fig. 1).
Research and Application of RPN Detector Positioning Technologies
Fig. 1. Schematic diagram of axial arrangement of typical detector (figure labels: height of active part of the core; 1×IR at the 1/2 core position; 4×PR; 1×SR at the 1/4 core position)
2.3 Measurement Requirements
To satisfy the requirements of reactor neutron flux measurement, the detector assembly should be arranged as close to the reactor pressure vessel as possible. Besides, the reactor refueling channel should be avoided when arranging the instrument guide cylinder.
2.4 Operation and Maintenance Requirements
The instrument cylinder and positioning device of detector should facilitate the accurate positioning and hoisting of detector assembly, as well as its proper operation and maintenance. Moreover, the impact of radiation on relevant operators must be considered to minimize the operator radiation exposure. The detector needs to be installed and positioned during the normal operation of reactor, which should be arranged at the measurement position of reactor core active zone. In the event of fault or routine inspection, the detector can be easily removed for repair. Upon failure of detector fixture (e.g. connector breakage), there should be sufficient means to remove the detector device located inside the instrument guide cylinder.
2.5 Environmental Conditions
Table 1 presents the typical environmental conditions of the reactor building in which the detector operates. The detector assembly and positioning device need to meet the SSE1 seismic requirements.
Table 1. Typical operating environment conditions of RPN detector
Environment conditions   Variation range
Temperature              4 °C–80 °C (60 °C under normal condition)
Pressure                 0.7 MPa
Relative humidity        100% RH
γ radiation dose         5×10^3 Gy/h
2.6 Engineering Implementation
The layout space of detector positioning device in the reactor building should be given full consideration, as well as its effects on the fixation and installation of civil and mechanical structures. A survey should be conducted around the mature supplier equipment, and constraints like the inner diameter, diameter and positioning requirements of instrument guide cylinder should be put forward. The detector assembly and instrument guide cylinder should be subjected to pass-through verification, positioning verification, source test channel setup verification, connector and connection board design verification, etc.
3 Technological Status
There are two common detector assembly positioning technologies for large-scale commercial reactors at home and abroad: “push-pull trolley type” and “bucket type” positioning. The “push-pull trolley type” pushes the detector assembly as close to the pressure vessel as possible with a push-pull trolley mechanism after hoisting the assembly. The “bucket type” arranges the detector assembly within a guide cylinder instrument tube that resembles a bucket structure, utilizing the self-weight of the assembly. China’s M310 reactor CPR units such as Dayabay, Lingao and Fuqing Phase I all adopt the “push-pull trolley” positioning structure [2–4]. The SR, IR and PR are arranged in 2, 2 and 4 channels respectively. While the PR detector is arranged in a separate channel, the SR and IR are arranged within the same instrument guide cylinder. The detector cylinder bracket cannot be installed at the measurement position because of the pressure vessel support ring. Thus, during detector installation, the detector instrument cylinder must first be installed at the pull-out position of the movable device, which is then moved to the measurement position with the push-pull device after installation of the detector assembly [5]. In Fig. 2, the conventional “push-pull trolley” positioning is illustrated.
Fig. 2. Schematic diagram of “push-pull trolley” positioning
For the internationally advanced third-generation reactor types AP1000, VVER and EPR, “bucket type” positioning technology is employed. Compared to the CPR reactors, the VVER, EPR and AP1000 have an increased number of SR and IR channels, improved system redundancy and higher system reliability. The IR detectors of AP1000 reactors adopt fission chamber technology in order to meet the requirements of post-accident neutron measurement [6–8]. The design idea of the “bucket-type” installation varies by the type of advanced reactor. For VVER and EPR, the upper hoisting method is adopted, where the detector assembly is installed properly by universal joint means with the help of the assembly's own weight, and the axial position of the assembly is ensured through accurate calculation [9]. As for AP1000, the detector is fixed between the reactor pressure vessel and the primary shielding layer, and the detector assembly needs to be installed from below [5]. With this method, maintenance personnel must enter the reactor cavity during detector replacement or inspection, which results in maintenance difficulty and large radiation exposure [10]. In Fig. 3, typical “bucket type” positioning is illustrated, whereas in Table 2, the typical positioning technologies of various reactor types are compared.
Fig. 3. “Bucket type” positioning schematic diagram
Table 2. Comparison of positioning techniques for typical NPP types
No. 1, Range: EPR SR/IR/PR; AP1000 SR/IR/PR; CPR SR/IR/PR; VVER refueling monitoring/physical start-up/SR/start-up/work1/work2
No. 2, Number of channels: EPR 3/4/4; AP1000 4/4/4; CPR 2/2/4; VVER 6/4/3/8/8/4
No. 3, Detector: EPR proportional counter tube/compensated ionization chamber/uncompensated ionization chamber; AP1000 proportional counter tube/fission chamber/uncompensated ionization chamber; CPR proportional counter tube/compensated ionization chamber/uncompensated ionization chamber; VVER fission chamber/proportional counter tube/fission chamber/compensated ionization chamber
No. 4, Ability of post-accident monitoring: EPR Yes (compensated ionization chamber + lead foil screen); AP1000 Yes (fission chamber); CPR No; VVER Yes (fission chamber)
No. 5, Positioning method: EPR “Bucket-type” (upper hoisting); AP1000 “Bucket-type” (installed from lower); CPR “Push-pull trolley type”; VVER “Bucket-type” (upper hoisting)
4 Implementation of Advanced “Bucket Type” Technology

Based on the aforementioned features of advanced reactor technologies and multi-reactor design experience, we carry out research on the key technologies and engineering applications of RPN “bucket type” installation. Advanced technologies such as AP1000, EPR and VVER are benchmarked, and an advanced, safe and reliable “bucket type” installation technology is implemented, which meets the design requirements for third-generation reactors [11].
4.1 Positioning Scheme
The “bucket type” installation and positioning technology is implemented based on the design requirements of third-generation reactors in combination with the analyses of maturity, operation and maintenance space, as well as reactor characteristics. Figure 4 displays the relevant design drawings of guide instrument tubes, whereas Fig. 5 depicts the arrangement of all ten guide cylinders. The installation method features simple structure, convenient maintenance and small layout space, which can better adapt to the requirements of shielding water layer thickening and reactor core low-level arrangement for the third-generation reactors. Guide cylinders, which are about 25 m in total length, are located from the operating platform layer (elevation: approximately 20 m) to the bottom of reactor pressure vessel (elevation: approximately −2 m). We focus on resolving the key technological challenges: (a) Design of guide cylinder and pass-through verification of detector assembly; (b) design of pre-embedded connector; (c) verification of flux rate physical model; (d) active test scheme; and (e) detector connection and positioning.
Fig. 4. Schematic diagram of “bucket type” installation scheme (source range)
Fig. 5. General layout of RPN guide cylinder
4.2 Radial Position of Detectors

Detectors are arranged within the biological shielding wall around the reactor pressure vessel: four PRs are placed at the diagonal positions of the reactor core, i.e. at 45º, 135º, 225º and 315º; three IR channels are placed at 164.5º, 254.5º and 344.5º; and three SR detectors are placed at 10º, 190º and 280º. The SR channels correspond to the position of the primary neutron source (Fig. 6).

4.3 Axial Position of Detectors

In the axial direction, the SR is arranged at one-fourth of the core height from the core bottom, the IR is arranged at one-half of the core height, while the PR four-segment detector is arranged along the core centre.
Fig. 6. Radial layout of detector

4.4 Connection Box and Junction Board
A pre-embedded connection box is set up on the upper part of each guide cylinder to provide the detector cable outlet and to protect the upper part of the guide cylinder against accidental reactor spray. The connection box is fitted with a junction board that consolidates the cable transfer of the detectors, from which the cables enter the dedicated RPN measurement cable bridge. In Fig. 7, the schematic of the connection box is depicted.
Fig. 7. Schematic diagram of connection box and junction board design
4.5 Detector Assembly Connection
A detector connector is set up to resolve the problems of connection between PR multisegment detectors and detector positioning in guide cylinders. The device has at least two serially connected sleeves and a rotary connecting member for connecting two adjacent sleeves. The sleeves comprise a connecting portion disposed at the terminals and an accommodating portion for installing the neutron flux detector. The rotary connecting member is detachably and fixedly connected to the sleeve connecting portion, while the aforementioned two adjacent sleeves are relatively rotatable. Regarding the RPN connector and its mounting method, the sleeves can be rotated relatively by the action of external forces, so that the testing device is not easily broken. Moreover, upon failure of one of the neutron flux detectors, we only need to remove the faulty sleeve for replacement or open the sleeve and install a new neutron flux detector, without needing to replace the entire detector device [12] (Fig. 8).
Fig. 8. Schematic of the detector assembly connection
5 Technological Advantages

5.1 Pros and Cons Analysis of Positioning Technologies
The “push-pull trolley type” and “bucket type” positioning technologies are generally adopted for large commercial reactors. In Table 3, the two methods are compared in terms of technological maturity, operation and maintenance, restrictions on detector selection, and layout. (1) Regarding maturity, the “push-pull trolley type” has been applied to the M310 units in China and most of the nuclear power units in France. The “bucket type” has been applied to VVER, AP1000, EPR, as well as China’s high-temperature gas-cooled reactors. (2) Concerning the convenience of operation and maintenance, the “push-pull trolley type” easily causes connection loosening due to thermal expansion and contraction, since the cable connection board is close to the reactor core. In the “bucket type” mode, the cable connection board is located in the reactor operating platform layer, far away from the reactor core, so that operation is convenient and personnel are exposed to a low radiation dose. (3) Regarding detector type selection, the “push-pull trolley type” PR/IR/SR detectors are packaged inside one detector assembly and arranged in the same sleeve; equipment selection is largely restricted and difficult to verify. (4) Regarding the layout design of the positioning device, the “push-pull trolley type” requires a large layout space and the opening of a hoisting channel in the reactor pool, which affects pool integrity. The M310 units have suffered reactor pool leakage resulting from poor shielding and encapsulation. The “bucket type” guide cylinder attains better pool integrity since it is pre-embedded and does not need to pass through the reactor pool.

Table 3. “Push-pull trolley” and “bucket” positioning alignment table

Item | Push-pull trolley | Bucket type
Maturity | CPR1000, most of the nuclear power units in France | VVER, AP1000, EPR, China’s high-temperature gas-cooled reactor
Operation and maintenance | Inconvenient operation and high-dose radiation exposure | The operation is convenient and the personnel are exposed to low radiation dose
Detector selection | Equipment selection is largely restricted | Facilitating equipment selection
Layout design | Requires large space for layout, affects the pool integrity | Attains better pool integrity

5.2 Technological Advantages of “Bucket-Type”
The “bucket type” installation technology achieved through research on the key RPN “bucket-type” installation technologies and their engineering applications has the following advantages: (1) It addresses the large space requirements for installation and maintenance of RPN detectors under the “push-pull trolley type” technology, and realizes the bucket type arrangement of detectors. The positioning method is compact and reasonable. The RPN detectors are installed and maintained entirely in the operating platform layer of the reactor building, thus offering a large maintenance space. (2) It reduces the effect of thermal expansion and contraction since the junction board is far away from the reactor core, which better stabilizes the tiny detector signals (10^-11 A level). In this way, abrupt change or loss of detector measurement signals is less likely, and signal instability can be avoided to effectively prevent flashing of nuclear power signals.
(3) It avoids the drawback (maintenance personnel exposure to large radiation during detector replacement or inspection) of the bucket type installation at the lower part for AP1000 reactors. Maintenance is facilitated as the detector assembly is hoisted from the upper part.
6 Conclusion

In this paper, the requirements for detector positioning technology are analyzed, including the radial and axial arrangements, detector measurement, operation and maintenance, environmental conditions and engineering implementation requirements. An advanced “bucket type” positioning scheme for the reactor detector assembly is implemented independently after reviewing the positioning technologies of domestic large commercial reactors and internationally advanced reactors, and after systematically comparing the features of the “push-pull trolley type” and “bucket type” positioning technologies. The developed positioning scheme allows the detector assembly to be operated and maintained in the operating platform layer of the reactor building, reduces the radiation exposure of operation and maintenance personnel effectively, and substantially saves layout space in the reactor building, which is in line with the operation, maintenance and radiation protection requirements of advanced third-generation reactors. The proposed positioning technology has been applied to China’s advanced third-generation pressurized water reactors and to the construction of actual nuclear power projects. The findings of this study have great reference value for the positioning research of other reactor detectors and for design improvement.
References

1. Su, L.S., Yang, H.Y., Wang, F.Sh., et al.: Devices & Systems of 900 MW PWR [M]. Beijing: Atomic Energy Press, 255–266 (2007)
2. Li, T.Y., Tian, Y.J., Ren, L.Y., et al.: Analysis of the causes of signal abnormality of RPN in nuclear power plant and the improvement measures. Process Autom. Instrum. 36(11), 45–49 (2015)
3. Wang, Y.-l., Luo, W., Zhu, P., et al.: Design of digital nuclear instrumentation system of Fuqing Phase I NPP. Nucl. Power Eng. 36(2), 73–74 (2015)
4. Zhao, C.-Y., Han, S., Shen, H.Y., et al.: Impact analysis of RPN channel modification for CPR1000+ NPP. Nucl. Sci. Eng. 35(2), 250–253 (2015)
5. Mao, H., Xiong, W.-B., Que, J., et al.: The principle and engineering practice of Ex-core nuclear instrumentation system in nuclear power plant. Nucl. Electron. Detect. Technol. 34(6), 758–762 (2014)
6. Shu, Yi, Tang, Z.-M., Hu, Z.-X.: Discussion of localization of nuclear instrumentation system for CAP series NPP. Process Autom. Instrum. 39(11), 17–26 (2018)
7. U.S. Nuclear Regulatory Commission: RG 1.97 Criteria for accident monitoring instrumentation for nuclear power plants [S]. Revision 4 (2006)
8. Artaud, C.J.: SHIDAOWAN HTR Ex-core neutron flux monitoring systems. In: 7th International Topical Conference on High Temperature Reactor, Weihai (2014)
9. Zhong-ming, T., Wen-hao, H., Shu-cheng, L., et al.: Design conception analysis of ex-core nuclear instrumentation system between AP1000 and VVER1000. Nucl. Electron. Detect. Technol. 34(5), 671–674 (2014)
10. Xu, X.-N., Liu, G.: Improvements of signal side of NIS of AP1000 NPPs. Instrumentation 21(5), 51–54 (2014)
11. Li, T.-Y., Zeng, L., Zhang, R., et al.: Nuclear Instrumentation System and Method For Locating The Same: CN201510772831 [P] (2017)
12. Peng, J., Jin, S.-Q., Cao, D.-M., et al.: Connecting Device and Installation Method of Neutron Flux Meter Outside Nuclear Power Plant: CN201310198756 [P] (2018)
A Safety Level DCS Symbol Execution Test Optimization Method

Yan-Jun Dai (1), Zhi-Qiang Wu (1)(&), Jie Liu (1), Zhi Chen (2), An-Hong Xiao (2), and Hui Zeng (2)

(1) School of Computer Science, University of South China, Hengyang 421000, China, [email protected]
(2) NPIC-LRSDT, Nuclear Power Institute of China, Chengdu 610000, China

Abstract. The nuclear power plant safety-level DCS (Distributed Control System) is the core control system that ensures the normal operation of nuclear reactors, so the reliability of DCS system software is of vital importance. The DCS software performs different signal processing processes, each of which represents a different operating condition and corresponds to a control path in the software system. The safety level DCS provides safety protection for the reactor, and each control path should meet its expected value; efficient testing of these paths is therefore an issue that needs to be studied. Starting from the automated test method based on symbolic execution, this paper designs a constraint optimization method based on special variables of the safety level DCS software system, such as parameter variables and preset variables, which provides a new way to solve the path constraints of DCS software systems efficiently.

Keywords: Nuclear safety level DCS · Constraint optimization · Symbolic execution · Path test
1 Introduction

The widespread use of digital instrumentation technology not only improves the reliability of nuclear power plant reactors, but also saves a great deal of economic cost. As an important part of the digital instrumentation and control system, the reliability of the DCS software system is crucial. The control algorithm model is the core part of the entire DCS control system, and testing is widely used to improve its reliability; comprehensive and in-depth testing technology can therefore improve the reliability of DCS systems. In the research on DCS test technology, the literature [1] clarified the purpose of nuclear power plant DCS testing by introducing software V&V activities and the division of the nuclear power plant software life cycle, and summarized the standard system of digital instrumentation and control software V&V in China; software testing is an important part of that system. In [2], a set of test case generation methods suitable for nuclear power DCS software is designed by combining boundary value analysis, the cause-effect graph method and equivalence class partitioning. In DCS test technology research, two main approaches are considered: black box testing and

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 294–303, 2020. https://doi.org/10.1007/978-981-15-1876-8_30
white box testing. The black box test generates test cases from the requirements description, and the white box test is used to verify the internal logic of the software. The literature [3] designed a simulation plan for the RPS system of Units 5 and 6 of Fuqing Nuclear Power Plant to confirm whether the program meets the requirements. Reference [4] studied test case generation for interfaces such as the input, output and parameters of a single module of Fuqing Units 1 and 2. The research on DCS testing in the above literature falls into two aspects: one is integration testing of the value coverage requirement; the other is enumerating all possible situations for the algorithm module interface. Related studies have not discussed the internal control paths of the DCS. In path-test-related research, automated path testing is an important direction. In [5], compiler technology is applied to automated path testing, and a condition-protocol automatic extraction technique based on compiler technology is combined with optimization and automatic test case generation. The literature [6] automatically generates a model algebraic expression of the program by analyzing the program under test and generates a basic path set from the model algebraic expression; this method addresses the inefficiency of relying on program control flow graphs to generate basic path sets. Reference [7] applied Angr, a system based on dynamic symbolic execution, which loads the binary program under test and converts it into an intermediate language for symbolic traversal. A method of classifying the program under test according to its characteristics is proposed, and the parameter settings during traversal are adjusted to prune the traversal process, thereby alleviating the symbolic execution path explosion problem. The safety level DCS software system is a safety-critical system. Its control algorithm is characterized by few loop structures, a small amount of external interaction, and a clear control path structure, so symbolic execution can achieve higher path coverage with fewer test cases. Based on this, we propose a symbolic-execution path test method for safety-level DCS software systems and a path constraint optimization method based on constant replacement. The organization of this paper is as follows: Sect. 2 describes the symbolic execution technique, Sect. 3 describes the nuclear safety level DCS software system, Sect. 4 describes the DCS software symbolic execution and constraint optimization algorithm, Sect. 5 describes the experiment, and the last section concludes this paper with future work.
2 Symbolic Execution Technique

Symbolic execution replaces the real program variables with abstract symbols (such as x, y, z), expresses the program output as functions of the input symbols, and obtains the execution space of the program by simulating the program semantics. Symbolic execution plays an important role in software testing and program verification. In recent years, symbolic execution has also made breakthroughs in vulnerability mining and software reliability [8]. Symbolic execution was introduced by King et al. [9] in the field of program analysis, and its development has passed through classical symbolic execution [9], dynamic symbolic execution, and selective symbolic execution. Classical symbolic execution replaces concrete input values with abstract symbolic values and represents the actual values of the program as symbolic expressions over them. When the program encounters a branch instruction, it explores the branch and records the branch condition in the program state. After the path condition has been collected, a constraint solver is used to determine whether the path is reachable. If the constraint is unsatisfiable, the path is unreachable and the path analysis ends; otherwise, the path is reachable. The code shown in Fig. 1 uses the above symbolic execution technique to generate six paths and the corresponding path constraints shown in Fig. 2. Dynamic symbolic execution combines the advantages of actual execution and classical symbolic execution, mainly in the two forms of concolic execution [10] and execution-generated testing [11]. The advantage of selective symbolic execution is that it handles external environment interactions, so it is suitable for programs with more external interactions [12]. Constraint solving is the basis of symbolic execution, and large-scale industrial application of symbolic execution is limited by it. Satisfiability modulo theories (SMT) is the basic theory of constraint solving, and it is an NP-complete problem [13]. In order to alleviate the difficulty of solving constraints, there are two main lines of research on constraint optimization: cache solving and constraint elimination. Cache solving caches previously solved constraints and reuses the result when the same constraint structure recurs. Constraint elimination reduces the size of the constraint formula by analyzing the system; constraint independence optimization is based on this idea. Our constraint optimization method uses the preset variables, such as the parameter variables of the DCS software control algorithm, as constants, and reduces the constraint formula to ease the difficulty of solving the constraints.
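The classical symbolic execution just described can be seen end to end on a tiny program. The following executor is an added example written for this page; it is not the paper's Fig. 1 listing (which is not reproduced here) nor part of the authors' SeTool. It walks a constructed branching program over symbolic inputs a, b and c, forks the state at every if, collects the path constraint, and, in place of an SMT solver, brute-forces a small integer domain to decide whether each path is reachable. One of the four paths (the inner branch that contradicts the outer one) is unreachable and is reported as such, which is exactly the pruning the text describes.

```python
"""Classical symbolic execution over a tiny branching program (added example)."""
from itertools import product

# Expression trees: ('var', name) | ('const', int) | ('not', e) | (op, left, right)
def var(name):
    return ('var', name)

def const(value):
    return ('const', value)

def op(symbol, left, right):
    return (symbol, left, right)

def substitute(expr, state):
    """Replace program variables by the symbolic expressions currently held in state."""
    if expr[0] == 'var':
        return state[expr[1]]
    if expr[0] == 'const':
        return expr
    if expr[0] == 'not':
        return ('not', substitute(expr[1], state))
    return (expr[0], substitute(expr[1], state), substitute(expr[2], state))

def evaluate(expr, env):
    """Concrete evaluation of a symbolic expression; stand-in for the SMT solver."""
    if expr[0] == 'var':
        return env[expr[1]]
    if expr[0] == 'const':
        return expr[1]
    if expr[0] == 'not':
        return not evaluate(expr[1], env)
    symbol, left, right = expr
    a, b = evaluate(left, env), evaluate(right, env)
    return {'+': a + b, '-': a - b, '<': a < b, '>': a > b, '==': a == b}[symbol]

def show(expr):
    if expr[0] == 'var':
        return expr[1]
    if expr[0] == 'const':
        return str(expr[1])
    if expr[0] == 'not':
        return 'not(%s)' % show(expr[1])
    return '(%s %s %s)' % (show(expr[1]), expr[0], show(expr[2]))

def _walk(block, state, path, paths):
    """Execute a statement block symbolically, forking the state at every if."""
    for i, stmt in enumerate(block):
        if stmt[0] == 'assign':
            state = dict(state)
            state[stmt[1]] = substitute(stmt[2], state)
        else:  # ('if', cond, then_block, else_block)
            cond = substitute(stmt[1], state)
            rest = list(block[i + 1:])
            _walk(stmt[2] + rest, state, path + [cond], paths)
            _walk(stmt[3] + rest, state, path + [('not', cond)], paths)
            return
    paths.append((path, state))

def symbolic_paths(program, inputs, domain=range(-5, 11)):
    """Enumerate every path, its path constraint, and a witness input when the
    constraint is satisfiable (brute force over a small integer domain)."""
    initial = {name: var(name) for name in inputs}
    paths = []
    _walk(program, initial, [], paths)
    results = []
    for path, state in paths:
        witness = None
        for values in product(domain, repeat=len(inputs)):
            env = dict(zip(inputs, values))
            if all(evaluate(c, env) for c in path):
                witness = env
                break
        results.append({'constraint': [show(c) for c in path],
                        'outputs': {k: show(v) for k, v in state.items() if k not in inputs},
                        'feasible': witness is not None,
                        'witness': witness})
    return results

# Constructed program (ours, not the paper's Fig. 1):
#   r = 0
#   if a < b: r = a + b; if r > 5: q = 1 else: q = 0
#   else:     if b > a: q = 9 else: q = c + 3      <- b > a contradicts not(a < b)
INPUTS = ['a', 'b', 'c']
PROGRAM = [
    ('assign', 'r', const(0)),
    ('if', op('<', var('a'), var('b')),
        [('assign', 'r', op('+', var('a'), var('b'))),
         ('if', op('>', var('r'), const(5)),
             [('assign', 'q', const(1))],
             [('assign', 'q', const(0))])],
        [('if', op('>', var('b'), var('a')),
             [('assign', 'q', const(9))],
             [('assign', 'q', op('+', var('c'), const(3)))])]),
]

if __name__ == '__main__':
    for p in symbolic_paths(PROGRAM, INPUTS):
        print(' and '.join(p['constraint']), '->', p['outputs'],
              'feasible' if p['feasible'] else 'UNREACHABLE')
```

The brute-force domain is only adequate for a toy program; a real executor hands each path constraint to a solver such as Z3, which is what the paper's experiments do.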
func(int a, int b, int c) {
  r = 0; p = 0; q = 0;
  if (a4) {
    if (b + c

For the path constraint (A1 = A2 + A3) ^ (A3 > 5) ^ (A4 < 3), there is no common variable between the formula (A1 = A2 + A3) ^ (A3 > 5) and the formula (A4 < 3); therefore (A1 = A2 + A3) ^ (A3 > 5) and (A4 < 3) can be solved separately. For a path constraint generated by a large system, decomposing the large constraint formula into small constraint formulas can greatly improve the speed of constraint solving. However, the constraint formulas (A1 = A2 + A3) and (A3 > 5) share the variable A3, so they cannot be solved independently.

(2) Parameter variable elimination. The parameter variables of the DCS software system determine the working mode of the algorithm block, and the working modes can be enumerated. The model of a typical algorithm block is shown in Fig. 6, where I is the input variable, P is the parameter variable, and O is the output variable. Let C(I, P, O) be the constraint formula for the module. If P = {0, 1} are the two operating modes of the algorithm block, the constraint formula after constant replacement is C1(I, P = 0, O) _ C1(I, P = 1, O). For example, for P + A + B > C ^ P < D, the general SMT solution method treats P + A + B > C and P < D as two constraint formulas. If P = 1, only 1 + A + B > C needs to be processed. Similarly, if P = 0, only A + B > C is processed. The statistics of related parameters are shown in Table 1.

Table 1. Partial algorithm block parameters

Algorithm | Number of parameters | Example
DFT | 1 | DFTL
FBY | 1 | INT
CNV | 4 | IMIN/IMAX
LIM | 2 | LL/UL
MRC | 6 | OMIN/OMAX
THC | 2 | SVAL/HYST
FI1 | 2 | G/T1

(3) Preset variable constants. The existence of a constraint on an input variable allows some of its values to be preset. An algorithm block of the DCS software system is a package of separate signal processing functions, and when designing signal processing algorithms the range of values of variables is often limited. If the threshold T set by the alarm device takes its value from {90, 120, 150}, the variable T can be replaced with one of these three values.

(4) Constraint optimization algorithm. Record the path constraint generated by symbolic execution of the DCS software system as S, where Fi is each sub-formula in the constraint, i.e. S = F1 ^ F2 ^ … ^ Fn (n is the number of sub-formulas); CFi is the number of elements in Fi (if Fi = x + y > 3 contains two variables x and y and a constant, then CFi = 3), and Fij is the j-th element of the i-th sub-formula. Let the optimized path constraint be S’, P be the set of parameter variables in the constraint S, CP the number of its elements, Pi its elements, Mi
the set of enumerated values of each parameter in P, CMi the number of enumerated values in the set Mi, and Mij each element of the set Mi. Let T be the set of preset variables of S in the path constraint, CT the number of its elements, Ti its elements, Ni the set of enumerated values of each preset variable in S, Nij each element of the set Ni, and CNi the number of enumerated values in the set Ni. The optimization algorithm is shown in Algorithm 1:

Algorithm 1: Constraint Optimization Algorithm
Input: S, P, T
Output: S’
1. FOR i = 1 → N            // loop 1…N
2.   FOR j = 1 → CFi        // loop 1…CFi
3.     FOR s = 1 → CP       // loop 1…CP
4.       t = RAND(CMs)      // random enum
5.       IF Fij IS Ps       // is parameter
6.         Fij = Mst        // replace parameter
7.     FOR s = 1 → CT       // loop 1…CT
8.       t = RAND(CNs)      // random enum
9.       IF Fij IS Ts       // is preset variable
10.        Fij = Nst        // replace preset constant

Algorithm 1 expresses the process of optimizing the path constraints generated by symbolic execution of DCS software. In order to improve the solvability of the constraint formula, the replacement value of each constraint variable is selected at random. In the second row, the size of each sub-formula Fi is CFi, so the total work is Σ(i = 1…n) CFi; when each formula contains only one element the time complexity is O(N), and with M = max(CF1, …, CFN, CT1, …, CTN) the time complexity is O(NM). The random selection in the fourth line is a common routine, and its time complexity is recorded as O(RAND(CMs)). Since Algorithm 1 replaces some variables in the constraint with constants, there are two possible effects: first, when the only variables shared by two sub-formulas are the parameter P and the preset variable T, replacing them with constants makes the two sub-formulas independent, and they can be optimized with the constraint independence algorithm; second, when the two sub-formulas still share other variables after the replacement, the number of variables in the constraint is reduced relative to the original, reducing the size of the formula.

(5) Processing flow. The optimization operates on the constraint formula. The source code of the DCS software system is first symbolically executed to collect the path constraints, and then the constraint optimization algorithm is applied to replace the parameter variables and preset variables with constants. The constant-replaced path constraints are solved using SMT. If they cannot be solved, SMT is used to solve the unreplaced constraint formula directly. The related optimization process is shown in Fig. 7.
5 Experiment

The experimental environment: the processor is an Intel Xeon E5 (1 core, 2 GB), and the operating system is Ubuntu 16.04.4. Our symbolic execution tool SeTool combines KLEE with Z3 [16], and the CVC4 solver is selected for comparison. Four functional modules were selected for the experiment, and from them four longer constraint formulas were selected, numbered M1–M4. The optimization time comparison is shown in Table 2, the satisfiability of the constraint formulas is shown in Table 3, and the time comparison is plotted in Fig. 8.

Table 2. Optimization time comparison

M | CVC4 (ms) | Z3 (ms) | CVC4-P (ms) | Z3-P (ms)
M1 | 48 | 36 | 40 | 30
M2 | 81 | 65 | 63 | 46
M3 | 93 | 78 | 72 | 61
M4 | 121 | 97 | 93 | 81

Table 3. Constraint formula satisfiability

M | CVC4 | Z3 | CVC4-P | Z3-P
M1 | sat | sat | sat | sat
M2 | sat | sat | sat | sat
M3 | sat | sat | sat | sat
M4 | sat | sat | sat | sat

Fig. 8. Solving time comparison
The constraint satisfiability after optimization is shown in Table 3. It can be seen from Table 2 that without constraint optimization M1 consumes 48 ms with CVC4 and 36 ms with Z3, and M4 consumes 121 ms with CVC4 and 97 ms with Z3. After the optimization algorithm is applied to M1, CVC4 solves it in 40 ms and Z3 in 30 ms, reducing the average solution time by 17.50%. For the long constraint M4, the optimized times are 93 ms and 81 ms respectively, and the solution time is reduced by 20.18%. The average solution time for M1–M4 is reduced by 21.31%. The safety level DCS is developed according to a strict formal method, and the Scade synchronous data flow model ensures the correctness of the control algorithm model, so the solvability of the constraint is guaranteed after constant substitution. Constant substitution simplifies the constraint formula and speeds up the solution.
6 Summary

This paper first discusses the importance of path testing for nuclear safety level DCS software systems, then discusses the symbolic execution static analysis method for DCS software systems, and designs a constraint optimization method based on parameter and preset variable substitution. The experiments verify the optimization effect, providing a new idea for efficient path testing of DCS software.
References

1. Analysis of the standard system for software verification and validation of digital control system in nuclear power plant. Process Autom. Instrum. (2017)
2. Binhao, J., Jiaping, W.U., Jin, Y., et al.: Test case design of NPP DCS engineering application software. Energy Res. Manag. (2014)
3. Integration test method for application software of reactor protection system. Nucl. Electron. Detect. Technol. (2017)
4. Zhan, Xu, Danyang, Xia: Software integration test for DCS safety related system of nuclear power plant [J]. Autom. Panor. 6, 103–105 (2015)
5. Jing, S.U.N., Shuo, L.I., Huiqun, Z.H.A.O.: Research on automatic generation of basic path test cases. CEA 54(20), 48–53 (2018)
6. Hui-Qun, Z., Fei, L.U.: Automatic generation of basis path set based on model algebra. Comput. Sci. (2017)
7. Analysis and optimization of Angr in dynamic software test application. Comput. Eng. Sci. 40(S1), 167–172
8. Edalat, E., Sadeghiyan, B., Ghassemi, F.: ConsiDroid: a concolic-based tool for detecting SQL injection vulnerability in android apps (2018)
9. King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)
10. Alston, A.: Concolic execution as a general method of determining local malware signatures (2017)
11. Kouwe, E.V.D., Giuffrida, C., Tanenbaum, A.S.: Finding fault with fault injection: an empirical exploration of distortion in fault injection experiments. Softw. Qual. J. 24(1), 7–36 (2016)
12. Zuo, C., Lin, Z.: SMARTGEN: exposing server URLs of mobile apps with selective symbolic execution. In: International Conference on World Wide Web (2017)
13. Robere, R., Kolokolova, A., Ganesh, V.: The proof complexity of SMT solvers (2018)
14. Cadar, C., Koushik: Symbolic execution for software testing: three decades later. Commun. ACM 56(2), 82–90 (2013)
15. Martin, A., Raponi, S., Combe, T., et al.: Docker ecosystem: vulnerability analysis. Comput. Commun. (2018)
16. Moura, L.D., Bjørner, N.: Z3: An efficient SMT solver (2008)
Application Research of Fault Diagnosis in Conventional Island of Nuclear Power Plant Based on Support Vector Machine

Heng Li, Nian-Wu Lan (&), and Xin-nian Huang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, Guangdong, China, [email protected]

Abstract. From the historical data of a pump device in the conventional island of a certain nuclear power plant, the dataset used for machine learning is selected and labelled according to whether the device is faulty. The dataset is then divided into a training set and a test set. Relying on the powerful machine learning libraries of the Python language, the support vector machine model is constructed by programming. After selecting an appropriate kernel function and hyperparameters, the fault diagnosis accuracy of the support vector machine model on the test set reaches a high level. The generalization ability of the model is strong, which shows that the model can be used as an auxiliary means of fault diagnosis in the conventional island of a nuclear power plant.

Keywords: Support vector machine · Machine learning · Nuclear power plant conventional island · Fault diagnosis

1 Introduction

In recent years, machine learning algorithms have become more and more widely used in various industrial fields, and their role in optimizing decision-making and assisting judgment has become increasingly prominent. The systems in the conventional island of a nuclear power plant (hereafter NPP) are multi-level structural systems, and the relations between subsystems may be uncertain. Functionally, there is no strict quantitative or causal relationship between the inputs and outputs of the systems. Therefore, there is no simple one-to-one relationship between the failure of a device and its premonitory factors, but a more complex, mutually coupled nonlinear relationship [1]. In actual device fault detection, equipment fault data are relatively difficult to collect, and the training data available to a machine learning algorithm are relatively scarce, so general diagnosis methods have difficulty with such small data volumes. The Support Vector Machine (SVM) is a machine learning algorithm based on statistical learning theory for small learning samples.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 304–312, 2020. https://doi.org/10.1007/978-981-15-1876-8_31
Application Research of Fault Diagnosis in Conventional Island
305
Because of its principle of minimizing structural risk and balancing training error and generalization ability, SVM has its inherent advantages in solving small samples and nonlinear problems.
2 Establishment of Dataset
The devices in the conventional island of an NPP are equipped with a large number of sensors that generate rich operational data. From the historical database, the fault-related data of the devices are selected and separated into a training set and a test set. The target of the fault diagnosis problem is to determine "whether the device is faulty", hence fault diagnosis is a typical binary classification problem within the scope of supervised learning. The characteristic factors affecting the target value may be sensor signals, such as pipe pressure before and after the pump, medium temperature, motor bearing temperature, motor bearing vibration, etc. [2]. Because the relationship between equipment failure and sensor readings is complex, the correlation between a failure and any one sensor is uncertain. To increase the accuracy of the SVM model, fault characteristic data are collected as widely as is reasonable. Although it is possible that a feature, i.e. a sensor, is not related to the target value (whether the device is faulty), the machine learning algorithm is able to distinguish the correlation of each feature with the target value. When establishing a dataset, based on a physical analysis of the fault factors, the set of sensors can be reasonably expanded to make the training result more accurate.
40 historical operation records of a certain pump are selected as the training set, 20 of which are fault data and 20 normal data. In addition, 18 sensors are selected as the characteristic factors. The training set is therefore a (40, 18) two-dimensional sample space. The feature vector space has 18 dimensions, labelled var_0 to var_17. The target value indicates whether the device is faulty: 1 means a fault has occurred and 0 means no fault has occurred. A part of the training set is shown in Fig. 1.
Fig. 1. A part of the training dataset
The test set is a (40, 18) two-dimensional matrix with the same feature space as the training set, labelled var_0 to var_17. The test dataset takes no part in training the SVM model; instead it is used to test the generalization ability of the model. A part of the test dataset is shown in Fig. 2.
Fig. 2. A part of the test dataset
The unit of each feature has been removed from both the training and the test dataset, and each feature has been standardized to a common mean and variance. The purpose is to prevent the loss function of the model from converging slowly during training because some features take excessively large values. At the same time the features obtain a better statistical distribution.
3 Establishment of SVM Model
3.1 Theory and Mathematical Model
The support vector machine (SVM) is a machine learning algorithm based on statistical learning theory that performs data classification by supervised learning. It can deal with linear classification problems and can also perform nonlinear classification through the choice of a kernel function; it is one of the most common kernel learning methods [3]. Support vector machines have many advantages and can address typical machine learning problems such as nonlinearity, local minima and over-fitting. The main features of the algorithm are as follows:
a. The optimal hyperplane. The margin between the optimal hyperplane and the nearest feature points of each category is the largest, which ensures that the model has a smaller generalization error. Constructing the optimal hyperplane is equivalent to solving for the global optimum, which is the key idea of the support vector machine.
b. Ability to process nonlinear problems. Real datasets are almost always nonlinear. When the support vector machine deals with a nonlinear problem, the sample space is mapped to a higher-dimensional feature space and the optimal hyperplane is solved in that feature space. By selecting a suitable nonlinear kernel function, explicit computation in the high-dimensional space is avoided and the computational complexity is not increased.
3.2 Mathematical Expression
Suppose that the sample space of the training set has m points:

$(x_1, y_1), (x_2, y_2), \dots, (x_m, y_m)$ (1)

where $x_i$ is the feature vector of each point and the label $y_i$ is 0 or 1. Any hyperplane can be written as

$\omega \cdot x + b = 0$ (2)

For the SVM classification algorithm, the loss function is used to estimate the error between the predicted and the actual target value. Its form is [4]:

$\min \; \frac{1}{2}\|\omega\|^2 + C \sum_{i=1}^{m} \xi_i$ (3)

$\text{s.t.} \quad y_i(\omega \cdot x_i + b) \ge 1 - \xi_i, \quad \xi_i \ge 0 \quad (i = 1, 2, \dots, m)$

where $\xi_i$ is the relaxation (slack) coefficient of the i-th sample and C is the penalty coefficient. Introducing Lagrange multipliers, the dual form is

$\min \; \frac{1}{2} \sum_{i=1}^{m} \sum_{j=1}^{m} \alpha_i \alpha_j y_i y_j K(x_i, x_j) - \sum_{i=1}^{m} \alpha_i$ (4)

$\text{s.t.} \quad \sum_{i=1}^{m} \alpha_i y_i = 0, \quad 0 \le \alpha_i \le C$

where $\alpha_i$ are the Lagrange multipliers and $K(x_i, x_j)$ is the kernel function. After selecting an appropriate kernel function and hyperparameters, the initial parameters of the model are optimized iteratively; the loss function converges to its global minimum, and the optimal hyperplane is obtained. The optimal hyperplane separates the different categories of the training set well, and the minimum distance from it to each class in the sample space is maximized.
3.3 Programming Language Python
Python is a simple but robust programming language whose underlying implementation is written in C [5]. Python is extensible and can call many convenient scientific computing APIs, such as NumPy, SciPy, scikit-learn, pandas and Matplotlib [6]. More and more research institutions use Python for scientific computation. IPython [7] is chosen as the working environment; it runs code in blocks and displays results conveniently. The IPython interface is shown below (Fig. 3):
Fig. 3. IPython compiler interface
3.4 SVM Model
In the scikit-learn package, the main parameters of the support vector classifier are as follows:
SVC(C=1.0, kernel='rbf', degree=3, gamma='auto', coef0=0.0, shrinking=True, probability=False, tol=0.001, cache_size=200, class_weight=None, verbose=False, max_iter=-1, decision_function_shape='ovr', random_state=None)
Some of the parameters are described in Table 1.
Table 1. Parameters in SVM model.
Parameter | Description
C         | Default value 1.0; the penalty parameter of the error term
kernel    | Default value 'rbf', the Gaussian kernel function
gamma     | Default value 'auto', i.e. 1 divided by the number of sample features; hyperparameter of the Gaussian kernel function
tol       | Default value 0.001; the tolerance of the stopping criterion
3.5 Kernel Function Selection
In the scikit-learn library there are four kinds of built-in kernel function for the support vector machine model.
The linear kernel is $K(x, z) = x \cdot z$, the inner product of the vectors.
The polynomial kernel is one of the commonly used kernel functions for linearly inseparable problems. Its expression is $K(x, z) = (\gamma\, x \cdot z + r)^d$, where γ, r and d are all hyperparameters that need tuning.
The Gaussian kernel, also called the radial basis function (RBF) in SVM, is $K(x, z) = \exp(-\gamma \|x - z\|^2)$, where γ is a hyperparameter greater than 0 that needs tuning. It is the default kernel function of the scikit-learn model.
The sigmoid kernel is also commonly used for linearly inseparable problems. Its expression is $K(x, z) = \tanh(\gamma\, x \cdot z + r)$, where the hyperparameters γ and r are to be tuned.
In general, the Gaussian kernel function is the better choice for nonlinear classification problems. In this classification problem the relationship between the target value and each sensor is nonlinear, so the Gaussian kernel function is used, i.e. the kernel parameter of the model is 'rbf'.
3.6 Parameters Tuning and Prediction
There are two key hyperparameters in the SVM model that need to be tuned, namely the penalty coefficient C and the coefficient γ of the Gaussian kernel function. The main role of the penalty coefficient C in the loss function is to balance the complexity of the support vectors against misclassification; it can be understood as a regularization coefficient. When C is large, the loss function is larger, which means that the model is biased towards accounting for outlier data: the support vectors and the hyperplane become more complex, and the model is more likely to overfit. Conversely, when C is small, the model tends to give up on outlier data, and the support vectors and the hyperplane will be simpler [8]. The default value in scikit-learn is 1. The coefficient γ of the Gaussian kernel function $K(x, z) = \exp(-\gamma \|x - z\|^2)$ mainly defines the influence of a single sample on the entire classification hyperplane. For a small γ, the influence of a single sample on the classification hyperplane is smaller and a single sample is not easily selected as a support vector. Conversely, for a large γ, a single sample is more easily selected as a support vector, and the number of support vectors increases. The default value in scikit-learn is 1 divided by the number of sample features. To prevent overfitting, the generalization ability of the SVM model is evaluated on the test set. The test set also contains the target value information, but it is not used during training. The model learns and optimizes its internal parameters on the training set and the accuracy of its predictions is evaluated on the test set. If the accuracies on the test set and the training set are similar, the model shows good generalization ability; if the test set error is much larger than the training set error, the model is overfitting and the parameters need to be optimized. The Python code for the SVM parameter tuning and its output are shown below (Fig. 4):
Fig. 4. Parameter tuning code and output
After running the Python code, the SVM model optimizes its built-in parameters on the training set and outputs predictions on the test set. When C is chosen as 100 and γ as 0.001, the highest prediction accuracy on the test set is obtained (Table 2).
Table 2. Best hyperparameters and prediction accuracy
C   | γ     | Fault prediction accuracy
100 | 0.001 | 72.5%
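As an added worked example (not code from the paper), the following script puts the standardization of Section 2, the kernels of Section 3.5 and the C/γ tuning of Section 3.6 into one runnable piece. In place of scikit-learn's SVC it uses a simplified SMO solver written here, so that it runs without that library; the four pump sensors, their nominal values, the fault patterns and the grid of C and γ values are constructed assumptions, not plant data or the paper's settings. It goes beyond the single (C, γ) result in Table 2 by scoring a whole grid on a held-out test set, which is the overfitting check the paper describes.

```python
"""Kernel SVM with a simplified SMO solver, in pure Python so it runs without scikit-learn.
Added example: the solver stands in for sklearn's SVC and the pump data is constructed."""
import math

# Section 3.5: two of the kernels, written out explicitly (gamma is sklearn's name).
def linear_kernel(x, z, **_):            # K(x, z) = x . z
    return sum(a * b for a, b in zip(x, z))
def rbf_kernel(x, z, gamma=1.0, **_):    # K(x, z) = exp(-gamma ||x - z||^2)
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, z)))

# Section 2: strip units by standardising each feature to zero mean and unit variance.
def fit_scaler(rows):
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return means, stds
def transform(rows, means, stds):
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in rows]

# Eq. (3)/(4): soft-margin SVM solved in the dual by a simplified SMO (Platt-style pair updates).
class KernelSVM:
    def __init__(self, C=1.0, kernel=rbf_kernel, tol=1e-3, max_passes=3, **kparams):
        self.C, self.kernel, self.tol, self.max_passes, self.kparams = C, kernel, tol, max_passes, kparams

    def fit(self, X, targets):
        m = len(X)
        y = [1 if t == 1 else -1 for t in targets]       # faulty -> +1, normal -> -1
        K = [[self.kernel(xi, xj, **self.kparams) for xj in X] for xi in X]
        a, b = [0.0] * m, 0.0
        def errors():    # E_k = f(x_k) - y_k for every training point
            return [sum(a[j] * y[j] * K[j][k] for j in range(m)) + b - y[k] for k in range(m)]
        def take_step(i, j, E):   # joint update of alpha_i, alpha_j under the box and sum constraints
            nonlocal b
            if y[i] != y[j]:
                L, H = max(0.0, a[j] - a[i]), min(self.C, self.C + a[j] - a[i])
            else:
                L, H = max(0.0, a[i] + a[j] - self.C), min(self.C, a[i] + a[j])
            eta = 2 * K[i][j] - K[i][i] - K[j][j]
            if L == H or eta >= 0:
                return False
            ai_old, aj_old = a[i], a[j]
            aj = min(H, max(L, aj_old - y[j] * (E[i] - E[j]) / eta))
            if abs(aj - aj_old) < 1e-5:
                return False
            a[j], a[i] = aj, ai_old + y[i] * y[j] * (aj_old - aj)
            b1 = b - E[i] - y[i] * (a[i] - ai_old) * K[i][i] - y[j] * (aj - aj_old) * K[i][j]
            b2 = b - E[j] - y[i] * (a[i] - ai_old) * K[i][j] - y[j] * (aj - aj_old) * K[j][j]
            b = b1 if 0 < a[i] < self.C else b2 if 0 < aj < self.C else (b1 + b2) / 2
            return True
        passes, sweeps = 0, 0
        while passes < self.max_passes and sweeps < 100:   # hard cap guarantees termination
            sweeps, changed = sweeps + 1, 0
            for i in range(m):
                E = errors()
                r = y[i] * E[i]
                if not ((r < -self.tol and a[i] < self.C) or (r > self.tol and a[i] > 0)):
                    continue     # alpha_i already satisfies the KKT conditions
                # second-choice heuristic: try partners with the largest |E_i - E_j| first
                for j in sorted((k for k in range(m) if k != i), key=lambda k: -abs(E[i] - E[k])):
                    if take_step(i, j, E):
                        changed += 1
                        break
            passes = passes + 1 if changed == 0 else 0
        self.X, self.y, self.alpha, self.b = X, y, a, b
        self.support_ = [i for i in range(m) if a[i] > 1e-8]
        return self

    def predict(self, X):
        return [1 if sum(self.alpha[i] * self.y[i] * self.kernel(self.X[i], x, **self.kparams)
                         for i in self.support_) + self.b >= 0 else 0 for x in X]

def accuracy(model, X, targets):
    return sum(p == t for p, t in zip(model.predict(X), targets)) / len(targets)

# Section 3.6: grid search over C and gamma, scored on the held-out test set.
def tune(X_train, y_train, X_test, y_test, Cs=(1, 10, 100), gammas=(0.01, 0.1, 1.0)):
    means, stds = fit_scaler(X_train)        # scaler fitted on the training data only
    Xtr, Xte = transform(X_train, means, stds), transform(X_test, means, stds)
    results = {}
    for C in Cs:
        for g in gammas:
            model = KernelSVM(C=C, gamma=g).fit(Xtr, y_train)
            results[(C, g)] = (accuracy(model, Xtr, y_train), accuracy(model, Xte, y_test))
    return max(results, key=lambda k: results[k][1]), results

# Constructed pump readings (not plant data): suction pressure [bar], discharge pressure [bar],
# bearing temperature [C], bearing vibration [mm/s].  A fault drives one sensor far off nominal.
NOMINAL, SPREAD, STEP = [2.0, 12.0, 55.0, 1.5], [0.05, 0.3, 1.0, 0.1], [0.8, 4.0, 15.0, 2.0]
PATTERNS = [(0, 1), (0, -1), (1, 1), (1, -1), (2, 1), (3, 1)]     # (sensor, direction) of a fault
def reading(d=0.0, fault=None, severity=1.0):
    row = [n + d * s for n, s in zip(NOMINAL, SPREAD)]            # normal scatter of size d
    if fault:
        row[fault[0]] += fault[1] * severity * STEP[fault[0]]
    return row
def dataset(scatter, severity):      # 8 normal readings + 8 faults (6 patterns, 2 more severe)
    X = ([reading(d) for d in scatter] + [reading(fault=p, severity=severity) for p in PATTERNS]
         + [reading(fault=p, severity=1.5 * severity) for p in PATTERNS[-2:]])
    return X, [0] * len(scatter) + [1] * 8
X_TRAIN, Y_TRAIN = dataset((-1, -0.5, 0, 0.5, 1, -0.75, 0.25, 0.75), 1.0)
X_TEST, Y_TEST = dataset((-0.9, -0.4, 0.1, 0.6, 0.9, -0.2, 0.3, 0.8), 1.2)
```

Calling `tune(X_TRAIN, Y_TRAIN, X_TEST, Y_TEST)` returns the best (C, γ) pair and, for every pair, the training and test accuracy; a pair whose training accuracy is far above its test accuracy is the overfitting case the section warns about. The scaler is fitted on the training set only, so no information about the test set leaks into the model.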
3.7 Result Analysis
The test set has 20 fault samples and 20 non-fault samples, so the ratio of fault to non-fault samples in the test set is 1:1. Without any algorithm, the expected accuracy of random prediction is 50%. Using the SVM algorithm, after tuning and choosing the best hyperparameters, the SVM model learned from the training set and its prediction accuracy on the test set reached 72.5%. Compared with random prediction, the model has clearly learned the fault characteristics in the training set, and its prediction accuracy is much larger than 50%: the fault prediction accuracy is increased by 45%, from 50% to 72.5%. Even though the accuracy of the SVM model has reached 72.5%, this is not a very high level. The result may be related to the number of fault samples: the sample size is small because fault data are difficult to collect, so the fault characteristics of the samples are less likely to be learned by the SVM model (Fig. 5).
Fig. 5. Comparison of prediction accuracy
4 Summary and Discussion
The SVM model has a high accuracy of fault diagnosis and shows good generalization ability, which validates its application to the fault diagnosis of conventional island devices. The SVM model can be used by maintenance personnel as an auxiliary means of monitoring equipment failure: the actual online data are used as inputs to the SVM model and its output is the fault prediction, which helps maintenance personnel recognize a fault earlier and take measures to avoid its occurrence.
References
1. Xu, J., Chen, W., Tang, Y.: Study on fault diagnosis in nuclear power plant based on rough sets and support vector machine. Nucl. Power Eng. 30(4), 52–54 (2009)
2. He, Y., Pu, J., et al.: Devices and Systems of 900 MW PWR. Nuclear Energy Press (2004)
3. Zhou, Z.: Machine Learning. Tsinghua University Press, Beijing (2016)
4. Xia, H., Du, X., Zhang, N.: Study on fault diagnosis technology based on support vector machine. Prog. Rep. China Nucl. Sci. Technol. 1, 1068–1076 (2009)
5. Chun, W.J.: Core Python Programming, 2nd edn. Posts & Telecommunication Press (2007)
6. Scipy Lecture Notes (2019). http://www.scipy-lectures.org. Accessed 8 Jan 2019
7. IPython Interactive Computing (2019). http://ipython.org. Accessed 8 Jan 2019
8. Using SVMs with sklearn (2019). http://martin-thoma.com/svm-with-sklearn. Accessed 8 Jan 2019
Software Verification and Validation of Digital Nuclear Instrumentation System
Mi Zhang (1), Ju-Zhi Wang (2, corresponding author), Wei-Jie Huang (1), and Bing-Chen Huang (1)
(1) Nuclear and Radiation Safety Centre, Ministry of Ecology and Environment of the People’s Republic of China, Beijing 100082, China
(2) Wuhan Second Ship Design and Research Institute, Wuhan 430064, China
[email protected]
Abstract. With the popularity of digital electronic instruments, more and more attention is paid to the quality of safety-related software. RPN (the nuclear instrumentation system) is a class 1E protection system. RPN is designed to provide a snapshot of neutron activity within the reactor core throughout all operational phases, from start-up to full power and post-accident situations. In order to verify the reliability of the software of the digital RPN, software verification and validation activities are carried out according to HAD102/16-2004 and IEC 60880-2006. The activities include compiling the software verification and validation plan, determining the software lifecycle model, verifying the system specification, verifying the software requirements, verifying the software design, analyzing the code rules, carrying out software unit tests, carrying out software integration tests and carrying out validation tests. This work shows that the reliability of the RPN software meets the requirements of HAD102/16-2004 and IEC 60880-2006, and that its performance meets the requirements of the technical specifications.
Keywords: Nuclear instrumentation system · Nuclear safety-related software · Software verification and validation
1 Introduction
As the generally used fuel energy resources are being consumed rapidly, introducing new types of clean and efficient energy resources is desirable. Nuclear energy, as a safe and clean energy, has been developed in many countries of the world. There are fifty-seven nuclear power units in China, applying nuclear energy as an important part of its energy resources. Recently, nuclear safety-related electronic instruments based on digital technology have been used instead of traditional instruments based on analog technology, and the nuclear instrumentation system (RPN) is a typical case. RPN is used for neutron flux rate monitoring in the reactor core from start-up to 200% full power operation. It measures the neutron flux rate by placing a series of neutron detection systems around the reactor. Besides, it monitors the change of reactor power as well as the axial power deviation, and uploads the measured data and alarm signals to the upper-level system. The structure of RPN is shown in Fig. 1: the system is composed of eight detectors near the pressure vessel outside the reactor and four nuclear protection cabinets. These instruments are classified as 1E-level nuclear safety-related instruments. The reliability of the nuclear safety-related software, as an important component of the digital RPN, is a significant factor in ensuring the safe operation of nuclear power plants, and verification and validation (V&V) is an important procedure for software reliability. This work illustrates the detailed software lifecycle model of RPN according to the verification and validation plan, introduces the main V&V work in each stage of the software lifecycle model, and then provides the results of V&V.
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 313–321, 2020. https://doi.org/10.1007/978-981-15-1876-8_32
Fig. 1. RPN structure schematic drawing
2 The Software Lifecycle Model
The requirements on technology and quality assurance for the design of nuclear safety-related digital electronic instruments and for software V&V are provided in the nuclear safety laws of China [1–5]. The main standards for nuclear safety-related software V&V are IEC 60880 [6], NB/T 20054 [7] and IEEE 1012 [8], where NB/T 20054 is a modified version of IEC 60880 and their V&V operations and process are the same. The V&V work on the digital RPN is carried out mainly according to the requirements of the nuclear safety laws HAF003, HAF102 and HAD102/16 and the standard IEC 60880-2006. An independent software V&V team has been founded and software V&V plans have been established in the RPN project. The plans mainly contain: (1) the standards of the V&V work; (2) the safety level of the software; (3) the software lifecycle model; (4) the schedule of the project; (5) the organizational structure; (6) the tools and technical methods of V&V.
Based on the requirements of the nuclear power plant specification, the RPN software is classified as nuclear category A software and its lifecycle model is presented in Fig. 2. As shown in the software lifecycle model, the software V&V work mainly consists of the following seven periods:
(1) Verification of the RPN equipment specification, verifying the consistency between the RPN equipment specification and the nuclear power plant specification;
(2) Verification of the software requirements specification, verifying its conformity with the standards as well as with the RPN equipment specification;
(3) Verification of the software design specification, verifying its conformity with the standards as well as with the software requirements specification;
(4) Verification of the software code, verifying its conformity with the standards as well as with the software design specification;
(5) Unit test, testing the functions and coverage of the software unit modules and verifying the consistency between the software unit modules and the software module design;
(6) Integration test, verifying whether all the modules operate together correctly based on the software design specification and whether they operate as expected, as well as the compatibility of software and hardware;
(7) Validation test, verifying whether the software fulfils the functional and performance requirements of the software requirements specification.
Fig. 2. RPN software lifecycle model
3 The Tasks of Software V&V in Different Stages
According to the RPN software verification and validation plan and the software lifecycle model, the software V&V team carried out seven stages of work. The main work of each stage is described in detail below.
3.1 Verification of RPN Equipment Specification
The purpose of verifying the equipment specification is to verify the rationality of the equipment specification and whether the technical requirements in it cover the corresponding technical requirements of the nuclear power plant specification. Document evaluation and traceability analysis are carried out.
Document evaluation. The RPN equipment specification is compiled according to the technical requirements of the nuclear power plant specification with reference to the relevant industry standards. It should be clearly organized into chapters, clearly ordered and operable, and meet the requirements of readability, rigor, traceability, verifiability and modifiability.
Traceability analysis. Traceability analysis is divided into two processes, forward and reverse, for which forward and reverse matrices are established. Forward traceability analysis verifies that the requirements of the nuclear power plant specification are correctly reflected in the RPN equipment specification, and gives the corresponding conformity conclusions. Reverse traceability analysis verifies whether each requirement in the RPN equipment specification can be traced to a corresponding requirement in the nuclear power plant specification or a related standard, and gives the corresponding conformity conclusions.
Analysis results. The requirements of the nuclear power plant specification are met in the RPN equipment specification. At the same time, the functional requirements of the RPN equipment specification fully cover the requirements of the nuclear power plant specification, and some technical indicators are better than the plant specification requires. In addition, according to the requirements of the relevant standards, a number of parameters needed for the identification test have been added to the RPN equipment specification.
3.2 Verification of Software Requirements Specification and Design Specification
Although the verification of the software requirements specification and of the design specification are two stages of work, their working methods are the same. Both consist of three activities: standard conformity evaluation of the documents, interface analysis against the upstream documents, and traceability analysis. To avoid duplicate description they are combined here. The upstream file of the software requirements specification is the equipment specification, and the upstream file of the software design specification is the software requirements specification.
Standard conformity evaluation. Chapter 6 of IEC 60880-2006 stipulates that the software requirements specification should include the following elements: software functions, software working modes and the corresponding transition conditions, interfaces and interaction between the software and its environment, software parameters that can be manually modified during operation, software performance, requirements or assumptions related to the software environment, constraints between software and hardware, self-supervision requirements, periodic testing, human-computer interaction and so on. Chapter 7 of IEC 60880-2006 stipulates the following requirements for software design and implementation: self-supervision, module decomposition, techniques that should be avoided, top-down approach, coding languages, algorithms, data structures, functions, interfaces, constraint conditions, traceability, maintainability, readability, modifiability, testability, compilation tools, test tools and so on. The software V&V team analyzes and evaluates the software requirements specification and the design specification against Chaps. 6 and 7 of IEC 60880-2006. On the basis of the analysis and evaluation results, the software development team modifies the two specifications to ensure that they fulfil all of the requirements of IEC 60880-2006.
Interface analysis. Interface analysis checks the consistency of the interface definitions in the upstream and downstream files using forms and matrices, to ensure that: (1) the interfaces specified by the downstream files cover all the interfaces specified by the upstream files; (2) the downstream files do not specify any interface other than those specified by the upstream files; (3) the interface name, direction, type and range are exactly the same in the upstream and downstream files.
Traceability analysis. The forward traceability analysis verifies that the functional and performance indicators specified by the upstream files are correctly expressed in the downstream files, and gives a conclusion of conformity. The reverse traceability analysis verifies that the basis of the functional and performance indicators specified by the downstream files can be found in the upstream files, and gives a conclusion of conformity. The traceability analysis ensures that interfaces, functions, performance, software faults, hardware faults and self-supervision are consistent between the upstream and downstream files.
Analysis results. After standard conformity evaluation, interface analysis and traceability analysis, the software requirements are consistent between the upstream and downstream files, the software requirements specification meets the requirements of Chap. 6 of IEC 60880-2006 and the design specification meets the requirements of Chap. 7 of IEC 60880-2006.
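As an added example (not from the paper or the RPN project) of the forward and reverse traceability analysis and the three interface checks described above, the following Python script builds both trace directions from a set of identifiers and reports every gap as a conformity finding. The equipment-specification and software-requirement identifiers (ES-xx, SRS-xx), their texts, the trace matrix and the interface definitions are constructed for illustration.

```python
"""Forward/reverse traceability and interface consistency checks of the kind applied in
Sects. 3.1-3.2.  Added example; the requirement and interface identifiers are constructed."""
from collections import namedtuple

# One interface as a specification states it: name, direction, data type, value range.
Interface = namedtuple("Interface", "name direction type range")

def forward_gaps(upstream, links):
    """Upstream requirements that no downstream requirement traces back to."""
    covered = {up for up, _ in links}
    return sorted(r for r in upstream if r not in covered)

def reverse_gaps(downstream, links):
    """Downstream requirements whose basis cannot be found in the upstream file."""
    justified = {down for _, down in links}
    return sorted(r for r in downstream if r not in justified)

def dangling_links(upstream, downstream, links):
    """Trace-matrix entries that name an identifier absent from either file."""
    return sorted(l for l in links if l[0] not in upstream or l[1] not in downstream)

def interface_findings(up_ifaces, down_ifaces):
    """The three interface checks: every upstream interface covered, no extra
    downstream interfaces, and identical name/direction/type/range for shared ones."""
    up = {i.name: i for i in up_ifaces}
    down = {i.name: i for i in down_ifaces}
    return {"not_covered_downstream": sorted(set(up) - set(down)),
            "extra_downstream": sorted(set(down) - set(up)),
            "definition_mismatch": sorted(n for n in set(up) & set(down) if up[n] != down[n])}

def conformity_report(upstream, downstream, links, up_ifaces, down_ifaces):
    """Collect all findings; the pair of files conforms only when every list is empty."""
    findings = {"forward_gaps": forward_gaps(upstream, links),
                "reverse_gaps": reverse_gaps(downstream, links),
                "dangling_links": dangling_links(upstream, downstream, links),
                **interface_findings(up_ifaces, down_ifaces)}
    findings["conforms"] = not any(findings.values())
    return findings

# Constructed sample: an equipment specification (upstream) and the software requirements
# specification derived from it (downstream), with a deliberately incomplete trace matrix.
EQUIPMENT_SPEC = {
    "ES-01": "Measure the neutron flux rate of the core",
    "ES-02": "Raise a high-flux alarm",
    "ES-03": "Compute the axial power deviation",
    "ES-04": "Upload measurements and alarms to the upper-level system",
    "ES-05": "Perform a periodic self-test of the channel"}
SOFTWARE_REQS = {
    "SRS-01": "Acquire detector signals and compute flux rate",
    "SRS-02": "Compare flux rate with the alarm threshold",
    "SRS-03": "Compute axial power deviation from top/bottom detectors",
    "SRS-04": "Send measurement frames to the upper-level system",
    "SRS-05": "Send alarm frames to the upper-level system",
    "SRS-06": "Allow the operator to change the alarm threshold at run time"}
TRACE_LINKS = [("ES-01", "SRS-01"), ("ES-02", "SRS-02"), ("ES-03", "SRS-03"),
               ("ES-04", "SRS-04"), ("ES-04", "SRS-05")]
UP_INTERFACES = [Interface("FLUX_RATE", "out", "float", "0-200 % FP"),
                 Interface("ALARM_HIGH", "out", "bool", "0/1"),
                 Interface("THRESHOLD_CMD", "in", "float", "0-150 % FP"),
                 Interface("SELFTEST_START", "in", "bool", "0/1")]
DOWN_INTERFACES = [Interface("FLUX_RATE", "out", "float", "0-200 % FP"),
                   Interface("ALARM_HIGH", "out", "bool", "0/1"),
                   Interface("THRESHOLD_CMD", "in", "float", "0-120 % FP"),   # range narrowed
                   Interface("DEBUG_PORT", "in", "bytes", "any")]           # not in upstream

if __name__ == "__main__":
    for key, value in conformity_report(EQUIPMENT_SPEC, SOFTWARE_REQS, TRACE_LINKS,
                                        UP_INTERFACES, DOWN_INTERFACES).items():
        print(f"{key:24} {value}")
```

On the constructed data the report flags ES-05 as an upstream requirement with no downstream trace (forward gap), SRS-06 as a downstream requirement with no upstream basis (reverse gap), a narrowed range on THRESHOLD_CMD and an extra DEBUG_PORT interface; each is exactly the kind of finding the development team would have to resolve before a conformity conclusion can be given.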
3.3 Verification of Software Code
The requirements for software written in a general-purpose language that performs category A functions are given in Sect. 7.1.2 of IEC 60880-2006. The software development team compiled C-language coding specifications for nuclear safety-related software and completed the coding of the RPN software using the C language only, according to IEC 60880-2006 and MISRA-C:2004. The software V&V team verified the RPN software code by two technical methods: manual walkthrough and software tool analysis with LDRA TESTBED V9.5.8. The manual walkthrough verifies and ensures the consistency of the software code with the software design specification, mainly covering the number of software modules, interfaces, logic, functions, the invoking relations of software modules, the software working modes and the corresponding transition conditions, etc. The software tool analysis verifies whether the code complies with the C-language coding specifications for nuclear safety-related software.
3.4 Unit Test
The requirements for unit testing of software written in a general-purpose language are declared in Sect. 8.2.3 of IEC 60880-2006. The appropriate way to verify the code is to carry out the unit test after the analysis of the module code. Based on the unit test plan and test specifications, the V&V team analyzed and recorded the statement coverage, branch coverage and MC/DC coverage of the 87 modules of the RPN software. According to the requirements for nuclear category A software, all three kinds of unit-test coverage should reach 100%, to ensure that each software module executes the expected functions and does not execute unexpected ones. The unit test methods include manual walkthrough and tool testing with LDRA TESTBED V9.5.8.
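The 100% statement, branch and MC/DC coverage requirement above is easiest to see on a single decision. The following Python script, an added example not taken from the RPN software, computes branch coverage and the MC/DC independence pairs of a constructed trip decision over a set of constructed test vectors, and finds the smallest vector set that achieves MC/DC by exhaustive search; the decision, its condition names and the vectors are assumptions for illustration.

```python
"""Branch and MC/DC coverage analysis for one decision, the coverage that Sect. 3.4
requires at 100 % for category A unit modules.  Added example: the decision and the
test vectors are constructed, not taken from the RPN software."""
from itertools import combinations, product

# Constructed decision of a protection channel: trip on high flux or high rate of change,
# unless the channel is under self-test.
CONDITIONS = ("high_flux", "high_rate", "in_self_test")
def trip_decision(high_flux, high_rate, in_self_test):
    return (high_flux or high_rate) and not in_self_test

def branch_covered(decision, vectors):
    """Branch coverage of the decision: both outcomes have been observed."""
    return {decision(**v) for v in vectors} == {True, False}

def mcdc_pairs(decision, conditions, vectors):
    """For every condition, the pairs of vectors that differ only in that condition and
    produce different outcomes, i.e. that show the condition independently affects it."""
    pairs = {c: [] for c in conditions}
    for a, b in combinations(range(len(vectors)), 2):
        differing = [c for c in conditions if vectors[a][c] != vectors[b][c]]
        if len(differing) == 1 and decision(**vectors[a]) != decision(**vectors[b]):
            pairs[differing[0]].append((a, b))
    return pairs

def uncovered_conditions(decision, conditions, vectors):
    """Conditions for which the suite provides no independence pair (MC/DC shortfall)."""
    return [c for c, p in mcdc_pairs(decision, conditions, vectors).items() if not p]

def mcdc_satisfied(decision, conditions, vectors):
    return not uncovered_conditions(decision, conditions, vectors)

def minimal_mcdc_suite(decision, conditions):
    """Smallest vector set achieving MC/DC, by exhaustive search over all 2^n vectors;
    fine for the few conditions a single decision holds."""
    universe = [dict(zip(conditions, bits)) for bits in product((False, True), repeat=len(conditions))]
    for size in range(1, len(universe) + 1):
        for subset in combinations(universe, size):
            if mcdc_satisfied(decision, conditions, list(subset)):
                return list(subset)
    return None

def vec(high_flux, high_rate, in_self_test):
    return {"high_flux": high_flux, "high_rate": high_rate, "in_self_test": in_self_test}

# Constructed unit-test vectors for trip_decision.  The first two already give branch
# coverage; all four are needed for MC/DC (at least n + 1 vectors for n conditions).
UNIT_TEST_VECTORS = [vec(True, False, False), vec(False, False, False),
                     vec(False, True, False), vec(True, False, True)]

if __name__ == "__main__":
    print("branch covered:", branch_covered(trip_decision, UNIT_TEST_VECTORS))
    print("MC/DC pairs:", mcdc_pairs(trip_decision, CONDITIONS, UNIT_TEST_VECTORS))
    print("uncovered with first two vectors:",
          uncovered_conditions(trip_decision, CONDITIONS, UNIT_TEST_VECTORS[:2]))
    print("minimal MC/DC suite size:", len(minimal_mcdc_suite(trip_decision, CONDITIONS)))
```

The point the example makes is the one behind the three-coverage requirement: two vectors are enough to execute both branches of this decision, yet they leave two of its three conditions without an independence pair, so branch coverage alone would pass a module in which `high_rate` or `in_self_test` had no effect at all.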
3.5 Integration Test
Section 8.2.3 and Chap. 9 of IEC 60880-2006 stipulate that the appropriate way to verify the code is to carry out the integration test after the unit test, so that all the modules perform the intended functions collaboratively and correctly at an early stage of development. The software is then installed in the hardware of the RPN protection cabinet to verify the compatibility of software and hardware, mainly in the aspects of functions, interfaces and operating environment. According to the integration test plan and test specification, the software integration test is performed, in which statement coverage and branch coverage are analyzed and recorded. An integration test combining software and hardware has been done, including function and interface tests, fault insertion tests and performance tests, to ensure that the function, performance and response time of the RPN software meet the requirements. During the integration test, LDRA TESTBED V9.5.8 and Code Composer Studio 5.5.0 were used to monitor the behaviour of the target software embedded in the target hardware.
3.6 Validation Test
Chapter 10 of IEC 60880-2006 stipulates how to perform the software aspects of the system validation test. Based on the dynamic and static test cases given in the validation test plan and validation test specifications written by the V&V team, the RPN software validation test has been performed to ensure that the RPN software integrated with the hardware conforms to the functions, performance and interfaces required by the software requirements specification, and that the overall function and performance of the equipment meet the requirements of the RPN specification. Software validation tests are performed on RPN cabinets loaded with the final version of the target software, and the test equipment and instrumentation used in the test must have been inspected by a qualified institution in accordance with the relevant regulations and be within their validity period. The test cases, which include the range of all input parameters and their logical combinations, cover safety function tests, performance tests, fault insertion tests, failure tests and so on. The results of the validation test show that the RPN software correctly performs the functions, performance and interfaces of the software requirements specification, which meets the requirements of Chap. 10 of IEC 60880-2006.
4 Summary
The V&V work on the RPN software consists of seven stages. Verification of the RPN equipment specification ensures its consistency with the nuclear power plant specification. Software requirements verification ensures the standard compliance of the software requirements specification and its consistency with the RPN equipment specification. Design verification ensures the standard compliance of the software design specification and its consistency with the software requirements specification. Software code verification ensures the standard compliance of the software code and its consistency with the software design specification. Unit testing ensures the correctness and the coverage fraction of the functionality and interfaces of the software unit modules and their consistency with the software design specification. Integration testing ensures that the software modules work together correctly in accordance with the software design specification, as well as the compatibility of software and hardware. The validation test ensures that the RPN software correctly performs the functions specified in the software requirements specification. The files produced by the V&V work are listed in Table 1.
Table 1. Files of the software V&V works
No. | File name
1   | H5RPNS01 nuclear instrumentation system software verification and validation plan
2   | H5RPNS01 nuclear instrumentation system software development and test tools verification report
3   | H5RPNS01 nuclear instrumentation system quality assurance verification report
4   | H5RPNS01 nuclear instrumentation system equipment specification verification report
5   | H5RPNS01 nuclear instrumentation system software requirements specification verification report
6   | H5RPNS01 nuclear instrumentation system software design specification verification report
7   | H5RPNS01 nuclear instrumentation system software unit test plan
8   | H5RPNS01 nuclear instrumentation system software unit test specification
9   | H5RPNS01 nuclear instrumentation system software unit test report
10  | H5RPNS01 nuclear instrumentation system software integration test plan
11  | H5RPNS01 nuclear instrumentation system software integration test specification
12  | H5RPNS01 nuclear instrumentation system software integration test report
13  | H5RPNS01 nuclear instrumentation system software validation test plan
14  | H5RPNS01 nuclear instrumentation system software validation test specification
15  | H5RPNS01 nuclear instrumentation system software validation test report
16  | H5RPNS01 nuclear instrumentation system software verification and validation summary report
5 Conclusion
To verify the reliability of the RPN software, an independent V&V team was formed. In accordance with IEC 60880-2006, the team compiled the software verification and validation plan and carried out the equipment specification verification, software requirements verification, software design verification, software code verification, software unit testing, software integration testing and validation testing. The results of this work indicate that the reliability of the RPN software meets the Chinese regulatory requirements and IEC 60880-2006, and that the functions and performance indicators of the RPN software meet the requirements of the equipment specification.
Software Verification and Validation of Digital Nuclear
321
References
1. Nuclear Safety Law of the People's Republic of China (2017)
2. Regulation of the State Council of the People's Republic of China on the Supervision and Administration of Civil Nuclear Safety Equipment, No. 500 (2007)
3. HAF003 Nuclear Power Plant Quality Assurance Safety Regulations (1991)
4. HAF102 Nuclear Power Plant Quality Design Safety Regulations (2004)
5. HAD102/16 Nuclear power plants—Instrumentation and control systems important to safety—Software aspects for computer-based systems (2004)
6. IEC 60880 Nuclear power plants—Instrumentation and control systems important to safety—Software aspects for computer-based systems performing category A functions (2006)
7. NB/T 20054 Nuclear power plants—Instrumentation and control systems important to safety—Software aspects for computer-based systems performing category A functions (2011)
8. IEEE 1012 Standard for Software Verification and Validation (2004)
Research on the Human Factors Integration in Some Third Generation NPP Zhong-Ping Yin(&), Yan-Zi Liu, Xue-Gang Zhang, Jian-Bo Zhang, and Xiao-Mei Xu State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Design Company LTD (Shenzhen), Shenzhen 518045, Guangdong, China [email protected]
Abstract. The human contribution to safety can be positive or negative, and may be made during the NPP design, construction, commissioning, operation or maintenance phase. After the Three Mile Island accident, Human Factors (HF) began to receive close attention in the field of nuclear power plant safety design at home and abroad. At present there are many good practices for considering human factors in the design phase, but they focus on the Main Control Room (MCR) area, and many HF events still occur in local plant areas during the operation and maintenance phases. This paper presents a systematic approach for integrating HF across the whole plant in the design phase of a third generation NPP, which mainly comprises the HF organization, the HF integration framework and good practices. The approach provides an organizing framework to ensure that HF consideration covers the whole plant and that all relevant HF issues are identified and addressed, which can improve the economy and safety of the NPP by reducing human error and poor physical interaction. It can be applied to any newly built NPP or NPP modification to guide HFI activities from the design phase.
Keywords: Human factors integration · HFE guidelines · HF organization · HFI activities
1 Introduction
With the progress of science and technology, machines are constantly upgraded and their structure and performance become increasingly complex, while human performance is always limited. The limits of human performance therefore need to be taken into account in the design of complex equipment or systems. A Nuclear Power Plant (NPP) is a complex socio-technological system that comprises both automation and human components. The human contribution to safety can be positive or negative, and may be made during the NPP design, construction, commissioning, operation or maintenance phase. After the Three Mile Island accident, Human Factors (HF) began to receive close attention in the field of nuclear power plant safety design at home and abroad, and regulations, standards and guidelines have been updated to set requirements or recommendations for human factors in Nuclear Power Plants (NPPs), such as HAF102 Safety of Nuclear Power Plants in China: Design, NUREG0711 in the United States, and the Safety Assessment Principles (SAP) in Britain.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 322–334, 2020. https://doi.org/10.1007/978-981-15-1876-8_33
At present there are many good practices for considering human factors in the design phase, but they focus on the Main Control Room (MCR) area. The HF team cooperates with the MCR design team on many HF activities, such as developing the HF design guidelines and performing verification and validation, to make sure the MCR design gives good consideration to HF. But HF consideration does not cover the whole plant, in particular the local areas, and many HF events still occur in local areas during the plant operation and maintenance phases. According to Statistics and Analysis of WANO Human Factor Events, Reference [1], 940 WANO operating event reports from 1993 to 2002 were analyzed, and 551 of them were found to be related to human error. Human error is still one of the major causes of accidents in a nuclear power plant (NPP), and human errors in tests, maintenance and calibration that lead to potential failure of a system are the main causes of human factors incidents. The regulator also expects HF consideration to cover the whole plant, to minimize the potential for human error. According to the Safety Assessment Principles, Reference [2], “the human contribution to safety can be positive or negative, and may be made during facility design, construction, commissioning, operation, maintenance or decommissioning. A systematic approach to understanding the factors that affect human performance, and minimizing the potential for human error to contribute to or escalate faults, therefore needs to be applied throughout the entire facility lifecycle.” According to NS-TAST-GD-058, Reference [3], “HFI is a good practice approach to the application of Human Factors to systems development. As a methodology, it provides an organizing framework to help ensure that all relevant HF issues are identified and addressed. In addition, the HFI approach has a management strategy that aims for timely and appropriate integration of HF activities throughout the project”. This paper presents a systematic approach for integrating HF across the whole plant in the design phase of a third generation NPP, which mainly comprises the HF organization, the HF integration framework and good practices. The approach provides an organizing framework to ensure that HF consideration covers the whole plant and that all relevant HF issues are identified and addressed, which can improve the economy and safety of the NPP by reducing human error and poor physical interaction.
2 Human Factors Integration Strategy Analysis
In previous NPP design practice in China, the HF team was commonly located within the C&I design department because of its close association with the Human Machine Interface (HMI) in MCR design. This arrangement helped the HF team to become familiar with the MCR design team and helped integrate HF consideration into the MCR design, but it also meant that the HF team was not familiar with the other design teams, such as electrical design and mechanical design. As a result, HF consideration did not cover the whole plant, in particular the local areas.
The regulator also expects HF consideration to cover the whole plant, and the former HF arrangement did not meet this expectation, as shown by RO-ABWR-0005. According to the Resolution Plan for RO-ABWR-0005, Hitachi-GE Nuclear Energy Ltd. Human Factors Specialist Resource and Organization, Reference [4], “In accordance with Hitachi-GE’s standard practice the GDA HF team was located within the C&I design team because of its close association with Human Machine Interface (HMI). ONR advised this arrangement did not meet its expectations and was unlikely to be capable of delivering the quantity of information in HF (not only HMI) within the required timeframes. In response Hitachi-GE proceeded to form the HF team as an independent organization to the C&I department, recruit external HF specialists in the UK, USA and Japan and also allocate Hitachi-GE’s internal human resources who we consider have adequate experience and competence to undertake HF work.” So for the third generation NPP a new HF organization is needed that includes several related design areas, such as electrical design, mechanical design and safety analysis, and an HFI framework covering the main HFI activities needs to be developed.
3 HF Organization
For the third generation NPP, a new HF organization is created which covers many design areas, such as electrical design, mechanical design and safety analysis. To guide the whole team in carrying out the HFI activities in the correct direction, a goal for the HFI activities is set. And to make sure the HF team has Suitably Qualified and Experienced Persons (SQEP), a training plan for the HF team is developed.
3.1 HF Team
For the third generation NPP, a dedicated HF team is built, which provides support for any human factors analysis that is needed. The HF team leader needs to be authorized to influence the design of the structures, systems and components (SSCs) of the NPP, based on the related HFI principles. Other engineering disciplines need to apply the HF guidelines during design, and their application is subject to a verification process by HF Suitably Qualified and Experienced Persons (SQEPs) (Fig. 1).
Fig. 1. HF team
HF issues and concerns are fed to the Probabilistic Safety Assessment (PSA), Safety Analysis, Control & Instrumentation (C&I) and other areas where necessary, to ensure they are accurately reflected in on-going project discussions and planning. The HF team is responsible for organizing and implementing the tasks of the human factors area, mainly including:
(a) Producing HF safety evaluation reports and supporting documents.
(b) Answering the various types of questions raised by the regulator in the HF area.
(c) HF design and review, including the implementation of design modifications and developments.
(d) Interfacing with the PSA, fault study, C&I and other areas.
The team may consist of an HF technical governance group with the HF leader, HF advisors and an HF multi-discipline design group. A training plan is developed for each HF team member to satisfy the minimum qualification. The suppliers or stakeholders also contribute to the HFI activities; they need to follow the general HFI plan, or develop a specific HFI plan if necessary, for managing their HFI activities. An HF team is needed, and a training plan is developed and implemented to achieve the SQEP requirement. The suppliers or stakeholders are responsible for implementing the HFE guidelines in their equipment design and/or manufacturing, and should have SQEP corresponding to their responsibilities.
3.2 Human Factors Integration Goal
HF needs to be integrated into the design phase of the third generation NPP, considering its whole lifecycle. Before carrying out HFI activities, the first action is to set a goal for them; this is very important, as it guides the HFI activities in the correct direction, and a good goal helps the HF team find the right people to do the right things. The goal is set based on codes and standards, operating experience, regulatory expectations, etc., and it may differ between the phases of the NPP's life. The goal of HFI throughout the third generation NPP's lifecycle is normally suggested as follows:
(a) HF is integrated into the plant design phase considering the whole of the plant life, including construction, commissioning, operation and maintenance.
(b) HF is integrated in all plant operating conditions, including normal, emergency and severe accident conditions.
(c) HF is integrated in the user interface and workspace for the nuclear island, conventional island and balance of plant, including the Main Control Room (MCR), Remote Shutdown Station (RSS), Technical Support Centre (TSC), Emergency Operation Facilities (EOF) and other local plant stations where operations and maintenance activities take place.
(d) The HFI activities identify inputs to the development of procedures and training for all operations, accident management, maintenance, test, inspection and surveillance tasks.
(e) The HFI activities consider the required organization of the operations staff.
3.3 HF Training
For the third generation NPP, an HF training plan is developed for the HF team, which aims to standardize the competency levels for the roles in HF work and the corresponding courses required for each competency level. The plan applies to the training of HFE staff. The training mainly includes the following courses:
(a) Human factors integration management
(b) Human factors engineering basic knowledge and awareness training
(c) Function allocation methodology
(d) Human factors engineering guidelines
(e) Task analysis methodology
(f) Human reliability quantification methodology
The HFE training plan is updated for specific competency guides if needed.
4 Human Factors Integration Process
For the third generation NPP, to make sure HF consideration covers the whole plant, including the local areas, a human factors integration process is developed.
4.1 Previous Practice and Regulatory Expectation Analysis
In practice on previous NPPs, several HF activities have been very valuable for minimizing the potential for human error, such as operating experience review, HF guideline development and implementation, and HF verification and validation. Operating experience review identifies, analyzes and addresses HF-related problems to ensure that any negative features of the predecessor designs are avoided in the current design while their positive features are retained. HF guideline development and implementation makes sure that HF consideration is developed and implemented in the design of the plant SSCs. HF verification and validation verifies that the Human Machine Interfaces (HMIs) provide the needed alarms, information and controls and that the design of the HMIs conforms to the HFE guidelines, and validates, using performance-based tests, that the integrated system design (i.e. hardware, software, procedures and personnel elements) supports the safe operation of the plant. The regulator also expects a human factors integration process. NUREG0711, Reference [5], requests 12 HF elements; these elements contain the criteria for reviewing an applicant's submittal describing their HFE program and the resulting design. NS-TAST-GD-058 advises human factors integration and several methods. HFI is a good practice approach to the application of Human Factors (HF) to systems development. As a methodology it provides an organizing framework to help ensure that all relevant HF issues are identified and addressed. In addition, the HFI approach has a management strategy that aims for timely and appropriate integration of HF activities throughout the project.
4.2 Human Factors Integration Process Development
For the third generation NPP, based on previous practice and the regulatory expectations, the human factors integration process is developed. The HFI process covers several plant phases through the plant life: Planning & Analysis, Design, Verification and Validation, and Commissioning & Maintenance & Operation, as shown in Fig. 2. In the Planning & Analysis phase, the Concept of Operation, Target Audience Description and Operating Experience Review are produced to lay the foundation for the following HF activities. Function Allocation, Design Basis Analysis (DBA), Severe Accident Analysis (SAA) and Probabilistic Safety Assessment (PSA) provide feedback to each other. Treatment of Important Human Actions, comprising the identification of important human actions, task analysis and Human Reliability Quantification, takes its input from DBA/SAA/PSA and feeds back to DBA/SAA/PSA and the Function Allocation review. In the Design phase, the HFI activities concern HF guideline development and implementation, staffing and qualification, training program development and procedure development. The results of the treatment of important human actions are fed back to the downstream design, and this feedback needs to be considered in staffing and qualification, training program development, procedure development and control facilities & HMI design. The design results are in turn fed back to the treatment of important human actions for iteration. Staffing and qualification needs to be sufficient to support the task requirements and satisfy the applicable standards. Procedures need to be developed incorporating human factors along with all other design requirements, so that they are technically accurate, comprehensive, explicit, easy to use, verified and validated. In addition, HF guidelines are developed as inputs to SSC design and review and to participation in the As Low As Reasonably Practicable (ALARP) assessment. In the Verification and Validation (V&V) phase, HF V&V selects appropriate scenarios to validate the important human actions and performs HF review of the SSC design. The results of the HF V&V are iterated through the important human actions assessment and the SSC design.
Fig. 2. HFI activities scope diagram
5 HFI Activities Practices
For the third generation NPP, based on the HF organization and the human factors integration process created above, several good practices in HFI activities have emerged.
5.1 Operating Experience Review
Operating Experience (OPEX) is analyzed during the design phase. HF-related problems from previous designs similar to the new NPP are identified, analyzed and addressed to ensure that any negative features of the predecessor designs are avoided in the current design while their positive features are retained. The scope of the HF OPEX review includes many areas, such as construction, commissioning, operation, inspection and maintenance, and decommissioning, to identify where human unreliability has been observed and to identify enhancements to the new NPP design. To obtain experience in the areas of operation, inspection and maintenance, experienced plant workers need to be interviewed by each participating discipline to identify relevant human factors problems. For the third generation NPP, several new OPEX items were found by the engineers after the operating experience review; some examples are listed in Table 1. The detailed content of each experience feedback item is considered in the related design.
Table 1. Examples of new experience feedback for the third generation NPP
S/N / Title of experience feedback
1. Equipment maintenance space and hoisting
2. Automatic reactor shutdown due to loss of all power to the control rod driving mechanism
3. Overall replacement and maintenance of the diesel generator affected by a too-small diesel generator room gate
4. Iodine filtration function of the MCR air conditioning system unavailable as a result of misoperation of a damper
5.2 HF Guidelines Development and Implementation
HF guidelines are developed and delivered to the various design departments, and HF inputs and support are provided to the SSC design. The third generation NPP is designed according to standards and Relevant Good Practice (RGP) in HF, and the use of HF guidelines is a key method of ensuring inclusion of and compliance with the requirements. In addition, HF review and HF V&V are done iteratively with all the relevant design and safety analysis teams, to ensure the timely incorporation of the results and to track any issues that arise as a result. To support the development of the new NPP, and to ensure that HF principles are applied in its design process, a series of human factors engineering design guidelines need to be published, mainly including HF guidelines for local area design. The HF guidelines for local area design provide human factors good practice that assists designers when considering the selection, location and layout of controls and displays outside the MCR. The HF guidelines for local areas are used to guide the design of the following objects:
(a) Work spaces
(b) Operating workstations
(c) Display devices
(d) Control devices
(e) Layout of the control and display devices
(f) Labels and demarcations
Taking the work spaces of valves as an example, the general guidelines are as follows:
(a) The location of valves should provide adequate clearance, at least 100 mm, to avoid entrapment of hands and fingers between the valve handles and surrounding obstacles.
(b) Sufficient space should be provided to grip the handle with two hands.
Fig. 3. Example of poor work space design for valves
If the work space for a valve is not sufficient, as shown in Fig. 3, operating and maintaining the valve is not easy and the worker's fingers may be injured. The HF guidelines are developed by the HF team; they are used as the top-level documents and provide a key reference and evaluation principles for both the design and HF teams. The HF team delivers the HF guidelines to the relevant design disciplines. Solutions to any discrepancies identified need to be developed, and the HF team records the key deviation items in the HF Issue Tracking System. HF review reports covering the design of HMIs and workspaces (including the MCR and local areas) need to be produced.
5.3 HF Review
Certain key elements of the plant are likely to go through an option process as part of the project, so that the identified risks can be shown to be reduced to ALARP levels. The HF team provides input to the decision-making process for identifying those SSCs which require an option process in order either to reduce the risks or to demonstrate that the currently identified risks are ALARP. For each option process, HF team support is required to ensure that the option which reduces the risks to ALARP levels is selected and that all human factors related issues are identified. HF review mainly includes assessing the conformance of the local design outside the MCR and identifying the possible improvements that might be made to the third generation NPP design to reduce or remove the effect of operator errors on the overall system reliability. For the third generation NPP design, several recommendations were raised after the HF review. Taking the recommendation scheme for layout deviations as an example, it includes the following contents:
(a) Access and space for work
(b) Working environment
(c) HMI
(d) Equipment layout.
5.4 Important Human Actions Identification and Assessment
5.4.1 Important Human Actions Identification
For the third generation NPP, the identification of important human actions includes the identification of type A/B/C human errors:
(a) Type A: Interactions where errors in Maintenance, Testing, Inspection or Surveillance (MTIS) tasks, made before the occurrence of an initiating event, have the potential to lead to failure or unavailability of a safety related system or mitigating system.
(b) Type B: Interactions where errors in operation or MTIS tasks have the potential to cause an initiating event.
(c) Type C: Interactions that occur following an initiating event where errors have the potential to lead to failures of the safety systems to perform one of the required safety functions.
The HF team works closely with the PSA, DBA and SAA to identify important human actions, including the safety actions of the personnel responsible for monitoring and controlling the plant and of the personnel carrying out maintenance, testing and calibration activities. The process to identify important human actions is as follows:
(a) Review the important human actions list from the reference NPP;
(b) Identify important human actions from the Examination, Maintenance, Inspection and Testing strategy, particularly the list of class 1, 2 or 3 components, to identify type A human actions effectively;
(c) Identify important human actions from the PIE, to identify type B human actions effectively;
(d) Identify important human actions through the development of the Fault Studies and SAA, to identify type C human actions effectively;
(e) Identify important human actions through the development of the PSA, as a supplement to the type A, B and C human action lists;
(f) Categorise and classify all the important human actions into their respective levels based on the equipment safety class or the associated consequence.
For the third generation NPP, the important human actions list has been identified and forms the input for the important human actions assessment and the SSC design.
5.4.2 Important Human Actions Assessment
For the third generation NPP, the important human actions assessment includes task analysis and human reliability quantification. Task analysis is a process for understanding the demands on the operator so that improvements can be made to the task design or training requirements identified. Combined with the working experience of previous nuclear projects, the following aspects, which refer to NUREG0711, Reference [2], need to be covered in the task analysis:
(a) Information requirements, such as which alarms and warnings, parameters, action feedback, etc. are needed to accomplish a task;
(b) Decision making requirements, such as the type of decision (relative, absolute or probabilistic) and the evaluation to be completed;
(c) Response requirements, such as the type of action, task frequency, fault tolerance and accuracy, time available, and the location and method for completing the action;
(d) Communication requirements, such as relevant monitoring information or controlled personnel communication;
(e) Workload, such as cognitive and physical workload;
(f) Task support requirements;
(g) Working space requirements;
(h) Situation and performance requirements;
(i) Hazard identification requirements.
Human Reliability Quantification is carried out to substantiate or derive estimates of the Human Error Probability (HEP). The strategy for human error quantification is summarized as follows:
(a) Type A human errors are assessed with the Accident Sequence Evaluation Program (ASEP) in NUREG/CR-4772.
(b) Type B human errors are calculated using the database in NUREG/CR-1278.
(c) Type C human errors are assessed with the Standardized Plant Analysis Risk Human Reliability Analysis (SPAR-H) in NUREG/CR-6883.
For the third generation NPP, several important human actions have been assessed. Taking the human actions in the Steam Generator Tube Rupture event as an example, the time available for the first human action is very important for the reliability assessment of the important human actions. The results of the human reliability quantification for the related human actions are fed back to the appropriate iteration of the PSA.
5.5 HF Verification & Validation
The function of the HF V&V activities is to demonstrate that the SSC design attains a high standard of HF adequacy and conforms to the HF principles and requirements of the HF guidelines. For the third generation NPP, an HF V&V methodology is developed, which includes the work stream, methodology, organization and schedule.
5.6 HF Issues Register Management
The types of HF issues include, but are not limited to, operational experience review items, human engineering discrepancies and assumptions. HF issues are determined by the participant in charge of the HFI activity, and the identified issues are entered into the HF issues-tracking system. For the third generation NPP, a human factors issue management method is developed for tracking all the issues.
6 Conclusions
After the Three Mile Island accident, Human Factors (HF) began to receive close attention in the field of nuclear power plant safety design at home and abroad. At present there are many good practices for considering human factors in the design phase, but they focus on the Main Control Room (MCR) area, and many HF events still occur in local plant areas during the operation and maintenance phases. This paper has presented a systematic approach for integrating HF across the whole plant in the design phase of a third generation NPP, which mainly comprises the HF organization, the HF integration framework and good practices. The approach provides an organizing framework to ensure that HF consideration covers the whole plant and that all relevant HF issues are identified and addressed, which can improve the economy and safety of the NPP by reducing human error and poor physical interaction. It can be applied to any newly built NPP or NPP modification to guide HFI activities from the design phase.
References
1. Li, Z.: Statistics and analysis of WANO human factor events. Nucl. Power Eng. 26(3) (2005)
2. ONR: Technical Assessment Guide: Human Factors Integration, NS-TAST-GD-058, Rev. 3, March 2017, http://www.onr.org.uk
3. ONR: Safety Assessment Principles for Nuclear Facilities, Rev. 0, 2014, http://www.onr.org.uk
4. Hitachi-GE Nuclear Energy Ltd.: Resolution Plan for RO-ABWR-0005, Human Factors Specialist Resource and Organization, Dec. 2014, http://www.onr.org.uk
5. NRC: NUREG0711, Human Factors Engineering Program Review Model, Rev. 3, 2012
Development and Application of Closed-Loop Control Performance Evaluation System for Nuclear Power Plant Zhen-Hua Luan1,2(&), Zong-Wei Yang1, Peng Liu1, and Jun Liang2 1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen 518172, Guangdong, People’s Republic of China [email protected] 2 State Key Lab of Industrial Control Technology, College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, People’s Republic of China
Abstract. A closed-loop control performance evaluation system is developed to overcome the shortcoming that evaluation is done merely by manual experience. The system can quantitatively evaluate the performance of common control systems such as single loops and cascade loops. The performance indicators include peak value, attenuation ratio, ISE, Harris, etc. The system has been applied in the closed-loop control system tests of third generation nuclear power plants, where the performance of the pressurizer pressure, pressurizer level and other control systems has been evaluated. The optimization results of the control systems of the third generation units have been verified, and the validity and rationality of the design and development of the evaluation system have also been demonstrated.
Keywords: Nuclear power plant · Control system · Performance evaluation
1 Introduction
The performance of the closed-loop control systems is key to the operation of nuclear power plants: their functional design and parameter optimization, and the resulting control performance, directly affect the safety of unit operation [1–3]. The testing of the closed-loop control systems is therefore the most important part of unit start-up. During normal commissioning, the performance evaluation of the reactor control systems is mostly achieved by manually checking the test data, such as overshoot and attenuation ratio, and judging by experience. The shortcoming is that there is no quantitative evaluation index and the evaluation cannot be calculated automatically. To solve this problem, a performance evaluation system for closed-loop control systems is developed. It evaluates the common indices such as peak value, peak time, residual error, adjustment time, overshoot and attenuation ratio, and it introduces two advanced evaluation indices, ISE and Harris, to quantitatively evaluate the performance of the control system. In addition [4], it provides a function for comparing the test results of multiple units. The application of this system in nuclear power plants shows that engineers can use the evaluation and comparison results to evaluate the performance of the control system comprehensively and to guide the parameter optimization of the control system, which greatly facilitates control system testing and improves efficiency.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 335–344, 2020. https://doi.org/10.1007/978-981-15-1876-8_34
2 Key Technologies of Performance Evaluation for Closed-Loop Control Systems

2.1 Classification of Control System Responses of Nuclear Power Units
In order to accurately evaluate the performance of different loops, it is necessary to classify the control loops according to the characteristics of their step response and action signals. During tests, the control effect is usually observed by manually introducing an error or modifying the setpoint value. These operations can be regarded as imposing step signals on the control loop to observe the response characteristic curve of the control system. The process models of nuclear units are generally divided into the first-order monotone type and the second-order oscillation-attenuation type [5]. The transfer function of the first-order process model is $G(s) = \frac{1}{Ts + 1}$, and the transfer function of the second-order process model is $G(s) = \frac{K}{s(Ts + 1)}$. From the shape of the test data records, response characteristic curves in different directions can be obtained by applying forward and backward input step signals to these two kinds of processes. In addition, there is a special kind of curve: without an external control action signal, just because of the character of the controller, the control loop often maintains a stable state or a small-range equal-amplitude oscillation. In order to facilitate the application by commissioning engineers, this paper classifies the response curves of control loops into five types, i.e. first-order ascending, first-order descending, second-order ascending, second-order descending and stationary. The positive and negative step response curves of each type are shown in Fig. 1.
Fig. 1. Classification of control loop responses
Development and Application of Closed-Loop Control

2.2 Evaluation Index and Calculation Method
The quantitative evaluation indexes of performance evaluation for control systems include nine items: peak value, peak time, residual (remainder) error, adjustment time, overshoot, attenuation ratio, rise time, ISE and Harris. The basic principles of these nine indicators are introduced briefly below.
a. Peak value: the first extreme value after the system exceeds the setpoint value.
b. Peak time: the time it takes for the system to reach the first peak value.
c. Remainder error: the steady-state error of the system after reaching steady state, i.e. the difference between the average value of the last section of the record and the setpoint value. If this value is within ±5% of the setpoint value, the loop is stable and the residual error is obtained; otherwise the system is unstable.
d. Adjustment time: the shortest time for the system to reach and stay within ±%  of the final value.
e. Overshoot: the ratio of the maximum deviation (peak value minus setpoint value) to the setpoint value: overshoot = (peak value − setpoint value) / setpoint value × 100%.
f. Attenuation ratio: the ratio of two adjacent amplitudes (peak − setpoint value) in the same direction: attenuation ratio = (peak − setpoint value) / (sub-peak − setpoint value).
g. Rise time: the time required for the system to rise from the start state to the setpoint value for the first time.
h. ISE: the integral of squared error, $ISE = \int_0^{\infty} \left(y(t) - y_{sp}(t)\right)^2 \, dt$, where $y(t)$ is the measured value of the controlled variable and $y_{sp}(t)$ the setpoint.
i. Harris: an index that takes the minimum variance control of the system as the reference control performance to evaluate the current control performance [6–8]. The principle of the performance evaluation method based on the minimum variance control law is shown in Fig. 2. It is realized as follows:
(a) estimate the pure delay time $d$ of the system;
(b) carry out a time series analysis of the closed-loop output $y_t$ and establish the time series model $y_t = F a_t + L a_{t-d}$ from the disturbance $a_t$ to the output $y_t$;
(c) estimate the minimum variance of the process output, $\sigma^2_{MV}$;
(d) calculate the actual variance of the process output, $\sigma^2_y$, from the system output data;
(e) obtain $\eta(d) = \sigma^2_{MV} / \sigma^2_y$.
Although $a_t$ is unknown, the estimate $\hat{a}_t$ of the white noise can be obtained through time series analysis of the output $y_t$. $\eta(d)$ lies in [0, 1], and a larger value of $\eta(d)$ means a better control effect.
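Indices a–h above computed on a constructed pressurizer-type step (added example, not the authors' code): `evaluate_step_response` is the hypothetical evaluator, and the normalisation of overshoot by the step change and of the attenuation ratio as second-peak over first-peak deviation is my reading of how Table 5 arrives at 9.01 % and 24.97 %, not a statement in the text. It also handles the monotone case in which no peak exists, which Table 6 marks with "–".

```python
"""Step-response indices of Sect. 2.2 computed on a constructed pressure step
(added example, not the authors' code). Overshoot is normalised by the step
change and the attenuation ratio is reported as second-peak over first-peak
deviation, which is my reading of how Table 5 arrives at 9.01 % and 24.97 %."""
import math


def second_order_step(t, sp_old, sp_new, wn=1.0, zeta=0.2):
    """Constructed data: underdamped second-order response to a setpoint step."""
    sigma, wd = zeta * wn, wn * math.sqrt(1.0 - zeta ** 2)
    delta = sp_new - sp_old
    return [sp_new - delta * math.exp(-sigma * tau)
            * (math.cos(wd * tau) + sigma / wd * math.sin(wd * tau)) for tau in t]


def first_order_step(t, sp_old, sp_new, tc=10.0):
    """Constructed data: monotone first-order response with time constant tc."""
    return [sp_new - (sp_new - sp_old) * math.exp(-tau / tc) for tau in t]


def evaluate_step_response(t, y, sp_old, sp_new, band=0.05, tail=0.1):
    """Return the classical indices for one step test.

    t, y   : sample times and measured values of the controlled variable
    sp_old : value the loop held before the step; sp_new : setpoint after it
    band   : adjustment-time band as a fraction of the step change (assumption)
    tail   : fraction of the record averaged for the remainder (residual) error
    Indices that need a peak are None when the response is monotone, which is
    the case Table 6 marks with "-".
    """
    delta = sp_new - sp_old
    sign = 1.0 if delta >= 0 else -1.0
    n = len(y)
    t0 = t[0]
    # deviation from the new setpoint, counted positive in the step direction
    dev = [sign * (v - sp_new) for v in y]

    # rise time: first sample at which the setpoint is reached
    rise = next((t[i] - t0 for i in range(n) if dev[i] >= 0.0), None)

    # peaks beyond the setpoint: local maxima of the deviation in the step direction
    peaks = [i for i in range(1, n - 1)
             if dev[i] > 0.0 and dev[i] > dev[i - 1] and dev[i] >= dev[i + 1]]
    peak_value = y[peaks[0]] if peaks else None
    peak_time = t[peaks[0]] - t0 if peaks else None
    overshoot = 100.0 * dev[peaks[0]] / abs(delta) if peaks else None
    # attenuation ratio needs two peaks in the same direction
    attenuation = 100.0 * dev[peaks[1]] / dev[peaks[0]] if len(peaks) > 1 else None

    # remainder error: mean of the record tail minus the setpoint; the text calls
    # the loop stable when this lies within +/-5 % of the setpoint
    k = max(1, int(n * tail))
    remainder = sum(y[n - k:]) / k - sp_new
    stable = abs(remainder) <= 0.05 * abs(sp_new)

    # adjustment (settling) time: first sample after the last excursion from the band
    lim = band * abs(delta)
    last_out = max((i for i in range(n) if abs(dev[i]) > lim), default=-1)
    adjustment = t[last_out + 1] - t0 if last_out + 1 < n else None

    # ISE = integral of (y - y_sp)^2 dt, trapezoidal rule over the record
    ise = sum(0.5 * (t[i + 1] - t[i])
              * ((y[i] - sp_new) ** 2 + (y[i + 1] - sp_new) ** 2) for i in range(n - 1))

    return {"peak_value": peak_value, "peak_time": peak_time, "remainder": remainder,
            "stable": stable, "adjustment_time": adjustment, "overshoot_pct": overshoot,
            "attenuation_ratio_pct": attenuation, "rise_time": rise, "ise": ise}


def demo():
    """Pressurizer-style step 153 -> 157 bar sampled every 0.01 s for 30 s."""
    t = [i * 0.01 for i in range(3001)]
    return evaluate_step_response(t, second_order_step(t, 153.0, 157.0), 153.0, 157.0)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value}")
```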
Fig. 2. Harris method schematic diagram
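Steps (a)–(e) of the Harris index carried out on constructed closed-loop data (added example, not the authors' code): the delay d is taken as known, the time-series model is an AR(p) fit by the Yule–Walker (Levinson–Durbin) recursion, which is my choice of identification method, and `simulate_loop` is a hypothetical ARMA(1,1) loop driven by unit-variance Gaussian noise.

```python
"""Harris index eta(d) = sigma2_MV / sigma2_y following steps (a)-(e) above
(added example, not the authors' code). The pure delay d is taken as known, and
the time-series model is an AR(p) fit by the Yule-Walker (Levinson-Durbin)
recursion, my choice of identification method; the closed-loop data are
constructed from an ARMA(1,1) loop driven by unit-variance Gaussian noise."""
import random


def autocovariance(y, max_lag):
    """Biased sample autocovariances r[0..max_lag] of the mean-removed series."""
    n = len(y)
    mean = sum(y) / n
    z = [v - mean for v in y]
    return [sum(z[i] * z[i + k] for i in range(n - k)) / n for k in range(max_lag + 1)]


def levinson_durbin(r, p):
    """Fit y_t = phi_1 y_{t-1} + ... + phi_p y_{t-p} + a_t from autocovariances r.
    Returns (phi[1..p], sigma2_a) where sigma2_a is the white-noise variance."""
    phi = [0.0] * (p + 1)
    sigma2_a = r[0]
    for k in range(1, p + 1):
        kappa = (r[k] - sum(phi[j] * r[k - j] for j in range(1, k))) / sigma2_a
        new = phi[:]
        new[k] = kappa
        for j in range(1, k):
            new[j] = phi[j] - kappa * phi[k - j]
        phi = new
        sigma2_a *= 1.0 - kappa * kappa
    return phi[1:], sigma2_a


def impulse_response(phi, length):
    """Invert the AR fit to y_t = sum_j psi_j a_{t-j}, psi_0 = 1 (step (b):
    psi_0..psi_{d-1} form F, the remaining weights form L)."""
    psi = [1.0]
    for j in range(1, length):
        psi.append(sum(phi[i - 1] * psi[j - i] for i in range(1, min(j, len(phi)) + 1)))
    return psi


def harris_index(y, d, p=20):
    """Steps (b)-(e): sigma2_MV = sigma2_a * sum_{j<d} psi_j^2 is the variance no
    feedback controller can remove; sigma2_y is the actual output variance."""
    r = autocovariance(y, p)
    phi, sigma2_a = levinson_durbin(r, p)
    psi = impulse_response(phi, d)
    sigma2_mv = sigma2_a * sum(w * w for w in psi)
    sigma2_y = r[0]
    return min(1.0, sigma2_mv / sigma2_y)   # eta(d) lies in [0, 1]


def simulate_loop(n, ar=0.5, ma=0.6, seed=7):
    """Constructed closed-loop output y_t = ar*y_{t-1} + a_t + ma*a_{t-1}.
    For d = 2 the weights psi_0, psi_1 cannot be changed by feedback; with ar = 0
    there are no later weights, so that loop is already at minimum variance."""
    rng = random.Random(seed)
    y, a_prev, y_prev = [], 0.0, 0.0
    for _ in range(n):
        a = rng.gauss(0.0, 1.0)
        y_cur = ar * y_prev + a + ma * a_prev
        y.append(y_cur)
        a_prev, y_prev = a, y_cur
    return y


if __name__ == "__main__":
    data = simulate_loop(6000)
    print("eta(2) =", round(harris_index(data, 2), 3))   # theory: 0.846 for this loop
    print("eta(2) at minimum variance =",
          round(harris_index(simulate_loop(6000, ar=0.0), 2), 3))
```

For the constructed loop the theoretical value is eta(2) = 2.21 / 2.613 = 0.846; the estimate from 6000 samples lands within a few hundredths of it.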
According to the classification principle of control loops mentioned above, Table 1 lists all kinds of evaluation contents. Of course, not all nine indexes need to be evaluated for each type. For example, the first-order ascending and descending models do not need to evaluate such indicators as overshoot and attenuation ratio.
Table 1. Evaluation reference and evaluation contents

| Variable | Peak value | Peak time | Remainder error | Adjustment time | Overshoot | Attenuation ratio | Rising time | ISE | Harris |
| First-order ascending | y | y | y | y | y | y | y | y | y |
| First-order descending | y | y | y | y | y | y | y | y | y |
| Second-order ascending | n | n | y | y | n | n | y | y | y |
| Second-order descending | n | n | y | y | n | n | y | y | y |
| Stationary | n | n | y | n | n | n | n | y | y |
3 Development of the Evaluation System

3.1 Functional Architecture of the System
The main functional units of the performance evaluation system include five parts: data loading, loop information selection, data display, evaluation function selection and result display.
a. Data loading mainly completes the loading of the historical data of the evaluation loop.
b. The information selection and initialization of the evaluation loop is accomplished in four steps. The first step is to fetch the relevant contents of the evaluation loop from the configuration information and give the relevant information of the loop, including the loop type (single loop, cascade loop), the name of the controlled variable and the name of the control variable. The second step is to screen the data of the controlled variables and control variables according to the information in the configuration file, and draw the historical data curve of the main (deputy) loop in the evaluation data display section. The third step is to select the starting and ending time of the evaluation data, and draw the curve again in the evaluation data display section. The fourth step is to input the setpoint information of some loops manually, because it is not available when the fixed values are loaded.
The evaluation function selection part provides four functions. After the contents of the loop information selection part have been configured, the classification type of the control loop is selected and the evaluation is calculated. After the calculation, the evaluation results are displayed in the evaluation result display part. Then the evaluation results are saved and all the information contained in the system is cleared (this function is used when another loop is to be evaluated). Finally, the system is exited. The flow chart of the system is shown in Fig. 3.
Fig. 3. Performance evaluation flow chart
3.2 Data Storage
The control performance evaluation methods used in the system are based on historical data, so there are format requirements for data storage and reading and for configuration file storage and reading. The input evaluation data, the evaluation results and the system configuration information are stored in EXCEL format files. The storage structure of these three types of files is shown in Tables 2, 3 and 4.

Table 2. Evaluation data format

| Time | Controlled variables (main) | Control variable (main) | Controlled variables (deputy) | Control variables (deputy) |
| Data-1 | Data-1 | Data-1 | Data-1 | Data-1 |
| … | … | … | … | … |
| Data-n | Data-n | Data-n | Data-n | Data-n |

Table 3. Loop information format

| Loop name | Controlled variables (main) | Control variable (main) | SetPoint (main) | P (main) | I (main) | D (main) |
| Letdown pressure control | Controlled variables (deputy) | Control variables (deputy) | SetPoint (deputy) | P (deputy) | I (deputy) | D (deputy) |

Table 4. Format of evaluation results

| Evaluation results | Peak value | Peak time | Remainder | Adjustment time | Overshoot | Attenuation ratio | Rising time | ISE | Harris |
3.3 Implementation of the System

This system is implemented using simulation software which has powerful data processing functions, supplies control, statistics, system identification and other toolboxes for users to call, and provides a graphical user interface programming function that enables developers to develop user interfaces conveniently and to call the functions of the other toolboxes.
4 Experimental Results

4.1 Performance Evaluation of Pressurizer Pressure Control
The pressurizer pressure control system is the core control system of a nuclear power unit. It maintains the pressure of the primary loop at its setting value, keeps the pressure within the regulating region during normal transients without causing an emergency shutdown, and avoids operation of the pressurizer safety valve so as to maintain the integrity of the primary loop boundary. The evaluation system has been applied in the pressure control test of the third generation unit. The pressure is stable at 153 bar before the test. The control system is kept in the automatic state during the test. The set value is modified to 157 bar, and the pressure is then adjusted to the set value by the control system. The response curve of the system is shown in Fig. 4, and the evaluation parameters are shown in Table 5.
Fig. 4. Pressure control after optimization

Table 5. Evaluation result of pressure control after optimization

| Evaluation results | Value |
| Peak value | 157.3604053 |
| Peak time (s) | 947 |
| Remainder | 0.068117273 |
| Adjustment time (s) | 1328 |
| Overshoot | 9.01% |
| Attenuation ratio | 24.97% |
| Rising time (s) | 579 |
| ISE | 93.32083016 |
Compared with the test results of the pressure control system before optimization, the performance has been greatly improved. In the test before optimization, the pressure setting value is kept unchanged during the whole test. The control system is set to the manual state, and the system pressure is adjusted to 5 bar above the set value. Then it is set to the automatic state, and the pressure is adjusted to the set value by the control system. The response curve of the system is shown in Fig. 5, and the evaluation parameters are shown in Table 6.
Fig. 5. Pressure control after optimization
Table 6. Evaluation result of pressure control before optimization

| Evaluation results | Value |
| Peak value | 153.05 |
| Peak time (s) | 2859 |
| Remainder | −0.20 |
| Adjustment time (s) | 4272 |
| Overshoot | 19.00% |
| Attenuation ratio | – |
| Rising time (s) | 2200 |
| ISE | 222.4964 |
It should be noted that in this experiment only one peak appears and the system tends to be stable, so the attenuation ratio cannot be calculated and is marked as “−”.

4.2 Performance Evaluation of Pressurizer Level Control
Pressurizer level control is a control process with a large lag, which has the shortcomings of a long regulation time and slow attenuation. After the loop optimization, the disturbance test is carried out. The level is stable at 39% of the range before the test, and the system is kept in the automatic state during the test. The setpoint value is changed to 44%, and the level is then adjusted to the setpoint value by the control system. The response curve of the system is shown in Fig. 6, and the evaluation parameters are shown in Table 7. The evaluation results show that the rapidity and stability of the optimized system have reached a good level.
Fig. 6. Level control after optimization
Table 7. Evaluation result of level control after optimization

| Evaluation results | Value |
| Peak value | 44.96419 |
| Peak time (s) | 993 |
| Remainder | 0.232815 |
| Adjustment time (s) | 1939 |
| Overshoot | 19.28% |
| Attenuation ratio | 18.73% |
| Rising time (s) | 564 |
| ISE | 55.77036 |

4.3 Contrastive Analysis of Unit and Reference Unit
This system develops the function of data comparison and analysis among multiple units. After completing a control system test, the historical data of another unit can be directly selected for comparison and analysis; the system automatically completes the alignment and adjustment of the time axis. As Fig. 7 shows, after the load rejection to house load test of unit B, it was found that the pressure of the primary loop was a little high. Using this function, the data of unit A (the reference unit) were selected for comparison, which confirmed that the pressure was high and that the change trend was basically consistent, so the subsequent analysis was carried out rapidly.
Fig. 7. Comparison with the results of reference units
5 Conclusion

Aiming at the problem that manual experience is often used to evaluate control performance in the testing of closed-loop control systems, a system for the evaluation of control systems is developed. The system can evaluate nine indexes, such as peak value, of single-loop or cascade-loop control systems. It has the advantages of simple operation and fast running speed. The evaluation results of this system can provide engineers with a reference for the performance evaluation and parameter adjustment of control systems. The validity of the system is verified by the pressurizer pressure, level and other control loops. At present, the system developed in this paper has been successfully applied to the third generation nuclear power plant and has achieved satisfactory results.
References
1. Yang, Z.-W., Huang, T.-M., Feng, G.-Y., Luan, Z.-H., Lin, M., Zhu, L.-Z.: Application of nuclear power plant simulation technology in reactor control system debugging. Nucl. Power Eng. 30(6), 49–53, 59 (2009)
2. Guangdong Nuclear Power Training Center: 900 MW PWR Nuclear Power Plant System and Equipment (Volume 1). Atomic Energy Publishing Press, Beijing (2005)
3. Ji-long, P.: Course on Operation of Guangdong Daya Bay Nuclear Power Station. Atomic Energy Press, Beijing (1999)
4. Harris, T.J.: Assessment of control loop performance. Can. J. Chem. Eng. 67, 856–861 (1989)
5. Shou-song, H.: Principles of Automatic Control, 6th edn. Science Press, Beijing (2013)
6. Li, G., Wang, Q.-L.: Performance evaluation and regulation of PID controller based on tracking step response. J. Syst. Simul. 20(14), 3763–3766, 3771 (2008)
7. Zhao, H.-z., Zhao, Z., Zhu, L.: Multi-index performance evaluation of closed-loop control loop. Chem. Autom. Instrum. 44(11), 1019–1022 (2013)
8. Luan, Z.-h., Liu, D.-g., Qiu, S.-s., Yang, Z.-w., Feng, G.-y.: Instrument control debugging analysis and research of PWR nuclear power plant based on Simulink simulation technology. Nucl. Power Eng. 34(5), 87–89 (2013)
Research on Typical Fault Diagnosis of Nuclear Power Plant Based on Weighted Logical Inference Arithmetic
Yi-Peng Fan, Hong-Yun Xie, and Chao Lu
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172, China
Abstract. The safety of nuclear power is the main problem that nuclear power plants (NPPs) have been trying to solve since their inception. Especially after the Fukushima accident, the safety of nuclear power plants has attracted wide attention all over the world. However, subject to the requirements of economy, it is impossible to improve the safety of nuclear power plants only by increasing the redundancy of the system or by improving the safety level of equipment. NPP fault diagnosis provides another direction for improving the safety of nuclear power plants. Under NPP fault conditions, although the signals change rapidly and the fault modes are various, this fault diagnosis method based on weighted logical inference arithmetic can still carry out evidence reasoning. Furthermore, this method does not require the collection of numerous fault samples, so it works when the number of fault samples is very small. The result of this study can provide auxiliary support for NPP operators when dealing with accidents.
Keywords: Fault diagnosis · Nuclear power plant · Weighted logical inference arithmetic
1 Introduction

1.1 Research Background
At present, especially after the Fukushima incident, most of the major nuclear power countries in the world have greatly improved the safety of nuclear power units by improving the design concept and the operation mode of nuclear power. The steady growth of nuclear power generation and the continuous improvement of energy efficiency have contributed to the solution of the energy crisis and enhanced the social and economic interests of human beings. However, because the cost and reliability of the equipment cannot reach 100%, it is difficult to improve the safety of new NPPs by increasing the redundancy of the equipment and improving the safety level of the equipment. Moreover, the method of increasing equipment redundancy is not suitable for nuclear power units that were put into operation early. In order to further improve the safety of nuclear power and the utilization rate of nuclear power units, an important means is to monitor the condition of the systems in operation, to help the operators accurately identify faults, and to give methods to eliminate the faults. At present, the common classification of fault diagnosis methods is as follows [1]: (1) methods based on mathematical models; (2) methods based on signal processing; (3) methods based on knowledge [2–5]. The research on NPP fault diagnosis here is based on expert knowledge and graph theory to diagnose the main faults of an NPP. In addition, the HPR1000 engineering simulator can simulate system characteristics completely, synthetically and in real time. The dynamic operating characteristics and operating state of the equipment and components in each system, such as motors, pumps, valves and regulators, are simulated by the engineering simulator. Therefore, the HPR1000 simulator can be used as the basis of fault diagnosis in an NPP, to debug fault diagnosis software and verify the effect of fault diagnosis.

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 345–355, 2020. https://doi.org/10.1007/978-981-15-1876-8_35

1.2 Research Contents
Through the investigation of fault diagnosis methods, the knowledge-based method uses prior knowledge of the diagnostic object to carry out qualitative analysis and reasoning on the actual situation; the mathematical model of the analysed object does not need to be known. So the method is easy to realize and is suitable for fault diagnosis of non-linear systems, but the bottleneck of its application is also very obvious, such as the difficulty of obtaining knowledge. The fault diagnosis method based on graph theory is a diagnostic method that does not depend on an exact mathematical model; it has obvious advantages in the speed of establishing the diagnosis model and in the ability to recognize new faults, so it is worth further development and research. The structure of a system refers to the relationships between its components and the way they act on each other, and a correct grasp of the structure of the system is the key to understanding a fault and its propagation. Graph theory is a well-developed theory in which the structure of a system is described by a directed graph, and it has been proved to be an effective method; the fault tree was applied relatively early. Other graph methods, such as the event tree and fault tree, explain the fault propagation relationship among components, but because of the restriction of the tree structure, they are not convenient for handling complex systems. The directed graph model fully considers the structural characteristics of the system, and the method can in theory be used for reasoning about all fault modes. This subject adopts the method of combining knowledge theory and graph theory to study and establish an expert database, and verifies the fault diagnosis effect in combination with the HPR1000 engineering simulator. The research content is divided into the following parts:
1. Study of the fault diagnosis method based on graph theory and knowledge theory; a typical fault of the NPP is selected to establish a brief expert database;
2. A typical fault diagnosis system is developed;
3. The fault diagnosis effect is verified in combination with the HPR1000 engineering simulator.
2 Research and System Development Based on Weighted Logical Inference Arithmetic

The difficulty of establishing an expert diagnosis system lies in the establishment of the expert knowledge base. Furthermore, because nuclear safety is the highest criterion of an NPP and the plant has multiple safety barriers from the beginning of its design, there are very few fault samples in a real NPP. The method of obtaining an expert knowledge base based on machine learning theory is therefore not suitable for the establishment of an NPP diagnosis system. In addition, the theory based on weighted logical inference arithmetic is mainly based on the human way of thinking for fault analysis. Therefore, the collection of fault samples in this study requires analysing the typical faults of NPPs manually, selecting the parameters that can be monitored when the faults occur, and establishing the causality between the parameters [6–8].

2.1 Fault Diagnosis Reasoning Logic
Nuclear power plants designed to RCC-P divide the operating conditions into the following four categories according to the expected frequency of events and the potential radioactive consequences for the public:
• Condition I: normal operation and normal operational transients;
• Condition II: medium-frequency events;
• Condition III: rare accidents;
• Condition IV: extreme accidents.
Among them, we analyze and establish the expert knowledge database for conditions II, III and IV. For the typical faults of nuclear power plants, we have established some expert databases. The database is divided into the following parts:
1. the typical accident;
2. the key parameter changes triggered by the accident;
3. the secondary parameter changes caused by the accident;
4. the device action prediction.
Here, we select the secondary circuit heat over discharge to build the fault diagnosis model. The secondary circuit heat over discharge of the reactor coolant system (RCP) is an enveloping failure.
Events that may cause the secondary circuit heat over-discharge from the Reactor Coolant System (RCP) include:
• a fault of the feed water system causes the feed water temperature to fall;
• a feed water system failure causes the feed water flow to increase;
• the steam flow rate of the secondary circuit increases excessively;
• accident pressure relief of the main steam system;
• a steam system pipeline is broken.
The causal relationship between the parameters is obtained by the expert analysis as shown in the following Fig. 1:
[Fig. 1 is a causality diagram; the node labels recoverable from the extracted text are: fault causes Main feedwater heater failure, Feedwater bypass valve misopened, ARE system failure, Feedwater control valve misopened, Load increased too much, Steam turbine speed control malfunction, Steam turbine inlet valve misopened, Main steam bypass valve misopened, MSSV misopened, Steam line break; intermediate events Temperature reduction of main feedwater in loop A, Overdischarge of main feedwater flow in loop A, Overdischarge of steam flow in loop A, Steam accident discharge, Steam water quality of SG; monitored parameters Main feedwater temperature (ARE1327MT-), Primary circuit average temperature (RCP1882MT-), Pressurizer press (RCP6811MP-), Feedwater flow (ARE1311MD-), SG level (RCP1731MN-), Steam flow in loop A (VVP2001KM-), SG press in loop A (VVP2004KM-), Steam flow in uninfluenced loop (VVP2002KM), SG press in uninfluenced loop (VVP2005KM), Containment press (RIS1860MP), each with states 0-Normal / 1-Low / 2-High or 0-Normal / 1-High as applicable; device actions Reactor state, SI, Main feedwater isolation, Main steam isolation.]
Fig. 1. Causality between parameters
2.2 Obtaining the Set Values of the Expert Database
In this paper, the envelope condition of over discharge of steam flow in the secondary circuit is studied, and the accident simulation is carried out by using HPR1000 engineering simulator, so as to obtain the changing trend of each parameter, and then obtain the normal interval and the accident interval of the key parameters (Fig. 2).
Fig. 2. Schematic diagram of the second loop of a NPP
The flow diagram of the main steam system of the HPR1000 unit is shown in the figure. When the steam flow rate of loop A is over-discharged, the water level of steam generator SG1 decreases, but the false water level leads to an increase of the wide-range water levels ARE3001KM, ARE3003KM and ARE3006KM. The flows VVP2001KM-, VVP2002KM- and VVP2003KM- on the main steam pipelines of loops A, B and C increase, resulting in an increase at the pressure transmitters on the three pipelines, which send out the pipeline isolation signal and close the main steam isolation valves VVP1220VV-, VVP2220VV- and VVP3220VV-. At the same time, the pressure difference of the pipeline increases, and the pressure transmitter sends out a safety injection signal. On the other hand, due to the over-discharge of the steam flow rate in loop A, the primary circuit temperature RCP6240KM decreases, which leads to a decrease of the pressurizer pressure RCP2001KM- and also sends out an injection signal. After the injection signal is sent out, the RT signal is triggered. The above cause and effect of the excessive discharge failure of steam flow in the secondary circuit is shown in Fig. 3.

[Fig. 3 is the reasoning diagram; the node labels recoverable from the extracted text are: hypotheses B1 Main steam bypass valve misopened, B2 MSSV misopened, B3 Steam line break (states 0-Normal / 1-Occur); the event Temperature reduction of main feedwater in loop A; parameters X2 Main feedwater temperature, X3 Pressurizer press (RCP6811MP, 12.5 MPa), X4 Feedwater flow, X5 Steam flow in loop A (VVP2001KM, 1324.1 t/h), X6 SG press in loop A (VVP2004KM, 4.54 MPa), X7 Steam flow in uninfluenced loop (VVP2002KM, 1139.5 t/h), X8 SG press in uninfluenced loop (VVP2005KM, 5.01 MPa), X9 Containment press (RIS1860MP, 0.217 MPa), with further thresholds RCP1882MT 279.8 and ARE1731MN -0.28 m; device actions X10 Reactor state, X11 SI, X12 Main feedwater isolation, X13 Main steam isolation.]

Fig. 3. Reasoning relationship of over-discharge parameters of steam flow in second circuit A

When the excessive discharge of secondary-loop steam flow occurs, the key parameters include: primary circuit average temperature, pressurizer pressure, SG water level, affected-loop steam flow, affected-loop SG pressure, unaffected-loop steam flow, unaffected-loop SG pressure, and containment pressure. Some of the key parameters obtained from the simulator are shown in Figs. 4 and 5:
Fig. 4. Average temperature of primary circuit and pressure of pressurizer
Fig. 5. SG water level and containment pressure
From the figures above, the ranges of the key parameters are obtained as follows (Table 1):
Table 1. Range of key parameters

| Name | Definition | State | Empirical parameter value set |
| B1 | A loop steam pipeline large break | 0: Normal; 1: Misspending | NA |
| B2 | SG safety valve misspending | 0: Normal; 1: Misspending | NA |
| B3 | Main steam bypass valve misspending | 0: Normal; 1: Misspending | NA |
| X2 | Average temperature of primary circuit | 0: Normal; 1: Low; 2: High | [280, 330]; 330 |
| X3 | Pressurizer pressure | 0: Normal; 1: Low; 2: High | [12.5, 17.5]; 17.5 |
| X4 | SG water level | 0: Normal; 1: Low; 2: High | [−0.1, 0.1]; 0.1 |
| X5 | A loop steam flow | 0: Normal; 1: Low; 2: High | [2100, 2300]; 2300 |
| X6 | A loop SG pressure | 0: Normal; 1: Low; 2: High | [5.5, 7.5]; 7.5 |
| X7 | Uninfluenced loop steam flow | 0: Normal; 1: Low; 2: High | [2100, 2300]; 2300 |
| X8 | Uninfluenced SG pressure | 0: Normal; 1: Low; 2: High | [5.5, 7.5]; 7.5 |
| X9 | Containment pressure | 0: Normal; 1: Low; 2: High | [0.08, 0.12]; 0.12 |
| X10 | SG safety valve position | 0: Closed; 1: Open | |
| X11 | Main steam bypass valve position | 0: Closed; 1: Open | |
| X12 | Main steam bypass valve position | 0: Closed; 1: Open | |

2.3 Fault Diagnosis Interface and Logical Inference Design
The diagnostic scheme is designed as follows:

[Fig. 6 is a block diagram; its blocks are: Diagnosis; Data sources (Database, Simulator); Communication; Graphic interface design; Knowledge base; Fault interpretation and development forecast; Inference engine; Fault alarm.]

Fig. 6. Diagnosis scheme design
First, the initial interface of the fault diagnosis tool shows a summary diagram of the first and second loop system of the NPP. When a fault is diagnosed, a red flicker alarm is displayed at the location of the fault. The alarm is used to remind the operator of the location of the fault and the basis on which the fault diagnosis depends, and to remind the operator of the development direction of the unit based on the change of the parameters (Figs. 6, 7 and 8). The initial interface is shown in the following figure:
Fig. 7. Initial interface
When diagnosing a fault of the unit, clicking on the corresponding alarm displays the current alarm reason in a pop-up window, as shown below. Red indicates that the probability of the fault is large according to the probability analysis, and a light colour indicates that the probability of the fault is small. Green indicates a parameter or device that is predicted to change or act as a consequence of the currently detected parameter change.
Fig. 8. Fault reasoning interface
Based on expert experience, we define the causality between parameters as $a_{n;k}$. On the other hand, we define operational weight variables, based on the uncertain relationship $r$ between the B variables and the X variables, as $r_{n;i}$.
$$b_1 = b_2 = b_3 = \begin{pmatrix} 0.99 \\ 0.01 \end{pmatrix}$$

$$a_{1;2} = a_{2;2} = a_{3;2} = \begin{pmatrix} 0.01 \\ 0.98 \\ 0.01 \end{pmatrix}, \quad a_{2;3} = \begin{pmatrix} 0.01 \\ 0.98 \\ 0.01 \end{pmatrix}$$

$$a_{1;4} = a_{2;4} = a_{3;4} = \begin{pmatrix} 0.01 \\ 0.98 \\ 0.01 \end{pmatrix}$$

$$a_{1;5} = a_{2;5} = a_{3;5} = \begin{pmatrix} 0.02 \\ 0.49 \\ 0.49 \end{pmatrix}, \quad a_{5;6} = \begin{pmatrix} 0.01 & 0.01 \\ 0.9 & 0.09 \\ 0.09 & 0.9 \end{pmatrix}$$

$$a_{1;7} = a_{2;7} = a_{3;7} = \begin{pmatrix} 0.02 \\ 0.49 \\ 0.49 \end{pmatrix}, \quad a_{7;8} = \begin{pmatrix} 0.01 & 0.01 \\ 0.9 & 0.09 \\ 0.09 & 0.9 \end{pmatrix}$$

$$a_{1;9} = a_{2;9} = a_{3;9} = \begin{pmatrix} 0.01 \\ 0.01 \\ 0.98 \end{pmatrix}$$

$$a_{3;12} = \begin{pmatrix} 0.01 \\ 0.99 \end{pmatrix}, \quad a_{2;10} = \begin{pmatrix} 0.99 \\ 0.01 \end{pmatrix}, \quad a_{2;11} = \begin{pmatrix} 0.99 \\ 0.01 \end{pmatrix}$$
When the following failure evidence is detected: $X_{2;1}, X_{3;1}, X_{4;1}, X_{5;1}, X_{6;1}, X_{7;1}, X_{8;1}, X_{9;2}$, the causes that can explain this evidence include $B_{1;1}$, $B_{2;1}$ and $B_{3;1}$. Based on weighted logical inference arithmetic, the probabilities of accident occurrence of $B_{1;1}$, $B_{2;1}$ and $B_{3;1}$ are calculated from:

$$E_1 = A_{2;1;1;1} A_{2;1;3;1} A_{4;1;1;1} A_{5;1;1;1} A_{5;1;6;1} A_{7;1;1;1} A_{7;1;8;1} A_{9;2;1;1} B_{1;1} \quad (1)$$

$$E_2 = A_{2;1;1;1} A_{2;1;3;1} A_{4;1;1;1} A_{5;1;1;1} A_{5;1;6;1} A_{7;1;1;1} A_{7;1;8;1} A_{9;2;1;1} B_{1;1} A_{11;1;2;1} A_{12;1;2;1} \quad (2)$$

$$E_3 = A_{2;1;1;1} A_{2;1;3;1} A_{4;1;1;1} A_{5;1;1;1} A_{5;1;6;1} A_{7;1;1;1} A_{7;1;8;1} A_{9;2;1;1} B_{1;1} A_{10;1;3;1} \quad (3)$$
When the value of each parameter is entered, the calculation results $\Pr\{E_1\}$, $\Pr\{E_2\}$ and $\Pr\{E_3\}$ are obtained. In the hypothesis space $H_{1;1}, H_{2;1}, H_{3;1}$, the probabilities of the events are ranked as $h^{r}_{1;1}$ = 98.04%, $h^{r}_{2;1}$ = 0.98%, $h^{r}_{3;1}$ = 0.98%.
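The inference of Eqs. (1)–(3) carried out on the matrices printed above, as an added example that is not the authors' code: each hypothesis is scored by the product of the causal intensities that link it to the observed evidence states and the scores are normalised, which reproduces the 98.04 % / 0.98 % / 0.98 % ranking. Where the page prints no value I assume one and say so in the code: $a_{2;3}$ is reused for B1 and B3, $a_{3;10}$ is taken equal to $a_{2;11}$, and the second device factor of Eq. (2) is omitted because $a_{2;12}$ is not printed.

```python
"""Weighted logical inference for the steam over-discharge case of Sect. 2.3
(added example, not the authors' code). A hypothesis B_k is scored as
E_k = b_{k;1} * prod over evidence of the causal intensity linking B_k (or the
observed parent, for X6 and X8) to the observed state, and h_k = E_k / sum_j E_j.
With several parents the intensity is the r_{n;i}-weighted sum of their columns."""


def weighted_intensity(child_state, parents):
    """parents: list of (r_{n;i}, intensity column for that parent's observed state).
    Returns sum_i (r_i / sum_j r_j) * column_i[child_state]."""
    total = sum(r for r, _ in parents)
    return sum(r / total * col[child_state] for r, col in parents)


def rank_hypotheses(priors, explanations):
    """priors: {B_k: b_{k;1}}; explanations: {B_k: [(child_state, parents), ...]}.
    Returns {B_k: h_k}, the normalised weighted-logical-inference result."""
    scores = {}
    for name, prior in priors.items():
        e = prior
        for child_state, parents in explanations[name]:
            e *= weighted_intensity(child_state, parents)
        scores[name] = e
    norm = sum(scores.values())
    return {name: e / norm for name, e in scores.items()}


# Causal intensity vectors printed in the paper, indexed by child state
# (0 Normal, 1 Low, 2 High). The paper gives the same vector for B1, B2 and B3
# on X2, X4, X5, X7 and X9; for X3 it prints only a_{2;3}, which is reused for
# B1 and B3 here (assumption).
A_FROM_B = {"X2": [0.01, 0.98, 0.01], "X3": [0.01, 0.98, 0.01],
            "X4": [0.01, 0.98, 0.01], "X5": [0.02, 0.49, 0.49],
            "X7": [0.02, 0.49, 0.49], "X9": [0.01, 0.01, 0.98]}
# a_{5;6} and a_{7;8} as columns keyed by the parent's observed state
A_CHAIN = {"X6": ("X5", {1: [0.01, 0.9, 0.09], 2: [0.01, 0.09, 0.9]}),
           "X8": ("X7", {1: [0.01, 0.9, 0.09], 2: [0.01, 0.09, 0.9]})}
# Device-action evidence that only B2 and B3 must additionally explain, as in
# Eqs. (2) and (3): a_{2;11} = (0.99, 0.01)^T is printed; a_{3;10} is not and is
# assumed equal to it (assumption). The second factor of Eq. (2) is omitted
# because a_{2;12} is not printed.
A_DEVICE = {"B2": [0.99, 0.01], "B3": [0.99, 0.01]}
EVIDENCE = {"X2": 1, "X3": 1, "X4": 1, "X5": 1, "X6": 1, "X7": 1, "X8": 1, "X9": 2}
PRIORS = {"B1": 0.01, "B2": 0.01, "B3": 0.01}   # b_{k;1}, the "occur" entry of b_k


def steam_overdischarge_case(evidence=EVIDENCE):
    """Build the explanation list of every hypothesis from the evidence and rank."""
    explanations = {}
    for b in PRIORS:
        facts = []
        for node, state in evidence.items():
            if node in A_CHAIN:                # explained by the observed parent
                parent, columns = A_CHAIN[node]
                facts.append((state, [(1.0, columns[evidence[parent]])]))
            else:                              # explained directly by B_k
                facts.append((state, [(1.0, A_FROM_B[node])]))
        if b in A_DEVICE:                      # extra device-action factor, state 1
            facts.append((1, [(1.0, A_DEVICE[b])]))
        explanations[b] = facts
    return rank_hypotheses(PRIORS, explanations)


if __name__ == "__main__":
    for name, h in steam_overdischarge_case().items():
        print(f"{name}: {100 * h:.2f} %")   # B1 98.04 %, B2 0.98 %, B3 0.98 %
```

The shared factors cancel in the normalisation, so the ranking is decided entirely by the 0.01 device-action factors that B2 and B3 carry and B1 does not.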
3 Typical Fault Diagnosis – Excessive Discharge of Steam in the Second Loop

After establishing the communication between the HPR1000 simulator and the fault diagnosis tool, we inserted a fault in the second-loop steam pipeline into the HPR1000 process model and observed the fault diagnosis software. The fault diagnosis proceeded as follows: when a change of the corresponding key parameters is detected, the corresponding position sends out the flicker alarm in time; clicking on the alarm pops up the corresponding fault causality display, as shown in the following figure, and the current fault diagnosis probability is calculated (Fig. 9).
Fig. 9. Reasoning result interface
Through many tests, the location of the fault could be diagnosed from the changes of the key parameters, and the fault probability given by the software is consistent with the calculated fault probability.
4 Conclusions

Under NPP fault conditions, although the signals change rapidly and the fault modes are various, this fault diagnosis method based on weighted logical inference arithmetic can still carry out evidence reasoning. Furthermore, with this fault diagnosis method we do not need to collect numerous fault samples; the number of fault samples required is very small. The product of this study can provide auxiliary support for NPP operators when dealing with accidents. This method can relieve the pressure on operators for fault diagnosis in the case of an accident and improve the accuracy of fault diagnosis.
Information Security Risk Analysis and Countermeasures of Digital Instrumentation Control System in NPP

Jian-Zhong Tang1(&), Zi-Yin Liu2, Hui-Hui Liang1, Peng-Fei Gu1, and Wei-Jun Huang1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, Nuclear Power Engineering Co., Ltd., Shenzhen of Guangdong Prov., Shenzhen 518172, China [email protected]
2 College of Nuclear Science and Technology, Harbin Engineering University, Harbin of Heilongjiang Prov., Harbin 150001, China
Abstract. Against the background of actively adjusting the energy structure, promoting energy conservation and emission reduction, and enhancing energy security capability, the rapid development of nuclear power has become an inevitable trend. As a national high-security technology, nuclear power is directly related to the interests of the country. In recent years, with the deep integration of nuclear power plants (NPPs) and information technology, the information security of NPPs has become increasingly important. The digital instrument control system is a typical representative of this integration. This paper analyzes and evaluates the information security of the digital instrument control system of NPPs and discusses countermeasures. It analyzes the systems, equipment and components of the digital instrument and control system of NPPs that may carry information security risks, and puts forward countermeasures and management measures for new and operating power plants in view of those possible risks.

Keywords: NPP · Digital instrument and control system · Information safety · Risk analysis
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 356–366, 2020. https://doi.org/10.1007/978-981-15-1876-8_36

1 Introduction

Against the backdrop of the development and popularization of digitalization and informatization technology in the industrial domain, the study and application of intelligent and informational NPPs have been accelerated in both new NPPs and operating power plants. Stuxnet in Iran, the Havex Trojan, the worm in Ukraine and many other advanced persistent threats (APTs) targeting control systems in recent years have shown that information security has rapidly expanded from the traditional information technology field to the control system. Virus invasion of a control system can lead to
Information Security Risk Analysis and Countermeasures
357
paralysis of the entire system, and a severe invasion will even affect the security of the entire industry and even the country. As a national high-security technology, nuclear power has a direct bearing on the interests of a country. As a typical product of intelligent and informational NPPs, the digital instrument control system controls the entire NPP so that it operates safely and reliably, and its information security directly affects the safety of the entire power plant. At the same time, the digital instrument control system is gradually being developed domestically, as it is the key to the development of nuclear power. Therefore, analyzing and evaluating the possible information security risks of the nuclear power digital instrument control system can not only improve the safety and reliability of NPPs, but also provide a reliable guarantee for the independence of the digital instrument control system. As NPPs have become increasingly digitalized and networked in recent years, they have been confronted with more information security threats at the same time as they have been making efforts to improve control accuracy, simplify operation and ease maintenance.
2 Introduction to the Information Safety of Digital Instrument Control System in NPPs

2.1 Information Safety
The first “worm” was placed on the network on November 3, 1988. Thousands of machines were infected and the network was paralyzed in just a few hours. Robert Morris Jr., who produced the “worm”, was arrested and sentenced to three years of custody and fines. The emergence of “worms” changed the way people think about network security: a simple program destroyed hundreds of machines, and that day marked the beginning of internet security research [1].

The concept of information security has kept changing with the development of network and information technology. Before the 1970s, computer system design was concerned with the confidentiality of data in the computer and communication systems. In the 1990s, information security was measured by confidentiality, integrity and availability. Now, research addresses the science of protection, detection and recovery of information and its systems, based on specific security policies in a specific application environment. Information security includes data security and system security. Information security is threatened in four aspects:
• Interrupt threat: destroying the information that is being used or making it unusable, which destroys the availability of information.
• Monitor threat: unauthorized parties intervene in the system and undermine the confidentiality of information.
• Modification threat: unauthorized parties enter the system to carry out destructive attacks, destroying the integrity of the information.
• Fabrication threat: unauthorized parties insert fabricated objects into the data, destroying the authenticity of the information.
358
J.-Z. Tang et al.
System security is attacked in four aspects:
• Pretending (masquerade) attack: an attacking entity pretends to be another entity.
• Replay attack: obtaining a valid data segment of the information and replaying it to gain the trust of the other party.
• Modification attack: information is modified, delayed or rearranged in order to produce an unauthorized effect.
• Denial-of-service attack: destroying the normal operation and management of the equipment. Such attacks tend to be aimed at a specific target.

The information security industry in China started relatively late. Since the beginning of this century it has gone through three important stages of development (sprouting, boom and popularization), and the scale of the industry has gradually expanded, driven by the market's continuously growing demand for information security products and services. In addition, thanks to government attention and policy support, China's information security industry has been promoted to develop rapidly.

2.2 Digital Instrument Control System in NPPs
The instrument control systems used in the Qinshan NPP and the Daya Bay NPP, built early in China, mainly use analog signals, while the domestic Tianwan NPP was the first NPP to adopt a fully digital DCS. DCS has been widely used in other industrial fields for a long time. Given the conservative design requirements for reliability and safety, the DCS was fully verified in those fields before it was applied to the nuclear power industry. In recent years, the great advantages and reliability of digital control have been widely recognized in the industry. The fully digital instrument control system has not only been adopted by new power plants; operating NPPs have also begun to gradually transform their systems and partially apply it.

The NPP digital instrument control system is the control center and information system of the NPP. It is used to control and monitor the major and auxiliary processes by which the NPP generates thermal energy and electric energy. In all operating modes, including emergencies, the system must guarantee the safety, operability and reliability of the power plant so that the NPP runs safely, stably and economically. The digital instrument control system of an NPP is generally divided into the following four levels according to its functions:
• Level 0 (red zone in Fig. 1): process system interface layer (sensors, actuators, etc.);
• Level 1 (green zone in Fig. 1): automatic control and protection level (logic processing cabinets, cabinets for collecting field data);
• Level 2 (blue zone in Fig. 1): control and monitoring level (data processing system, man-machine interface system, etc.);
• Level 3 (purple zone in Fig. 1): level of information management of the whole plant (emergency command center, real-time information monitoring system, etc.).
Fig. 1. Schematic diagram of digital instrumentation control system in NPP
2.2.1 Level of Information Management of the Whole Plant

This level is mainly responsible for the non-real-time functions and the overall processing of information of the entire power plant. It receives the necessary information of the power plant through network interface equipment, so that the managers (power plant management, superior management authority, national emergency center or the relevant safety authority) can understand the condition of the power plant. The following systems are included: the Data Display and Processing System (DDS) and the Operation and Control Center System (OCS). The transmission of information is unidirectional. The operation and management information network provides the main operating information of the nuclear power unit to the relevant departments or units inside or outside the plant by connecting to the plant-level or remote network and other equipment through the gateway.

2.2.2 Control and Monitoring Level

The control and monitoring level, mainly based on a digital man-machine interface design, consists of the safety information and control system (SICS) of the main control room, the process information and control system (PICS), the remote shutdown station and the technical support center. Its main function is to provide the operator with process information and to transfer control commands in real time (in some NPPs the transmission is non-real-time), and to transmit the necessary important information to the superior management network. Its functions also include printing, recording, archiving and querying information data, and providing support such as diagnosis, maintenance, up-to-date configuration, safety parameter display, performance calculation, alarms, digitized procedures and clock synchronization for the hardware and software of the system.
2.2.3 Automatic Control and Protection Level

This level mainly realizes such functions as data acquisition and preprocessing, logic processing, protection and control operations, and communication. It mainly includes the Power Plant Standard Automation System (PSAS), the Reactor Protection System (RPS), dedicated instrument control subsystems, the BOP system and the public system (except field devices). The network in the automatic control and protection level mainly adopts Ethernet communication, the network transmission protocol conforms to ISO 8072/8073, and the network transmission speed is 100 Mbps or more.

2.2.4 Process System Interface Layer

This level is the interface to the process equipment, and is mainly composed of field devices such as sensors, actuators, power supply devices and power amplification components. Its main function is to monitor the process parameters of the process systems and equipment, control the process, and provide or control the power of the process equipment.

2.3 Current Situation of Information Safety of Digital Instrument Control System in NPPs
In view of the rapid development of digital instrument control systems and network technology and China's national conditions, the information safety of the digital instrument control systems of NPPs in China is confronted with the following important issues [2]:
• Some instrument control systems of the early NPPs in China were designed in a closed environment, and information security defensive mechanisms were not fully considered in those systems. With the gradual deepening of digital applications and the continuous enrichment of hacking techniques, the instrument control systems of early NPPs can no longer meet the requirements of information security;
• The industrial control systems used in China generally adopt the systems and equipment of foreign electronic equipment manufacturers, because domestic manufacturers lack core intellectual property rights and key technologies, which is not conducive to deepening information security protection;
• As domestic research on network security and industrial control system security started relatively late, it needs to be further improved in terms of products, technologies, operating systems, network architecture, enterprise management level, and the technical literacy of front-line operators.

Therefore, we need to be highly vigilant about the information safety of NPPs.
3 Risk Analysis on Information Safety of Digital Instrument Control System in NPPs

3.1 Risk Analysis on Information Safety of Digital Instrument Control System in NPPs
3.1.1 Risk Analysis on Process System Interface Layer

The process system interface level collects the data of the process system through the sensors and transmits the data to the controllers of L1; the controllers transmit control commands to the actuators. The following risks exist in the collection of data and the transmission of commands:
• When a sensor is collecting data, the data may be artificially interrupted, modified or fabricated, so that correct data cannot be transmitted and the process system cannot be monitored effectively; the data may also be artificially monitored, resulting in theft and illegal use of system data.
• When control commands are transmitted to the actuators, they may be artificially interrupted, modified or fabricated, so that correct control commands cannot be transmitted and the process system cannot be controlled effectively.

Data collection and control command transmission have independent data transmission channels, and they are not connected to the outside. These data can only be destroyed by physically destroying the transmission channel, that is, by artificially interrupting, monitoring, modifying or fabricating the data.
• Only by strengthening personnel management and ensuring that unauthorized personnel cannot enter the nuclear power control area can the process system interface layer be secured.

3.1.2 Risk Analysis on the Automatic Control and Protection Level

The automatic control and protection level receives the data transmitted by level L0, filters it, and transmits it to L3 for display; it converts the control commands transmitted by L2 into control commands for the actuators of L0; if the received data are not within the set range, an alarm signal is generated and passed to L2.

The following risks exist in data transmission, filtering, conversion and alarming:
• When the alarm signal is transmitted, it may be artificially interrupted, modified or fabricated, so that the alarm signal is transmitted incorrectly and L1 cannot give the correct command, which will create more serious consequences; it may also be artificially monitored, resulting in theft and illegal use of system data.
• When filtering and converting data, the security of the system software must be ensured in order to prevent it from being attacked. As the system software resides in the controller and is independent of the external environment, it can only be compromised by masquerade, modification or denial-of-service attacks.
• On the one hand, we should strengthen personnel management to ensure that L1 equipment is not maliciously damaged;
• On the other hand, we should update the system software in time so that old bugs cannot be exploited.

3.1.3 Risk Analysis on Operation and Information Management Level

The operation and information management level receives the data and signals filtered by L1 for display and archiving; it transfers the operator's manual commands to L1. The transmission, display and archiving of data carry the following risks:
• When data are transmitted, they may be artificially interrupted, modified or fabricated, so that data cannot be transmitted correctly and L2 cannot give correct commands, leading to more serious consequences; they may also be artificially monitored, resulting in theft and illegal use of system data.
• The data are collected at L2 to be displayed, archived and processed in the background. The L2 equipment must be kept secure to prevent it from being attacked. Even though the L2 equipment is independent of the external environment, domestic manufacturers depend on others for technology and equipment, because the industrial control systems used in domestic NPPs generally adopt the systems and equipment provided by Western electronic equipment manufacturers, and domestic manufacturers lack core intellectual property rights and key technologies. If an imported device contains an internally installed wireless communication module, it is difficult to discover.
• On the one hand, we should strengthen personnel management to ensure that L2 equipment is not maliciously damaged;
• On the other hand, the equipment used in NPPs should give priority to domestic products so as to eliminate the hidden dangers of imported equipment.
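As an added illustration of the transmission risks listed in 3.1.1 to 3.1.3 (this is example code, not from the paper or any NPP vendor), the following Python receiver checks one upward L1 → L2 data flow and classifies rejected frames with the paper's threat types. The frame format, the keyed HMAC tag, the flow policy and the timeout are assumptions of the example, since the paper specifies no protocol.

```python
"""Added example, not from the paper: a receiver-side check for the one-way
L1 -> L2 data flow analysed in Sect. 3.1. Rejected frames are classified with
the paper's threat types (interrupt, modification, fabrication, replay). The
frame format, the HMAC tag, the flow policy and the timeout are assumptions
of this example; the paper specifies no protocol."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINK_KEY = b"constructed-example-link-key"   # constructed sample key
# Only upward, one-way flows are permitted (Sect. 2.2.1 and 4.1.3).
ALLOWED_FLOWS = {("L0", "L1"), ("L1", "L2"), ("L2", "L3")}
INTERRUPT_TIMEOUT_S = 3.0   # assumed: three missed 1 s update periods


def _canonical(body: dict) -> bytes:
    """Stable byte encoding of the frame body, so the tag covers every field."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def integrity_tag(body: dict) -> str:
    """Keyed tag: without LINK_KEY a frame cannot be forged or modified unnoticed."""
    return hmac.new(LINK_KEY, _canonical(body), hashlib.sha256).hexdigest()


def make_frame(src: str, dst: str, seq: int, t: float, values: dict) -> dict:
    """Build a tagged frame as the sending level would."""
    body = {"src": src, "dst": dst, "seq": seq, "t": t, "values": values}
    return {"body": body, "tag": integrity_tag(body)}


@dataclass
class LevelReceiver:
    """Receiving side of one level; records a finding for each rejected frame."""
    zone: str
    last_seq: int = -1
    last_ok_t: Optional[float] = None
    findings: List[Tuple[str, str]] = field(default_factory=list)

    def _flag(self, threat: str, detail: str) -> bool:
        self.findings.append((threat, detail))
        return False

    def accept(self, frame: dict, now: float) -> bool:
        body = frame["body"]
        flow = (body["src"], body["dst"])
        # Direction policy: data only moves upward, and only into this zone.
        if body["dst"] != self.zone or flow not in ALLOWED_FLOWS:
            return self._flag("policy", f"flow {flow[0]}->{flow[1]} not permitted")
        # Modification or fabrication: the tag no longer matches the body.
        if not hmac.compare_digest(integrity_tag(body), frame["tag"]):
            return self._flag("modification/fabrication",
                              f"bad integrity tag on seq {body['seq']}")
        # Replay: a valid but already-seen frame is presented again.
        if body["seq"] <= self.last_seq:
            return self._flag("replay",
                              f"seq {body['seq']} not newer than {self.last_seq}")
        self.last_seq = body["seq"]
        self.last_ok_t = now
        return True

    def check_silence(self, now: float) -> bool:
        """Interrupt: no valid frame has arrived for longer than the timeout."""
        if self.last_ok_t is not None and now - self.last_ok_t > INTERRUPT_TIMEOUT_S:
            self._flag("interrupt", f"no valid frame for {now - self.last_ok_t:.1f} s")
            return True
        return False
    # The "monitor" (eavesdropping) threat leaves no trace at the receiver;
    # the paper's answer to it is physical and personnel control of the
    # transmission channel, not a receiver-side check.


def run_demo() -> List[Tuple[str, str]]:
    """Constructed frame sequence exercising each detectable threat type once."""
    rx = LevelReceiver(zone="L2")
    good = make_frame("L1", "L2", 1, 0.0, {"pressurizer_pressure_MPa": 15.4})
    rx.accept(good, now=0.0)                              # accepted

    tampered = make_frame("L1", "L2", 2, 1.0, {"pressurizer_pressure_MPa": 15.4})
    tampered["body"]["values"]["pressurizer_pressure_MPa"] = 9.9  # altered after tagging
    rx.accept(tampered, now=1.0)                          # modification/fabrication

    rx.accept(good, now=2.0)                              # replay of frame 1

    downward = make_frame("L3", "L2", 3, 2.5, {"status": 0})
    rx.accept(downward, now=2.5)                          # policy: L3->L2 not allowed

    rx.check_silence(now=6.0)                             # interrupt: 6 s of silence
    rx.accept(make_frame("L1", "L2", 2, 6.5, {"pressurizer_pressure_MPa": 15.5}),
              now=6.5)                                    # accepted, stream resumes
    return rx.findings


if __name__ == "__main__":
    for threat, detail in run_demo():
        print(f"{threat:26s} {detail}")
```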
3.1.4 Risk Analysis on the Level of Information Management of the Whole Plant

The level of information management of the whole plant receives the non-real-time functions and information of the NPP through L2, and provides the information to the relevant units or departments inside or outside the plant through the gateway. The reception of data and the one-way transmission over the network carry the following risks:
• When the data are transmitted, they may be artificially interrupted, modified or fabricated, so that the alarm signal cannot be transmitted correctly, L3 cannot receive correct data, and the outside world is misled; the data may also be artificially monitored, resulting in theft and illegal use of system data.
• The data are collected at L2 and transmitted in one direction to the inside and outside of the site. The security of the transmission environment must be ensured to prevent it from being attacked.
Although network isolation has been achieved, it is still possible for an attacker to disrupt the network isolation environment.
• We should strengthen personnel management to ensure that L3 equipment is not maliciously damaged and that network isolation is not destroyed.

3.2 Risk Analysis on the Information Safety of Digital Instrument Control System in NPPs
Probabilistic Safety Assessment (PSA) has been widely applied in the field of nuclear power, but it has not yet been applied and promoted in the field of nuclear power information security. Domestic institutions have carried out related research. With the strengthening of informatization of NPPs, the demand for information safety in the field of nuclear power will certainly increase. We should adhere to periodic information security assessment work and continuously improve the methods and technologies for nuclear power information security assessment [3, 4].
4 Discussion on Responses to the Information Safety of Digital Instrument Control System in NPPs

Thanks to the excellent design of third-generation nuclear power in terms of functional safety, it is almost impossible for hackers to intrude and cause a reactor explosion. However, damaging the environmental monitoring system can cause the plant to start its contingency plan, causing confusion in the plant, and an intrusion into the NPP under such cover can create a more serious physical attack. Such a risk is very real. Considering this, it is very urgent to build an overall information security defense for the digital instrument control system in NPPs [5, 6].

4.1 Operating Power Plants
For the information security protection of operating power plants, the following aspects should mainly be considered:

4.1.1 Management

(a) System: establish an information security protection mechanism, set up such posts as security supervisor, system administrator, network administrator and security administrator, and develop documents that clearly define the responsibilities, division of labor and skill requirements of each post.
(b) Personnel: the recruitment of personnel for an NPP shall be undertaken by a dedicated department, and the personal and professional information of the hired personnel shall be reviewed. Safety education and safety technical training shall be given to the hired personnel, and the safety responsibilities of their respective positions shall be clarified.
When a hired person leaves the post, the authority, software and hardware equipment, certificates and keys of the departing person shall be promptly revoked, and his or her obligation of confidentiality shall be made clear.
(c) Equipment: check the stability of the hardware equipment regularly and confirm that non-essential ports are blocked. In the “Stuxnet” incident in Iran, insiders used unblocked ports to insert a USB flash drive containing the Stuxnet virus.

4.1.2 System Software

Windows is a common operating system; there are many computer viruses for Windows on the network, and most software is developed on Windows, which increases the probability of infection. A small part of the software is developed on Unix/Linux, which greatly reduces the probability of being hit by a Windows virus; however, because of its rarity, such a system can easily be studied separately to find a bug. Moreover, if the NPP pays insufficient attention to such a system, the user will mistakenly consider it safe, adopt a negligent attitude and not update the software for a long time, so that the supposedly safest place becomes the most dangerous one. Therefore, the software should be updated in time so that old bugs cannot be exploited; if possible, we should develop our own secure operating system [7].

4.1.3 Internet

The digital instrument control system in the NPP is a safety-level system, and data can only be transmitted to the non-safety level in one direction. Network isolation has been achieved through “hard settings” and “soft settings”. However, it is still necessary to prevent illegal external connections, dual-homed machines (one machine connected to two networks), mobile media attacks, Wi-Fi connections and similar situations from emerging.

4.1.4 Monitor and Response

Effectively monitor the information and establish an information security linkage mechanism.
The emergency response system, which is indispensable for the whole NPP, can make the minimum response in time, namely recovery of the safe state, when an information security incident occurs in an NPP.

4.2 New Power Plants
New power plants need to take into consideration equipment purchasing issues compared to operating power plants. As an industrial energy facility involving the national security, NPPs should follow the following principles when purchasing the equipment:
• Independence: domestically produced products are preferred for the equipment used in NPPs, in order to prevent potential safety hazards embedded in imported equipment.
• Reliability: the equipment used in an NPP must be able to adapt to the working environment in which the NPP operates; it should have excellent electromagnetic compatibility and continuous, uninterrupted working capability.
• Practicality: the equipment used in an NPP should meet the safety requirements of the configuration targets, without blindly pursuing maximum performance and maximum capacity. Instead, performance and capacity should be configured according to the security requirements, while taking into account the redundancy required for future development.
• Maturity: the equipment and products used in the NPP should be technologically mature and already applied in many projects.
5 Conclusion

The digital instrument control system is a typical representative of the integration of NPPs and information technology. This paper has analyzed the equipment, components and systems of the digital instrument control system in NPPs that may carry information security risks, and has put forward coping approaches and management methods for new and operating power stations in order to deal with the potential risks to information safety. With the gradually deepening use of intelligent technology and information science in NPP control systems and equipment, the control methods are becoming more and more integrated and intelligent, and the functions of control systems are becoming more and more powerful. Moreover, the industry has become increasingly concerned about information safety, and we have reason to believe that, with the efforts of industry colleagues, research and practice related to the information security of NPPs will certainly contribute to the realization of China's “nuclear power dream.”
References
1. Jie, C., Xueqin, Q., Changzhi, H.: Research on information security of digital instrument control system in NPPs. Instrum. User 24(02), 42–44 (2017)
2. Tao, B., Weihua, C., Zhen, L., Feng, G.: Software hazard analysis for nuclear digital protection system by colored petri net. Ann. Nucl. Energy 110 (2017)
3. Pengfei, G., Weihua, C., Feng, G., Suyuan, Y.: Analytical research on the safety of system software of nuclear security level digital instrument control system. Report on China's Progress in Nuclear Science and Technology (Volume IV), 5 (2015)
4. Huihui, L., Pengfei, G., Jianzhong, T., Weihua, C.: The software security analysis for digital instrumentation and control systems of NPPs. In: NPPs: Innovative Technologies for Instrumentation and Control Systems, Lecture Notes in Electrical Engineering 455
5. Baojuan, Y., Yixing, D., Wangqiang, S., Youyuan, L., Yunfei, Z., Jianming, C.: Research on analytical methods of security and confidentiality of digital instrument control system in NPPs. Nucl. Sci. Eng. 36(03), 430–434 (2016)
6. Qiqing, H., Weijun, C.: Analysis and strategy of information security of digital control system in NPPs. Inf. Secur. Comput. (13), 133–135, 138 (2015)
7. Liang Huihui, G., Pengfei, T.J., Weihua, C., Feng, G.: Discussion on aging management of NPP digital control system. SpringerPlus 5, 2092 (2016)
The Research and Development of Digital General Operating Procedure

Chuang-Bin Zhou1(&), Qing-Wu Huang2, Ji Shi1, Wei-Hong Cui3, Xian-Min Li1, Wen-Bin Liu4, Yi-Xiong Luo4, and Shao-Shuai Qiu1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen of Guangdong Prov., Shenzhen 518172, China [email protected]
2 CGN Power Company Limited by Shares, Shenzhen 518124, China
3 Daya Bay Nuclear Power Operations and Management Co., Ltd, Shenzhen 518124, China
4 CGN LuFeng Nuclear Power Co., Ltd, Shanwei 516600, China
Abstract. Since the CGN CPR1000 nuclear power plant adopted a DCS control system, the new main control room (MCR) with an advanced digital control system has replaced the traditional one with analog-circuit instrument control. To match the new MCR, it is necessary to develop a series of new digital procedures. On the basis of a study of the advanced concepts of the French N4 and EPR, together with our country's independent innovation, a whole set of digital operating procedures has been developed, which separates the procedure body from the digital operating sheets. The control displays, situation monitoring displays and structured navigation matched with this system have also been designed. The use of these procedures can improve the efficiency of execution and overcome the lack of a direct visual field and direct feedback in the digital main control room, and is of great significance for the mass construction and standardization of CPR1000.

Keywords: Nuclear power plant · DCS · Operator workstation · Digital general operating procedure · Digital operating sheet · Matched man-machine interface of control system · Structured navigation
© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 367–378, 2020. https://doi.org/10.1007/978-981-15-1876-8_37

1 Foreword

Led by the CGN CPR1000 nuclear power plant of Lingao nuclear power plant phase II, the control and instrumentation system has been greatly improved. The digital control system (DCS) is used as the general operating system, and the computerized main control room has replaced the traditional main control room with conventional analog control and monitoring equipment of Lingao nuclear power plant phase I, integrating the control and supervision of the power plant into the operator workstations in the main control room. Although the adoption of DCS brings many benefits, compared with the traditional main control room, the operator is unable to gain enough of the information he needs at a
368
C.-B. Zhou et al.
glance, and loses the visual field and direct feedback. In order to match the digital main control room, it is necessary to develop a series of new digital general operating procedures for starting, stopping and transient control of the unit, to overcome this deficiency of the digital main control room. Based on the advanced concepts of the French N4 and EPR together with independent innovation, a whole set of digital operating procedures for the start-up and shutdown of CPR1000 has been developed. These procedures separate the procedure body from the digital operating sheets, and are matched with the man-machine interface of the industrial control system, situation monitoring displays and structured navigation. The use of these procedures has improved the efficiency of execution, strengthened the captain's ability to monitor the units and the execution, reduced the human error rate [1, 2], improved the safety of the nuclear power plant, and is of great significance for the mass construction and standardization of CPR1000.
2 General Planning of the Digital General Operating Procedure

2.1 The Concept of Digitalization
In the DCS control room, all of the operator's work is done at the operator workstation. Compared with the traditional main control room, the operator has lost direct vision of the plant. If paper procedures were still used, then whenever the operator executes a procedure he would need to find the corresponding control screen on the DCS from the label in the procedure book, a tedious process; execution would be slow and the advantages of the DCS would not be fully realized. To improve execution efficiency, the operating procedures have to be digitized [3]. Analyzing each task in the operating procedures and laying out the combination of monitoring display, operation display and supporting follow-up display needed to complete that task is what is called digitalization of the operating procedures.

2.2 The Feedback of N4 and EPR
The French N4 unit is at present the only digital control process in service in France. The core digital procedure of N4 is relatively complex: its main part takes the form of a logic block diagram, and the operator steps through the procedure by answering YES or NO at each judgment. The procedure is connected to the controllers of the field equipment, so that instructions can be issued from the procedure itself; part of the control displays is also shown inside the procedure. Overall, the N4 digital procedure provides the operator with a wealth of information. It is very convenient for the operator, being rich in information, simple to operate and highly automated. But more than four years of using N4 have also shown that a fully digitalized procedure cannot handle every situation, and operators still need paper guidance. Without paper documents (such as a procedure body), the operator is prone to the maze effect, and this situation is not conducive to shift handover between operators. Compared with the N4 digital procedure, the digital procedure of EPR is relatively simple: it is a simplified version of the N4 approach, relatively easy to write and modify, and leaves greater flexibility in execution.

The Research and Development of Digital General Operating Procedure

2.3 General Guidelines for Digitalization of Operating Procedures
The general operating procedures are mainly used for unit overhaul, start-up and shutdown, and involve monitoring and operation across many systems. Digitalizing these general operating procedures plays an important role in letting the operator look up information flexibly and call up displays conveniently, which improves working efficiency and makes up for the DCS's lack of direct vision. Drawing on the design concepts of N4 and EPR and combining them with our own practical needs, the following digitalization guidelines were established [4]:

(1) Separation of procedure body and digital operating sheet. Paper procedures and digital procedures each have their own advantages; the advantages of both are combined into one comprehensive procedure, designed through digital analysis, to maximize efficiency. Keeping the format and content basically consistent, the paper procedure is analyzed to separate out the parts suited to operation on the workstation, which form the corresponding "digital operating sheets" according to their goals and tasks; the remaining main part is kept as the "procedure body". In this way the advantages of the N4 and EPR procedures are absorbed while the original advantages of the Lingao phase I procedures are retained with little change to their format and content, which reduces the operators' workload and the error rate in writing, converting and executing the procedures, and reduces the risk of digitalization.

(2) Matched display design on the task-oriented operating principle. An operating procedure is the execution process of an operating task, so the man-machine interface displays are designed with the operating tasks as the primary objects. At a given stage or state of unit start-up or shutdown, the operator must switch screens frequently when monitoring and operating across several systems. If only the system displays are used, this frequent switching leads to inefficient execution and slow response for rapid intervention. It is therefore necessary to take the operating task as the guide, analyze the start-up and shutdown tasks, and design cross-system task displays that complete the general operating procedures, make operation easier and overcome the DCS's lack of intuition.

(3) Design of structured navigation. Once the digital operating sheets have been separated out, the main body of the procedure lacks a clear logical relationship. A procedure guidance display therefore needs to be added to describe the logical structure of the procedure main body; this is called the structured navigation display [5]. It helps operators build an overall view of the procedures and call up the digital operating sheets and the required displays through display links.

To sum up, the design process of the digital general operating procedure structure is as follows (see Fig. 1).
Fig. 1. General procedure digital structure design process
3 Design Scheme of Each Module's Structure of the General Operating Procedure

The digital general procedure adopts a structure in which the procedure body and the digital operating sheets are separated, and the control displays, situation monitoring displays and structured navigation matched to this structure have been designed as well; together they form a whole that completes the operating task.

3.1 "Procedure Body" and "Digital Operating Sheet"

A procedure body page contains an "operation/confirmation" column, an "identification" column, a "location" column and a "remarks" column; its requirements and format are consistent with Lingao nuclear power plant phase I. A digital operating sheet page contains an "operation/confirmation" column, an "identification" column and a "remarks" column, and adds a "link definition" column; compared with the procedure body page, the "location" column is omitted. The "link definition" column: in the interface of a digitalized procedure, the operator issues instructions by operating the command display, and the link definition column is used at that point to enter the corresponding command display. The operator can also use the link definition column to call other digital operating procedures, or the corresponding pre-designed status monitoring display and function follow-up display. An example of the digital operating sheet format of the general procedures is shown in Fig. 2:
Fig. 2. Format of “digital operating sheet” of general operating procedure
3.2 Supporting Display Design According to the Task-Oriented Principle

For a given case of unit start-up or shutdown, the frequent cross-system monitoring and operation is analyzed and a matching display is designed to work together with the general operating procedure, to make operation easier and make up for the lack of intuition of the DCS control system. The supporting displays of the general operating procedures comprise the status monitoring display and the function follow-up display.

(1) Status monitoring display. The status monitoring display is called up by an explicit instruction at the top of the "operation/confirmation" column in the procedure body (except for displays without a status indication). The function follow-up display is used wherever the procedure needs it. The requirements for the status monitoring display are as follows:
– The display should meet the general criteria for digital supporting display design and may be divided by function;
– Important parameters are shown as trends (curves with coordinates), ordinary parameters only as numerical values;
– The real-time status of important equipment is monitored at all times;
– Signs of accidents are watched for.
Status monitoring displays are generally designed according to operating mode, and additional status monitoring displays may be made for other specific monitoring tasks. According to the standard operating conditions and standard states of the reactor, there are six operating modes: Reactor Power Operation (RP), Normal Shutdown Cooled by Steam Generator (NS/SG), Normal Shutdown Cooled by RRA (NS/RRA), Maintenance Cold Shutdown (MCS), Refueling Cold Shutdown (RCS) and Reactor Complete Discharge (RCD). Since each operating mode has similar conditions and objectives, as well as similar thermodynamic and physical characteristics, the monitoring tasks are formulated per operating mode. Based on task analysis, suitable monitoring displays are designed to match the monitoring tasks, and special status monitoring displays for other specific monitoring tasks are allowed as well. Taking the maintenance cold shutdown mode as an example, the analysis of the status monitoring tasks is as follows:
(1) Reactivity monitoring: source range counter and boron concentration of the primary loop.
(2) Cooling. Water volume: water level of the primary loop; level and pressure of the RCV (Chemical and Volume Control system) tank; level of the boric acid storage tank. Circulation: pump state, flow rate and pressure of the RRA (Residual Heat Removal) system; pump state of the PTR (spent fuel storage pool) system. Cooling source: pump state, flow rate and temperature of the RRI (Component Cooling Water) system; pump state and heat exchanger pressure difference of the SEC (Important Plant Water) system. Cooling effect: wide-range temperature of the primary loop, temperature of the RRA system and temperature of the PTR.
(3) Reflective shielding and radioactivity monitoring.
(4) Supporting function: navigate to the function judgement display by link.
(5) Other important monitoring: shaft seal injection flow rate; important safety system actuation signals, automatic make-up signal and equipment status of the primary loop.
(6) Links to the following system displays for further monitoring or operation: link to the RCV system to adjust the primary loop level and the shaft seal injection flow rate; link to the RIS (safety injection) system to make up the primary loop, etc.
On the basis of this task analysis, the monitoring display of MCS mode designed on the task-oriented principle is shown in Fig. 3:
Fig. 3. Monitoring in MCS mode
(2) Function follow-up display. According to the analysis of normal operation, some unit operations are completed directly through the system displays, and the rest through the status monitoring display together with the system displays. Some operating tasks also need dedicated function follow-up displays. The requirements for the function follow-up display are as follows:
– The monitoring parameters required for one task are on the same display;
– The means of operation required for that task are on the same display.
The function follow-up display uses the same frame as the YST display and can be used flexibly for different operating tasks [6]. Analysis of the start-up and shutdown tasks shows that function follow-up displays should be provided for the following operating tasks: control of steam generator level, control of primary pressure/water level, start-up and shutdown of the secondary loop, house-load switchover, turbine start-up and shutdown, etc. Taking steam generator level control as an example, the operating task decomposes as follows:
(1) On the display, the key parameters required for regulating steam generator level can be monitored: the level of each steam generator (wide and narrow range); the steam generator level setpoint; the steam flow rate and main feedwater flow rate of each steam generator; the pressure difference between steam and feedwater of each steam generator; the steam generator blowdown flow rate; the flow rate of each auxiliary feedwater pump; the level of the auxiliary feedwater tank; the high-level and low-level alarms of each steam generator.
(2) When adjustment or intervention is necessary, the display provides sufficient operating support: the main and bypass regulating valves for the main feedwater of each steam generator; speed control of the main feedwater pump; setpoint adjustment of the pressure difference between steam and feedwater of the steam generator; the regulating valve of the feedwater priming pump.
(3) The running state of the main feedwater pump, the feedwater priming pump and the auxiliary feedwater pump can be monitored, and they can be started or stopped in an emergency.
On the basis of this task analysis, the steam generator level control display designed on the task-oriented principle is shown in Fig. 4:
Fig. 4. Steam generator level control
3.3 Format and Content of Structured Navigation Display

In order to describe the relationship between the tasks and objectives of the general procedure, and to strengthen the sense of integration between unit start-up/shutdown and each procedure, a structured navigation display of the procedures is added specially to show the interrelationship of the procedures and the logical structure inside each procedure. It helps the operator build an integrated view of the procedures, and the "digital operating sheets" and other required displays can be called up from the links on the navigation display to assist operation. The structured navigation display is an HTML-format page whose function and format differ from the other general displays (such as YCD and YFU). An example of a structured navigation display: I5, house load rejection (Fig. 5).
Fig. 5. I5 structured navigation display of house loading rejection
3.4 Alarm Monitoring for Unit Start-up and Shutdown

There are a great many alarms during unit start-up and shutdown in the commissioning and overhaul processes, especially in the shutdown state with RRA connected. In the past, several screens were needed to display all of the alarms, so important and safety-related alarms were easy to miss, which could lead to a failure or to an accident escalating. To make the important alarms stand out among the numerous alarms caused by the integrated shutdown of equipment during unit start-up and shutdown, a dedicated "unit start-up and shutdown" alarm monitoring display needs to be designed. The alarms critical to unit safety during start-up and shutdown fall into five types, according to the important alarms during overhaul: cooling, reactivity, containment integrity, pressurizer level and compressed air. With this special alarm display the operator can monitor and deal with these alarms, so that an important alarm is not overlooked.
4 The Verification of Digital General Operating Procedures

4.1 Simulation Verification

Approximately 20 or more general procedures (D/G/GS/I procedures) are required, together with the corresponding digital operating sheets, navigation displays and supporting displays, involving a large number of signals, operations, links and other parts, all of which need to be verified to ensure their correctness [7, 8]. The verification covers the following aspects:
– Check the consistency and completeness of the digital procedures against the paper procedures.
– Check the navigation display (logic, links, operation permission).
– Check the supporting displays (equipment information, trend groups, alarm indication, links) [9].
– Check the digital operating sheets (content description, links, operation control).
– Executability of the procedure (check that it can be executed properly and completely).
After passing the above verification, the procedure can be executed on the simulation platform, so that problems are found in advance and the time spent solving problems on the critical path is shortened.

4.2 Application Validation During Commissioning Start-up
Commissioning start-up validation of the digital general operating procedures detects errors by executing the procedures during commissioning, so as to improve the quality of the operating procedures and lay a solid foundation for the long-term stable operation of the plant. Taking the situation at each commissioning stage into account, the correspondence between the cold functional test and hot functional test procedures and the operating procedures was worked out, and during commissioning the operating procedures that were available were executed for application validation. During the cold functional test, the digital general operating procedure D26, primary hydraulic test, was partially verified. During the hot functional test, the correspondence between the commissioning procedures and the general operating procedures was established and some procedures were applied for verification. Commissioning application verification of the general operating procedures not only improves the quality of the digital general operating procedures, but also makes up for the fact that the commissioning program is mainly based on comprehensive instructions and does not consider the impact of the shortcomings of digitalization. The operating procedures thus form a set of operating documents complementary to the commissioning procedures.
5 Usage of the Digital General Operating Procedures

The digital general operating procedures are used to start up and shut down the unit. The structured navigation display is called up according to the paper procedure, and from it the situation monitoring display, the digital operating sheet and the command display, the function follow-up display or the system procedure are called up. The digital operating sheet calls up the control display through its link (some displays can be linked directly from the structured navigation display). Operations are carried out on the command display and checked against the digital operating sheet or the paper general procedure. In general, the operator needs 4 screens to complete each operating task. The logical structure of the usage of the general operating procedures is shown below (Fig. 6):
Fig. 6. Logic structure of usage of the general operating procedures
6 Conclusion

The research and development of the digital general operating procedures of the nuclear power plant, combining more than ten years of operating experience and culture at Daya Bay nuclear power plant with the full absorption of external practical experience, is a road of China-led development of digital methods. A set of digital general operating procedures with Daya Bay characteristics has been developed and has passed verification during unit commissioning start-up. These procedures adopt the separation of procedure body and digital operating sheet, and the command displays, situation monitoring displays and structured navigation are designed to match them. Using these procedures improves execution efficiency and overcomes the DCS's lack of a direct field of vision and direct response, giving full play to the advantages of the DCS. A complete set of digital general operating procedures for CPR1000 start-up and shutdown has been developed successfully, covering the whole process of unit start-up, shutdown, fueling and unloading, house load rejection, turbine trip without reactor trip and hydraulic pressure test, providing a reliable guarantee for the safe operation of subsequently built plants, and is of great significance for the standardization of CPR1000.
References
1. Liu, S., Tian, R.C.: Design of man-machine interface in main control room of nuclear power plant based on human factors engineering. Autom. Appl. (6), 49–51 (2014)
2. Gao, Z.Y., Zhang, X.G.: Design strategy for digital displays used in the main control room of nuclear power plant. Nucl. Sci. Eng. (S1), 62–67 (2010)
3. Wang, Z.F., Gu, P.F., Zhang, J.B.: Human factor engineering analysis for computerized human machine interface design issues. Nucl. Sci. Eng. (4) (2010)
4. Zhou, C.B.: Digitalized control system (DCS) of nuclear power unit, information processing method and device for DCS: Europe, 2650884 [P]. 2011-06-03
5. Zhou, C.B.: The entry method and system of a digital overall operation procedure of nuclear power unit: CHINA, 201010582866.X [P]. 2010-12-10
6. Zhang, X.G.: Computerized human-machine interface operation technology in nuclear power plant. Nucl. Sci. Eng. (S1), 58–61 (2010)
7. Jia, M., Liu, Y.Z., Zhang, J.B.: Verification and validation of human-machine interface of the main control room in CPR1000 nuclear power plants. Nucl. Sci. Eng. (S1), 21–25 (2010)
8. Gong, Z., Lin, M., Liu, P.F., Yang, Y.H.: Study on nuclear power plant simulator for digital I&C system commissioning. Nucl. Sci. Eng. 32(1), 79–84 (2012)
9. Xie, H.Y., Xu, X.Z., Zhang, H.X.: Study on CPR1000 nuclear power plant DCS design validation technique. Nucl. Sci. Eng. (S1), 132–135 (2010)
Research on Hybrid Communication System for Nuclear Power Plants Safety-DCS

Zhi-Qiang Chen(&), Qi Chen, Min-Jie Lei, and Yan-Qun Wu
Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China
[email protected]
Abstract. To guarantee the safety of people and facilities during emergency states in a Nuclear Power Plant (NPP), numerous detectors and sensors are used in the Safety Distributed Control System (Safety-DCS) to protect the equipment and operators from the further damage that may occur in unexpected situations. Together with the detectors and sensors, a great many cables and switches are involved in the whole system. These safety interfaces and cables increase the complexity and the spatial volume of the system layout. Hundreds of Reactor Protection Cabinets (RPC) are used in the Safety-DCS, and the number of cables in a typical NPP Safety-DCS is larger still. Currently most system optimization efforts focus on hardware upgrades, while the system framework stays as it is. This paper instead works in the direction of reducing the complexity of the whole system by using wireless communication devices to replace part of the wired connection equipment, such as the large quantity of electric cables and interfaces. Following this guideline, a hybrid communication strategy is presented and discussed in terms of both feasibility and benefits. With this structure, the overall layout of the system can be simplified, with some additional benefits.

Keywords: Nuclear power plants · Safety distributed control systems · Wireless communication · Hybrid communication
1 Introduction

The Nuclear Safety Distributed Control System continuously monitors the operating status of the nuclear reactors. Once the DCS detects that an unusual event has occurred in a reactor, it makes adjustments to drive the reactor back to a safe state and secure it, and in this way protects the staff, the nuclear power plant equipment and the reactors [1]. Constructing the Safety-DCS is always a complicated process because of the many function boards in hundreds of cabinets. To connect all the devices and equipment of the system together, and considering the stability and reliability required of the Safety-DCS in an NPP, wired communication is currently still the first choice in system design and realization, such as networks of coaxial cable or optical fiber connecting the distributed devices. To keep the physical layer reliable, strong anti-vibration ability is required of the cable interfaces; for example, aerial plugs are widely used in harsh environments. These kinds of interfaces cost both space and weight in the enclosed area of the NPP. As communication technology has developed, wireless communication has improved greatly in transmission stability, speed and quality. Industrial wireless communication protocols, together with multi-interface sensors, bring the potential for wireless applications in the industrial control area. For example, the Comanche Peak NPP, the High-Flux Isotope Reactor of ORNL and Arkansas No. 1 NPP all use wireless technology to transmit sensor data from the field. Compared with wired communication, the greatest advantage of wireless is the complete freedom in the overall layout. Considering the special requirements, wireless communication can make the safety DCS of an NPP smaller and lighter, and standard wireless interfaces improve the extensibility of the whole system. At the same time, the corrosion and vibration resistance of the safety DCS can also be improved by reducing the number of interfaces and wires used.

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 379–386, 2020. https://doi.org/10.1007/978-981-15-1876-8_38
2 Development of Industrial Wireless Communication Technology

Industrial wireless communication technology has developed with the new requirements of flexibility, reliability and cost control. As a complement to industrial wired communication, it frees the whole industrial system from the limitations of communication cable layout, which can also greatly reduce the cost of future maintenance of the system. Currently, WirelessHART, McWiLL, ZigBee and WIA-PA are the most popular technologies in industrial wireless communication. WirelessHART combines Direct Sequence Spread Spectrum with channel hopping based on data frames. Being advanced, stable and secure [2, 3], it applies encryption, verification, anti-interference and key management technologies to keep communication secure. McWiLL, the multi-carrier wireless information local loop technology, was developed independently by our country, which owns its intellectual property. With channel tracking and prediction, dynamic channel allocation, high secrecy and strong resistance to magnetic interference, it has become a new generation of wireless access technology. ZigBee is a full duplex wireless communication technology with high reliability, short range, low cost and extremely low power consumption (less than 1 mW); its significant disadvantage is its low transmission performance, and it is mainly applied in automatic control systems with low speed requirements [2, 3]. WIA-PA is an industrial process automation wireless network standard developed independently by our country on the basis of the IEEE 802.15.4 standard. With characteristics such as automatic network construction, automatic maintenance, high reliability and low power consumption, it is widely used in wireless communication between field instrumentation and controllers to realize hot plug-in. It also uses multi-level security technologies to guarantee the security of the wireless communication, including access authentication, communication verification, attack recognition and key management [3–5]. Wireless communication technology can meet the common requirements of security, stability, interference resistance and encryption of an NPP safety DCS, and at the same time can guarantee transmission speed and latency at the same level as the wired communication in these systems. Considering the requirement for independent control together with the security and stability requirements, WIA-PA wireless technology is much better than the other technologies in the key indexes of stable short-range transmission, strong interference resistance and low power consumption. Besides, its automatic network construction can greatly increase the extensibility of the instrumentation in the safety DCS, and so satisfy the requirements of the different instruments and devices in different NPP safety DCSs.
3 Design of Hybrid Communication System

3.1 Construction of Hybrid Communication in DCS

To reach the targets of reducing volume, improving anti-vibration ability and increasing extensibility by optimizing the interfaces of the NPP safety DCS and reducing transmission cables and protocol switches, a hybrid communication system is designed in this paper. The framework of the system is shown in Fig. 1. Two wireless networks are included in the hybrid communication system:
1. WIA-PA wireless network 1 for communication between the field control stations and the control center. The control center includes the engineer stations and operator stations.
2. WIA-PA wireless network 2 for communication between a field control station and the field instrumentation and devices.
Within a single field control station, traditional wired communication is still used between the different modules of the safety DCS. The different modules share common functions to handle concurrent transmission tasks, so as to avoid interference between the data exchanges on the wireless channels of different stations. Between different field control stations, the WIA-PA network automatically adjusts the antenna transmit power to make sure that the data exchanges between stations succeed.
[Fig. 1 diagram: the control center (operator station, engineer station and other stations on a wired network) reaches field control stations FCS 1 … FCS N through wireless transmit modules over WIA-PA network 1; inside each FCS an MCU is wired to its I/O and wireless modules, which reach Instrumentation 1 … N over WIA-PA network 2]
Fig. 1. The structure of wired and wireless hybrid communication
3.2 The Advantage of Hybrid Communication in DCS

WIA-PA network 2 solves the incompatibility problems caused by the different interfaces of the various instruments. At the same time, anti-vibration and corrosion resistance are improved because there are fewer hardware interfaces. For example, an aerial plug may break contact for tens of milliseconds when vibration, shock or corrosion occurs in some cases, which leaves less reaction time for the safety DCS and makes design and manufacture more difficult. Here wireless communication completely avoids the system issues caused by physical interface problems under external disturbances. Besides, WIA-PA network 1 removes the restrictions of physical cables between the field control stations and the control center, which makes the overall arrangement and layout more convenient and flexible and increases the extensibility of the system. Wired connections still exist inside the field control stations, such as pin-type differential backplane communication. Each field control station contains two wireless access modules, one for the connection with the various wireless sensors to gather the raw data, and the other for the connection with the control center to submit the processed data. The scheme of the data transmission hierarchy is shown in Fig. 2.
[Fig. 2 diagram: the control center (engineer station, operator station) is linked to the field control stations FCS over WIA-PA between FCS and CC, and each FCS is linked to the field sensors Sensor1 … SensorN (each behind an FS) over WIA-PA between FCS and FS]
Fig. 2. The structure of data transport layer
Using the hybrid communication structure of Figs. 1 and 2, which keeps wired communication inside the stations and uses wireless communication between the stations when uploading or downloading data, a reasonable and well-founded spatial arrangement of the Reactor Protection Cabinet (RPC) can be realized. Wireless devices are convenient to access and adjust, so it is quite easy to maintain or even completely replace a certain module of the whole system. As mentioned above, compatibility and extensibility are greatly improved because extending the system is no longer restricted by one or several pieces of hardware.

3.3 Feasibility Research of Hybrid Communication in Safety DCS of NPP
3.3.1 Electromagnetic Properties of Wireless Communication Channels

Because the safety DCS of an NPP places requirements on electromagnetic radiation intensity, the electromagnetic properties of the wireless channels are analyzed in this section. The WIA-PA wireless network runs in the 2.4 GHz ISM band. The attenuation of a wireless signal in a noisy space is usually studied with the COST-231 Walfisch-Ikegami method, a radio attenuation model promoted by the European Electronic Information Science Research Union [6–8]. The path loss is calculated with Eq. (1):

$$L_s = 42.6 + 26\lg d + 20\lg f \tag{1}$$

where d is the distance between the two wireless modules in kilometres and f is the transmission frequency of the wireless signal in MHz. To make sure that all field control stations and field sensors are covered by the wireless channels, couplers and ceiling antennas are used together in this design, in which the power consumption of the wireless module antenna is less than 15 mW. In this situation the electric field intensity of the antenna is given by Eq. (2):

$$L(0) = 10\lg P = 11.76\ \mathrm{dBm} \tag{2}$$

where P is the transmitting power of the wireless module antenna in mW. The electric field intensity at distance d from the antenna is then calculated by Eq. (3):

$$L(d) = L(0) - L_s \tag{3}$$
According to the above analysis, the relationship between the electric field intensity and the distance is listed in Table 1:

Table 1. Corresponding relationship between distance and field intensity

Distance | Electric field intensity (V/m)
2 m | 0.017
1 m | 0.042
0.5 m | 0.104
0.1 m | 0.847
0.036 m | 3
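Eqs. (1)–(3) carried through in Python, as an added example that is not the paper's code: it re-derives the rows of Table 1 and solves for the clearance distance at which the field intensity falls to the 3 V/m limit. The paper states Eq. (3) in dBm but does not give the conversion it used to reach V/m, so the conversion E(d) = K·10^(L(d)/20) and the scale factor K fitted to the 1 m row are assumptions of this example.

```python
"""Clearance distance for a 2.4 GHz WIA-PA antenna next to safety I&C
equipment, worked through Eqs. (1)-(3) of Sect. 3.3.1.

Added example, not the paper's code.  The conversion from the dBm level of
Eq. (3) to V/m is not given in the paper; E(d) = K * 10**(L(d)/20) with K
fitted to the 1 m row of Table 1 is an assumption of this example.
"""
import math

FREQ_MHZ = 2400.0        # WIA-PA in the 2.4 GHz ISM band (Sect. 3.3.1)
TX_POWER_MW = 15.0       # antenna power bound used in the paper's design
LIMIT_V_PER_M = 3.0      # field-intensity limit quoted for the NPP equipment


def path_loss_db(d_km: float, f_mhz: float = FREQ_MHZ) -> float:
    """Eq. (1): Ls = 42.6 + 26 lg d + 20 lg f, d in km, f in MHz."""
    if d_km <= 0.0:
        raise ValueError("distance must be positive")
    return 42.6 + 26.0 * math.log10(d_km) + 20.0 * math.log10(f_mhz)


def tx_level_dbm(p_mw: float = TX_POWER_MW) -> float:
    """Eq. (2): L(0) = 10 lg P with P in mW (11.76 dBm for 15 mW)."""
    return 10.0 * math.log10(p_mw)


def level_at_distance_dbm(d_m: float, p_mw: float = TX_POWER_MW) -> float:
    """Eq. (3): L(d) = L(0) - Ls, with the distance given in metres."""
    return tx_level_dbm(p_mw) - path_loss_db(d_m / 1000.0)


# Assumed dBm-to-V/m conversion, scaled so that the model reproduces the
# 1 m row of Table 1 (0.042 V/m).  K is a fitted value, not from the paper.
K_FIT_V_PER_M = 0.042 / 10 ** (level_at_distance_dbm(1.0) / 20.0)


def field_intensity(d_m: float, k: float = K_FIT_V_PER_M) -> float:
    """Electric field intensity in V/m at distance d_m (assumed conversion)."""
    return k * 10 ** (level_at_distance_dbm(d_m) / 20.0)


def table1_rows() -> dict:
    """Re-derive Table 1 of the paper for its five distances (V/m, 3 dp)."""
    return {d: round(field_intensity(d), 3) for d in (2.0, 1.0, 0.5, 0.1, 0.036)}


def clearance_distance_m(limit: float = LIMIT_V_PER_M,
                         lo: float = 0.001, hi: float = 10.0) -> float:
    """Smallest distance (m) at which E(d) <= limit.

    E(d) decreases monotonically with d (the 26 lg d term of Eq. 1), so a
    bisection between lo and hi finds the boundary.
    """
    if field_intensity(hi) > limit:
        raise ValueError("limit not reached within the search range")
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if field_intensity(mid) > limit:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    for d, e in table1_rows().items():
        print(f"{d:6.3f} m  {level_at_distance_dbm(d):7.2f} dBm  {e:6.3f} V/m")
    print(f"clearance for {LIMIT_V_PER_M} V/m: {clearance_distance_m() * 1000:.1f} mm")
```

With the fitted K the model reproduces the 2 m, 1 m and 0.5 m rows to the third decimal and the 0.1 m and 0.036 m rows within a few percent, and the solved clearance is about 37.5 mm, in line with the 36 mm the paper reads from the table.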
It can be seen from Table 1 that, to avoid the wireless communication channels affecting the environment and equipment of the NPP, the antennas only need to be located more than 36 mm away from sensitive equipment or key I&C modules. The electric field intensity is then below 3 V/m, which meets the radiation requirements of the NPP.

3.3.2 Reliability Assurance of Hybrid Communication DCS

Compared with a wired communication system, a wireless communication system is extremely flexible and easy to upgrade or maintain in the future. However, the security and uncertainty of the wireless environment are its inherent weaknesses. To address these problems, several assurance measures are designed into the hybrid communication system.

1. Stability. All wireless communication channels have a redundant structure. The same data is transmitted on two independent and separate wireless channels that back each other up. Once one of the two channels is interfered with or in an unexpected condition, the other channel can still deliver complete and correct data, which enhances the risk resistance of the wireless modules. As for better strategies for redundant operation, there are already many studies on system reliability, and in future upgrades of the hybrid system this will be the key to improving its quality. This paper is only a prototype of the design, so two redundant channels are quite enough for the basic verification.
2. Security. Apart from the security standards of the WIA-PA wireless communication technology itself, extra security measures are adopted in the hybrid system design, such as multiple access authentication using SSID/MAC/IP/WEB, intrusion detection, and validation of abnormal users or data. When an illegal intrusion or illegal data occurs, the system defends itself with the security modules and records the detailed process in its log system. These multiple protective precautions not only improve the safety properties but also make management of the wireless network more convenient.

3. Data Integrity. Against the issues that occur in common communication, such as data loss, data duplication, data disorder, data tampering and illegal data insertion, several measures are taken, including frame sequence number checking, Cyclic Redundancy Check (CRC), and specially designed frame head and rear segments. All of these measures are aimed at increasing the reliability of the communication and the data integrity, while decreasing the risk of illegal tampering.
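Receiver-side checks of the kind item 3 lists (frame head and rear segments, a sequence number and a CRC), as an added example in Python that is not the paper's code and not the WIA-PA frame format: the frame layout, the CRC choice and the sample frames are constructed for illustration. It classifies what each check catches (duplicate, gap, reorder, corrupted payload, broken framing), and the comments note what a CRC alone cannot catch.

```python
"""Receiver-side frame integrity checks of the kind Sect. 3.3.2 item 3 names:
frame head and rear segments, a frame sequence number and a CRC.

Added example, not the paper's code and not the WIA-PA frame format.  The
constructed layout is  HEAD(2) | SEQ(1) | LEN(1) | PAYLOAD | CRC16(2) | TAIL(2)
with the CRC computed over SEQ, LEN and PAYLOAD.
"""
import binascii
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEAD = b"\xa5\x5a"          # constructed frame head marker
TAIL = b"\x0d\x0a"          # constructed frame rear marker


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) from the standard library."""
    return binascii.crc_hqx(data, 0xFFFF)


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: head, 8-bit sequence number, length, payload, CRC, tail."""
    body = bytes([seq & 0xFF, len(payload)]) + payload
    return HEAD + body + crc16(body).to_bytes(2, "big") + TAIL


@dataclass
class FrameReceiver:
    """Validates frames one at a time and logs a verdict for each."""
    expected_seq: Optional[int] = None
    log: List[Tuple[str, int]] = field(default_factory=list)

    def _record(self, verdict: str, seq: int) -> str:
        self.log.append((verdict, seq))
        return verdict

    def receive(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        # 1. framing: both delimiters present and the length field consistent
        if len(frame) < 8 or frame[:2] != HEAD or frame[-2:] != TAIL:
            return self._record("framing_error", -1), None
        body = frame[2:-4]
        crc_rx = int.from_bytes(frame[-4:-2], "big")
        seq, length = body[0], body[1]
        if length != len(body) - 2:
            return self._record("framing_error", seq), None
        # 2. CRC: catches bit errors and naive tampering.  It does not catch
        #    a deliberate change by someone who recomputes the CRC; that is
        #    the job of the link's authentication, not of this check.
        if crc16(body) != crc_rx:
            return self._record("crc_mismatch", seq), None
        # 3. sequence number: duplicate, gap (loss or insertion) or reorder
        if self.expected_seq is None or seq == self.expected_seq:
            verdict = "ok"
        elif seq == (self.expected_seq - 1) & 0xFF:
            return self._record("duplicate", seq), None
        elif (seq - self.expected_seq) & 0xFF < 128:
            verdict = "gap"                     # frames missing in between
        else:
            return self._record("out_of_order", seq), None
        self.expected_seq = (seq + 1) & 0xFF
        return self._record(verdict, seq), body[2:]


def run_sample() -> List[Tuple[str, int]]:
    """Feed a constructed stream with faulty frames; return the verdict log."""
    rx = FrameReceiver()
    frames = [build_frame(i, b"T=%03d" % (300 + i)) for i in range(4)]
    tampered = bytearray(frames[2])
    tampered[6] ^= 0x01                  # one payload bit flipped, CRC stale
    rx.receive(frames[0])
    rx.receive(frames[1])
    rx.receive(frames[1])                # the same frame delivered twice
    rx.receive(bytes(tampered))          # corrupted copy of frame 2
    rx.receive(frames[3])                # frame 2 never arrived intact -> gap
    rx.receive(frames[2][:-1])           # truncated frame, tail damaged
    return rx.log
```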
4 Conclusions

According to the analysis and research, a hybrid communication DCS can be designed by using wireless modules that support the WIA-PA wireless standard to replace the corresponding wired parts. This hybrid DCS significantly improves the space layout by reducing the number of physical interfaces and transmission cables. In the hybrid system, many of the original cables and interfaces used to connect different cabinets and devices are removed. With the same or even better communication behaviour, the hybrid solution greatly reduces the complexity of the system compared with a wired-only system. Since most of the safety DCSs running in NPPs use a wired communication framework, this paper proposes a new hybrid communication structure and theoretically verifies the possibility of using it in NPP environments with their special requirements on radiation protection. Besides, the advantages of the hybrid system, such as improved vibration and corrosion resistance, are discussed. For use of the hybrid system in NPPs, multiple protection measures are applied, including redundant transmission modules and encrypted access methods. All the security measures are aimed at assuring the safety and reliability of the hybrid communication system.
References

1. Quan, M., Qi, L., Xiao-ming, S., Yan-yang, L.: Research on heap control system at home and abroad. Electron. Instrum. Cust. 26(03), 40–43, 47 (2019)
2. Qing-yuan, L.: The application of wireless communication technology in the distribution control system is discussed in detail. Chem. Enterp. Manag. 485(14), 74–75 (2018)
3. Zhang, Hu, Hui-yun, Xiao: Application of wireless technology in the industrial field. Autom. Panor. 35(11), 136–142 (2018)
4. Yan-long, C.: Design of wireless communication system for nuclear power station based on McWiLL technology. School of Electr. Electron. Eng. (2016)
5. Xin, Zhao: Feasibility analysis of AP1000 wireless communication system and selection of technical solutions. China Nuclear Power 5(4), 335–339 (2012)
6. Yu-tuo, Yang, Xiao-ling, Zhang, Wei, Liang: Long distance wireless video transmission system based on WIA-FA. Instrum. Standardization Metrol. 45, 24–27 (2015)
7. Dong-liang, Z., Li-ting, Z., Shi-chao, L.: The application of WIA-PA in oil recovery monitoring and optimization analysis in LiaoHe oilfield. Instrum. Standardization Metrol., 17–20 (2017)
8. Cheng, X., Guan, J., Chao, K.A.: WCDMA propagation model based on Cost-231 Walfish-Ikegami pattern for typical residential area. Int. Conf. Wirel. Commun. (2012)
Analysis of Analog Circuit Error in Reactor Control System

Qi-Chang Huang, Shun Wang(&), Xu-Feng Tian, and Zhi-Qiang Wu
Science and Technology on Reactor Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
[email protected]
Abstract. The reactor control system contains many kinds of analog conditioning circuits, and the major factors that affect the precision of each circuit are different. In the actual design process, in order to increase the accuracy of each conditioning circuit purposefully, the sources of error and the calculation method of each circuit should be discussed separately. Based on an error model of the inverting op-amp circuit, this paper describes the error distributions and combinations in detail, and works out the proportion of each error and the total error after combination. To verify the error model, a Monte-Carlo simulation of the same circuit is implemented with PSPICE. Then the precision of three types of circuits commonly used in reactor control systems is calculated with the error model. The results clearly show the proportion of each error in each circuit. The error model provides directions for improving the precision of each circuit in the reactor control system.

Keywords: Control system · Error analysis · Analog circuit · Precision calculation
1 Introduction

In the reactor control system, analog conditioning circuits have strict requirements on processing various signals. For instance, the accuracy of the analog isolator in the DCS (Distributed Control System) should be within 0.1% when processing 4 mA to 20 mA signals, and the accuracy of the RTD conditioning circuit should reach 0.2% when collecting mV-level signals. To calculate and improve the precision of each analog circuit in its application purposefully, this paper establishes a universal error model. The model stems from operational amplifier circuits, because op-amp circuits are widely used in various analog designs, such as analog isolators, RTD conditioning circuits and electrometer amplifiers. In this model, the inverting operational amplifier circuit is used to calculate the proportion of each error. The rest of the paper is organized as follows. The error model of the inverting operational amplifier circuit is described in Sect. 2. In Sect. 3, a combination method for the error model is presented, and the method is verified by Monte-Carlo simulation. Then, Sect. 4 outlines three kinds of circuits in the reactor control system and compares the calculation results of each circuit. Finally, the conclusion is drawn in Sect. 5.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 387–397, 2020. https://doi.org/10.1007/978-981-15-1876-8_39
2 The Error Model of Op-Amp Circuit

2.1 Offset and Temperature Drift of Op-Amp
When calculating the precision of an operational amplifier circuit, most of the literature first pays attention to the errors introduced by the inherent offset and its temperature drift [1–3], including five important error parameters: input offset voltage and its temperature drift, input bias current, input offset current and its temperature drift. In addition, the gain of the actual op-amp is also affected by the resistor network around the amplifier [4]. The error sources that affect the precision can be regarded as an inherent error voltage at the amplifier's input. The advantage of this method is that it simplifies the calculation and allows the influence of the errors on the actual gain to be compared effectively under different circumstances. Usually, in a transistor amplifier circuit, common-mode error is caused by the power supply, component stability, temperature drift, etc. For example, in a transistor amplifier circuit, the power supply, component stability, temperature drift and so on produce zero drift, while the differential structure can effectively suppress such common-mode signals by using symmetric transistors. However, there is asymmetry in the differential input stage of the op-amp, so that when the input voltage is 0 the output Vo is not equal to 0. We used the OPA140 datasheet parameters to calculate the gain error caused by maladjustment [5], and took a simple inverting amplifier circuit as an example, as shown in Fig. 1:
Fig. 1. Inverting operation circuit and peripheral resistance parameters.
The calculation process follows Eq. (1):

$$\Delta V_i = \left(1 + \frac{1}{|A_F|}\right)\left(V_{os} + \frac{dV_{os}}{dT}\,\Delta T\right) + \left(1 + \frac{1}{|A_F|}\right)\left[\frac{I_{os}}{2}\left(R_F + R_p\left(1 + \frac{R_F}{R_1}\right)\right) + I_b\left(R_F - R_p\left(1 + \frac{R_F}{R_1}\right)\right)\right] \tag{1}$$

where: ΔV_i: input error caused by maladjustment and temperature drift; A_F: ideal open-loop gain; V_OS: input offset voltage; dV_os/dT: offset voltage temperature drift; ΔT: assumed temperature change of 40 °C; I_OS: input offset current; I_b: input bias current.

Comparing the parameters in the OPA140 datasheet, the offset current temperature drift can be ignored, and the influence of the input bias current can be effectively reduced by proper configuration of the balance resistor R_p. Assume that the differential-mode gain and the resistors are all ideal, and that the offset and temperature drift all act in the same direction (the worst case). The calculation shows that the absolute value of the input error in Fig. 1 is about 0.32 mV (worst case) when only the offset and temperature drift are considered. If the input signal amplitude is 5 V, the output is −5.00032 V, and the output gain change introduced by maladjustment and temperature drift is about 0.0064%.

2.2 Open Loop Gain, Input and Output Impedance in Op-Amp

For the actual op-amp, its open-loop gain A'_F, differential-mode input impedance r_id and output impedance r_o are not ideal values; in particular, its non-zero output impedance seriously affects the actual open-loop gain. If the CMRR (Common Mode Rejection Ratio) is large, it can be approximately considered that the CMRR effect in the inverting op-amp is negligible. Continuing with the parameters given for the OPA140 and assuming the peripheral resistors are ideal, the circuit structure of Fig. 1 is used to calculate the gain error A'_vF, as shown in Eq. (2):

$$A'_{vf} = \frac{1}{1 + \dfrac{1}{A'_F F'}}\,A_{vf} \tag{2}$$

where: $F' = F\,\dfrac{r_{id}}{R_1 \| R_f + R_p + r_{id}}$: the actual feedback coefficient of the op-amp; $F = \dfrac{R_1}{R_1 + R_f}$: ideal feedback coefficient; $A_{vf} = -\dfrac{R_f}{R_1}$: ideal voltage gain. The gain error is calculated to be about 0.001%. When the input signal is 5 V, the absolute value of the output error is 0.05 mV.
2.3 Peripheral Resistance Error and Temperature Drift
Due to the precision and temperature drift of the actual resistors, their effect on the amplifier circuit should also be considered. Precision resistors are selected, with a relative error of 0.01% and a temperature drift of 5 ppm. The actual voltage gain, which is directly affected by R_1 and R_f, is calculated as follows:

$$A'_{vf} = -\frac{R_f + R_f\,\varepsilon_f + R_f\,\Delta T\,\dfrac{dR_f}{dT}}{R_1 - R_1\,\varepsilon_1 - R_1\,\Delta T\,\dfrac{dR_1}{dT}} \tag{3}$$

where: ε_f, ε_1: relative error; dR_f/dT, dR_1/dT: resistor temperature drift.

When the errors and the temperature drifts of these two resistors act in opposite directions, the calculated gain error is about 0.06% (worst case) for a temperature range of 40 °C. If the input signal is 5 V, the absolute value of the output error is 3 mV.

2.4 Op-Amp Noise and Resistor Noise
The op-amp mainly contains shot noise, 1/f noise and thermal noise, which have been discussed in detail in op-amp noise models [6, 7]. The OPA140 datasheet also provides a noise combination model for the inverting op-amp circuit, as shown in Eq. (4):

$$E_0^2 = 6.6^2\left[\left(1 + \frac{R_f}{R_1}\right)^2 e_n^2 + \left(\frac{R_f}{R_1}\right)^2 e_1^2 + e_f^2 + \left(1 + \frac{R_f}{R_1}\right)^2 e_p^2\right] \tag{4}$$

where: E_0: total noise; e_n: Gaussian white noise formed by the combination of shot noise and 1/f noise; e_1, e_f, e_p: the thermal noise of the corresponding resistor, $e = \sqrt{4kTRf}$.

Assuming that the anti-aliasing filter bandwidth before the ADC is 300 kHz, the calculated total noise level is about 0.06 mV. If the input signal is 5 V, the gain error is about 0.0012%. It can be seen that at 300 kHz bandwidth the influence of the noise level in the whole circuit unit is negligible compared with the first three parts, because the low-pass filter designed here has a low bandwidth. In RF applications, where the signal bandwidth usually reaches several GHz, 4 to 5 orders of magnitude higher than the parameter used here, the contribution of noise to the error cannot be ignored.

2.5 Comparison of Error Sources

Among the four parts that affect the precision of the op-amp circuit, resistor precision and temperature drift contribute the most to the total error. The proportion of each error is shown in Fig. 2:
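Sections 2.3 and 2.4 carried through in Python as an added example (not the paper's calculation script): the worst-case resistor gain error from Eq. (3), the output noise from Eq. (4), and the worst-case versus root-sum-square combination that Sect. 2.5 discusses. The nominal resistor values of 2 kΩ, 2 kΩ and 1 kΩ follow Sect. 3.2, while the op-amp noise density and the 300 K temperature are assumptions; the 0.32 mV and 0.05 mV terms are the paper's own figures from Sects. 2.1 and 2.2.

```python
"""Worst-case error budget of the inverting amplifier of Fig. 1 (Eqs. 3-4).

Added example, not the paper's calculation.  Resistor nominal values follow
Sect. 3.2 (R1 = 2 kOhm, Rf = 2 kOhm, Rp = 1 kOhm); the op-amp noise density
and the ambient temperature are assumptions, not OPA140 datasheet values.
"""
import math

K_BOLTZMANN = 1.380649e-23   # J/K
T_KELVIN = 300.0             # assumed ambient temperature
R1, RF, RP = 2000.0, 2000.0, 1000.0      # ohms, nominal values of Sect. 3.2
E_N_DENSITY = 5e-9           # V/sqrt(Hz), assumed op-amp voltage noise density
BANDWIDTH_HZ = 300e3         # anti-aliasing filter bandwidth used in Sect. 2.4
V_IN = 5.0                   # input amplitude used throughout Sect. 2


def worst_case_gain_error(r1: float, rf: float, tol: float = 1e-4,
                          tc_ppm: float = 5.0, delta_t: float = 40.0) -> float:
    """Eq. (3) with the two resistors erring in opposite directions.

    Returns |A'_vf / A_vf| - 1 for a relative tolerance tol (0.01%), a drift
    of tc_ppm ppm/K and a temperature excursion delta_t (40 K in the paper).
    """
    drift = tc_ppm * 1e-6 * delta_t
    rf_worst = rf * (1.0 + tol + drift)      # Rf at its upper extreme
    r1_worst = r1 * (1.0 - tol - drift)      # R1 at its lower extreme
    return (rf_worst / r1_worst) / (rf / r1) - 1.0


def thermal_noise_v(r: float, bandwidth_hz: float, t: float = T_KELVIN) -> float:
    """RMS thermal noise of a resistor, e = sqrt(4 k T R f) as in Sect. 2.4."""
    return math.sqrt(4.0 * K_BOLTZMANN * t * r * bandwidth_hz)


def output_noise_pp_v(r1: float, rf: float, rp: float,
                      e_n_density: float, bandwidth_hz: float) -> float:
    """Eq. (4): peak-to-peak output noise E0 of the inverting stage.

    6.6 is the crest factor that turns an RMS Gaussian noise figure into a
    peak-to-peak value, so E0^2 = 6.6^2 * (sum of the four noise terms).
    """
    g = rf / r1
    e_n = e_n_density * math.sqrt(bandwidth_hz)        # op-amp voltage noise
    e_1 = thermal_noise_v(r1, bandwidth_hz)
    e_f = thermal_noise_v(rf, bandwidth_hz)
    e_p = thermal_noise_v(rp, bandwidth_hz)
    return 6.6 * math.sqrt((1 + g) ** 2 * e_n ** 2 + g ** 2 * e_1 ** 2
                           + e_f ** 2 + (1 + g) ** 2 * e_p ** 2)


def combine(errors_v, worst_case: bool = True) -> float:
    """Sect. 2.5: the worst case is the algebraic sum of the parts.  If the
    parts are independent and may cancel, the root-sum-square (a common
    choice, not a figure from the paper) estimates the expected magnitude."""
    if worst_case:
        return sum(abs(e) for e in errors_v)
    return math.sqrt(sum(e * e for e in errors_v))


def error_budget() -> dict:
    """Share of each part in the worst-case total for a 5 V input.

    The offset/drift (0.32 mV) and open-loop/impedance (0.05 mV) output
    errors are the paper's own results from Sects. 2.1 and 2.2.
    """
    parts = {
        "offset_and_temperature_drift": 0.32e-3,
        "open_loop_gain_and_impedance": 0.05e-3,
        "resistor_precision_and_drift": V_IN * worst_case_gain_error(R1, RF),
        "noise": output_noise_pp_v(R1, RF, RP, E_N_DENSITY, BANDWIDTH_HZ),
    }
    total = combine(parts.values())
    shares = {name: value / total for name, value in parts.items()}
    shares["total_v"] = total
    return shares


if __name__ == "__main__":
    for name, share in error_budget().items():
        print(f"{name:32s} {share:.4f}")
```

With these inputs the resistor term is 0.06% (3.0 mV at 5 V) and the noise term about 0.055 mV, matching the 0.06% and 0.06 mV the paper reports.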
Fig. 2. Percentage of errors
In the above calculation, in order to avoid the influence of resistor precision and temperature drift on the other error sources, the resistor values were taken as ideal when calculating the gain error caused by the other parameters. In fact, if the resistor precision is taken into account, it plays a dominant role in all the error calculation formulas, so that its contribution in the calculation results overlays the contributions of the other error sources. At the same time, each part was calculated for the worst case. If the opposite directions and mutual cancellations that exist among the error parts are considered, the total error should be smaller than the algebraic sum of all errors. In practical application, although Fig. 2 cannot accurately represent the contribution of each part, it has enough reference value. For the transmitter signal, thermal resistance signal and nuclear detector signal involved in the nuclear reactor control system, the proportion of each error can be calculated and the total error optimized. The statistical results show that when the input voltage signal is 5 V, resistor precision and temperature drift constitute the main components of the total error. When the input signal decreases, the contribution of the resistor precision gradually decreases, while the contributions of the op-amp maladjustment and the noise increase. For instance, when the input voltage signal is 0.5 V, the proportion of the resistor precision in the total error decreases to 43.8%, while the contribution of op-amp maladjustment increases to 46.9% and the circuit noise contribution increases to 8.8%.
3 Error Combination

3.1 A General Model of Inverting Op-Amp Circuit
In the calculation of the previous section, only the worst state of each part was considered; the partial cancellation of the error parameters also needs to be taken into account in the actual calculation. All error terms are referred to the input, and these independent error terms are combined with the actual op-amp parameters to obtain the equivalent output error. The ratio of the equivalent output voltage to the input voltage is the actual gain, from which the gain error is calculated. Taking the inverting amplifier circuit as an example, the equivalent circuit involving the input voltage errors and current errors is shown in Fig. 3:
Fig. 3. Equivalent circuit of inverting operation circuit
In the figure, r_id and r_o are the input and output resistances. $A_F(V_I^+ - V_I^-)$ is the amplification result of the differential-mode gain at the output. V_OS, I_b and I_o are the input offset voltage, input bias current and offset current, respectively (temperature drift is taken into account, with a temperature range of 40 °C). The expression for V_O is obtained as follows:

$$v_o = \frac{1}{1 + \dfrac{1}{A_F\beta_F}}\left[-\frac{R_f}{R_1}v_{s1} + \left(1 + \frac{R_f}{R_1}\right)v_{s2} + \left(1 + \frac{R_f}{R_1}\right)\left(1 - \frac{1}{CMRR}\right)V_{os} - \left(1 + \frac{R_f}{R_1}\right)\frac{I_{os}}{2}(R_p - R_a) - \left(1 + \frac{R_f}{R_1}\right)I_b(R_b - R_a)\right] \tag{5}$$

where:

$$\beta_F = \frac{r_{id}}{(r_{id} + R_a) + R_p\left(1 - \dfrac{1}{CMRR}\right)}\cdot\frac{R_a}{R_f} \tag{6}$$

$$R_a = \frac{R_1 R_f}{R_1 + R_f} \tag{7}$$

$$R_b = R_p\left(1 - \frac{1}{CMRR}\right) \tag{8}$$

$$R_p = R_1 \| R_f \tag{9}$$

MATLAB can be used to calculate the result of Eq. 5. Parameter values such as offset and resistor precision are substituted directly into Eq. 5. Before substitution, the influence of temperature drift should be included in all parameters.
3.2 Calculation Results
As mentioned for Eq. 5, V_s2 is the positive input signal. In the inverting op-amp circuit, the positive input is grounded through R_p, so the current flowing through R_p is the sum of three currents: I_b, I_o and the current flowing through r_id. It is assumed that (V_I^+ − V_I^-) is amplified to 500 mV after the open-loop amplifier, while r_id is a few million ohms, so the current flowing through r_id is negligible and the current flowing through R_p is the sum of I_b and I_o. Using the OPA140 parameters, V_s2 is calculated to be 20 nV. Using Eq. 5, V_O is equal to −499.999 V, and the gain error is 0.002%. Eq. 5 is a complex function that also considers the errors induced by the resistors. Assuming a resistor precision of 0.01%, when R_1 = 1999.8 Ω, R_f = 2000.2 Ω and R_p = 999.8 Ω, the worst value of V_O is −499.899 V (the gain error increases to 0.02%). When considering the general model including resistor precision and the OPA140, the worst value of V_O is −499.679 V (the gain error increases to 0.07%).

3.3 PSPICE Simulation
A Monte-Carlo simulation of the OPA140 inverting op-amp circuit is conducted with the PSPICE circuit simulation software. The simulation is run 1000 times, with the op-amp parameters and resistor parameters randomly selected each time. After counting the 1000 output results, the statistics follow a Poisson distribution. As shown in Fig. 4, the mean is −499.6779 V. The simulation result agrees with the calculated result.
Fig. 4. Statistical spectrum of output voltage amplitude
4 Analog Circuits in Reactor Control System

To highlight the impact of op-amp performance on different analog circuits, the OPA140 is used to construct the three kinds of analog circuits.

4.1 Analog Input Circuit
In the field control station, the analog input circuit usually collects 4 mA to 20 mA standard industrial signals [8]. The input current signal is converted to a voltage signal by a sampling resistor. The circuit structure is shown in Fig. 5:
Fig. 5. Analog signal input circuit
The amplitude of the voltage signal should match the ADC input range. The input range of commonly used ADCs is about 2 V, so it is assumed that the output signal range of the op-amp circuit is 400 mV to 2 V. This signal range is put into the error model in Sect. 1, and the error of each part is calculated respectively. The calculation results are shown in Table 1.

4.2 RTD Conditioning Circuit
As shown in Fig. 6, the RTD conditioning circuit collects the resistance value from the RTD sensor. The Pt100 platinum thermal resistance is 100 Ω at 0 °C and 313.71 Ω at 600 °C [9].
Fig. 6. RTD conditioning circuit
Suppose a four-wire connection is used and the excitation current is 200 µA. The excitation current is converted to 20 mV to 627.42 mV after passing through the RTD (corresponding to 0 °C to 600 °C). The calculation results of the error distribution are also shown in Table 1.

4.3 Fission Chamber Preamplifier
The fission chamber is often used as the detector in the RPN middle range [10]; its output current ranges from 10 pA to 100 µA. The low current signal is converted into a voltage signal by means of trans-impedance amplification. The circuit structure is shown in Fig. 7:
Fig. 7. Trans-impedance amplifier circuit
As shown in the figure, 10 pA to 1 nA is converted into 10 mV to 1 V by a 1 GΩ resistor. Its error distribution is also shown in Table 1.

4.4 Comparison of Three Circuits
All three kinds of analog circuits use the OPA140, and the errors of each circuit are shown in Table 1:

Table 1. Error distribution in three types of circuits

Circuit | Offset and temperature drift | Input impedance and output impedance | Resistance precision and temperature drift | Noise
Analog input circuit | 11.21% | 0.56% | 84.03% | 4.20%
RTD conditioning circuit | 41.31% | 0.29% | 42.91% | 15.49%
Trans-impedance amplifier circuit | 70.79% | 0.02% | 2.65% | 26.54%
It can be observed from Table 1 that, as the signal level decreases, the influence of the op-amp parameters on the precision gradually increases. In practical applications, high-performance operational amplifiers must be used, such as instrumentation amplifiers, differential amplifiers and electrometer amplifiers. Instrumentation amplifiers and differential amplifiers need fewer peripheral resistors, which reduces the influence of resistor error; electrometer amplifiers have high input impedance and very low input bias.
5 Conclusions

The error model points out that the errors of an analog circuit stem from the precision of the op-amp and of the resistor network. In the op-amp, the errors involve offset, input resistance and noise level; in the resistor network, they include resistor precision and temperature drift. The calculation results show that: for the 4 mA to 20 mA current signal, the error caused by the peripheral resistors accounts for 84.03% of the total error; for RTD signals of 20 mV to 277 mV, the two errors caused by the peripheral resistors and the op-amp offset account for 41.31% and 42.91% of the total error, respectively; for pA-level current, the error caused by the op-amp offset contributes 70.79% of the total error. Based on these results, the directions for improving accuracy are as follows. When using the analog isolator, the influence of circuit noise is negligible, while resistor precision seriously affects the accuracy of the circuit; using high-precision resistors can increase the isolation accuracy of the analog isolator. In the RTD circuit, both the op-amp and the resistors seriously affect the precision, so both high-precision resistors and a low-offset op-amp can be used to improve the sampling accuracy of the RTD circuit. In the trans-impedance amplifier circuit, the op-amp error is the major constituent of the total error; an electrometer amplifier provides ultra-low input bias currents (10^-15 A) that satisfy the needs of such applications.
References

1. Wang Kuang-shen, F., Sun Liang, S.: An investigation on the modification of temperature drift in the IC operational amplifier. Chinese J. Sci. Instrum. 1(4), 71–82 (1980)
2. Shi Shutien, F.: Error analysis and compensation method of integrated operational amplifier. J. Naval Acad. Eng. 3, 56–60 (1992)
3. Liu Wen-ke, F.: Analysis of the main parameter affecting the input error signal of integrated operational amplifiers. Microelectron. Basic Product. 3(27), 54–56 (2001)
4. Zhang Xue-wen, F., Zou Mei, S.: The error analysis of integrated operational amplifier circuit and selection of element parameters of peripheral. J. Hubei Normal Univ. (Nat. Sci.) 2(21), 50–56 (2001)
5. TI: High-Precision, Low-Noise, Rail-to-Rail Output, 11 MHz JFET Op Amp [S] (2010)
6. Xie Jie-yi, F.: Study on Improving the Precision of Analog Measurement Circuit. Zhejiang University (2012)
7. Huang Qi-chang, F., Dong Chun-hui, S.: The digital of the FADC circuit for EAS thermal neutron detector array. Nucl. Electron. Detect. Technol. 38(1), 1329–1333 (2018)
8. Huang Wei-jie, F., Yin Bao-juan, S.: A high-precision AI module for I&C system in nuclear power plants. Nucl. Electron. Detect. Technol. 34(11), 1330–1333 (2014)
9. Li Shu-xiao, F., Hao Chi, S.: Research on high precision measurement of 3-wire thermal resistance. Chin. J. Sci. Instrum. 29(1), 135–139 (2008)
10. Luo Ting-fang, F., Zhu Hong-liang, S.: Simulation study on fission chamber wide-range electronics. Nuclear Power Eng. 38(6), 99–102 (2017)
Reliability Analysis of Safety Class Analog Output Module Based on FFTA in Nuclear Power Plant

Xu-Feng Tian, Cheng Yang(&), Qi-Chang Huang, and Xu Zhang
Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
[email protected]
Abstract. The analog output module is an important part of the safety DCS system in a nuclear power plant and is mainly used to output a 4 mA–20 mA current signal. Based on the fuzzy fault tree analysis method, the fault tree model of the analog output module of the safety DCS system is established. According to fuzzy theory, the probabilities of the various faults and the fuzzy significance of the bottom events are calculated, the weak links of the module are qualitatively analyzed, and optimal design measures are put forward for the weak links.

Keywords: Reliability · Analog output module · DCS system · FFTA
1 Introduction

With the rapid development of the nuclear power industry, the proportion of nuclear power in the power grid is increasing day by day, and ensuring the safe and reliable operation of nuclear power plants has become the focus of attention. The safety DCS system of a nuclear power plant provides strong support for running the plant safely and effectively, ensuring that the plant performs the corresponding safety actions when an accident occurs, so that damage to the environment and people from a nuclear leak is minimized. Based on fuzzy fault tree theory, this paper analyzes the reliability of the analog output module of the safety DCS system of a nuclear power plant and quantitatively analyzes the probabilities of the various faults, which is significant for the optimized design of the analog output module. In addition, the failure of a safety class DCS system in a nuclear power plant is usually caused by underlying basic events, so this paper studies the basic events that lead to the failure of the module and analyzes its weak links, which is both necessary and effective.
2 Fuzzy Fault Tree Analysis (FFTA) Method

The fuzzy fault tree analysis method constructs a tree structure by analyzing the causal relationships among the faults of the system: it takes the system fault as the root node and subdivides it by fault type from top to bottom until the leaf nodes (basic events) are reached [1]. The influence of the basic events on the system is reflected by logical relations; to analyze the reliability of the system, the probabilities of the bottom events are expressed as fuzzy probabilities and the probability of the top event is obtained with the logic gate interval operators [2]. At the same time, the weak links of the system can be analyzed through the fuzzy significance of the bottom events, which reflects their influence on the top event and provides the key optimizations for subsequent iterations [3].

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 398–405, 2020. https://doi.org/10.1007/978-981-15-1876-8_40

2.1 Fuzzy Probability
The bottom events of the fuzzy fault tree usually have randomness and uncertainty. In order to describe a bottom event as close to reality as possible, fuzzy number theory is used to fuzzify the event probability [4]. A triangular fuzzy number [5] is adopted to represent the event probability; its membership function is shown in Fig. 1 and can be expressed as Eq. 1.
Fig. 1. Triangular fuzzy number
$$\lambda(x) = \begin{cases} 1 - \dfrac{m - x}{l}, & m - l < x \le m \\[4pt] 1 - \dfrac{x - m}{l}, & m < x \le m + l \\[4pt] 0, & x \le m - l \ \text{or}\ m + l < x \end{cases} \tag{1}$$

where: m: exact probability; m + l: upper limit of the triangular fuzzy number; m − l: lower limit of the triangular fuzzy number; λ: membership, λ ∈ [0, 1]. When λ = 1, ignoring the fuzzy factors, the failure probability is a certain value: F = m. When λ ≠ 1, the failure probability is a confidence interval: F = [m − l + λl, m + l − λl].
2.2 Logic Gate Fuzzy Operator
The fuzzy fault tree analysis method obtains the failure probability of the top event by logical combination of the fault events with logic gates. The basic logic gates are the AND gate and the OR gate [6], as shown in Fig. 2. If the probability of a bottom event is expressed as

$$P_i = (m_i - l_i,\ m_i,\ m_i + l_i) \tag{2}$$

its cut set under membership λ is

$$P_i^{\lambda} = [\,m_i - l_i + \lambda l_i,\ m_i + l_i - \lambda l_i\,] \tag{3}$$

The fuzzy operators of the AND gate and the OR gate are:

$$P_{AND}^{\lambda} = \prod_{i=1}^{n} P_i^{\lambda} = \left[\prod_{i=1}^{n}(m_i - l_i + \lambda l_i),\ \prod_{i=1}^{n}(m_i + l_i - \lambda l_i)\right] \tag{4}$$

$$P_{OR}^{\lambda} = \left[1 - \prod_{i=1}^{n}(1 - m_i + l_i - \lambda l_i),\ 1 - \prod_{i=1}^{n}(1 - m_i - l_i + \lambda l_i)\right] \tag{5}$$

In the fuzzy fault tree analysis method, the root node fault probability is obtained from the occurrence probabilities of the leaf nodes and the structure of the fuzzy fault tree, so as to evaluate the reliability of the system.
Fig. 2. Logic gate diagram
2.3 Fuzzy Significance
In the fuzzy fault tree, the degree of influence of each bottom event on the top event is different; this is called the fuzzy significance of the bottom event [7]. The weak links can be quantitatively evaluated by analyzing and calculating the fuzzy significance of each bottom event, and the direction for improving the reliability of the system can be obtained. If the failure probability of the top event is P_T, and the failure probability of the top event when the bottom event X_i does not occur is P_Ti, with Z_T and Z_Ti the medians of P_T and P_Ti, the fuzzy significance of the bottom event X_i is [8]:

$$D_i = Z_T - Z_{Ti} \tag{6}$$
Reliability Analysis of Safety Class Analog Output Module
3 Reliability Analysis of the Analog Output Module

3.1 Fuzzy Fault Tree of the Analog Output Module
The analog output module of a safety DCS system outputs a 4 mA–20 mA current signal to drive on-site nuclear power plant equipment such as pumps and valves according to the DCS control logic. It is a 1E equipment used to implement the safety functions of the nuclear power plant, so it has strict safety and reliability requirements. The topology of the analog output module is shown in Fig. 3; it consists of processors, a power management module, an output channel and a communication circuit. The processors include a calculating ARM, a communication FPGA and a watch dog FPGA. The power management module provides power for the processors and the channel and diagnoses the power supply. The output channel realizes the 4 mA–20 mA current output and diagnoses the channel. The communication circuit performs the communication functions with the upper controller: it receives control data and uploads fault messages.
Fig. 3. Analog output module topology diagram
According to the module structure, the module faults are divided into four categories: processor fault, output channel fault, communication fault and power fault. Each category consists of the basic events that cause the failure. The fuzzy fault tree is shown in Fig. 4; from the root node to the leaf nodes there are 7 intermediate events and 12 basic events. The meaning of every node is listed in Table 1. The minimum cut set of the top event can be obtained by the ascending method and expressed as follows:

$$T = \sum_{i=1}^{4} M_i = \sum_{i=1}^{12} X_i \qquad (7)$$
Fig. 4. Fuzzy fault tree of analog output module
Table 1. The meaning of nodes

Node type         | Node code | Event
Leaf node         | X1        | Software program failure of ARM
                  | X2        | Hardware program failure of ARM
                  | X3        | Software program failure of communication FPGA
                  | X4        | Hardware program failure of communication FPGA
                  | X5        | Software program failure of watch dog FPGA
                  | X6        | Hardware program failure of watch dog FPGA
                  | X7        | Open-circuit failure of output channel
                  | X8        | Precision failure of output channel
                  | X9        | Communication failure with upper controller
                  | X10       | Communication failure in module
                  | X11       | System supply failure
                  | X12       | Channel supply failure
Intermediate node | N1        | ARM failure
                  | N2        | Communication FPGA failure
                  | N3        | Watch dog FPGA failure
                  | M1        | Processor failure
                  | M2        | Output channel failure
                  | M3        | Supply failure
                  | M4        | Communication failure
Root node         | T         | Module failure
3.2 Quantitative Analysis of Reliability of Analog Output Module
3.2.1 Analysis on the Probability of the Module Failure

The fuzzy fault probabilities of the bottom events are listed in Table 2; the values of m and l are obtained from experimental data and expert experience. The module failure probability and the failure probabilities of the intermediate events were calculated according to expression (5) in the extreme cases k = 0 and k = 1, and the results are recorded in Table 3. If k = 1, the fuzzy factors are ignored and the probability of each event is a certain value; the calculated failure probability of the module is 0.15356 × 10^-6, which shows that the module is very reliable. If k = 0, the failure is random and uncertain and the failure probability of each event is an interval value that conforms to the triangular fuzzy number distribution; the calculated failure probability of the module lies between 0.12744 × 10^-6 and 0.17896 × 10^-6. At the same time, the results show that the failure probability of the output channel is the highest and the failure probability of communication is the lowest.

Table 2. The failure probability of bottom events (all values in 10^-6)

Event code | m     | l      | Fuzzy fault probability P^k
X1         | 0.01  | 0.0025 | [0.0075 + 0.0025k, 0.0125 − 0.0025k]
X2         | 0.005 | 0.0025 | [0.0025 + 0.0025k, 0.0075 − 0.0025k]
X3         | 0.01  | 0.0025 | [0.0075 + 0.0025k, 0.0125 − 0.0025k]
X4         | 0.005 | 0.0025 | [0.0025 + 0.0025k, 0.0075 − 0.0025k]
X5         | 0.01  | 0.0025 | [0.0075 + 0.0025k, 0.0125 − 0.0025k]
X6         | 0.005 | 0.0025 | [0.0025 + 0.0025k, 0.0075 − 0.0025k]
X7         | 0.02  | 0.0025 | [0.0175 + 0.0025k, 0.0225 − 0.0025k]
X8         | 0.04  | 0.0025 | [0.0375 + 0.0025k, 0.0425 − 0.0025k]
X9         | 0.01  | 0.0025 | [0.0075 + 0.0025k, 0.0125 − 0.0025k]
X10        | 0.01  | 0.0025 | [0.0075 + 0.0025k, 0.0125 − 0.0025k]
X11        | 0.02  | 0.0025 | [0.0175 + 0.0025k, 0.0225 − 0.0025k]
X12        | 0.02  | 0.0025 | [0.0175 + 0.0025k, 0.0225 − 0.0025k]

Table 3. The failure probability of intermediate events and top event (all values in 10^-6)

Event code | Failure probability (k = 1) | Failure probability (k = 0)
T          | 0.15356                     | [0.12744, 0.17896]
M1         | 0.04418                     | [0.02964, 0.05855]
M2         | 0.0592                      | [0.05434, 0.06404]
M3         | 0.0199                      | [0.01494, 0.02484]
M4         | 0.0396                      | [0.03469, 0.04449]
N1         | 0.01495                     | [0.00998, 0.01991]
N2         | 0.01495                     | [0.00998, 0.01991]
N3         | 0.01495                     | [0.00998, 0.01991]
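As an added example (not code from the paper), the triangular membership of Eq. 1, the logic gate fuzzy operators of Sect. 2.2 and the fuzzy significance of Sect. 2.3 are applied in Python to the Table 2 bottom events. Because Fig. 4 is not reproduced on the page, the tree structure is assumed from Eq. 7 (every gate an OR gate) and the grouping of Table 1, and Z in Eq. 6 is taken as the k = 1 vertex value; the numbers it produces therefore illustrate the method and are not expected to reproduce Tables 3 and 4 exactly.

```python
"""Fuzzy fault tree arithmetic of Sect. 2 (Eqs. 1-6) applied to the Table 2 data.

Probabilities are stored in units of 1e-6, as in the paper's tables, and
converted to plain probabilities before any gate arithmetic.
"""
from math import prod

SCALE = 1e-6

# Table 2 of the paper: (m, l) per bottom event, triangular number (m - l, m, m + l).
BOTTOM_EVENTS = {
    "X1": (0.01, 0.0025), "X2": (0.005, 0.0025),
    "X3": (0.01, 0.0025), "X4": (0.005, 0.0025),
    "X5": (0.01, 0.0025), "X6": (0.005, 0.0025),
    "X7": (0.02, 0.0025), "X8": (0.04, 0.0025),
    "X9": (0.01, 0.0025), "X10": (0.01, 0.0025),
    "X11": (0.02, 0.0025), "X12": (0.02, 0.0025),
}

# ASSUMED tree: Fig. 4 is not on the page, so the gates are taken from Eq. 7
# (every gate is an OR gate) and the grouping from Table 1.
TREE = {
    "N1": ["X1", "X2"], "N2": ["X3", "X4"], "N3": ["X5", "X6"],
    "M1": ["N1", "N2", "N3"], "M2": ["X7", "X8"],
    "M3": ["X11", "X12"], "M4": ["X9", "X10"],
    "T": ["M1", "M2", "M3", "M4"],
}


def membership(x, m, l):
    """Eq. 1: membership of x in the triangular fuzzy number (m - l, m, m + l)."""
    if x <= m - l or x > m + l:
        return 0.0
    if x <= m:
        return (x - m + l) / l
    return (m + l - x) / l


def cut_set(m, l, k):
    """Eq. 3: k-cut [m - l + kl, m + l - kl] of the triangular fuzzy number."""
    return (m - l + k * l, m + l - k * l)


def fuzzy_and(intervals):
    """Eq. 4: AND gate, product of the lower bounds and of the upper bounds."""
    return (prod(lo for lo, _ in intervals), prod(hi for _, hi in intervals))


def fuzzy_or(intervals):
    """Eq. 5: OR gate, 1 - prod(1 - p) applied to each bound."""
    return (1.0 - prod(1.0 - lo for lo, _ in intervals),
            1.0 - prod(1.0 - hi for _, hi in intervals))


def node_interval(node, k, excluded=()):
    """Evaluate the k-cut of a node as plain probabilities, bottom-up."""
    if node in BOTTOM_EVENTS:
        if node in excluded:          # the "X_i does not occur" case of Eq. 6
            return (0.0, 0.0)
        m, l = BOTTOM_EVENTS[node]
        lo, hi = cut_set(m, l, k)
        return (lo * SCALE, hi * SCALE)
    return fuzzy_or([node_interval(child, k, excluded) for child in TREE[node]])


def failure_probability(node, k, excluded=()):
    """k-cut of a node's failure probability in units of 1e-6 (k = 1 gives a point)."""
    lo, hi = node_interval(node, k, excluded)
    return (lo / SCALE, hi / SCALE)


def fuzzy_significance(event):
    """Eq. 6: D_i = Z_T - Z_Ti, with Z taken as the k = 1 (vertex) value.

    The page calls Z the median; using the vertex is this example's assumption.
    """
    z_t = failure_probability("T", 1.0)[0]
    z_ti = failure_probability("T", 1.0, excluded=(event,))[0]
    return z_t - z_ti


def significance_ranking():
    """Bottom events ordered by fuzzy significance, most influential first."""
    return sorted(BOTTOM_EVENTS, key=fuzzy_significance, reverse=True)


if __name__ == "__main__":
    for node in ("T", "M1", "M2", "M3", "M4"):
        print(node, "k=1:", failure_probability(node, 1.0)[0],
              "k=0:", failure_probability(node, 0.0))
    print("weak links, strongest first:", significance_ranking())
```

With the assumed all-OR tree the k = 1 value of T is simply 1 − ∏(1 − p_i), so the significance of each bottom event is essentially its own m_i scaled by the survival of the others; that is why the ranking X8 > X7 = X11 = X12 > X1 = X3 = X5 = X9 = X10 > X2 = X4 = X6 of Sect. 3.2.2 is recovered even though the absolute values differ from Table 4.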
The calculated results indicate that the analog output module has high reliability, and that the probability of module failure conforms to the triangular fuzzy number distribution, which is closer to the actual situation than the traditional reliability analysis method. The failure probabilities of the intermediate events were calculated in order to analyze the reliability of the module, so that the fault situation of events at all levels can be located quickly and the severity levels of module failure can be recognized clearly.

3.2.2 Analysis of the Weak Link

According to the concept of fuzzy significance, the fuzzy significance of each bottom event is calculated through expression (6) and listed in Table 4. As shown, the order of the fuzzy significance of the bottom events is X8 > X7 = X11 = X12 > X1 = X3 = X5 = X9 = X10 > X2 = X4 = X6. The fuzzy significance of the channel precision failure is the highest, followed by the supply failure and the channel open-circuit failure, which means the channel precision failure has the greatest influence on the reliability of the module. Faults can therefore be checked quickly in the order of the fuzzy significance of the bottom events. During the design stage, the channel output precision, module supply and channel open-circuit can be optimized and the corresponding diagnostic circuits added, which indicates a failure quickly and can effectively improve the reliability of the module.
Table 4. The fuzzy significance of the bottom events (all values in 10^-6)

Event code | Significance
X1         | 0.00855
X2         | 0.00425
X3         | 0.00855
X4         | 0.00425
X5         | 0.00855
X6         | 0.00425
X7         | 0.01727
X8         | 0.03527
X9         | 0.00855
X10        | 0.00855
X11        | 0.01727
X12        | 0.01727
4 Conclusion

According to fuzzy fault tree theory, this paper established the fuzzy fault tree of the analog output module and analyzed the reliability of this module. When the fuzziness of the basic failure events is not considered, the failure probability of the module is 0.15356 × 10^-6; otherwise, the failure probability of the module lies between 0.12744 × 10^-6 and 0.17896 × 10^-6. This paper also analyzed the weak links of the module through the fuzzy significance values of the basic events and put forward optimization design measures, which could indicate failures quickly and improve module reliability effectively. This paper analyzed the module-level reliability of the DCS system in a nuclear power plant, which proved that FFTA is a very effective method for analyzing reliability and can provide a reference for the system-level reliability of safety class DCS systems in nuclear power plants.
References

1. Zhu, J.Z.: Principle and Application of Fault Tree. Xi'an Jiaotong University Press, Xi'an (1989)
2. Cheng, S.R., Lin, B.S., Hsu, B.M., et al.: Fault-tree analysis for liquefied natural gas terminal emergency shutdown system. Expert Syst. Appl. 36(9), 11918–11924 (2009)
3. Mohit, K., Shiv, P.Y.: The weakest t-norm based intuitionistic fuzzy fault-tree analysis to evaluate system reliability. ISA Trans. 51(4), 531–538 (2012)
4. Ross, T.J.: Fuzzy Logic with Engineering Applications. Qian, T.H., Shen, Q.C., trans. Publishing House of Electronics Industry, Beijing (2001)
5. Yan-feng, L.I., Li, D.U., Ning-cong, X.I.A.O.: Fuzzy fault tree analysis for auto drive axle system. J. Xi'an Jiaotong Univ. 43(7), 110–114 (2009)
6. Wilfried, H., Nickolaj, K.: Famo cutn & cutqn: programs for fast analysis of large fault trees with replicated & negated gates. IEEE Trans. Reliab. 44(3), 368–376 (1995)
7. Huang, L.P., Gong, Z.L., Dang, C.M.: Reliability analysis of scraper conveyer based on fault tree. Mineral Eng. Res. 26(2), 49–52 (2011)
8. Li, Q., Lu, T.J.: The study on the methods of fuzzy significance analysis. Fuzzy Syst. Math. 14(1), 89–93 (2000)
Research on Instrument Channel Uncertainty of Nuclear Power Plant

Shun Wang, Qi-Chang Huang(&), Zhi-Qiang Wu, and Ming-Xing Liu
Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
[email protected]
Abstract. The instrument channel uncertainty is related to the safety and economic performance of nuclear power plants. In this paper, two kinds of uncertainty calculation methods commonly used in the industry are summarized. The Monte Carlo method is proposed to calculate the uncertainty of instrument channels in nuclear power plants. The three methods are used in turn to calculate the uncertainties of a simplified model abstracted from a safety DCS analog input channel. The results indicate that when the channel model contains abnormally distributed factors, the Monte Carlo method is more effective than the traditional methods.

Keywords: Nuclear power plant · Instrument channel · Uncertainty · Monte Carlo method
1 Introduction

The operation of a nuclear power plant depends on the measurement results of its instrumentation equipment. However, due to various factors, the measurement results cannot always reflect the real situation of the measured quantity. The industry uses "uncertainty" to express the probable error of the measured value relative to the real value [1]. Accurately calculating the measurement uncertainty of important instrumentation channels in nuclear power plants provides strong support for the reasonable determination of safety system setpoints during the design of nuclear power plants. However, there is no general standard for calculating the measurement uncertainty of instrumentation channels in the nuclear industry. This paper investigates and summarizes two commonly used methods and their detailed steps for calculating instrumentation channel uncertainty in nuclear power plants, and applies the Monte Carlo method to the calculation of instrumentation channel uncertainty in nuclear power plants.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 406–414, 2020. https://doi.org/10.1007/978-981-15-1876-8_41
2 The Traditional Method of Calculating Uncertainty

2.1 Preparation for Calculation
Before calculating the uncertainty of an instrument channel, it is necessary to determine the specific structure of the instrument channel and classify the uncertainty items in the model [2]. Figure 1 shows a typical structure model of an instrument channel. Usually, an instrument channel is composed of process engineering, process measurement, signal conditioning and signal processing modules. Transfer errors arise in each module of the instrument channel and ultimately affect the measurement results.
Fig. 1. Typical instrument channel model (blocks: process engineering, process measurement, signal conditioning, signal processing, actuator and DCS, placed in environments A and B; numbered uncertainty classes: 1 process uncertainties, 2 instrument uncertainties, 3 calibration uncertainties, 4 other uncertainties)
After determining the structure of the instrument channel, the influencing factors of process measurement in the channel should be determined [3]. The influencing factors in process measurement mainly include instrument uncertainty and calibration uncertainty. Signal conditioning and signal processing include instrument uncertainty and calibration uncertainty, and the cable part is affected by other uncertainties. In addition, when the equipment is in different environments it is affected by temperature, pressure, humidity and other factors to different degrees. Specifically, the main influencing factors of each uncertainty item are shown in Table 1.

Table 1. The main factors of uncertainty

Categories                | Factors
Process uncertainties     | 1) Fluid stratification 2) Fluid density change 3) Fluid fluctuation
Instrument uncertainties  | 1) Environmental temperature change 2) Environmental humidity change 3) Environmental vibration 4) Irradiation 5) Voltage fluctuation of power 6) Processor accuracy
Calibration uncertainties | 1) Calibration equipment 2) Calibration method
Other uncertainties       | 1) Insulation 2) Cables
The allowable uncertainties of the main influencing factors come from the analysis reports, product specifications, test reports and actual power plant data provided by the suppliers [4]. When the data source is not trusted, the maximum boundary condition of the allowable value should be assumed to ensure the validity of the calculation results. Finally, once the allowable values have been obtained, the uncertainty items are classified according to the classification method in Fig. 2.
Fig. 2. Classification method of uncertain items (tree: UNCERTAINTY splits into RANDOM, APPROXIMATELY NORMALLY DISTRIBUTED terms, subdivided into INDEPENDENT and DEPENDENT, and NONRANDOM TERMS (BIAS, SYSTEMATIC), subdivided into CORRECTION, BIAS (KNOWN SIGN), BIAS (UNKNOWN SIGN) and DISTRIBUTED)
2.2 Uncertainty Calculating Method Based on SRSS
The uncertainty calculation method based on the Square Root of the Sum of the Squares (SRSS) is a statistical and algebraic combination method. The SRSS method is endorsed by ISA 67.04.02, the American nuclear power methodology standard, and is consistent with the guidance on uncertainty synthesis in the EJ799 standard. This method has been widely applied to the uncertainty evaluation of instrument channels by the Westinghouse Company. The SRSS uncertainty is given by formula (1).

$$Z = \sqrt{A^2 + B^2 + C^2 + (D + E)^2} + |F| + L - M \qquad (1)$$

In the formula:
A, B, C: independent random variables centered on zero and approximately normally distributed.
D, E: random dependent uncertainty terms, independent of A, B and C but correlated with each other.
F: abnormally distributed uncertainties and/or biases of unknown sign.
L, M: biases with known sign.
Z: resultant uncertainty.

It is noteworthy that in this method the variables combined by square root of the sum of squares (such as A, B, C) are required to be normal, independent random variables with a confidence of more than 95%. Non-normal or non-independent random variables (e.g. F) require algebraic combination. Formula (1) can be used not only for calculating the uncertainty of a single link in the instrument channel, but also for calculating the uncertainty of the whole instrument channel. Specifically, the SRSS method is implemented in the channel calculation process as follows. The ISA PR67.04.02 standard gives the calculation method for the uncertainty of the whole channel:

$$U = \sqrt{module_1^2 + \cdots + module_n^2} + Bias \qquad (2)$$

In the formula:
U: channel uncertainty.
module_n: total random uncertainty of each link.
Bias: systematic error.

Combining the uncertainties of the influencing factors of each module in Table 1, the uncertainty module of each link can be calculated by formula (1), and then the uncertainty of the whole instrument channel can be calculated by formula (2).

2.3 Uncertainty Calculating Method Based on GUM
The algorithm for calculating the extended uncertainty comes from the Guide to the Expression of Uncertainty in Measurement (GUM) [5]. The GUM method propagates the distributions through the measurement mathematical model based on the law of propagation of uncertainty, and then provides the inclusion interval of the output. It can provide more accurate evaluation results for measurement models that are approximately linear and whose output probability distribution is a normal distribution or a scaled and shifted t distribution. AREVA-Siemens applied the GUM method to the uncertainty calculation of the instrument channels of the EPR unit. GUM contains two different concepts: standard uncertainty and extended uncertainty. The relationship between them can be expressed as formula (3).

$$U = K \cdot u_c \qquad (3)$$
Here K is the inclusion factor, the ratio of the extended uncertainty U to the standard uncertainty u_c. Generally, what is called the uncertainty of an instrument channel is the extended uncertainty. In the calculation of instrumentation channel uncertainty, the uncertainty of each influencing factor is classified as normally or uniformly distributed. K is taken as 1.96 for a normal distribution with a 95% confidence interval and as √3 for a uniform distribution. The basic formula for calculating the extended uncertainty from both normally and uniformly distributed terms can be expressed as formula (4).

$$U = 1.96 \sqrt{\left(\frac{U_{RA1}}{1.96}\right)^2 + \cdots + \left(\frac{U_{RB2}}{\sqrt{3}}\right)^2} \qquad (4)$$

In this formula:
U_RA1: extended uncertainty of RA1, subject to a normal distribution
U_RB2: extended uncertainty of RB2, subject to a uniform distribution
U: total extended uncertainty
When calculating the uncertainty of the whole instrument channel, the extended uncertainty of each module is calculated by formula (4), and then the extended uncertainty of the whole channel is calculated by formula (2). Considering the DCS input channel as a whole, the calculation process is shown in Fig. 3.

Fig. 3. Uncertainty calculation of DCS input channel (for the modules involved in the channel, the factors are grouped by error type; u1 is formed by a quadratic sum, u2 and u3 by linear sums, and the three are combined into U by a quadratic sum)
Firstly, the uncertainty u1 is obtained as the square root of the sum of squares of the influencing factors of each module in the channel that are normally or uniformly distributed. Then uncertainties such as u2 and u3, which are subject to other distributions, are obtained algebraically. Finally, the uncertainty of the DCS input channel is obtained as the quadratic sum of u1, u2, u3, etc.
3 Uncertainty Calculation Method Based on Monte Carlo

The Monte Carlo method (MCM) is a numerical method for propagating probability distributions. By sampling the probability distributions of the inputs and propagating the samples through the measurement model, the probability distribution of the output is obtained [6]. The best estimate, standard uncertainty and inclusion interval of the output are obtained directly from the discrete distribution values of the output. In view of its wide adaptability and simple calculation process, JJF 1059.2-2012 was adopted as a supplement to JJF 1059.1 [7]. In addition, the standard EJT799-4.5 also explicitly states that a "probabilistic method or random simulation method can be used to replace the method" in uncertainty synthesis, so it is feasible to calculate the uncertainty of nuclear power instrument channels by MCM. MCM achieves the uncertainty calculation by the following steps:

A) Define the output Y as the total uncertainty of the instrument channel.
B) Set the distribution type of each influencing factor X_i using the available information. The probability density function (PDF) is usually determined by the Bayesian method or the maximum information entropy principle.
C) Establish the model Y = f(X_1, X_2, ..., X_n) between the output Y and the influencing factors X_1, X_2, ..., X_n.
D) Select the size M of the Monte Carlo sample, generate the random numbers x according to the probability distributions of the factors, and calculate the model values y_m of the output Y according to the function model.
E) Sort the y_m in increasing order and obtain the distribution function G of the output Y from the ranking.
F) Calculate the estimated value y and the standard uncertainty u(y) of Y from the distribution function G, and calculate the inclusion interval of Y for probability p.

For MCM, the choice of the number of trials M is a key factor. A reasonable value of M simulates the real situation of the experiment well while keeping the computation manageable. According to the recommendation of GUM Supplement 1 [8], M can be determined as 10^4/(1 − p), where p is the inclusion probability of the output.
4 Comparisons Between MCM and Traditional Methods

Taking the analog input channel of a safety DCS as an example, its structure is shown in Fig. 4. This channel includes an input conditioning module, an analog input module and a processor module.

Fig. 4. Analog input channel of a DCS (X → input conditioning module → analog input module → processor module → Y; the base uncertainties A1, A2 and the temperature coefficients B1, B2 are attached to the input conditioning and analog input modules)
Uncertainty influencing factors arise mainly in the input conditioning module and the analog input module, where the supplier has combined factors such as calibration error, load adjustment, power fluctuation and digital signal processing error into a basic uncertainty A_i. In addition, each module is also affected by the ambient temperature. With 25 °C as the reference temperature, the module has no temperature drift error at this working temperature. If the temperature drift coefficient of the module is B_i and the maximum change of the environment is 30 °C, the maximum temperature uncertainty will be 30 °C × B_i. The basic uncertainties A1, A2 and the temperature drift coefficients B1, B2 provided by the supplier together determine the channel uncertainty. Their probability distributions are shown in Table 2.
Table 2. The probability distribution of A1, A2, B1, B2

Factor | Value      | Distribution
A1     | 0.1% Span  | N(0, (5.1 × 10^-4)^2)
A2     | 0.1% Span  | N(0, (5.1 × 10^-4)^2)
B1     | ±70 PPM/°C | U(−7 × 10^-5, 7 × 10^-5)
B2     | ±60 PPM/°C | U(−6 × 10^-5, 6 × 10^-5)
The calculation results of SRSS, GUM and MCM are as follows:

A) Calculation result based on SRSS

$$U = \sqrt{(A_1 + B_1 \cdot 30)^2 + (A_2 + B_2 \cdot 30)^2} = 0.418\%$$

B) Calculation result based on GUM

$$u_1 = 1.96 \sqrt{\left(\frac{A_1}{1.96}\right)^2 + \left(\frac{A_2}{1.96}\right)^2} = 0.1414\%$$

$$u_2 = 1.96 \cdot \frac{30 B_1 + 30 B_2}{\sqrt{3}} = 0.4413\%$$

$$U = 1.96 \sqrt{\left(\frac{u_1}{1.96}\right)^2 + \left(\frac{u_2}{1.96}\right)^2} = 0.463\%$$

C) Calculation result based on MCM

For the input channel shown in Fig. 4, the mathematical model is established as formula (5).

$$
\begin{cases}
Y = X \cdot G_1 \cdot G_2 \\
G_1 = (1 + A_1)(1 + 30 B_1) \\
G_2 = (1 + A_2)(1 + 30 B_2) \\
U = \dfrac{X - Y}{X}
\end{cases}
\qquad (5)
$$

Formula (5) is simulated according to the MCM calculation process described in Sect. 3. Taking the number of trials M = 200000, the MCM output is plotted as a probability distribution histogram in Fig. 5 and compared with the probability distributions of the SRSS method and the GUM method.
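As an added example, not the paper's own code, the three calculations above are carried out in Python on the Table 2 factors: SRSS through formulas (1) and (2), GUM through formula (4), and MCM following steps A to F of Sect. 3 on the model of formula (5), with M taken from the GUM Supplement 1 rule 10^4/(1 − p). The use of Python's random module and the fixed seed are this example's assumptions; the MCM interval therefore differs slightly from run to run and from the 0.353% the paper reports, while the SRSS and GUM values are closed-form and reproduce the paper's figures.

```python
"""SRSS (formulas 1-2), GUM (formula 4) and MCM (Sect. 3 steps A-F, model of
formula 5) applied to the Table 2 factors of the DCS analog input channel."""
import math
import random

# Table 2 of the paper: supplier data for the two modules.
A1 = A2 = 0.001          # base uncertainty, 0.1 % of span (extended, 95 %)
SIGMA_A = 5.1e-4         # A1, A2 ~ N(0, (5.1e-4)^2)
B1, B2 = 70e-6, 60e-6    # temperature coefficients, uniform on ±70 / ±60 PPM per °C
DELTA_T = 30.0           # maximum ambient change from the 25 °C reference, °C
K95 = 1.96               # inclusion factor for a 95 % normal interval


def srss_uncertainty():
    """Formula (1) per module (base term plus temperature term), combined by (2)."""
    module1 = A1 + DELTA_T * B1
    module2 = A2 + DELTA_T * B2
    return math.sqrt(module1 ** 2 + module2 ** 2)


def gum_uncertainty():
    """Formula (4): normal terms divided by 1.96, uniform terms by sqrt(3); then (2)."""
    u1 = K95 * math.sqrt((A1 / K95) ** 2 + (A2 / K95) ** 2)
    u2 = K95 * (DELTA_T * B1 + DELTA_T * B2) / math.sqrt(3)
    return K95 * math.sqrt((u1 / K95) ** 2 + (u2 / K95) ** 2)


def recommended_trials(p=0.95):
    """GUM Supplement 1 rule quoted in Sect. 3: M = 10^4 / (1 - p)."""
    return round(1e4 / (1 - p))


def mcm_uncertainty(m=None, p=0.95, seed=1, x=1.0):
    """Steps A-F of Sect. 3 on the model of formula (5).

    Returns the p-probability inclusion interval (lo, hi) of U = (X - Y) / X.
    The seed is an assumption of this example so that runs are repeatable.
    """
    m = m or recommended_trials(p)                 # step D: sample size
    rng = random.Random(seed)
    samples = []
    for _ in range(m):                             # step D: draw inputs from their PDFs
        a1 = rng.gauss(0.0, SIGMA_A)
        a2 = rng.gauss(0.0, SIGMA_A)
        b1 = rng.uniform(-B1, B1)
        b2 = rng.uniform(-B2, B2)
        g1 = (1.0 + a1) * (1.0 + DELTA_T * b1)     # formula (5)
        g2 = (1.0 + a2) * (1.0 + DELTA_T * b2)
        y = x * g1 * g2
        samples.append((x - y) / x)
    samples.sort()                                 # step E: empirical distribution G
    lo = samples[int((1 - p) / 2 * (m - 1))]       # step F: probabilistically symmetric
    hi = samples[int((1 + p) / 2 * (m - 1))]       #         p-interval read off the ranks
    return (lo, hi)


def compare_methods(seed=1):
    """Half-width of the 95 % interval from each method, in percent of span."""
    lo, hi = mcm_uncertainty(seed=seed)
    return {
        "MCM": 100 * max(-lo, hi),
        "SRSS": 100 * srss_uncertainty(),
        "GUM": 100 * gum_uncertainty(),
    }


if __name__ == "__main__":
    for method, half_width in compare_methods().items():
        print(f"{method}: [-{half_width:.3f}%, {half_width:.3f}%]")
```

The ordering MCM < SRSS < GUM of Table 3 comes out of the sampled distribution itself: the two uniform temperature terms dominate the variance and have lighter tails than the normal that SRSS and GUM implicitly assume for the output, so the empirical 95% interval is narrower than either closed-form estimate.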
Fig. 5. Comparison of MCM and SRSS and GUM (histogram of sample amount, 0 to 12000, against total uncertainty from −0.01 to 0.01 for the MCM, SRSS and GUM distributions)
The results of the three methods above are shown in Table 3.

Table 3. Inclusion interval of SRSS, GUM and MCM

Method | 95% probability inclusion interval
MCM    | [−0.353%, 0.353%]
SRSS   | [−0.418%, 0.418%]
GUM    | [−0.463%, 0.463%]
From the evaluation steps of GUM and SRSS it can be inferred that the probability distribution they obtain is closer to the standard normal distribution, because only the standard deviations of the influencing factors enter the calculation while all other information about the distributions is ignored. Based on the results above, it can be concluded that, compared with the GUM method and the SRSS method, the uncertainty margin estimated by MCM is the smallest, and the instrument channel uncertainty determined by the GUM method is the most conservative. According to the evaluation steps of the SRSS method and the GUM method, the traditional methods simplify the distributions of the input variables during the calculation and treat the output as normally distributed. It can be considered that only the standard deviation of each input distribution takes part in the calculation, and all other information about the distribution is ignored; therefore the traditional methods reduce the credibility of the results. Considering that MCM randomly draws a large number of input samples and calculates their distribution strictly according to the probability model, MCM can be considered to reflect the whole situation of the output credibly. Therefore, on the premise that the parameters provided by suppliers are reliable enough, the application of MCM to the uncertainty calculation of instrumentation channels is conducive to determining setpoints that benefit the safety and economy of the nuclear power plant.
5 Conclusion

The calculation of instrumentation channel uncertainty is an indispensable step in the design of the instrument and control system of a nuclear power plant. This paper introduces the SRSS method and the GUM method, and puts forward the application of MCM to the calculation of instrument channel uncertainty in nuclear power plants. From the examples above, it can be concluded that the SRSS and GUM methods are suitable for evaluating measurement uncertainty when the input probability distributions are symmetrical and the output is approximately normally distributed. When the channel model is non-linear or the inputs contain abnormal distributions, the SRSS method and the GUM method may not evaluate the channel uncertainty accurately. Considering the high reliability of MCM results, MCM can be used as a supplementary verification means for SRSS or GUM, making the calculated instrumentation channel uncertainty of nuclear power plants more reasonable.
References

1. NRC: Regulatory Guide 1.105-1999. Setpoints for safety-related instrumentation (1999)
2. ISA 67.04.02-2000: Methodologies for the Determination of Setpoints for Nuclear Safety-related Instrumentation (2000)
3. IEC 61888-2002: Nuclear power plants – Instrumentation important to safety – Determination and maintenance of trip setpoints (2002)
4. Xu-sheng, Ma.: Calculation method for uncertainty of important instrument measurement channels in nuclear power station. Process Autom. Instrum. 33(7) (2012)
5. GUIDE 98-3: Uncertainty of measurement – Part 3: Guide to the expression of u ncertainty in measurement (GUM: 1995). ISO/IEC (2008)
6. Siebert, B.R.L., Sommer, K.D.: New developments of the GUM and Monte Carlo techniques. Techn. Mess. 71(2), 67–80 (2004)
7. JJF 1059.2-2012: Monte Carlo Method for Evaluation of Measurement Uncertainty (2012)
8. Chen, H.Y., Cao, Y., Han, J.: Evaluation of uncertainty in measurement based on a Monte Carlo method. J. Electron. Meas. Instrum. 25(4), 301–308 (2011)
Research and Analysis on 1E Distributed Control System Priority Logic Module

Zong-Hao Yang(&), Quan Ma, Ming-Ming Liu, Zi-Peng Zhang, and Kai Wang
Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
[email protected]
Abstract. The nuclear reactor 1E DCS priority logic module is one of the very important components of the nuclear reactor I&C (Instrument and Control) system. Its main function is to prioritize different DCS control commands and then drive the special safety facilities and related support systems (pumps, valves and other related equipment). Driven devices such as pumps and valves execute their functions according to the drive signals issued by the priority logic modules. The characteristics and advantages of seven kinds of domestic and international priority logic modules are analyzed by comparing their functions and implementation modes. The comparison shows that different manufacturers' products each have their own characteristics. At present, many companies at home and abroad have designed different priority logic modules based on their own ideas. However, the public literature about priority logic modules is very limited, let alone any summary analysis of it. Therefore, this paper has important engineering significance and reference value for the design of priority logic modules.

Keywords: Nuclear reactor · Instrument and control · 1E DCS · Priority logic module
1 Introduction

The Distributed Control System (DCS) is the central key system of a nuclear reactor. It plays an important role in controlling the normal operation of the reactor, ensuring that the reactor can operate safely and reliably under any working conditions. The safety-level nuclear reactor Distributed Control System (1E DCS) is an important control system related to nuclear reactor safety. Class 1E is defined as the safety classification of the electric equipment and systems that are essential to emergency reactor shutdown, containment isolation, reactor core cooling, and containment and reactor heat removal, or are otherwise essential to preventing significant releases of radioactive material to the environment. Class NC, on the other hand, denotes the separation of equipment that is safety-classified from equipment that is not. 1E DCS is mainly used to deal with design basis accident conditions and some severe accident conditions. Moreover, 1E DCS will ensure that
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 415–429, 2020. https://doi.org/10.1007/978-981-15-1876-8_42
the safety system can be started, the reactor can be brought into a safe state and the key parameters can be continuously monitored in the event of an accident [1, 2]. The nuclear reactor control system progresses with the development of industrial technology. For example, nuclear power plants built in the middle and late 20th century mainly used analog instruments to control analog signals and relay frames to control logic signals. With the popularity of distributed control system (DCS) technology in the field of conventional industrial control, DCS control technology gradually began to be used in the nuclear power control field. Since the beginning of the 21st century, digital instrumentation and control systems have been widely used in new nuclear power plants worldwide. Since the Ling Ao Phase II nuclear power plant in China, fully digital instrumentation and control systems have been adopted in all newly built domestic nuclear power plants. DCS has many advantages compared with the previous generation of instrument and control technology (analog instruments and relays), such as strong processing capability, self-diagnosis, high reliability, and strong design and configuration flexibility [3, 4]. However, DCS also has some aspects that need attention. For example, if too many functions are concentrated together, software common cause failure (SWCCF) may occur. After the Chernobyl and Fukushima accidents, the world realized the serious consequences of the loss of control of a nuclear power plant. For newly built nuclear power plants, the world has put forward higher and stricter standards, and the same is true of the instrument and control system of the nuclear power plant.
For example, to cope with SWCCF of the digital safety-level instrument control system, several diverse reactor shutdown methods were designed; to cope with severe accidents like the Fukushima accident, a severe accident control system was also designed. However, the execution equipment of the newly added systems is mostly shared with that of the original system. A priority logic control module is therefore needed to resolve control of the same execution equipment by different control systems. With the development of DCS there are now many kinds of priority logic module, each with its own characteristics and advantages, and safety and reliability have become the central theme of their design.
2 Priority Logic Module Analysis of Different Platforms

This article describes seven priority logic modules from six platforms: CommonQ's CIM, NASPIC's PLM and ACM, Firmsys's CIM, MELTAC's PIF, Tricon's PLM and TXS's AV42.

2.1 CommonQ

AP1000 is a third-generation nuclear power reactor introduced from Westinghouse. The priority logic module used by the CommonQ platform is called the Component Interface Module (CIM). The AP1000 CIM acts as an intermediate device: it accepts commands from the Protection and Safety Monitoring System (PMS) and the Plant Logic Control System (PLS), manages their priorities and passes the resulting command to the field device.
The CIM is the 1E DCS device interface module. It is a hardware logic module based on a Field Programmable Gate Array (FPGA) and performs three main functions: (1) The CIM integrates device commands from different safety-level systems, acting as the interface for drive control, and also feeds the actuator status back to the DCS. (2) The CIM manages the priority of device commands: it receives commands from the Automatic Depressurization System (ADS) trigger blocking module, the PMS and the PLS, and sends the highest-priority command to the field device. (3) The CIM provides local field device control. Control can be switched from remote to local via the switch on the CIM front plate; the switch provides signal isolation for logic testing and the ability to control the device in an emergency.
Fig. 1. CIM of the CommonQ platform. Front-plate legend: OUT K1/K2 = output on/output off; INPUT O, C, TO, TC, R, OL = on, close, torque on, torque close, ready, overload; BLOCK X/Y = X/Y channel block; X 1/2 = 1E commands 1/2; Y = NC commands; Z = ADS blocking signal; LOCAL O, C, S, LM = on, close, stop, local mode indicator; LOCAL/REMOTE toggle switch; OPEN, STOP, CLOSE push buttons; 24V A/B = redundant power A/B.
The schematic diagram of the CIM is shown in Fig. 1. At the front of the CIM there is a local logic control interface consisting of a toggle switch and three push buttons. The toggle switch selects local or remote control, and the three push buttons (OPEN, STOP and CLOSE) are used for local device control. The X port carries the instruction from the PMS (safety level), the Y port the instruction from the PLS (non-safety level), and the Z port an instruction independent of the computer system (manual control) for ADS trigger blocking. The order of priority from high to low is Z, X, Y. The 1 and 2 below the X column indicate two redundant logic input signals. When both signal qualities are good the logic is two out of two; when one signal quality is bad the logic is one out of one; otherwise the safety-level signal cannot be output to the field device. The indicator lamps under the INPUT column show the feedback of the field device; for example, if the O lamp is on, the field device is on. There are four indicators in the LOCAL column. When the toggle switch is set to LOCAL, the local mode indicator LM lights. The S lamp indicates the STOP button. Generally, before the next command is executed, the previous command is cleared by pressing STOP. This prevents the situation in which, after the executing command disappears, the device falls under automatic control, which may cause false triggering.
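As an added example (not code from the paper or from the CommonQ platform), the following Python model reproduces the priority arbitration just described: the Z port outranks X, which outranks Y; the two redundant X inputs are voted two-out-of-two when both qualities are good and one-out-of-one when only one is good; and in LOCAL mode the front-plate buttons control the device. The command names, the `Channel` type and the assumption that LOCAL isolates the remote ports are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Command ports of the CommonQ CIM in priority order, highest first:
# Z = ADS trigger blocking (manual, independent of the computer system),
# X = PMS (1E) commands, Y = PLS (NC) commands.
PRIORITY = ("Z", "X", "Y")


@dataclass(frozen=True)
class Channel:
    """One of the two redundant 1E inputs on the X port (constructed type)."""
    command: Optional[str]  # "OPEN", "CLOSE" or None when nothing is asserted
    good: bool = True       # signal quality flag delivered with the channel


def vote_x(ch1: Channel, ch2: Channel) -> Optional[str]:
    """Quality-dependent voting of the two redundant X inputs.

    Both channels good -> two-out-of-two: both must carry the same command.
    One channel good   -> one-out-of-one: the good channel alone decides.
    No channel good    -> no 1E command can reach the field device.
    """
    good = [ch for ch in (ch1, ch2) if ch.good]
    if len(good) == 2:
        return ch1.command if ch1.command == ch2.command else None
    if len(good) == 1:
        return good[0].command
    return None


def cim_arbitrate(local_mode: bool, local_button: Optional[str],
                  z: Optional[str], x1: Channel, x2: Channel,
                  y: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (command sent to the field device, source that supplied it).

    In LOCAL mode only the front-plate buttons OPEN/STOP/CLOSE reach the
    device (assumption: the toggle switch isolates the remote ports).  In
    REMOTE mode the highest-priority port that asserts a command wins.
    """
    if local_mode:
        return local_button, ("LOCAL" if local_button is not None else None)
    candidates = {"Z": z, "X": vote_x(x1, x2), "Y": y}
    for port in PRIORITY:
        if candidates[port] is not None:
            return candidates[port], port
    return None, None


if __name__ == "__main__":
    # Degraded X channel: 1oo1 on the good channel still beats the NC port.
    print(cim_arbitrate(False, None, None,
                        Channel("OPEN"), Channel("CLOSE", good=False), "CLOSE"))
```

The `vote_x` rule is the part worth testing: a disagreement between two good channels drops the 1E command entirely, so the NC command on Y wins, whereas a flagged-bad channel is simply ignored.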
2.2 NASPIC
The NASPIC platform is a safety-level platform developed independently by the Nuclear Power Institute of China (NPIC) under the China National Nuclear Corporation (CNNC). There are currently two kinds of priority logic module under the NASPIC platform. One is the Actuation Control Module (ACM), which is planned for the China engineering experimental reactor; the other is the Priority Logic Control Module (PLM), which is intended for the China demonstration fast reactor. The schematic diagrams of the ACM and the PLM are shown in Fig. 2(a) and (b). The design of the ACM differs greatly from that of the other priority logic modules: its input and output wiring is entirely hardwired, and it contains only "AND", "OR" and "NOT" logic gates, with none of the microprocessors, FPGAs or CPLDs that the other priority logic modules have. The hardwired structure not only reduces the module response time but also reduces the SWCCF between the priority logic module and the Reactor Protect Cabinet (RPC) and the Especial Safety Facility Actuation Cabinet (ESFAC), and this design effectively improves the reliability of the system. Because a priority logic module that arbitrates between multiple control commands is so critical, the idea of a purely hardwired logic structure was put forward precisely out of consideration for reactor safety control. At present the purely hardwired approach is applied to good effect in the priority logic control module of the I&C system of a newly built nuclear power plant in the UK.
Fig. 2. (a) ACM of NASPIC platform; (b) PLM of NASPIC platform
The ACM not only provides the control interface to the driven device but also prioritizes hard logic commands and soft logic commands arriving by different routes. In addition there are field blocking commands, the DCS blocking command, NC commands and T3 test commands; the T3 test exercises the output channels and the associated drives (reactor trip breakers and the especial safety facility actuation cabinet). Note that the DCS blocking command can block the 1E soft logic command and the NC command. The order of priority from high to low is: T3 test signal, field blocking signal, 1E hard logic signal, 1E soft logic signal, NC signal. The 1E soft logic command is the command received from the ESFAC, and the 1E hard logic command is the manual on/off command, mainly from the safety operation panel (SOP). In contrast to the ACM, the Priority Logic Module (PLM) of NASPIC is based on a Complex Programmable Logic Device (CPLD). The PLM contains two CPLDs that check each other's priority logic: when both CPLDs produce the same result the command is output, otherwise the CPLD reports an error. The control signals sent to the PLM by hardwire for priority judgment fall into five categories, listed here from high to low priority: safety-level automatic signal (1E (A)), safety-level manual signal (1E (M)), backup panel signal (BUP), diverse actuation system signal (DAS) and non-safety-level signal (NC). The inputs of the PLM are of three kinds: control instructions for the device, test enable signals and field device status feedback. Below the PLM's local switch there are two local buttons, local on and local off, which are effective only when the local switch is in the local position. The local command and the safety-level automatic command have the same priority; that is, between the two the rule is "latecomer is preferred", and both rank above the remaining instructions. FO/FC, ALM and UNA are local device status feedback signals indicating Full Open/Full Close, Alarm and Unavailable.

2.3 Firmsys
Firmsys is a 1E DCS platform from China Techenergy Co., Ltd. Its priority judgment function is implemented in the CIM (Component Interface Module). There are two kinds of CIM, only one of which supports local control. Figure 3 shows the schematic diagram of the Firmsys CIM, which has been applied to Unit 5 of the Yangjiang Nuclear Power Plant in Guangdong, China. The Firmsys CIM accepts the following control commands: 1E commands, SR (Safety Related) commands, automatic commands from the Safety Related Cabinet (SRC), DAS commands, severe accident commands and NC commands. 1E commands comprise 1E automatic control commands and ESFAC manual operation commands from the Emergency Control Panel (ECP). SR commands comprise manual commands from the BUP and manual operations on the Safety Control Indication Device (SCID). DAS commands include both automatic and manual operation commands [5–7]. When a severe accident occurs, all equipment other than the monitoring and severe accident operation equipment loses power, so a severe accident operation command never exists at the same time as the 1E, DAS and SR commands. Under normal working conditions no priority relationship between the severe accident operation command and the other commands needs to be considered, and when there is no severe accident an abnormal severe accident operation command does not affect the output of the other commands. The resulting order of priority from high to low is: 1E commands, DAS commands, SR commands, severe accident operation commands and NC commands. A high-priority command resets the opposite operation of any lower-priority command, so that the opposite actuation cannot take place when the high-priority command disappears. In addition, the CIM implements periodic test functions.
Fig. 3. CIM of Firmsys platform. Front-plate legend: PWR = power; RUN = run; LINK = communication; ERR = error; LCS = reserved port; BYP 1/2 = bypass 1/2; OUT 1/2 = output 1/2; FO = full on; FC = full close; UNA = unavailable; EPWR = external power; Remote/Local switch; ON/OFF = local on/local off.
The Firmsys CIM is also based on CPLDs: it contains two CPLD logic judgment modules for redundancy. The results of the two CPLDs are filtered by 1oo2 logic, and the final result is transmitted to the driven actuator and to the MCU. The field device feedback collected by the CIM is also transmitted to the MCU, displayed on the LED lamps and uploaded over the communication link. Depending on the type of field device actuator, the priority output command of the CIM may be a dual command output or a single command output, and the single command output may in turn use reset-priority or set-priority logic. One interface board, however, can perform only one kind of priority logic at a time.
2.4 MELTAC
MELTAC is a 1E platform of Japan's Mitsubishi Corporation. Its 1E priority logic module is called the power interface (PIF) card. The MELTAC instrumentation and control system has been applied to Units 1-4 of the Guangdong Yangjiang Nuclear Power Plant. The PIF card is placed in the Safety Logic Cabinet (SLC) and receives control inputs from the ESFAC, ECP, BUP, SVDU, etc. Almost all hardware and software control of 1E DCS devices must pass through the PIF card before being output to the field actuator. The schematic diagram of the PIF card is shown in Fig. 4 [8].
Fig. 4. PIF card of MELTAC. Front-plate legend: DIS = disable; EN = enable; POWER; LINE-1 = communication with System-1 CPU; LINE-2 = communication with System-2 CPU; BLOCK0-1 = OUT0 blocking (System-1); BLOCK1-1 = OUT1 blocking (System-1); BLOCK0-2 = OUT0 blocking (System-2); BLOCK1-2 = OUT1 blocking (System-2); ERR = error; OUT0/1 = output 0/1; BYP0/1 = output 0/1 blocking; PS0/1 = auxiliary power supply; IN0-IN7 = eight input signals.
On the front plate of the PIF card, the EN switch position turns the power on and the DIS position turns it off. The LINE-1 lamp lights when the PIF card is connected to the System-1 CPU. The PS0/1 lamps show whether the auxiliary power supply is working properly. The BLOCK0-1 lamp indicates that the command from the System-1 CPU to OUT0 is blocked; in normal operation it is always dark. The BYP0/1 lamps indicate that the commands from both the System-1 CPU and the System-2 CPU are blocked. In Fig. 5, the BLOCK0-1 lamp indicates that signal A is blocked, while BYP0 indicates that signals A and C are both blocked.
Fig. 5. The output logic of the CPUs in the PIF card (System-1 CPU signals A and B, System-2 CPU signals C and D; outputs OUT0 and OUT1)
The priority logic judgment of the MELTAC 1E DCS is executed mainly in the PIF card, but a few priority judgment functions are executed in the CPU of the SLC, which distinguishes this design from the other platforms. The commands accepted by the PIF fall into three categories. (1) Control commands from the SLC. These are transferred from the ESFAC or SVDU to the SLC-CPU (for example the main feed-water signal, ARE), processed by the SLC-CPU and then sent to the field execution devices via the PIF card. (2) Hardwired commands. After judgment by the Auxiliary Relay Logic Cabinet (ARC), these are sent directly to the PIF card by hardwire to control the field execution devices; an example is the safety injection (SI) hardwired signal from the ECP plate. (3) Actuator status signals fed back by the field execution devices, which enter the PIF card on the IN4/5 channels. The control priority in the PIF card from high to low is: Anticipated Transient Without Trip (ATWT), automatic control commands from the RPS to the ESFAC, manual control commands from the ECP, manual control commands from the BUP, NC commands.

2.5 Tricon
Tricon is a 1E DCS platform of the Triconex Corporation of Invensys, USA. Its priority logic module is shown in Fig. 6. The Tricon platform is currently applied in the Fujian Fuqing and Zhejiang Fangjiashan nuclear power plants. The Tricon PLM has two 24 V DC power supplies for redundancy. It has four pairs (A and B) of prioritized inputs and a pair of test enable inputs, one pair of switched outputs (A and B) to the actuated device and one pair of test outputs (A and B). In every pair, command A is a shutdown command and command B is a startup command, and command A has priority over command B. The four pairs of input signals are described in detail below [9]. (1) The highest priority is the ESFAC signals from the 1E Tricon Reactor Protection System (RPS). The RPS consists of four channels of Reactor Trip Systems (RTS) feeding two trains of ESFAC.
(2) The second priority is the Emergency Control Panel (ECP) actuation switches. Operation from the ECP allows manual operator actuation of critical safety systems using hardwired logic that duplicates the logic implemented in the DCS. Not every piece of equipment operated from a PLM is also operated from the ECP system-level actuation switches, so not every PLM is expected to have an ECP input. (3) The third priority is the Diverse Actuation System (DAS) and Anticipated Transient Without Trip (ATWT). DAS and ATWT are essentially NC backup systems to the 1E Tricon. In the unlikely event that the 1E Tricon RPS failed to actuate, the lower-priority DAS and ATWT systems would be able to operate their equipment through these lower-priority actuation signals; conversely, while the 1E Tricon is performing its design function, the lower-priority DAS and ATWT cannot adversely affect the safety-related Tricon actuation signals.
Fig. 6. The PLM of Tricon platform. Front-plate legend: POWER1/2; INPUT 1A/B = 1E DCS commands A/B; INPUT 2A/B = ECP commands A/B; INPUT 3A/B = DAS/ATWT commands A/B; INPUT 4A/B = NC commands A/B; TEST EN1/2 = test enable 1/2; OUTPUT 1A/B = driven output 1A/1B; TEST OUT 1A/B = test output 1A/1B.
(4) The lowest priority is the NC command, which must be isolated before it is input to the PLM. The PLM also provides a way of blocking the equipment from actuating while at the same time verifying that a test actuation signal is received just before the output of the PLM. Specifically, the PLM has two test enable inputs. The first is a manual switch located on the baseplate directly under the PLM; feedback of this switch position is also provided to the 1E Tricon and operated from the SVDU. Only when both test enable inputs are active is the output of the PLM blocked from actuating. The separate "SVDU/1E Tricon" and "manual test switch" test enable inputs ensure that no single test enable failure or inadvertent operation can place the PLM in the "blocked" condition.
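The Tricon PLM behaviour described above, as an added example that is not code from the paper or from Triconex: four input pairs are scanned in priority order, A (shutdown) beats B (startup) within a pair, and the driven output is blocked only when both test enable inputs are active, with the test output mirroring the command that would otherwise have been driven. The dictionary layout and the `test_out` field are assumptions of this example.

```python
from typing import Dict, Optional, Tuple

# Tricon PLM input pairs in priority order, highest first.
SOURCES = ("1E", "ECP", "DAS/ATWT", "NC")


def select_in_pair(a: bool, b: bool) -> Optional[str]:
    """Within one pair, command A (shutdown) beats command B (startup)."""
    if a:
        return "A"
    if b:
        return "B"
    return None


def plm(inputs: Dict[str, Tuple[bool, bool]],
        test_en1: bool, test_en2: bool) -> Dict[str, object]:
    """Evaluate the PLM for one scan.

    `inputs` maps a source name to its (A, B) pair; a source that is absent
    (e.g. a PLM that has no ECP input) is treated as asserting nothing.
    Returns the driven output, the source that won, whether the output is
    blocked for test, and the test output that mirrors the would-be command.
    """
    winner, source = None, None
    for name in SOURCES:
        a, b = inputs.get(name, (False, False))
        sel = select_in_pair(a, b)
        if sel is not None:
            winner, source = sel, name
            break
    # Both test-enable inputs must be active to block the driven output,
    # so a single failed or inadvertently operated enable cannot block it.
    blocked = test_en1 and test_en2
    return {
        "output": None if blocked else winner,
        "source": source,
        "blocked": blocked,
        "test_out": winner if blocked else None,
    }


def single_enable_never_blocks() -> bool:
    """Exhaustively check the two-input interlock over all enable states."""
    inputs = {"1E": (True, False)}
    for en1 in (False, True):
        for en2 in (False, True):
            r = plm(inputs, en1, en2)
            if r["blocked"] != (en1 and en2):
                return False
            if not r["blocked"] and r["output"] != "A":
                return False
    return True


if __name__ == "__main__":
    # A 1E startup command outranks an NC shutdown command.
    print(plm({"1E": (False, True), "NC": (True, False)}, False, False))
    print("interlock ok:", single_enable_never_blocks())
```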
2.6 TXS
The TXS platform of Siemens AG, Germany, performs priority control with the AV42 module. TXS has been applied in the Jiangsu Tian Wan and Guangdong Ling Ao nuclear power plants. In AV42 control mode, the AV42 processes commands from the following five areas: (1) simulation commands via coding plugs on the front plate; (2) commands from the safety I&C; (3) manual commands from the 1st control room; (4) manual commands from the 2nd control room; (5) NC commands via fieldbus. The 1st and 2nd control rooms are also called the main control room and the standby control room respectively. The priority of these signals from high to low is: field control commands, commands from the safety I&C, manual commands from the control rooms, NC commands. The ON/OPEN and OFF/CLOSE buttons on the front plate are used to control two types of field equipment: ON/OFF controls motors, solenoid valves, etc., and OPEN/CLOSE controls open-loop and closed-loop control equipment (isolation valves, plug valves, control valves, etc.). The two DIAGNOSIS buttons on the front panel mean "diagnosis" and "stop diagnosis" respectively. OFF/CLOSE has the highest priority and DIAGNOSIS the lowest. These commands are generally used to support maintenance measures; since they have the highest priority, they can be used to control or inhibit the actuator even when the upstream I&C system is unavailable. The AV42 has several main control tasks. First, it collects control inputs from the several control areas, performs the priority comparison and generates the drive control commands that actuate the drives. Second, it generates 1E and NC feedback signals. Third, it terminates a command in the event of sluggishness (torque protection for open-loop control actuators). The 1E signals and the power supply are hardwired to the back plate of the AV42; the NC commands reach the connector on the AV42 front panel via fieldbus; and the field signals are connected to the AV42 front plate via coding plugs. The AV42 sends three kinds of command to the field devices: CMDOFF (CLOSE command to the switchgear), CMDON (OPEN command to the switchgear) and the control blocking command. When the binary control blocking output is 1, CMDOFF and CMDON are both invalid; otherwise they are valid (Fig. 7).

Fig. 7. The AV42 of TXS platform. Front-plate legend: ON/OPEN and OFF/CLOSE local on/open and off/close input buttons; DIAGNOSIS buttons; OK and FAULT indicators; ON/OPEN and OFF/CLOSED local indicators.

2.7 The Reliability of Priority Logic Module
This section analyzes the reliability calculation method of the priority logic module using Failure Mode and Effect Analysis (FMEA), taking the ACM of the NASPIC platform as the example. Figure 8 is the schematic of the 1E DCS interface. The ACM collects both the computerized logic processing output and the manual commands, and so plays an important role in controlling the field facility; its impact on the field facility is analyzed here through its reliability. The failure rate of an electronic component is denoted λ, and the other related concepts are listed in Table 1. A none effect failure is a component failure that has no effect on the execution of the safety function (for example, failure of an LED lamp or parameter drift of some resistors). A safety failure is a component failure that places the module in a safe state without placing it in a potentially dangerous state or causing loss of function: for example, when the power chip fails, whether the failure mode is a short circuit between any two pins or a stuck output, the module eventually outputs its preset value. A dangerous failure is one that places the module in a potentially dangerous state or causes loss of function: when the Field Effect Transistor (FET) of the protection switch is short-circuited, excessive voltage burns out the circuit, resulting in a dangerous failure.

\lambda_{tol} = \lambda_{NE} + \lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}   (1)

The mean time between failures (MTBF) is the reciprocal of \lambda_{tol}. \lambda_S, \lambda_D, DC_S and DC_D are calculated by the following formulas [10].
Fig. 8. The 1E DCS interface schematic. Blocks: main control room (display operating unit, conventional operation panel, operator workstation); assistance control room (conventional operation panel, SOP/BUP, operator workstation); gateway (NC); gateway (1E); process instrument processing system (1E); manually hard logic (1E); computerized signal acquisition and logic processing (1E); ACM (1E); irradiation test loop; field sensor; field facility; reactor trip breaker; 1E DCS network connections and hardwire links.

Table 1. The nomenclature of related concepts

Failure rate, λ                              None effect failure rate, λ_NE
Dangerous failure rate, λ_D                  Safety failure rate, λ_S
Diagnosable dangerous failure rate, λ_DD     Undiagnosable dangerous failure rate, λ_DU
Diagnosable safety failure rate, λ_SD        Undiagnosable safety failure rate, λ_SU
Dangerous coverage rate, DC_D                Safety coverage rate, DC_S
Safety failure fraction, SFF                 Fit, 1 Fit = 10^-9 /h
\lambda_S = \lambda_{SD} + \lambda_{SU}   (2)

\lambda_D = \lambda_{DD} + \lambda_{DU}   (3)

DC_S = \lambda_{SD} / \lambda_S   (4)

DC_D = \lambda_{DD} / \lambda_D   (5)
The safety failure fraction is calculated from the quantities above:

SFF = \frac{\lambda_{SD} + \lambda_{SU} + \lambda_{DD}}{\lambda_{SD} + \lambda_{SU} + \lambda_{DD} + \lambda_{DU}}   (6)
Substituting the data (not reproduced here for reasons of length), the ACM has an MTBF of 67 years and an SFF of 98%. Because the ACM is entirely hardwired, its reliability calculation is less complicated than that of the other priority logic modules; for reasons of article length and available references, this paper takes only the ACM of the NASPIC platform as an example.
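The calculation of Eqs. (1)-(6) above, written out as an added Python example (not the paper's own program or data). The FMEA rows are constructed for illustration, with invented Fit values in the five categories of Table 1, so the resulting MTBF and SFF are those of this constructed data and not the ACM figures reported in the text.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

FIT_PER_HOUR = 1e-9        # 1 Fit = 10^-9 failures per hour (Table 1)
HOURS_PER_YEAR = 8760.0
CATEGORIES = ("NE", "SD", "SU", "DD", "DU")


@dataclass(frozen=True)
class FailureMode:
    """One FMEA row: a component failure mode with its rate and category."""
    component: str
    rate_fit: float   # failure rate of this mode, in Fit
    category: str     # NE, SD, SU, DD or DU as defined in Table 1


# Constructed FMEA rows for illustration only; these are not the paper's data.
EXAMPLE_FMEA = (
    FailureMode("LED lamp open", 200.0, "NE"),
    FailureMode("resistor parameter drift", 300.0, "NE"),
    FailureMode("power chip pin-to-pin short", 500.0, "SD"),
    FailureMode("power chip stuck output", 300.0, "SU"),
    FailureMode("protection switch FET short", 50.0, "DU"),
    FailureMode("AND gate output stuck", 200.0, "DD"),
    FailureMode("OR gate input open", 100.0, "DU"),
)


def summarize(modes: Iterable[FailureMode]) -> Dict[str, float]:
    """Sum the rates per category and evaluate Eqs. (1)-(6) plus the MTBF."""
    lam = {c: 0.0 for c in CATEGORIES}
    for m in modes:
        if m.category not in lam:
            raise ValueError(f"unknown failure category {m.category!r}")
        lam[m.category] += m.rate_fit
    lam_tot = sum(lam.values())                  # Eq. (1)
    lam_s = lam["SD"] + lam["SU"]                # Eq. (2)
    lam_d = lam["DD"] + lam["DU"]                # Eq. (3)
    if lam_tot == 0.0 or lam_s + lam_d == 0.0:
        raise ValueError("no failure modes with non-zero rate")
    dc_s = lam["SD"] / lam_s if lam_s else 0.0   # Eq. (4)
    dc_d = lam["DD"] / lam_d if lam_d else 0.0   # Eq. (5)
    sff = (lam_s + lam["DD"]) / (lam_s + lam_d)  # Eq. (6)
    mtbf_hours = 1.0 / (lam_tot * FIT_PER_HOUR)  # MTBF = 1 / lambda_tot
    return {
        "lambda_tot_fit": lam_tot,
        "lambda_s_fit": lam_s,
        "lambda_d_fit": lam_d,
        "dc_s": dc_s,
        "dc_d": dc_d,
        "sff": sff,
        "mtbf_years": mtbf_hours / HOURS_PER_YEAR,
    }


if __name__ == "__main__":
    for key, value in summarize(EXAMPLE_FMEA).items():
        print(f"{key:>15}: {value:.4g}")
```

The undiagnosed dangerous rate λ_DU is the only term that lowers the SFF, which is why an FMEA of a priority logic module concentrates on whether each dangerous mode (such as the shorted protection FET) is detectable by the module's self-test.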
3 Summary Analysis

This paper compares seven kinds of 1E priority logic module from six manufacturers at home and abroad. From the comparison we summarize the features of the priority logic modules; their main characteristics are shown in Table 2.
Table 2. The comparison of priority logic modules

Module        Microprocessor  CPLD/FPGA  Feedback  I/O wiring mode          Redundancy
CommonQ-CIM   NO              FPGA       YES       Communication/Hardwire   YES
NASPIC-ACM    NO              NO         NO        Hardwire                 NO
NASPIC-PLM    NO              2 CPLD     YES       Communication/Hardwire   YES
Firmsys-CIM   YES             2 CPLD     YES       Communication/Hardwire   YES
MELTAC-PIF    NO              FPGA       YES       Hardwire                 NO
TRICON-PLM    NO              FPGA       YES       Hardwire                 NO
TXS-AV42      YES             PLD        YES       Communication/Hardwire   NO
1. The CIM of the CommonQ platform is somewhat complex. In addition to the basic functions it has several safety-related functions. The control commands are divided in detail by category of field device, the STOP function is added to prevent false triggering, some important devices are controlled by two CIM cards for redundancy, and a separate blocking function is provided to prevent SWCCF.
2. NASPIC's ACM is built entirely from "AND", "OR" and "NOT" logic gates, without the microprocessor, FPGA or CPLD that other priority logic modules have. The hardwired structure not only reduces the module response time but also avoids SWCCF; however, purely hardwired logic also keeps the module's functions relatively simple.
3. NASPIC's PLM is based entirely on CPLDs and contains two CPLDs for redundancy. In the PLM the priority relationship between the field command and the 1E automatic command is "latecomer is preferred".
4. The CIM of the Firmsys platform includes an MCU and two CPLDs. The feedback signal is reported after processing by the MCU. The priority output commands are divided into single-instruction and dual-instruction outputs.
5. The MELTAC 1E DCS priority logic judgment is executed mainly in the PIF card, with a few priority judgment functions executed in the CPU of the SLC, which distinguishes this design from the other platforms.
6. The PLM of Tricon provides a way of blocking the equipment from actuating while at the same time verifying that a test actuation signal is received just before the output of the PLM.
7. The AV42 module of the TXS platform is also quite complex. It contains a microprocessor and a PLD, with functions divided between them according to safety level. A diagnostic function is added to the field control, and the AV42 provides multiple self-diagnoses of the hardwired circuits. In addition, the AV42 can generate a termination command in the event of sluggishness.
8. The priority logic module plays an important role in controlling the field facility; its failure may lead to refused or spurious operation of the field facility. Taking the ACM of the NASPIC platform as an example, the reliability calculation method is introduced; the ACM has an MTBF of 67 years and an SFF of 98%.
4 Conclusions

The 1E DCS priority logic module is one of the most important components of the reactor I&C (Instrumentation and Control) system. Its main function is to prioritize the different DCS control commands and then send the resulting command to drive the field device; its safety and reliability directly affect the safety of the reactor. The characteristics and advantages of seven kinds of domestic and international priority logic module are analyzed by comparing their functions and implementations, and the reliability calculation method is introduced briefly. This paper therefore has engineering significance and reference value for the design of priority logic modules.

Acknowledgments. The work is supported by the Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China.
References

1. IEEE Std 603-1998: IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (1998)
2. AFCEN RCC-E 2016: Design and Construction Rules for Electrical and I&C Systems and Equipment (2016)
3. Liu, B., Liu, M., et al.: Study on priority logic module of nuclear power plants. Instrumentation (12) (2017)
4. Wang, S., Li, X.: Nuclear power plant priority control system based on FPGA. Sci. Technol. Vis. (13) (2018)
5. Guo, F., Sun, N., Zheng, Z., et al.: A kind of priority management module of nuclear power plant. CN104409123A (2015)
6. Zheng, W., Zhu, Y., Li, X., et al.: A kind of multifunctional driven module. CN102394117B (2013)
7. Zhang, L., Zhang, Y., et al.: Research on the component interface modules of safety class DCS in nuclear power plant. Process Autom. Instrum. (38) (2017)
8. Wang, Q., Zhang, L., et al.: The study for character of safety priority interface card test loop and troubleshooting for test problem. China Instrum. (7) (2007)
9. Feng, W., Luo, W., et al.: Research and design on priority logic control module of nuclear power plant. Sci. Technol. Vis. (18) (2015)
10. Wu, L., Ma, Q., et al.: Study on availability of nuclear power security DCS based on Markov. Instrumentation (12) (2017)
Design and Optimization of Communication in Nuclear Safety Class Emulation System

Xu Zhang, Quan Ma (corresponding author), Qi Chen, Kai Wang, Hao Peng, and Guo-Hai Liu
Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu, China
[email protected]
Abstract. The nuclear power plant full scope simulator (FSS) is very important for scientific research and operator training. The safety class I&C (instrumentation and control) emulation system emulates the behavior of the 1E DCS (Distributed Control System) in the FSS. The communication design for the safety class I&C emulation system, which runs on a virtual embedded system, covers inner and outer communication. Inner communication comprises the communication between the Data Management Service (DMS) and the Virtual Control Station (VCS), between the VCS and the Virtual Main Processing Unit (VMPU), and among the VCSs themselves. Building on the widely used TCP network protocol, the communication framework of the entire system has to be optimized so that the emulation system behaves as accurately as the real one. To address the slight time latency of the I&C emulation system, an event-triggered information scheduling method is developed to improve the response speed of the system. As an example, a reactor shutdown caused by over-pressure in the reactor containment is simulated to verify the effect of the optimized communication structure.

Keywords: Emulation system · Communication · DCS
1 Background

The nuclear power plant FSS is shown in Fig. 1. It includes the safety class I&C emulation system, the non-classified I&C emulation system, the process model and the teaching and operation (T&O) platform, etc. The safety class I&C emulation system emulates the behavior of the safety class DCS as a set of application processes in one or several emulation hosts; the communication module provides the data and instruction channels between these processes. The process model simulates the reactor process systems under transient conditions, and some of its parameters are sent to the safety class I&C emulation system as inputs. The outputs of the safety class I&C emulation system are used to issue drive commands, to display information and to send information to other systems. The communication architecture between the systems and the communication mode of each subsystem play an important role in the design of the nuclear power plant safety class I&C emulation system [1–3].
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 430–440, 2020. https://doi.org/10.1007/978-981-15-1876-8_43
Fig. 1. Structure of nuclear power plant FSS. Blocks: safety class I&C emulation system (safety class emulation host with VCS, VCS, VMPU, VMPU and DMS; safety VDU; maintenance station); non-safety I&C emulation system (emergency control panel, back-up panel, software/hardware interface, remote shutdown station, non-safety emulation host, history and alarm server, operator station, communication server, maintenance station, gateway); process module and T&O platform (process module, I/O interface).
2 The Communication Framework of Virtual Nuclear Safety DCS Based on TCP Protocol

Considering safety, most of the communication in nuclear safety DCS currently uses customized protocols, while peripherals support only standard ones. To make the emulation as close as possible to the physical system, two different methods are usually adopted in emulation system design, considering both compatibility and convenience of operation. The first method is to use a certain standard protocol to imitate the customized safety protocols, by developing special applications in the application layer of the standard protocol chosen for the emulation system to support the safety protocols. The second method is to use high speed communication protocols to encapsulate the safety protocols. Customized development in the application layer of a standard protocol is a huge and difficult task. The compatibility of this method is also very weak: the customized development must be restarted whenever the safety protocol changes. Moreover, the risk of leaking the safety protocol is the most critical issue of this method, because the details of the safety protocol must be known in order to develop the customized application. Considering all the issues of the first method, the second one is much better. Regarding the most critical issue of leaking safety information, the details of the protocol are unnecessary for encapsulation; the high speed communication protocol packs the safety protocol components as its payload during transmission. All that is needed is the transmission model of the physical system, such as the transmission latency and transmission speed. Precisely because the encapsulation does not depend on the details of its payload, this method can be used with many different safety protocol systems, which means strong compatibility.

In this paper, the very popular and mature transmission control protocol (TCP) is chosen to build the communication framework of the entire emulation platform.

2.1 Brief of TCP

TCP is a connection-oriented, highly reliable transport layer protocol [4]. It uses a three-way handshake (Fig. 2) and an error handling strategy to guarantee its reliability.
X. Zhang et al.
Because the transport layer lies above the network layer, TCP can adapt its transmission speed to the lower layer protocol, such as 100 or 1000 Mbps Ethernet. These two points make TCP widely used in environments where high speed transmission and reliability are required. As mentioned above, connection-oriented means that before the two sides can communicate, TCP first needs to establish a connection between them. As shown in Fig. 2, the three-way handshake is used to build the channel. The process starts with the side that wants to communicate sending a SYN. The destination side replies with SYN and ACK together. The last step is for the source side to reply with an ACK to the destination side.

[Figure 2: message sequence between Source and Destination: SYN, SYN+ACK, ACK.]
Fig. 2. 3-times handshake
The three-way handshake guarantees that the connection between source and destination is established, while the error handling strategy guarantees reliable transmission during communication. To keep the channel at a high transmission quality, several error handling tasks are executed when errors happen. One typical method is retransmission of the erroneous data: when a timeout occurs or a checksum fails, the destination side does not acknowledge the erroneous segments, and the source side re-sends them until they are received correctly. The physical layer and data-link layer define the transmission speed of the whole protocol stack. TCP mostly runs on Ethernet, which is popular for high speed communication at 100 or 1000 Mbps.

2.2 Emulation Framework Design of Safety Communication Protocol Based on TCP

Using the high speed and reliability of TCP, the emulation system can be made identical in behavior to the real one: the safety data created by the emulation applications is packed and unpacked according to the communication rules of the actual environment, and the lower layers are used to carry it.
[Figure 3: on each side of the emulation system, emulation applications exchange data over the safety protocol (safety communication); the communication platform on each side stacks the safety protocol layer above the TCP layer, network layer and link layer (network communication), and the two sides are joined by the physical link.]
Fig. 3. Communication structure of the emulation system
In Fig. 3, all protocols below TCP are standard. The communication platform can choose different transmission speeds according to the transmission requirements of the safety protocol being simulated. When a new communication requirement occurs, the packing module packs the private data from the DCS emulation applications into the payload segment of TCP frames. Through transparent transmission, the unpacking module on the other side receives the standard TCP frames and unpacks the payload for the emulation applications. To make the emulation more realistic, the emulation applications can set a transmission latency to imitate the real safety DCS according to the actual environment. Because of the transparent transmission, the communication platform sends and receives data through the safety protocol, while the lower layers of the communication platform do not care about the transmission rules and contents. In this way, the privacy of the safety communication protocol of the safety DCS is protected and the risk of leakage is avoided.
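The transparent packing described above, as an added example that is not code from the paper or from the emulation system it describes: a packer and unpacker that carry opaque safety-protocol bytes as TCP payload without interpreting them, plus a delay model for the link. Because TCP is a byte stream that may split or merge what the sender wrote, the wrapper needs its own framing header; the 8-byte header (tag, sequence number, length), the tag value, the chunk sizes and the sample frames are all constructed for this illustration.

```python
"""Transparent carriage of opaque safety-protocol frames inside a TCP payload.

Added example. The wrapper never interprets the safety-protocol bytes; it only
needs a framing header (constructed here: 4-byte tag, 16-bit sequence number,
16-bit payload length) because TCP is a byte stream that may split or merge
what the sender wrote, and a delay model for the physical link.
"""
import struct
from collections import deque
from typing import List

HEADER = struct.Struct("!4sHH")   # tag, sequence number, payload length (network order)
TAG = b"SAFE"                     # constructed framing tag, not a real protocol value
MAX_PAYLOAD = 0xFFFF


class Packer:
    """Sender side: prepend the framing header to each opaque safety frame."""

    def __init__(self) -> None:
        self.seq = 0

    def pack(self, payload: bytes) -> bytes:
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("safety frame too large for one wrapper frame")
        frame = HEADER.pack(TAG, self.seq, len(payload)) + payload
        self.seq = (self.seq + 1) & 0xFFFF
        return frame


class Unpacker:
    """Receiver side: reassemble frames from arbitrary chunks of the byte stream.

    Only the wrapper header is checked; integrity of the safety payload stays
    the responsibility of the safety protocol carried inside it.
    """

    def __init__(self) -> None:
        self.buf = bytearray()
        self.expected_seq = 0

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        frames: List[bytes] = []
        while len(self.buf) >= HEADER.size:
            tag, seq, length = HEADER.unpack_from(self.buf, 0)
            if tag != TAG:
                raise ValueError("stream desynchronised: bad framing tag")
            if len(self.buf) < HEADER.size + length:
                break                      # payload not fully received yet
            if seq != self.expected_seq:
                raise ValueError(f"frame {seq} received, {self.expected_seq} expected")
            self.expected_seq = (seq + 1) & 0xFFFF
            frames.append(bytes(self.buf[HEADER.size:HEADER.size + length]))
            del self.buf[:HEADER.size + length]
        return frames


class LatencyLink:
    """Physical link model: bytes written at t become readable at t + delay_ms."""

    def __init__(self, delay_ms: int) -> None:
        self.delay_ms = delay_ms
        self.in_flight: deque = deque()

    def send(self, data: bytes, now_ms: int) -> None:
        self.in_flight.append((now_ms + self.delay_ms, data))

    def receive(self, now_ms: int) -> bytes:
        out = b""
        while self.in_flight and self.in_flight[0][0] <= now_ms:
            out += self.in_flight.popleft()[1]
        return out


def round_trip(frames: List[bytes], delay_ms: int = 5, chunk_size: int = 7) -> List[bytes]:
    """Pack the frames, deliver the stream in odd-sized chunks through the
    delayed link (as TCP may hand them to the receiver) and reassemble."""
    packer, unpacker, link = Packer(), Unpacker(), LatencyLink(delay_ms)
    stream = b"".join(packer.pack(f) for f in frames)
    for offset in range(0, len(stream), chunk_size):
        link.send(stream[offset:offset + chunk_size], now_ms=offset)  # constructed clock
    received: List[bytes] = []
    for now_ms in range(len(stream) + delay_ms + 1):
        received += unpacker.feed(link.receive(now_ms))
    return received


if __name__ == "__main__":
    sample = [b"\x01\x02\x03", b"", bytes(range(100))]   # constructed opaque frames
    print(round_trip(sample) == sample)
```

The unpacker only validates its own header (tag and sequence), which is what lets it stay ignorant of the safety protocol; any integrity or authenticity check of the carried data remains inside the payload, exactly as in the physical system.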
3 Design of the Communication

3.1 Design of the Communication in I&C Emulation System

The nuclear safety class I&C emulation system based on the virtual embedded system moves the embedded software of the physical control system to the Microsoft Windows platform and uses a VMPU to imitate the calculation functions of the physical Main Processing Unit. The framework of the nuclear safety class I&C emulation system based on the virtual embedded system is shown in Fig. 4.
[Figure 4: the DMS is connected to VCS-1 to VCS-N; each VCS hosts a VMPU, and the VCSs communicate with each other between stations.]
Fig. 4. Structure of nuclear safety class emulation system based on virtual embedded system
As the core of data and instruction scheduling, the DMS is connected to every VCS. It runs the functions of outer systems such as human-machine interfaces and the mathematical models of the technological systems, and executes tasks such as data transmission and instruction allocation. A VCS acts like a physical control station in the physical DCS; its main job is to build the communication route for data and instructions between the DMS and its VMPU. A VCS receives data and instructions from the DMS, forwards them to the VMPU for calculation, and exchanges the results with other VCSs. Thus the communication between DMS and VCS, between VCSs, and between VCS and VMPU must be carefully considered when designing the inner communication network of the emulation system. Besides, in a multi-target emulation system, each target must be identified and its space allocated separately; VCSs only communicate with the DMS that belongs to the same project.

3.1.1 Communication Design Between DMS and VCS

TCP is used for communication between DMS and VCS. First the DMS boots as a server. After a VCS starts, it establishes a socket connection with the DMS as a client. The data sent by a VCS includes output data, status data, etc. The received data includes input data, emulation instructions (data operation, malfunction settings, etc.), emulation operation instructions (running, freezing, etc.), the exit instruction, etc.

3.1.2 Communication Design Between VCS and VMPU

A VCS communicates with a VMPU by means of shared memory and event kernel objects. A VCS creates a periodic event and a data synchronization event. Through the periodic event, a VMPU can be scheduled into the run, freeze and other emulation states, and can also be given more complicated instructions, including stepping for a constant number of steps or stepping for a constant time. A VCS informs a VMPU to synchronize data by setting the data synchronization event.
The shared memory of VCS and VMPU contains state data and control instructions, including the emulation state, the mode of the VMPU, the name of the current condition, whether the VMPU is running, etc. Input and output data values are also transferred through the shared memory, which simulates the behavior of the functional boards when sending or receiving data.

3.1.3 Communications Between VCSs

VCSs communicate by the TCP protocol. The virtual station that starts first works as the server, and the virtual station that starts later works as the client and makes the socket connection. The real-time data and state data of the virtual stations are synchronized every cycle.
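The VCS-to-VMPU scheduling of Sect. 3.1.2, as an added example that is not the emulation system's own code: a VCS owns a shared block and two events, releases the VMPU for one calculation cycle through the periodic event, and waits for the VMPU's data synchronization before the next step. Windows event kernel objects are modelled with threading.Event and the shared memory with a bytearray under a struct layout; the field layout, the state codes and the stand-in control calculation are assumptions.

```python
"""VCS scheduling a VMPU through a shared memory block and event objects.

Added example, not the emulation system's own code. The Windows event kernel
objects are modelled with threading.Event, the shared memory with a bytearray
under a struct layout; the layout, state codes and the control calculation are
assumptions made for the illustration.
"""
import struct
import threading
from typing import Tuple

# Shared block layout (assumption): emulation state, VMPU mode, running flag,
# cycle counter, one input value and one output value.
LAYOUT = struct.Struct("<IIIIdd")
STATE_FREEZE, STATE_RUN = 0, 1

Snapshot = Tuple[int, int, int, int, float, float]


class SharedBlock:
    """Stands in for the shared memory area between a VCS and its VMPU."""

    def __init__(self) -> None:
        self.buf = bytearray(LAYOUT.size)
        self.lock = threading.Lock()

    def read(self) -> Snapshot:
        with self.lock:
            return LAYOUT.unpack_from(self.buf, 0)

    def write(self, state: int, mode: int, running: int, cycles: int,
              inp: float, out: float) -> None:
        with self.lock:
            LAYOUT.pack_into(self.buf, 0, state, mode, running, cycles, inp, out)


class VMPU(threading.Thread):
    """Runs one control calculation each time the VCS sets the periodic event."""

    def __init__(self, shm: SharedBlock, periodic: threading.Event,
                 done: threading.Event, stop: threading.Event) -> None:
        super().__init__(daemon=True)
        self.shm, self.periodic, self.done, self.stop = shm, periodic, done, stop

    @staticmethod
    def control_calc(inp: float) -> float:
        return inp * 2.0          # stand-in for the real control algorithm (assumption)

    def run(self) -> None:
        while not self.stop.is_set():
            if not self.periodic.wait(timeout=0.05):
                continue              # re-check the stop flag
            self.periodic.clear()
            state, mode, _running, cycles, inp, out = self.shm.read()
            if state == STATE_RUN:    # frozen: hold the outputs, do not count a cycle
                self.shm.write(state, mode, 1, cycles + 1, inp, self.control_calc(inp))
            self.done.set()           # data synchronisation: results are in shared memory


class VCS:
    """Owns the shared block and the events, and schedules the VMPU."""

    def __init__(self) -> None:
        self.shm = SharedBlock()
        self.periodic, self.done, self.stop = (threading.Event(), threading.Event(),
                                               threading.Event())
        self.shm.write(STATE_FREEZE, 0, 0, 0, 0.0, 0.0)
        self.vmpu = VMPU(self.shm, self.periodic, self.done, self.stop)
        self.vmpu.start()

    def _update(self, index: int, value) -> None:
        fields = list(self.shm.read())
        fields[index] = value
        self.shm.write(*fields)

    def set_state(self, state: int) -> None:
        self._update(0, state)

    def set_input(self, value: float) -> None:
        self._update(4, value)

    def step(self, n: int = 1) -> Snapshot:
        """'Step for a constant number of steps': release the VMPU n times and
        wait for its data synchronisation after each cycle."""
        for _ in range(n):
            self.done.clear()
            self.periodic.set()
            if not self.done.wait(timeout=1.0):
                raise TimeoutError("VMPU did not complete the cycle")
        return self.shm.read()

    def shutdown(self) -> None:
        self.stop.set()
        self.vmpu.join()


if __name__ == "__main__":
    vcs = VCS()
    vcs.set_input(3.0)
    print("frozen:", vcs.step(2))
    vcs.set_state(STATE_RUN)
    print("running:", vcs.step(3))
    vcs.shutdown()
```

The timeout in `step` is the check a practitioner wants here: a VMPU that never answers the periodic event would otherwise stall the whole station silently, whereas a timeout turns it into a reportable fault.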
3.2 Communication of Process Model
The process model is used to calculate the transient working condition of the process system in the nuclear power plant. During the calculation, some data to be displayed is generated. An interface program needs to be designed to synchronize the process model and the T&O platform. The T&O platform interacts with the process model through this interface program. The calculation results of the process model can be transmitted to the platform and displayed through the designed interface [5]. The T&O platform can also intervene in the process model: the operation orders for valves and pumps in the reactor system are transmitted to the process model through the interface program. Moreover, the T&O platform has the functions of start, pause, continuous operation, restart, snapshot, etc. [6]. The interaction between the T&O platform and the process model is shown in Fig. 5. When the program is started, the T&O platform calls the process model to run the execution program. (If this is the first time the platform is started, the platform creates a shared memory area for the process model.) The platform reads the mapping file and writes the data to the shared memory area according to the rules of the mapping file [7]. Then the process model reads the mapping file and reads the shared memory data according to the mapping file rules. The process model calculates using the shared memory data as inputs. After one step is completed, the process model writes the output data to the shared memory area according to the mapping file and waits for the platform to read it. Next, the platform reads the shared memory area according to the mapping file, and the control system starts to run. If a next step is required, the results of the teaching and control platform are written into the shared memory area again through the mapping file, so that the data interaction between the platform and the process model is realized. When there is no need to continue the operation, the platform can exit directly.

[Figure 5: flowchart of the process model (left) and the teaching and control operation platform (right). Both start, check whether this is the first start and, if so, create the shared memory data; both read the map file. The platform writes its data to shared memory data 1, the process model reads it, performs the data calculation and writes the results to shared memory data 2, which the platform reads; each side then checks whether to perform another operation and loops, or ends.]
Fig. 5. Communication between process model and T&O platform

3.3 Communication Between I&C Emulation System and Other Parts of FSS
The I&C emulation system is instructed by the T&O platform. Common dispatch instructions include start, run, freeze, step and stop. Among these instructions, start, run, freeze and stop need no parameter, while the step length is required as the parameter of the step instruction. The data exchange of the process model between the I&C emulation system and the FSS is realized by the IO list, which is managed by both of them. The emulation system and the process model read and write the IO list separately and periodically, to update the input data of the local side and send the computed data to the other side. The data created by the safety class I&C emulation system and used by the non-classified I&C system goes through the gateway station [8–10]. As described in Sect. 3.1, since the TCP protocol is used inside the I&C emulation system, the communication between the I&C emulation system and the other parts of the FSS is easier to realize if the other parts of the FSS also use TCP. If they do not use TCP, for example the OPC protocol, an OPC server can be used as the bridge between the I&C emulation system and the other parts of the FSS, which connect to the OPC server.
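The mapping-file-driven shared memory exchange of Sect. 3.2 and the periodic IO list exchange of Sect. 3.3, as one added example that is not the FSS project's own code. Both sides parse the same mapping file to locate every variable in the shared area, so neither hard-codes the other's layout, and the parser rejects overlapping fields so that a corrupted mapping cannot silently alias two signals. The mapping file format, the variable names, the memory layout and the toy process model are all constructed for this illustration.

```python
"""Mapping-file-driven I/O exchange through a shared memory area.

Added example (not the FSS project's own code). Both the process model side
and the platform side parse the same mapping file, so neither hard-codes the
other's memory layout; the file format, variable names, sizes and the toy
process model are all constructed for the illustration.
"""
import struct
from typing import Dict, List, Tuple

# Constructed mapping file: name, type, byte offset, direction.
MAPPING_FILE = """\
# name          type  offset  direction
CNT_PRESS       f64   0       model->platform
RCP_FLOW        f64   8       model->platform
VLV_001_CMD     u8    16      platform->model
PMP_002_CMD     u8    17      platform->model
"""

FORMATS = {"f64": "<d", "i32": "<i", "u8": "<B"}   # little-endian struct codes
Entry = Tuple[str, int, str]                       # (type, offset, direction)


def parse_mapping(text: str) -> Dict[str, Entry]:
    """Parse the mapping file and reject unknown types and overlapping fields,
    so a corrupted or mismatched file cannot silently alias two variables."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, typ, offset, direction = line.split()
        if typ not in FORMATS:
            raise ValueError(f"unknown type {typ!r} for {name}")
        entries[name] = (typ, int(offset), direction)
    spans = sorted((off, off + struct.calcsize(FORMATS[typ]), name)
                   for name, (typ, off, _d) in entries.items())
    for (_a0, a1, a_name), (b0, _b1, b_name) in zip(spans, spans[1:]):
        if b0 < a1:
            raise ValueError(f"fields {a_name} and {b_name} overlap")
    return entries


class SharedArea:
    """The shared memory area, addressed only through the mapping."""

    def __init__(self, mapping: Dict[str, Entry], size: int = 64) -> None:
        self.mapping, self.buf = mapping, bytearray(size)

    def write(self, name: str, value) -> None:
        typ, off, _d = self.mapping[name]
        struct.pack_into(FORMATS[typ], self.buf, off, value)

    def read(self, name: str):
        typ, off, _d = self.mapping[name]
        return struct.unpack_from(FORMATS[typ], self.buf, off)[0]

    def snapshot(self, direction: str) -> Dict[str, object]:
        """All variables flowing in one direction, i.e. one side's IO list."""
        return {n: self.read(n) for n, (_t, _o, d) in self.mapping.items() if d == direction}


def model_step(cmds: Dict[str, object], state: Dict[str, float]) -> Dict[str, float]:
    """Toy process model (assumption): an open valve raises containment
    pressure 5 kPa per step, otherwise it falls 1 kPa; the pump raises flow."""
    press = state["press"] + (5.0 if cmds["VLV_001_CMD"] else -1.0)
    flow = min(state["flow"] + 10.0, 50.0) if cmds["PMP_002_CMD"] else state["flow"]
    return {"press": press, "flow": flow}


def run_cycles(n: int) -> List[Dict[str, object]]:
    """One exchange cycle per step: platform writes commands, model reads them,
    calculates, writes outputs, platform reads them for display."""
    area = SharedArea(parse_mapping(MAPPING_FILE))
    state = {"press": 100.0, "flow": 0.0}
    displayed: List[Dict[str, object]] = []
    for cycle in range(n):
        area.write("VLV_001_CMD", 1 if cycle < 3 else 0)   # operator closes valve at cycle 3
        area.write("PMP_002_CMD", 1)
        state = model_step(area.snapshot("platform->model"), state)
        area.write("CNT_PRESS", state["press"])
        area.write("RCP_FLOW", state["flow"])
        displayed.append(area.snapshot("model->platform"))
    return displayed


if __name__ == "__main__":
    for row in run_cycles(5):
        print(row)
```

Each `snapshot` call is one side's IO list for the cycle: the model reads the `platform->model` list and the platform reads the `model->platform` list, which is the separate periodic read/write the section describes.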
4 Signal Transmission Optimization in Emulation System

4.1 Signal Transmission Difference Between Emulation System and Physical System
The scheduling of signal transmission in the emulation system affects the emulation results, so it is worth optimizing the scheduling strategy of signal transmission. In emulation systems that use the virtual embedded system, signals are transmitted between DMS, VCS and VMPU. Because of the existence of the DMS in the emulation system, the emulation states and the data exchange with the outside must be arranged together, so the transmission period of data and instructions may be slightly longer than in the physical system.

4.2 Optimization

The communication path of the emulation system based on the virtual embedded system is shown in Fig. 6.
[Figure 6: the external system is sampled by the DMS (period T_DMS); the DMS sends to VCS-1 to VCS-N, each with its VMPU (calculation and waiting time T_VMPU); the stations communicate with each other (T_COM); and each VCS responds to the DMS (response time T_RES).]
Fig. 6. Communication channels of I&C emulation system based on embedded system
As shown in Fig. 6, a complete calculation period consists of T_DMS, the latency of signal transmission from DMS to VCS; T_VMPU, the calculation and waiting time of the VMPU; T_COM, the communication latency between stations; and T_RES, the feedback time from VCS to DMS. Among the four, T_VMPU is the same in the emulation system and the real one, and T_COM is so short that it can be ignored in the total latency. Thus the way to decrease the response time of the I&C emulation system is to reduce T_DMS and T_RES. T_DMS is hard to reduce under normal conditions, so it should be kept as small as possible while the data stays steady. There are two ways for the VCS to feed back to the DMS: periodically and event-triggered. T_RES is a constant in the periodic mode, while in the event-triggered mode it can be reduced almost to 0 ms, because every time a VCS needs to feed back to the DMS it does so immediately, without waiting for the end of the period.

4.3 Analysis of Optimization Case
In order to prove the effect of the optimization method described in Sect. 4.2, the reactor trip on high containment pressure is taken as an example and the optimization effects are analyzed. Figure 7 shows the logic diagram of the reactor trip caused by the containment pressure exceeding its upper limit. The upper limit of the containment pressure is set to 122 kPa, and the gap (deadband) is set to 1% of full range. The containment pressure signal collected by the sensor is sent to the control system as an analog input, where it is compared with the upper limit setpoint, which finally determines whether the trip signal of this channel is generated (Fig. 7).
[Figure 7: the containment pressure analog input (AI) is compared with the high limit setpoint (SP, 122 kPa, gap 1% of full range) in the high limit judgment block; its result and the high limit judgment results from the other channels enter a 2 out of 4 vote whose digital output (DO) is the reactor trip.]
Fig. 7. Logic diagram of containment pressure high trip
The sequence of the reactor trip is as follows. Assume a large loss of coolant accident (LOCA) [11, 12] occurs in the reactor; the start of the experiment is recorded as -20 ms. At 0 ms, the pressure of the reactor containment exceeds 122 kPa. The incoming real-time pressure from the pressure sensor exceeds the upper limit threshold. Through the threshold comparison logic the high signal is generated, and together with the signals from the other channels a "2 out of 4" logic judgment is performed, which generates the reactor trip signal of this channel. The waiting time between one main control module and the next, the calculation time of the main control period, the communication time between the stations and so on must be considered: the signal sent to the next main control module requires a waiting time of up to one main control cycle. According to industry regulations, the maximum reactor trip response time shall not exceed 200 ms. The simulation experiment was divided into two groups, and each group was run several times with the maximum response time recorded; the DMS cycle was 50 ms and the main control cycle was 45 ms. In the first group, the feedback from the VCS to the DMS was periodic, with the period set to 50 ms. In the second group, the feedback from the VCS to the DMS was event-triggered. In Fig. 8, the results of the first group are recorded as "the results before optimization" and those of the second group as "the results after optimization".
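The latency chain of Sect. 4.2 and the trip logic of Sect. 4.3, as one added simulation that is not the experiment code of the paper. It models each stage of Fig. 6 as a wait for the next cycle boundary, compares periodic feedback with event-triggered feedback over every possible event instant, and feeds a constructed containment pressure transient through four high-limit channels with a gap and a 2-out-of-4 vote. The DMS period (50 ms), main control cycle (45 ms), 122 kPa setpoint and 1% gap are the paper's values; the calculation time (one control cycle), the 200 kPa full range, the pressure ramp and the per-channel sensor offsets (one channel reading 5 kPa low) are assumptions, so the trip times it produces are illustrative and do not reproduce the 218 ms and 164 ms of the experiment.

```python
"""Periodic vs event-triggered VCS feedback, and the containment-pressure-high
trip logic (high limit with gap, 2 out of 4 vote), as one simulation.

Added example, not the experiment code of the paper. The DMS period (50 ms),
main control cycle (45 ms), 122 kPa setpoint and 1% gap are the paper's values;
the calculation time (one main control cycle), the 200 kPa full range, the
pressure ramp and the per-channel sensor offsets are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def ceil_to(t: int, period: int) -> int:
    """Next cycle boundary: smallest multiple of `period` that is >= t."""
    return -(-t // period) * period


@dataclass
class ChainTiming:
    """Latency model of the DMS -> VCS -> VMPU -> VCS -> DMS chain (Fig. 6), in ms."""
    dms_period: int = 50            # T_DMS: DMS forwards at its period boundary
    mpu_period: int = 45            # main control cycle: VMPU starts at its boundary
    calc_time: int = 45             # assumption: calculation takes one control cycle
    feedback_period: Optional[int] = 50   # None models event-triggered feedback

    def stages(self, t_event: int) -> Tuple[int, int, int]:
        t_dms = ceil_to(t_event, self.dms_period)
        t_mpu = ceil_to(t_dms, self.mpu_period) + self.calc_time
        if self.feedback_period is None:
            t_res = t_mpu                                 # T_RES ~ 0: send immediately
        else:
            t_res = ceil_to(t_mpu, self.feedback_period)  # wait for the feedback period
        return t_dms, t_mpu, t_res

    def response(self, t_event: int) -> int:
        return self.stages(t_event)[2] - t_event

    def worst_case(self, horizon_ms: int) -> int:
        return max(self.response(t) for t in range(horizon_ms))


class HighLimitChannel:
    """One channel's high-limit comparator with a deadband (gap) below the SP."""

    def __init__(self, setpoint: float = 122.0, full_range: float = 200.0,
                 gap_percent: float = 1.0) -> None:
        self.sp = setpoint
        self.gap = full_range * gap_percent / 100.0
        self.high = False

    def update(self, pressure: float) -> bool:
        if pressure > self.sp:
            self.high = True
        elif pressure < self.sp - self.gap:   # clears only below SP minus gap
            self.high = False
        return self.high


def two_out_of_four(votes: List[bool]) -> bool:
    if len(votes) != 4:
        raise ValueError("2oo4 voting needs exactly four channel results")
    return sum(votes) >= 2


def simulate_trip(pressure: Callable[[int], float], timing: ChainTiming,
                  offsets: Tuple[float, ...] = (0.0, -0.1, 0.1, -5.0),
                  horizon_ms: int = 500) -> Optional[int]:
    """Time (ms) at which the reactor trip reaches the DMS, or None.

    The DMS samples the pressure every dms_period; each of four channels applies
    an offset (constructed: channel 4 reads 5 kPa low) and its comparator; the
    2oo4 result is then delayed by the chain timing."""
    channels = [HighLimitChannel() for _ in offsets]
    for t_sample in range(0, horizon_ms, timing.dms_period):
        p = pressure(t_sample)
        votes = [ch.update(p + off) for ch, off in zip(channels, offsets)]
        if two_out_of_four(votes):
            return timing.stages(t_sample)[2]
    return None


def ramp(t_ms: int) -> float:
    """Constructed containment pressure transient: 121 kPa rising 0.025 kPa/ms."""
    return 121.0 + 0.025 * t_ms


if __name__ == "__main__":
    periodic, event = ChainTiming(), ChainTiming(feedback_period=None)
    print("worst-case response, periodic:", periodic.worst_case(450), "ms")
    print("worst-case response, event-triggered:", event.worst_case(450), "ms")
    print("trip at DMS, periodic:", simulate_trip(ramp, periodic), "ms")
    print("trip at DMS, event-triggered:", simulate_trip(ramp, event), "ms")
```

Two things the run shows that the text only states: the event-triggered chain never does worse than the periodic one over any event instant, and the 2oo4 vote still trips when one channel reads low while a single spurious high channel alone does not.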
[Figure 8: containment pressure (kPa, 121.5 to 124) and reactor trip signal (Bool) versus time (0 to 250 ms), showing the containment pressure and the reactor trip signal before and after optimization.]
Fig. 8. Result of containment pressure high trip emulation verification
The first group of experiments generated the reactor trip signal at 218 ms, while the second group generated it at 164 ms. For accident mitigation, the containment pressure at the trip is lower after optimization than before, so the risk to the reactor is relatively smaller, which benefits the subsequent operation of the protection system (Fig. 8). The response time of the feedback to the DMS can be shortened by using an event-triggered VCS, giving a more realistic simulation.

5 Conclusion

(1) In the design of the communication of a nuclear safety class I&C emulation system routed on the embedded system, the communication between DMS and VCS, between VCS and VMPU, and between VCSs themselves needs to be considered.
(2) The speed of Ethernet running TCP as the application layer protocol is fast enough to satisfy the communication requirements of the whole emulation system.
(3) Using shared memory, the data transfer between the process model and the T&O platform can be synchronized, offering synchronized IO signals to the safety class or non-classified platforms.
(4) Reducing the DMS period and reducing the feedback time from VCS to DMS are two ways to reduce the response time of the I&C emulation system based on the embedded system. The event-triggered feedback strategy reduces the feedback time from VCS to DMS.
References
1. Lin, M., Hou, D., Liu, P., Yang, Z., Yang, Y.: Main control system verification and validation of NPP digital I&C system based on engineering simulator. Ann. Nucl. Energy 240, 1887–1896 (2011)
2. Gao, H., Qu, M., Li, Q., Jing, Y.: Research and design on virtual DCS process control platform in nuclear power plant. Comput. Integr. Manuf. Syst. 34(2), 144–149 (2017)
3. Sun, Y., Zhang, Y., Pang, Z.: A validation and verification method of I&C software of nuclear power station based on FSS. Comput. Integr. Manuf. Syst. 31(4), 147–150 (2014)
4. Hollot, C., Misra, V., Towsley, D., Gong, W.: Designing improved controllers for AQM routers supporting TCP flows. IEEE Trans. Autom. Control 47(6), 945–959 (2002)
5. Exel, L., Frey, G., Wolf, G., Oppelt, M.: Re-use of existing simulation models for DCS engineering via the function mock-up interface. In: Emerging Technology & Factory Automation (2015)
6. Lin, M., Hou, Z.Y.D., Liu, P.: Applying engineering simulator to verification and validation of digital I&C in nuclear power plant. In: 17th International Conference on Nuclear Engineering, pp. 729–733. ASME, Brussels (2009)
7. Li, Z., Zhang, X.: Nuclear power plant safety DCS virtual system design and development. Manuf. Autom. 34(7), 154–156 (2012)
8. Shi, J., Jiang, M., Ma, Y.: Research on real-time simulation test for upgrades of digital I&C system in nuclear power plant. Nucl. Tech. (2005)
9. Hou, D., Lin, M., Xu, Z., Yang, Y.: Development and application of an extensible engineering simulator for NPP DCS closed-loop test. Nucl. Eng. Des. 38, 49–55 (2010)
10. Shi, J., Jiang, M., Ma, Y.: Technical study of real-time simulation system for digital I&C system of steam generator in nuclear power plant. Nucl. Power Eng. (2004)
11. Maji, A., Rao, D., Letellier, B., Bartlein, L., Marshall, B.: Transport characteristics of selected pressurized water reactor LOCA-generated debris. Nucl. Technol. 139(2), 145–155 (2002)
12. Liao, J., Kucukboyaci, V.N., Wright, R.F.: Development of a LOCA safety analysis evaluation model for the Westinghouse Small Modular Reactor. Ann. Nucl. Energy 98, 61–73 (2016)
Reliability Allocation Based on Importance Measures

Ming Xu1, Duo Li2, Shu-Qiao Zhou2 (corresponding author), and Xiao-Jin Huang2

1 Department of Automation, College of Intelligence Science and Technology, National University of Defense Technology, Changsha 410073, China
2 Collaborative Innovation Center of Advanced Nuclear Energy Technology, Key Laboratory of Advanced Reactor Engineering and Safety of Ministry of Education, Institute of Nuclear and New Energy Technology of Tsinghua University, Beijing 100084, China
[email protected]
Abstract. Properly assigning reliability to components is a key step in system design, especially for systems in nuclear installations with high reliability requirements. Previously, the reliability allocation for such systems with high availability requirements was done based on failure mode, effects and criticality analysis (FMECA) and fault tree analysis (FTA). The results from FMECA are only qualitative, and the analysis based on FTA must be iterative and can probably only reach a sub-optimal solution. In this paper, a theoretical model based on importance measures (IMs) is proposed, which can quantitatively allocate the reliability indices to the different components of a system. Moreover, the optimal assignment can be obtained directly without any iterative process. Thus the proposed method is theoretically valuable and also beneficial to the design of the related complex systems and devices of nuclear power plants. The design of a control cabinet is introduced as a typical example, and the proposed method is demonstrated to be effective.

Keywords: Importance measure, Reliability allocation, Cost-related importance measure, Reliability and risk, Risk-informed decision making
1 Introduction

The general goal of risk-informed applications is to make requirements on operation and maintenance activities more risk-effective and less costly by focusing better on what is risk-important [1–4]. To this aim, importance measures (IMs) are used to quantify the risk or safety significance of components or, more generally, basic events, according to specific views of their role within the system [5–7]. However, most of the time we obtain the IMs from the designed system (with fixed structure and parameters) for risk-informed decision making. In a certain sense, this is a passive method. As we know, the IMs of components or basic events depend to a great extent on the system design (the maintenance strategy also affects the IMs), and once the system design is determined, the only task left is to use the information of the IMs for risk-informed decision making. This means that different system designs affect the methods of risk-informed decision making, and some designs must be better or worse from the viewpoint of system operation or maintenance. So it is necessary to design the system (including structure and parameters) according to the subsequent factors that benefit risk-informed decision making. This paper mainly focuses on the parameters, that is, allocating system reliability in accordance with the relationships among IMs. In previous work, IMs were not considered in reliability allocation [8–11]. Taking IMs into reliability allocation is a new idea and, to our knowledge, this problem is proposed here for the first time. During the design of the complex systems and devices for high temperature gas cooled reactor nuclear power plants and other nuclear installations, the reliability allocation for systems and devices with high availability requirements is usually done based on failure mode, effects and criticality analysis (FMECA) and fault tree analysis (FTA). The results from FMECA are only qualitative, and the analysis based on FTA must be iterative. The proposed reliability allocation method based on IMs is expected to assign the reliability indices quantitatively without iteration. The remainder of the paper is organized as follows. In Sect. 2 a simple example is introduced and we explain the necessity of bringing IMs into reliability allocation. Section 3 introduces the general model of reliability allocation based on IMs and several relationships among IMs; the relationship between reliability allocation based on cost optimization and IMs is also discussed. Section 4 analyzes a simple case to illustrate the use of the model of Sect. 3. Section 5 provides some remarks and conclusions.

© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 441–454, 2020. https://doi.org/10.1007/978-981-15-1876-8_44
2 Why Reliability Allocation Based on Importance Measures Is Needed?

2.1 A Simple Example
Let’s consider a very simple example first. Figure 1 shows a very simple system composed of component 1 and component 2 in parallel. Let R be the risk of the system, x1 the mean failure probability of component 1 and x2 the mean failure probability of component 2. We assume that component 1 and component 2 are independent of each other. Then the risk of the system is easily obtained by Eq. (1):

$$R = x_1 x_2 \qquad (1)$$

[Figure 1: two parallel components, labelled 1 and 2.]
Fig. 1. A simple system with two parallel components.
The partial derivative (PD) importance measure [12] of component 1 is given by Eq. (2):

$$PD(x_1) = \frac{\partial R}{\partial x_1} = x_2 \qquad (2)$$

And the PD importance measure of component 2 is given by Eq. (3):

$$PD(x_2) = \frac{\partial R}{\partial x_2} = x_1 \qquad (3)$$
We assume there are two situations of the system, which are listed in Table 1.

Table 1. The parameters of the two situations

Situation   x1    x2    R      PD(x1)   PD(x2)
1           0.1   0.9   0.09   0.9      0.1
2           0.3   0.3   0.09   0.3      0.3
At the system level, the two situations are identical: the risks of both are 0.09. But Table 1 also shows that the two situations differ significantly in importance measures. In situation 1, $PD(x_2) > PD(x_1)$, which means that component 2 is much more important than component 1, while in situation 2 component 1 and component 2 have equal PD. Now a difficulty appears. If you are a system designer, which situation of this system will you choose from the viewpoint of the partial derivative importance measure? When considering the maintenance frequency of the system, you may prefer situation 2, because in situation 1 you would tire yourself out fixing the system all the time. So which situation is better? It may depend on many factors, such as the system operational environment, the maintenance strategy or even your personal preferences.

2.2 One Fact
From the discussion in Sect. 2.1, no matter which situation you choose, one fact seems always true: the systems in situations 1 and 2 differ in their IMs. Because of these differences, different activities such as maintenance strategy and human actions should be taken, and these differences are crucial for risk-informed decision making.

2.3 An Idea
The differences truly exist and may make the options differ from each other, and there must be one option better than the rest, so we can choose a better one for our system. It may be easy when we face only two options. But if there are hundreds or thousands of options, how do we select the right situation, and moreover, how can we find the best one among infinitely many options? In this case, we should formulate a rule that tells us what is better, and following this rule we can find the optimal option. So what can we actually do? We formulate a rule for the IMs we want, and following the rule we can decide the failure probability or reliability of every component in the system under the constraint of the system risk. This means that we are dealing with the problem of reliability allocation based on importance measures, which is the problem this paper focuses on. To our knowledge, it has never been introduced before.
3 The Model of Reliability Allocation Based on Importance Measures

3.1 The General Model
In Sect. 2, we discussed the necessity of dealing with the problem of reliability allocation based on IMs. The purpose of this section is to formulate the general framework of reliability allocation based on importance measures. Let R be the risk metric of the safety system, I(x_i) the generic importance measure of component i, f(·) the generic relationship among the IMs, x_i the failure probability of component i, r_i the reliability of component i, which equals 1 − x_i, low_i the lower bound of the failure probability of component i and up_i the upper bound of the failure probability of component i. The general framework can be expressed as

$$f(I(x_1), I(x_2), \ldots, I(x_n)), \qquad (4)$$

under the constraint

$$\begin{cases} g(x_1, x_2, \ldots, x_n) = R, \\ low_i < x_i < up_i,\ i = 1, 2, \ldots, n, \\ 0 < low_i \le up_i < 1, \\ r_i = 1 - x_i. \end{cases} \qquad (5)$$

I(x_i) is the generic importance measure of component i, such as the partial derivative (PD), risk reduction (RR), Fussell-Vesely (FV), risk reduction worth (RRW), criticality importance (CI) and differential importance measure (DIM), which are extensively studied in the literature [12–15]. In practice, which one should be applied depends on the purpose of the designer. low_i and up_i must be strictly greater than 0 and less than 1, and their exact values depend on the system requirements or the purpose of the designer. The form of the generic relationship f(·) also depends on the designer; some forms of f(·) are discussed in Sect. 3.2.
3.2 The Forms of f(·)
The forms of $f(\cdot)$ vary with the relationship among the IMs of the components, which depends on the purpose of the designer. In this section we discuss some of these relationships: minimum sum, minimum variance, fixed order and equivalence of the IMs.

• Minimum sum. It can be expressed as

$$f\big(I(x_1), I(x_2), \ldots, I(x_n)\big) = \min \sum_{i=1}^{n} I(x_i) \qquad (6)$$
• Minimum variance. Sometimes we want the IMs of the components to be close to each other, and then the minimum variance of the IMs is needed. We can express the relationship as

$$f\big(I(x_1), I(x_2), \ldots, I(x_n)\big) = \min \sum_{i=1}^{n} \frac{\big(I(x_i) - \bar{I}\big)^2}{n} \qquad (7)$$

where $\bar{I} = \dfrac{1}{n}\sum_{i=1}^{n} I(x_i)$ is the average of the IMs.
• Fixed order. A system may have many components, and we may consider some components more important than others. Then a fixed order of the component IMs is needed. We can express the relationship as

$$I(x_1) > I(x_2) > \ldots > I(x_n) \qquad (8)$$
As Eq. (8) is a qualitative relationship among the IMs, it has infinitely many solutions, and which solution should be used depends on the requirements of the system designer or on extra rules.

• Equivalence. It can be expressed as

$$f\big(I(x_1), I(x_2), \ldots, I(x_n)\big) = I(x_1) = I(x_2) = \ldots = I(x_n) \qquad (9)$$
When all IMs are equal to each other, the relationship of minimum variance is also satisfied, so equivalence of the IMs is the special case in which the minimum variance equals zero. The equivalence relationship cannot always be met because of the constraint $0 < x_i < 1$, but it is still worth discussing separately: equivalence is much easier to handle than minimum variance, and if we can make sure the IMs meet it, solving the model is greatly simplified.

• Other relationships. In this section we have discussed four relationships among IMs; there may be many others, depending on the purpose of the designer. However, the functional form of some relationships, and the relations between the different forms, are not yet clearly understood, so further research on these points is needed.
4 Relation with Conventional Models of Reliability Allocation

4.1 Traditional Models of Reliability Allocation
Existing methods of reliability allocation fall roughly into two categories [16]: (1) use weighting coefficients to distribute the target value of the overall reliability over the components of the system [17, 18]; (2) use optimization techniques to solve redundancy allocation [19], minimization of system cost subject to a reliability constraint [13–15], maximization of system reliability under a cost constraint [10, 11], or, more generally, system reliability optimization [20]. Let $C_{min}$ be the minimum cost to attain $R$. The problem can be expressed as

$$C_{min} = \min \left( \sum_{i=1}^{n} c_i(x_i) \right) \qquad (10)$$

under the constraint

$$\begin{cases} g(x_1, x_2, \ldots, x_n) = R, \\ low_i < x_i < up_i, \quad i = 1, 2, \ldots, n, \\ 0 < low_i \le up_i < 1, \\ r_i = 1 - x_i. \end{cases} \qquad (11)$$

4.2 Cost-Related Importance Measure
Before discussing the relationship between reliability allocation based on IMs and allocation based on optimal cost, let us first review the cost-related importance measure (CIM) [21]. CIM can be used to obtain cost-related information about the importance of proposed changes that affect component properties. The definition of CIM is

$$CIM(x_i) = \frac{\dfrac{PD(x_i)}{c_i'(x_i)}\, dc_i}{\displaystyle\sum_{k=1}^{n} \dfrac{PD(x_k)}{c_k'(x_k)}\, dc_k} \qquad (12)$$
where $c_i(x_i)$ is the cost function of component $i$, $x_i$ is the mean failure probability, $PD(x_i) = \partial R(x_i)/\partial x_i$ is the partial-derivative IM, and $dc_i = c_i(x_i + \Delta x_i) - c_i(x_i)$ is the change of the cost of component $i$. The CIM has the following properties.

Property 1. CIMs are additive: the joint CIM of a set of components is the sum of the individual CIMs. Suppose the group is composed of components $i, j, \ldots, p$. The CIM of the group is

$$CIM(x_i, x_j, \ldots, x_p) = CIM(x_i) + CIM(x_j) + \ldots + CIM(x_p) \qquad (13)$$

Property 2. The sum of the CIMs of all components equals unity, that is,

$$CIM(x_1, x_2, \ldots, x_n) = \sum_{k=1}^{n} CIM(x_k) = 1 \qquad (14)$$

Property 3. Consider uniform changes in the parameters (C1), i.e.

$$(C1)\quad dc_i = dc_j \quad \forall\, i, j \qquad (15)$$
If Eq. (15) holds, then

$$CIM(x_i) = \frac{\dfrac{PD(x_i)}{c_i'(x_i)}}{\displaystyle\sum_{k=1}^{n} \dfrac{PD(x_k)}{c_k'(x_k)}} \qquad (16)$$
Under C1, CIM measures the parameter importance due to a small change that is the same for all components.

Property 4. Consider uniform percentage changes in the parameters (C2), i.e.

$$(C2)\quad \frac{dc_i}{c_i(x_i)} = \frac{dc_j}{c_j(x_j)} \quad \forall\, i, j \qquad (17)$$
If Eq. (17) holds, then

$$CIM(x_i) = \frac{\dfrac{PD(x_i)}{c_i'(x_i)}\, c_i(x_i)}{\displaystyle\sum_{k=1}^{n} \dfrac{PD(x_k)}{c_k'(x_k)}\, c_k(x_k)} \qquad (18)$$

Under C2, CIM changes the parameters by the same percentage and ranks them according to the effect on $R$.

4.3 Relationship of the Two Reliability Allocation Methods
In this subsection we consider the relationship between reliability allocation based on IMs and allocation based on optimal cost. Consider $c_i(x_i)$, the cost function of component $i$, where $x_i$ denotes the failure probability. Three reasonable conditions are imposed on $c_i$: (1) $c_i$ is a positive definite function; (2) $c_i$ is non-increasing in $x_i$; (3) $c_i$ increases rapidly as $x_i$ gets close to 0, that is, as the component is made nearly perfect. We find that reliability allocation based on optimal cost is a special case of reliability allocation based on IMs, namely the case in which CIM is taken as the IM and the CIMs have minimum variance. The problem (P1) of reliability allocation based on optimal cost can be expressed as

$$C_{min} = \min \left( \sum_{i=1}^{n} c_i(x_i) \right) \qquad (19)$$

under the constraint

$$\begin{cases} g(x_1, x_2, \ldots, x_n) = R, \\ 0 < x_i < 1, \quad i = 1, 2, \ldots, n, \\ r_i = 1 - x_i. \end{cases} \qquad (20)$$
where $C_{min}$ is the minimum cost of the system under the risk constraint $R$. The problem (P2) of reliability allocation based on minimum variance of the CIMs can be expressed as

$$H_{min} = \min \sum_{i=1}^{n} \frac{\big(CIM(x_i) - \overline{CIM}\big)^2}{n} \qquad (21)$$

under the constraint

$$\begin{cases} g(x_1, x_2, \ldots, x_n) = R, \\ 0 < x_i < 1, \quad i = 1, 2, \ldots, n, \\ r_i = 1 - x_i. \end{cases} \qquad (22)$$
P1 and P2 are the same problem, as we prove in the following discussion. To solve P1 we can use the Lagrange method. The optimization problem is equivalent to finding the minimum of

$$F(x_1, x_2, \ldots, x_n, h) = \sum_{i=1}^{n} c_i(x_i) + h\big(R - g(x_1, x_2, \ldots, x_n)\big). \qquad (23)$$
It can be solved by solving

$$\begin{cases} \dfrac{\partial F(x_1, x_2, \ldots, x_n, h)}{\partial x_i} = 0, \quad i = 1, 2, \ldots, n, \\[6pt] \dfrac{\partial F(x_1, x_2, \ldots, x_n, h)}{\partial h} = 0. \end{cases} \qquad (24)$$
The solution is

$$\begin{cases} c_i'(x_i) - h\, \dfrac{\partial g(x_1, x_2, \ldots, x_n)}{\partial x_i} = 0, \quad i = 1, 2, \ldots, n, \\[6pt] g(x_1, x_2, \ldots, x_n) = R. \end{cases} \qquad (25)$$
Then, since $\partial g/\partial x_i = PD(x_i)$,

$$h^{-1} = \frac{PD(x_i)}{c_i'(x_i)} \qquad (26)$$
We find that $h$ is a constant, so Eq. (27), the relationship among the CIMs under C1, can be derived from Eqs. (16) and (26):

$$CIM(x_1) = CIM(x_2) = \ldots = CIM(x_n) = \frac{h^{-1}}{n\, h^{-1}} = \frac{1}{n} \qquad (27)$$
Equation (27) is also the solution of P2, because $H_{min}$ equals 0, the smallest possible variance, exactly when all the CIMs are equal. So in this case reliability allocation based on optimal cost is a special case of reliability allocation based on IMs. This is a very meaningful result: it lets us consider the reliability allocation problem with optimum cost from the viewpoint of the problem based on IMs. Moreover, the reliability allocation problem based on IMs is the more general one.
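As an added numerical check of the argument in this subsection (example code written for this page, not the paper's), the following Python script takes a series system whose rare-event risk is $g(x) = \sum_i x_i$, so that $PD(x_i) = 1$ for every component, together with hypothetical cost functions $c_i(x_i) = a_i / x_i$ (positive and non-increasing in $x_i$; my assumption, not the paper's). It solves P1 in closed form through the Lagrange condition of Eq. (25), evaluates the CIMs of Eq. (16) at the solution, and confirms that they all equal $1/n$ with variance $H = 0$, while another feasible allocation has both a higher cost and a positive $H$.

```python
# Added example (not from the paper): checking Sect. 4.3 on a series system.
# Assumptions (mine): rare-event risk g(x) = sum(x_i), hence PD(x_i) = 1 for every
# component, and hypothetical cost functions c_i(x_i) = a_i / x_i, which are positive
# and non-increasing in the failure probability x_i.
from math import sqrt


def pd_series(x):
    """PD(x_i) = dR/dx_i for R = sum(x_i): every component has importance 1."""
    return [1.0] * len(x)


def cost(a, x):
    """Total cost sum_i c_i(x_i) with c_i(x_i) = a_i / x_i."""
    return sum(ai / xi for ai, xi in zip(a, x))


def dcost(a, x):
    """c_i'(x_i) = -a_i / x_i**2 (negative: cost falls as the failure probability rises)."""
    return [-ai / xi ** 2 for ai, xi in zip(a, x)]


def cim_c1(pd, dc):
    """Eq. (16): CIM under uniform changes C1, PD(x_i)/c_i'(x_i) normalised to sum to 1."""
    w = [p / d for p, d in zip(pd, dc)]
    total = sum(w)
    return [wi / total for wi in w]


def variance(values):
    """Mean squared deviation from the average, as in Eq. (21)."""
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def optimal_cost_allocation(a, risk):
    """P1 solved with the Lagrange condition of Eq. (25): c_i'(x_i) = h * PD(x_i).
    With PD = 1 this gives a_i / x_i**2 = const, so x_i is proportional to sqrt(a_i);
    the common factor is fixed by the constraint sum(x_i) = risk."""
    roots = [sqrt(ai) for ai in a]
    scale = risk / sum(roots)
    return [scale * r for r in roots]


def cim_variance(a, x):
    """H of Eq. (21) at allocation x: zero exactly when all CIMs are equal (Eq. 27)."""
    return variance(cim_c1(pd_series(x), dcost(a, x)))


def feasible_perturbations_raise_cost(a, x, eps=1e-6):
    """Move probability eps between every pair of components (sum(x) unchanged) and
    confirm that no move lowers the cost: a local-minimum check for P1."""
    base = cost(a, x)
    for i in range(len(x)):
        for j in range(len(x)):
            if i != j:
                y = list(x)
                y[i] += eps
                y[j] -= eps
                if cost(a, y) < base:
                    return False
    return True


def demo():
    a, risk = [1.0, 4.0, 9.0], 1e-3          # hypothetical cost weights and risk target
    x_opt = optimal_cost_allocation(a, risk)  # P1 solution
    x_even = [risk / len(a)] * len(a)         # feasible but not cost-optimal
    return {
        "x_opt": x_opt,
        "cim_opt": cim_c1(pd_series(x_opt), dcost(a, x_opt)),
        "cost_opt": cost(a, x_opt),
        "cost_even": cost(a, x_even),
        "H_opt": cim_variance(a, x_opt),
        "H_even": cim_variance(a, x_even),
        "opt_is_local_min": feasible_perturbations_raise_cost(a, x_opt),
        "even_is_local_min": feasible_perturbations_raise_cost(a, x_even),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The cost-optimal allocation gives every component the same CIM, $1/3$ here, so $H = 0$ and the allocation is both the P1 and the P2 solution; the equal-split allocation meets the same risk target at higher cost and with unequal CIMs, which is the direction the inequality in Eq. (27) predicts.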
5 Case Study

The control system is the brain of a nuclear facility. Reliability is a key factor in the system and device design of a control system, and the system and devices need to be designed carefully to achieve high availability. This section demonstrates that the method proposed in this paper can be used to allocate reliability to different parts suitably without any iterative process. The basic structure of a typical control cabinet is shown in Fig. 2. It is composed of controllers, a power supply component and N I/O components. Two controllers work in a mutually redundant way. A controller contains different components, such as a power board, a network interface controller (NIC), a redundancy supporting module and the central processing unit (CPU) board. The power supply component is also composed of two redundant power modules, which provide power simultaneously and are mutually redundant. Each I/O component contains a coupler module and $M_j$ I/O modules. The I/O modules connect to different field devices and sensor transmitters respectively. The fault tree of the control cabinet is given in Fig. 3. The top event of the control cabinet is the failure of the control function, which can be caused by power supply failure, failure of the controllers and failure of the I/O modules. The related symbols and the basic events (BEs) are described in Tables 2 and 3 respectively.
[Figure: structure of the control cabinet. Power supply component (Power Module 1, Power Module 2); dual redundant controller (Controller 1 and Controller 2, each with Power Board, NIC, CPU Board and Redundancy Supporting Module, linked by Heartbeat and Data Sync); N I/O components, each a Coupler with $M_1, \ldots, M_N$ I/O Modules.]
Fig. 2. The structure of the control cabinet.
[Figure: fault tree of the control cabinet. Top event with intermediate events E1, E2, E3, E4, E5 and E0j (j = 1, …, N, the j-th I/O component); basic events X1 to X10, $Y_{j0}$ and $Y_{j1}, \ldots, Y_{jM_j}$ (the $M_j$ I/O modules).]
Fig. 3. The fault tree of the control cabinet.
Table 2. List of the symbols related to the BEs of the control cabinet

NO. | BE  | Meaning
1   | X1  | Power module 1 fails
2   | X2  | Power module 2 fails
3   | X3  | The CPU board of controller 1 fails
4   | X4  | The power board of controller 1 fails
5   | X5  | The NIC of controller 1 fails
6   | X6  | The redundancy supporting module of controller 1 fails
7   | X7  | The CPU board of controller 2 fails
8   | X8  | The power board of controller 2 fails
9   | X9  | The NIC of controller 2 fails
10  | X10 | The redundancy supporting module of controller 2 fails
11  | Yj0 | The coupler of the j-th I/O component fails
12  | Yji | The i-th I/O module of the j-th I/O component fails
Table 3. List of the events for the control cabinet.

NO. | Event | Meaning
1   | E1    | Control cabinet loses power
2   | E2    | The dual redundant controller fails
3   | E5    | One of the two redundancy supporting modules fails
4   | E3    | Controller 1 fails
5   | E4    | Controller 2 fails
6   | E0j   | The j-th I/O component fails
The minimal cut sets (MCS) are {X1, X2}, {X3, X7}, {X3, X8}, {X3, X9}, {X4, X7}, {X4, X8}, {X4, X9}, {X5, X7}, {X5, X8}, {X5, X9}, {X6}, {X10}, {Y10}, {Y20}, …, {YN0}, $\{Y_{11}, Y_{12}, \ldots, Y_{1M_1}\}$, $\{Y_{21}, Y_{22}, \ldots, Y_{2M_2}\}$, …, $\{Y_{N1}, Y_{N2}, \ldots, Y_{NM_N}\}$. The system unavailability $R$, as a function of the component failure probabilities, is written (using the rare-event approximation) as

$$R = x_1 x_2 + x_3 x_7 + x_3 x_8 + x_3 x_9 + x_4 x_7 + x_4 x_8 + x_4 x_9 + x_5 x_7 + x_5 x_8 + x_5 x_9 + x_6 + x_{10} + \sum_{j=1}^{N} \left( y_{j0} + \prod_{i=1}^{M_j} y_{ji} \right) \qquad (28)$$

We assume the system unavailability $R = 10^{-5}$.
The reliability allocation problem based on minimum variance of the PD importance measure can be expressed as

$$\min\ \frac{\displaystyle\sum_{i=1}^{10}\big(PD(x_i) - \overline{PD}\big)^2 + \sum_{j=1}^{N}\sum_{i=0}^{M_j}\big(PD(y_{ji}) - \overline{PD}\big)^2}{10 + \displaystyle\sum_{j=1}^{N}(1 + M_j)} \qquad (29)$$

under the constraint

$$\begin{cases} R(x_1, \ldots, x_{10}, y_{10}, \ldots, y_{NM_N}) = 10^{-5} \ \text{(Eq. 28)}, \\ 10^{-6} < x_i < 10^{-3}, \quad i = 1, 2, \ldots, 10, \\ 10^{-6} < y_{ji} < 10^{-3}, \quad j \in [1, N],\ i \in [0, M_j], \\ r_i = 1 - x_i, \quad i = 1, 2, \ldots, 10, \\ r_{ji} = 1 - y_{ji}, \quad j \in [1, N],\ i \in [0, M_j], \end{cases}$$

where $\overline{PD}$ is the average of the PD values over all $10 + \sum_{j=1}^{N}(1 + M_j)$ basic events. The bounds are written here with the one pair of values that is legible in the source, $10^{-6}$ and $10^{-3}$; the original lists separate bound lines for $x_1, x_2$, for $x_3, \ldots, x_{10}$, for $y_{j0}$ and for $y_{ji}$, whose values are not recoverable here.
The problem can be solved by a nonlinear programming method; the resulting failure probabilities of the BEs are given in Table 4. The IMs of the BEs, shown as logarithms, are plotted in Fig. 4. The BEs $Y_{j0}$ and $Y_{ji}$ have the highest importance measures, as they have no redundant counterparts. The BEs X6 and X10 also have higher importance measures than the other BEs, because when a redundancy supporting module fails the controllers lose their redundancy and may conflict, with both controllers working in the master state. The results in Table 4 also show that the components with higher importance measures are allocated higher reliability indices. The results of this typical example show that the proposed method can allocate reliability suitably to different components quantitatively. Moreover, in a practical project, a system designer can flexibly choose a different IM (e.g. CIM) according to the particular problem.
Table 4. Probability of BEs allocated based on PD.

NO. | BE  | Mean failure probability (1 − r_i)
1   | X1  | 1.00 × 10^−5
2   | X2  | 1.00 × 10^−5
3   | X3  | 1.00 × 10^−5
4   | X4  | 2.00 × 10^−5
5   | X5  | 2.00 × 10^−5
6   | X6  | 2.00 × 10^−6
7   | X7  | 1.00 × 10^−5
8   | X8  | 2.00 × 10^−5
9   | X9  | 2.00 × 10^−5
10  | X10 | 2.00 × 10^−6
11  | Yj0 | 1.43 × 10^−6
12  | Yji | 1.68 × 10^−6
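The following Python script, added here as a worked example and not part of the paper, builds the minimal cut sets listed above for assumed values $N = 4$ and $M_j = 8$ (the paper does not state them), evaluates $R$ of Eq. (28) at the Table 4 allocation, and computes the partial-derivative importance $PD(x_i) = \partial R / \partial x_i$ of every basic event analytically from the cut sets rather than by numerical differentiation. With these assumed $N$ and $M_j$ the allocation gives $R \approx 9.72 \times 10^{-6}$, and the basic events that form single-element cut sets (X6, X10 and the couplers $Y_{j0}$) all have $PD = 1$, the highest value, while X3 has $PD = x_7 + x_8 + x_9$.

```python
# Added example (not from the paper): system unavailability of the control cabinet under
# the rare-event approximation (Eq. 28) and the partial-derivative importance PD(x_i) =
# dR/dx_i of every basic event, built from the minimal cut sets listed above. N = 4 I/O
# components with M_j = 8 modules each are assumed values, not the paper's.
from math import prod


def cabinet_cut_sets(n_io, modules):
    """Minimal cut sets of the control-cabinet fault tree as tuples of basic-event names.
    modules[j-1] is M_j, the number of I/O modules in the j-th I/O component."""
    mcs = [("X1", "X2")]                                                      # both power modules
    mcs += [(a, b) for a in ("X3", "X4", "X5") for b in ("X7", "X8", "X9")]  # both controllers
    mcs += [("X6",), ("X10",)]                                                # a redundancy supporting module
    for j in range(1, n_io + 1):
        mcs.append((f"Y{j}_0",))                                              # coupler of I/O component j
        mcs.append(tuple(f"Y{j}_{i}" for i in range(1, modules[j - 1] + 1)))  # all its I/O modules
    return mcs


def unavailability(mcs, p):
    """R = sum over minimal cut sets of the product of the members' failure probabilities."""
    return sum(prod(p[e] for e in c) for c in mcs)


def pd_importance(mcs, p):
    """PD(x_i) = dR/dx_i. R is multilinear in the probabilities, so the derivative with
    respect to event i is the sum, over the cut sets containing i, of the product of the
    other members' probabilities."""
    pd = {e: 0.0 for e in p}
    for c in mcs:
        for e in c:
            pd[e] += prod(p[o] for o in c if o != e)
    return pd


def table4_probabilities(n_io, modules):
    """Allocated failure probabilities from Table 4, with Y_j0 = 1.43e-6 and Y_ji = 1.68e-6
    applied to every I/O component j and module i."""
    p = {"X1": 1e-5, "X2": 1e-5, "X3": 1e-5, "X4": 2e-5, "X5": 2e-5, "X6": 2e-6,
         "X7": 1e-5, "X8": 2e-5, "X9": 2e-5, "X10": 2e-6}
    for j in range(1, n_io + 1):
        p[f"Y{j}_0"] = 1.43e-6
        for i in range(1, modules[j - 1] + 1):
            p[f"Y{j}_{i}"] = 1.68e-6
    return p


def rank_by_importance(pd):
    """Basic events ordered from highest to lowest PD; ties broken by name."""
    return sorted(pd, key=lambda e: (-pd[e], e))


def demo(n_io=4, modules_per_component=8):
    modules = [modules_per_component] * n_io
    mcs = cabinet_cut_sets(n_io, modules)
    p = table4_probabilities(n_io, modules)
    pd = pd_importance(mcs, p)
    return {"R": unavailability(mcs, p), "PD": pd, "ranking": rank_by_importance(pd)}


if __name__ == "__main__":
    result = demo()
    print(f"R = {result['R']:.4e}")
    for e in result["ranking"][:8]:
        print(f"{e:6s} PD = {result['PD'][e]:.3e}")
```

Changing `n_io` or `modules_per_component` in `demo()` shows how far the Table 4 figures are from the $10^{-5}$ target for other cabinet sizes; the coupler terms $y_{j0}$ dominate $R$ because each is a single-element cut set, whereas the AND cut set over all $M_j$ I/O modules of one component contributes a product of tiny probabilities.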
Fig. 4. PD importance measures of each BE
6 Conclusion

IMs play an important role in risk-informed applications: they provide useful information for risk-informed decision making. We propose that the relationship among IMs, which may affect risk-informed decision making, should be taken into account at the stage of system design. IMs should not only be used to analyse a system that has already been designed; they should also take part in the design process. By actively shaping the IMs during design, we benefit later when the implemented system is used in risk-informed decision making. To the best of our knowledge, traditional methods have not taken IMs into consideration during reliability allocation. In this paper the problem of reliability allocation based on IMs is proposed. The general model of the problem is formulated and the relationships among IMs are analysed. We also discuss the relationship between the traditional reliability allocation method based on optimum cost and the method based on IMs, and find that the former is a special case of the latter under certain conditions; in this respect, the model of reliability allocation based on IMs can replace the traditional model. Finally, a typical case is studied using the model, and we find that the proposed method can allocate reliability suitably to different components quantitatively. Moreover, no iterative process is needed.
References

1. Vesely, W., Apostolakis, G.: Developments in risk-informed decision-making for nuclear power plants. Reliability Eng. Syst. Saf. 223–224 (1999)
2. Zio, E., Podofillini, L.: Importance measures and genetic algorithms for designing a risk-informed optimally balanced system. Reliability Eng. Syst. Saf. 92(10), 1435–1447 (2007)
3. Podofillini, L., Zio, E.: Designing a risk-informed balanced system by genetic algorithms: comparison of different balancing criteria. Reliability Eng. Syst. Saf. 93(12), 1842–1852 (2008)
4. Vesely, W.: Principles of resource-effectiveness and regulatory effectiveness for risk-informed applications: reducing burdens by improving effectiveness. Reliability Eng. Syst. Saf. 283–292 (1999)
5. Use of probabilistic risk assessment methods in nuclear activities: final policy statement. Federal Register, US Nuclear Regulatory Commission, vol. 60, p. 42622 (Aug. 1995)
6. Caruso, M., Cheok, M., Cunningham, M., Holahan, G., King, T., Parry, G., et al.: An approach for using risk assessment in risk-informed decisions on plant-specific changes to the licensing basis. Reliability Eng. Syst. Saf. 231–242 (1999)
7. Cheok, M., Parry, G., Sherry, R.: Use of importance measures in risk-informed applications. Reliability Eng. Syst. Saf. 60, 213–226 (1998)
8. Charles, A., Chu, C.: Reliability allocation through cost minimization. IEEE Trans. Reliability 52(1), 106–111 (2003)
9. Kuo, W., Prasad, V.R.: An annotated overview of systems reliability optimization. IEEE Trans. Reliability 49(2), 176–187 (2000)
10. Lyu, M.R.: Optimal allocation of test resources for software reliability growth modeling in software development. IEEE Trans. Reliability 51(2), 183–192 (2002)
11. Yalaoui, A., Chu, C.B., Chatelet, E.: Reliability allocation problem in a series–parallel system. Reliability Eng. Syst. Saf. 90(1), 55–61 (2005)
12. Van der Borst, M., Schoonaker, H.: An overview of PSA importance measures. Reliability Eng. Syst. Saf. 72(3), 241–245 (2001)
13. Borgonovo, E., Apostolakis, G.E.: A new importance measure for risk-informed decision making. Reliability Eng. Syst. Saf. 72(2), 193–212 (2001)
14. Andrews, J.D.: Birnbaum and criticality measures of component contribution to the failure of phased missions. Reliability Eng. Syst. Saf. 93(12), 1861–1866 (2008)
15. Epstein, S., Rauzy, A.: Can we trust PRA? Reliability Eng. Syst. Saf. 88(3), 195–205 (2005)
16. Charles Elegbede, A.O., Chu, C.B., Adjallah, K.H., Yalaoui, F.: Reliability allocation through cost minimization. IEEE Trans. Reliability 52(1), 106–111 (2003)
17. Misra, K.B.: Reliability Analysis and Prediction. Elsevier (1992)
18. Nakagawa, Y., Nakashima, K.: A heuristic method for determining reliability allocation. IEEE Trans. Reliability 26(1), 31–38 (1977)
19. Billonnet, A.: Redundancy allocation for series-parallel systems using integer linear programming. IEEE Trans. Reliability 57(3), 507–516 (2008)
20. Kuo, W., Xu, Z., Lin, H.H.: Optimization limits in improving system reliability. IEEE Trans. Reliability 39(1), 51–60 (1990)
21. Xu, M., Zhao, W., Yang, X.: Cost-related importance measure. In: Proceedings of the IEEE International Conference on Information and Automation, pp. 644–649 (2011)
Discussion on Traceability Analysis Method of Safety Software in Nuclear Power Plants

Peng-Fei Gu, Ya-Nan He, Jian-Zhong Tang, and Wang-Ping Ye
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., 518172 Shenzhen, China
[email protected]
Abstract. Safety-grade software in nuclear power plants performs important safety functions, and the consequences are very serious once a failure occurs. To ensure the safety and reliability of such software, software verification and validation (V&V) over the entire life cycle is required by standards and regulations. Traceability analysis is an important V&V method, and using it correctly in engineering practice is one of the difficulties of software V&V. In the industry, requirements are often split into items according to document chapters and traceability analysis is then performed on those items. This leads to poor traceability results and is time consuming and labour intensive. Based on engineering experience, this paper discusses in detail the advantages and disadvantages of different requirement itemization methods, the main points of traceability analysis, and the relation between traceability analysis and other V&V tasks. Finally, an itemization method based on quality attributes is proposed, and an execution method and suggestions for traceability analysis are given, which provide a technical reference for the traceability analysis of safety software in nuclear power plants.

Keywords: Safety software · Requirements items · Software verification and validation · Traceability analysis
1 Introduction

With the progress of localization of nuclear power, much software and hardware equipment that was originally procured abroad has been changed to independent research and development. Because of the lack of experience in design, development and operation, the reliability of self-developed equipment has always been the focus of internal and external attention, especially for safety-critical equipment. The software required to perform safety functions is called safety-level software. The nuclear safety regulation "Nuclear Power Plant Design Safety Regulations" (HAF 102:2004) sets out requirements for the design and development of safety-grade software, including the technical means to ensure software quality and reliability. The nuclear safety guide "Computer-based Safety Critical System Software for Nuclear Power Plants" (HAD 102/16:2004) proposes a life cycle for safety-critical system software, which divides the design, development, operation and maintenance of such software into different stages, and details the general requirements and recommendations for system design and software development in terms of computer system requirements and design, and software requirements, design and implementation.

Safety-level software plays an important role in ensuring the safety of nuclear power plants, and it must be verified and validated before being put into use. Software V&V spans the whole life cycle of safety-level software, including user requirements, system requirements, software requirements, software design, software implementation, system integration and system validation. Traceability analysis is one of the important tasks of software V&V: it is an important means of ensuring that the final software correctly implements the expected functions without any unexpected functions. However, regulations and standards do not specify or recommend a particular implementation method for traceability analysis, which leads to very different methods and results. In engineering practice it has been found that itemizing the requirements according to chapters and then carrying out the traceability analysis has shortcomings, such as coarse granularity and poor traceability. On this basis, we propose a requirement itemization method based on quality attributes, explain its implementation steps, and finally form a reasonable, feasible and effective traceability analysis method.

This article contains six sections. The first is this introduction, covering the relevant background such as safety software development and V&V requirements and the status of traceability analysis. The second introduces software verification and validation, traceability analysis and requirement items, their relationships, and the related requirements. The third discusses requirement items and the advantages and disadvantages of different itemization methods. The fourth covers traceability analysis, combining the previous analysis to propose a traceability analysis procedure and examples. The fifth is a summary of the advantages and disadvantages of the proposed method and of future research directions. The sixth is the reference list.

© Springer Nature Singapore Pte Ltd. 2020
Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 455–462, 2020. https://doi.org/10.1007/978-981-15-1876-8_45
2 Software Verification and Validation

The development of safety-level software is generally based on the waterfall model. The relationship between the development stages is clear, and the transformation of software requirements between the stages needs to be correct and consistent. Software V&V ensures that the initial requirements of the software are consistent with the final implementation, i.e. that the development process and its results correctly implement the initial requirements. The relationship between software development and software V&V is shown in Fig. 1. As can be seen from the figure, software V&V ensures that each development step correctly implements the upstream requirements, which is a closed-loop control process. The standards for nuclear power plant safety-grade software V&V are mainly IEC 60880, IEC 62138 and IEEE 1012, of which IEEE 1012 is widely used for its better
[Figure: V-shaped life cycle. Left branch: requirements of nuclear power plant and system, computer system requirements, computer system design, software requirements, software design, software implementation, each step checked by verification (verification and analysis). Right branch: computer system integration, installation and debugging, operational and post-delivery modifications, checked by validation (validation when required).]
Fig. 1. Nuclear power plant safety critical system life cycle
operability [1–3]. IEEE 1012 divides software V&V into phases, such as concept V&V, requirements V&V, design V&V and implementation V&V, and each phase contains different V&V tasks. Traceability analysis is required in every V&V phase for software of integrity levels 2, 3 and 4 (the highest). Requirement items are the basis for performing traceability analysis. By subdividing the upstream and downstream development documents, several relatively independent requirements are obtained; for example, the software requirements phase is split into X requirement items and the software design phase into Y items, and X and Y are mapped forward and backward. A requirements trace matrix is then established.
3 Requirement Items

Because it is easy to operate, the method of itemizing requirements according to the chapter structure of the development document has been widely used. Development documents written by experienced developers in a standard format are suitable for itemization by chapter structure, because the content of each chapter is highly cohesive and loosely coupled [4]. However, owing to cost, schedule and technical constraints, an ideal development environment, that is, an experienced development team, is hard to come by. As a result, itemizing the requirements according to the chapter structure rarely achieves the desired effect.
The ideal case of itemizing documents according to the chapter structure is shown in Fig. 2: each upstream requirement is fully implemented, each downstream design is derived from an upstream requirement, and there is a clear one-to-one mapping between upstream and downstream.

[Figure: upstream items Requirement-1 … Requirement-5 each mapped to exactly one downstream item, Design-13 … Design-25.]
Fig. 2. Ideal traceability between upstream requirement and downstream design
When traceability analysis was actually performed with requirement items made according to the chapter structure, the requirement granularity was often too large. A requirement item split this way frequently contains a normal requirement together with redundant or useless information and content belonging to other requirements, and sometimes parts of several chapters have to be combined into one requirement, as shown in Fig. 3. There are forward and backward traces at each stage. Different designers write in different ways, so different testers divide the same file into different items. In general, if the division follows chapters, there is no detailed and feasible division rule to judge by: the unit of division may be a subsection, a section or a chapter, and the same requirement is likely to be spread over different chapters.

[Figure: Section X.x contains another requirement, a part of requirement A and some useless requirement; Section Y.y contains another requirement, another part of requirement A and some useless requirement; the two parts together form a complete requirement A.]
Fig. 3. Relationship between chapter structure and functional requirements

In this case the upstream SRS items have already been fixed; for example, SRS-03 contains three pieces of content and SRS-14 contains three pieces of content. Since the upstream item is fixed, a "one-to-many" correspondence to the downstream SDS items appears easily, and it is not a complete correspondence: for example, part of the requirement in SRS-03 corresponds to a part of SDS-12, which makes the traceability relationship mixed and unclear, and the items also carry redundant or useless information. If the SRS requirement in the figure is not subdivided further, the items appear to be traced on the surface, but the traceability relationship is not complete (Fig. 4). At this granularity the traceability relationship seen in the DOORS tool view looks complete, but it is actually incomplete and will lead to traceability failure [5].
[Figure: SRS-14 (requirement1, a part of requirement2, requirement3, useless info.) and SRS-03 (another part of requirement2, requirement4, useless info.) traced to SDS-12 (design for other requirement, design for requirement2, design for requirement1) and SDS-29 (design for requirement4, design for requirement3).]
Fig. 4. Actual traceability of upstream requirement and downstream design
4 Traceability Analysis Method

As shown in Fig. 5, a good method is, for the development document of each stage, first to sort out the requirements, then to optimize them, then to compile the requirement table, and finally to manage it with the DOORS tool. The process of splitting and merging can also be retained as a process record or analysis record, as a basis for upstream and downstream traceability. The separation, integration and refinement of requirements is the key point; on the one hand one can refer to regulatory standards or industry recommendations, and on the other hand to experience feedback from project development, such as how to itemize general requirements like the quality assurance level.
[Figure: five columns. The development documents (system technical specification, system design specification, software requirements specification, software design specification, software implementation) are each split and combined into requirement items (user requirements items, system requirements items, software requirements items, software design items, software implementation items), which are traced to one another; the concept, requirement, design and implementation phase V&V tasks each produce a V&V check list.]
Fig. 5. Development documentation, requirements entries, and V&V tasks
During traceability analysis, the V&V tasks of the corresponding stage can be performed, such as concept document evaluation and hazard analysis [6]. This not only covers the V&V tasks required by IEEE 1012, such as document evaluation, hazard analysis and traceability analysis, but also helps the itemization for traceability. It may also raise new problems. For example, the detailed requirements of the IEEE 1012 V&V tasks are difficult to reflect in the traceability process, because the requirement items at this point have not yet been optimized by the V&V personnel. IEEE 1012 does give a solution, such as having the concept document evaluation produce a "concept document evaluation report", but in engineering practice the V&V tasks of each stage overlap, and the ability of the V&V team, the professional competence of the designers, the understanding of each clause, and cost and time factors all limit how strictly the requirements of the standard can be enforced. The traceability method in Fig. 6 also has some problems to be solved; for example, some system requirements may not be reflected in the software requirements. System requirement 1 may be a hardware-related requirement; for the software, this requirement will never enter the software requirements, that is, it ends early (Fig. 6). Such items can be described with an "annotation" or similar in an itemization tool (such as DOORS), and traceability is still not affected.
[Figure: user requirement 1 traced to system requirements 1, 2 and 3; system requirements traced on to software requirements 1, 2 and 3 and software design 1, with trace links between levels.]
Fig. 6. Feature-based requirement items traceability
After the formal input document is ready, the steps for conducting traceability analysis are as follows:
1. Exclude content in the input document that is not related to quality attributes, such as overview and background descriptions;
2. Divide the content of the document according to quality attributes (such as function, performance, ease of use, reliability, etc.) and split it into independent requirements;
3. Consolidate the split requirements, deleting duplicates, to obtain the final requirement items;
4. Map forward and backward between upstream requirement items and downstream requirement items;
5. Find the defects of the mapping, such as upstream requirements that are not implemented downstream, or downstream items that have no design basis;
6. Produce the traceability relationship matrix and a list of questions, and form a test record.
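The following Python script, added as an example for steps 4 to 6 (it is not from the paper or from any V&V tool such as DOORS), builds the forward and reverse mapping from a constructed set of requirement items that have already been split by quality attribute, renders the traceability matrix, and reports the two defect classes of step 5 together with one-to-many mappings flagged for review. Item identifiers such as SRS-03-F1 and SDS-12-F1, the item texts and all link data are constructed sample data; the ENDS_EARLY set models the "annotation" suggested in Sect. 4 for a hardware-related requirement that does not continue downstream.

```python
# Added example (not from the paper): a small traceability checker for steps 4 to 6.
# All item identifiers, texts and links below are constructed sample data.
from collections import defaultdict

# Upstream (software requirements) items after splitting by quality attribute:
# id -> (quality attribute, text)
SRS_ITEMS = {
    "SRS-03-F1": ("function", "Trip signal is issued when the channel value exceeds the setpoint"),
    "SRS-03-F2": ("function", "Trip signal stays latched until manual reset"),
    "SRS-03-P1": ("performance", "Trip response time is within 100 ms"),
    "SRS-14-R1": ("reliability", "Each channel runs a self-test every processing cycle"),
    "SRS-14-H1": ("hardware", "Two independent power supply modules are provided"),
}

# Downstream (software design) items
SDS_ITEMS = {
    "SDS-12-F1": ("function", "Comparator module"),
    "SDS-12-F2": ("function", "Trip latch module"),
    "SDS-12-P1": ("performance", "Cycle time budget of the trip path"),
    "SDS-29-F9": ("function", "Diagnostic log buffer"),
}

# Forward links (upstream id, downstream id); the reverse mapping is derived from them
LINKS = [
    ("SRS-03-F1", "SDS-12-F1"),
    ("SRS-03-F1", "SDS-12-P1"),
    ("SRS-03-F2", "SDS-12-F2"),
    ("SRS-03-P1", "SDS-12-P1"),
]

# Upstream items annotated as ending early (here a hardware-related requirement)
ENDS_EARLY = frozenset({"SRS-14-H1"})


def trace_matrix(upstream, downstream, links):
    """Step 4: forward and reverse maps. Links to unknown items are rejected, not ignored,
    so a typo in an identifier cannot silently look like a satisfied trace."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for up, down in links:
        if up not in upstream or down not in downstream:
            raise KeyError(f"link {up} -> {down} refers to an unknown item")
        forward[up].add(down)
        reverse[down].add(up)
    return forward, reverse


def find_defects(upstream, downstream, links, ends_early=frozenset()):
    """Step 5: upstream items with no downstream implementation (unless annotated as
    ending early), downstream items with no design basis, and one-to-many mappings
    that the analyst should review for granularity."""
    forward, reverse = trace_matrix(upstream, downstream, links)
    return {
        "unimplemented": sorted(u for u in upstream if not forward[u] and u not in ends_early),
        "no_basis": sorted(d for d in downstream if not reverse[d]),
        "one_to_many": sorted(u for u in upstream if len(forward[u]) > 1),
    }


def matrix_rows(upstream, downstream, links):
    """Step 6: the traceability matrix as text rows, one per upstream item, with 'X'
    where a link exists and '-' otherwise."""
    forward, _ = trace_matrix(upstream, downstream, links)
    cols = sorted(downstream)
    rows = ["{:<12}".format("") + " ".join(f"{c:>10}" for c in cols)]
    for u in sorted(upstream):
        marks = " ".join(f"{'X' if c in forward[u] else '-':>10}" for c in cols)
        rows.append(f"{u:<12}" + marks)
    return rows


if __name__ == "__main__":
    print("\n".join(matrix_rows(SRS_ITEMS, SDS_ITEMS, LINKS)))
    print(find_defects(SRS_ITEMS, SDS_ITEMS, LINKS, ENDS_EARLY))
```

On the sample data the checker reports SRS-14-R1 as unimplemented, SDS-29-F9 as having no design basis, and SRS-03-F1 as one-to-many; the hardware item SRS-14-H1 is excluded from the unimplemented list only because it is annotated, which is the behaviour Sect. 4 asks for. Without the annotation set the same item is reported, so the annotation is a reviewed decision rather than a silent exception.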
5 Summary
The itemized splitting of development documents based on function conforms to the modular design idea, achieves a better traceability analysis effect, and thus plays a very good role in ensuring the quality of the software. A few suggestions that can be referenced in actual work in order to make better use of this method:
1. At the beginning of development, establish documentation requirements, and put forward specific requirements and recommendations for the development documents, such as modular design;
2. The V&V team intervenes as early as possible, conducting a joint review with the development team before each development document is published;
3. When the V&V team splits the requirements, the development team needs to cooperate so that the split is more reasonable.
References
1. Software Engineering Standards Committee of the IEEE Computer Society: IEEE Std 1012, IEEE Standard for Software Verification and Validation. Institute of Electrical and Electronics Engineers, New York (2004)
2. International Electrotechnical Commission: IEC 60880, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions (2006)
3. International Electrotechnical Commission: IEC 62138, Nuclear power plants - Instrumentation and control systems important for safety - Software aspects for computer-based systems performing category B or C functions (2004)
4. Ye, W.-P., Tang, J.-Z., Chen, W.-H., et al.: Analysis of the method of verifying and confirming software of nuclear safety digitized instrument control system. At. Energy Sci. Technol. 49(Suppl. 1), 377–381 (2015)
5. Gu, P.F., Wang, S.C., Chen, W.H., et al.: A study about safety I&C system software V&V in nuclear power plant. In: International Conference on Nuclear Engineering, V001T04A005 (2016)
6. Gu, P.F., Liu, Z.M., Liang, H.H., et al.: Evaluation measures about software V&V of the safety digital I&C system in nuclear power plant. In: Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2018)
The Application of LSTM Model to the Prediction of Abnormal Condition in Nuclear Power Plants
Jing-Ke She1(&), Shi-Yu Xue1, Pei-Wei Sun2, and Hua-Song Cao2
1 College of Computer Science and Electronic Engineering, Hunan University, Changsha 410000, China [email protected]
2 School of Energy and Power Engineering, Xi’an Jiaotong University, Xi’an 710049, China
Abstract. The Long Short-Term Memory (LSTM) model is investigated in this work as a proposed prediction method for abnormal conditions in Nuclear Power Plants (NPPs). Its advantage in processing long timeline data is utilized to overcome the limitation of the traditional Recurrent Neural Network (RNN). With the assistance of the Rolling Update (RU) method, the LSTM model is trained using historical NPP operation data to obtain the capability of predicting abnormal trends. This prediction ability is validated using simulated accident data, which demonstrates its prediction accuracy with a loss value of 3.7 × 10−6. Moreover, it is verified in this work that LSTM can predict the trends of accidents that belong to the same category but differ in certain parameters.
Keywords: Nuclear safety · Operation prediction · Deep learning · LSTM
1 Introduction
The large demand for clean and renewable energy during the boost of the Chinese economy has made the development of nuclear energy a must [1]. Nuclear safety, which is critical to NPP operation, is always paramount. The focus of most accomplished nuclear safety work is on the fast response of the safety control systems and their performance [2, 3]. In recent years, applying Artificial Intelligence (AI) methods to nuclear safety has gathered great attention [4]. Considering the enormous amount of historical data accumulated in the past decades, the nuclear industry does have the desire and support for conducting AI-based nuclear safety exploration. Since the traditional safety control measures are based on the “detect-respond” principle, control actions are taken only when an abnormal situation has been detected. Valuable time needed for protecting the plant is spent in the response process. On the other hand, it is hard for traditional statistical methods or neural networks to fetch effective features from the nonlinear data captured from abnormal processes. With the rise of the third wave of AI technology, deep learning turns out to be a possible solution for abnormal condition prediction in NPPs. Given the huge amount of historical data, the deep learning-based prediction method can be built on a firm base that guarantees adequate model training, parameter tuning, and model testing. The trained deep learning model can then predict the operation trends according to the real-time data. An abnormal condition prediction made in advance allows the safety systems to step in before actual accidents happen. Consequently, the safety margin of the plant is kept. The prediction method proposed in this paper is based on the deep learning principle. Once utilizing huge amounts of data became possible, deep learning made great achievements in multiple areas, such as computer vision, natural language processing, search engines, etc. It has been discovered that the Recurrent Neural Network (RNN) [5], as one of the classic deep learning methods, can effectively solve problems related to sequential data sets, which inspires research on making precise predictions with RNN for timeline-based processes. The LSTM model used in this work is a modified RNN [6]. It establishes the dependency between long timeline data sequences such that the model is more sensitive to deep features hidden in the huge historical data. Critical information is captured and kept within the model even when the process goes far along the timeline. These are the properties needed when making accurate predictions for nonlinear processes such as the abnormal conditions in NPPs.
© Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 463–476, 2020. https://doi.org/10.1007/978-981-15-1876-8_46
2 Prediction Methods: Past and Present
There have been different attempts to provide a prediction solution for abnormal conditions in NPPs. However, neither the traditional statistical one nor the basic RNN can fully address the issue of long timeline data dependency. The reason lies in their internal structures, which lack the ability to store and trace historical features. The LSTM model, on the other hand, was developed specifically for timeline data dependency, which gives it the advantage of producing more accurate prediction results.
2.1 A Traditional Statistical Attempt: Kalman Filter
There are multiple statistical ways to make future estimations using historical data. The accuracy of these estimations depends on two major factors: 1) an accurate model of the system for which the prediction is made; 2) adequate data values near the time step at which the “future estimation” is going to be decided. Rankin and Jiang offered a solution for reactor trip prediction using a Kalman filter [7]. The Kalman filter is a recursive filter for time-variant linear systems, described by differential equations that contain orthogonal state variables. It estimates the future error by combining and analyzing measurement errors from both past and present. With Rankin’s estimation, the estimated future trend allows the shutdown decision to be released one second prior to the conventional trip occurrence. Since the Kalman filter was proposed originally for linear systems, the trip prediction performance is limited.
2.2 Traditional RNN Attempts: Struggling Against the Timeline
Recurrent Neural Network, as shown in Fig. 1, is one of the neural networks used in AI applications. Differing from the Feed-forward Neural Network (FNN), RNN uses its internal memory to deal with various sequential inputs. However, as the recurrence increases, the parameter weights rise exponentially and the gradient vanishes [8]. When RNN is applied to prediction applications, it is difficult to capture the information connection within a long timeline.
[Figure: (a) Standard RNN with input x, memory cell C and output o, connected by weights U, W and V; (b) RNN unfolded by time into inputs x1 to x3, cells C0 to C4 and outputs o1 to o3]
Fig. 1. RNN structure. X, C, and o are input, memory cell, and output, respectively. U, W, and V are the corresponding weights used for internal computations.
Fang et al. constructed a traditional RNN model with two hidden layers to predict the electric current within a nonlinear microwave circuit [9]. Due to the natural limitation of RNN, the model lost the ability to retrieve information saved in the memory cell after a certain number of iterations. Zhang et al. made a data-reconstruction phase space using the Mackey-Glass equation [10]. An RNN model takes the reconstructed data from the phase space as inputs and generates the prediction for the next stage. The limitation of this work is that ideal results can only be obtained when the sample data is within three dimensions. As discussed, RNN keeps all the information from previous stages and passes it forward together with the current stage results. Within a short period, RNN takes advantage of the abundant information. But for a timeline that lasts long enough to cause a vanishing gradient, RNN loses the quality required for prediction purposes.
2.3 The LSTM Model: Keeping Critical Info for Prediction
In this section, the model and methods used in this work, including the LSTM model, the Rolling Update (RU) method for data set refinement, the normalization function, the Dropout method against over-fitting, and the Mean Squared Error (MSE) for result error estimation, are introduced in turn.
2.3.1 LSTM Model
Although the traditional RNN does have prediction ability, it cannot effectively learn long timeline sequential information due to limited memory and storage. The LSTM, however, enriches the traditional RNN by adding “gates” to its memory cell. These gates, namely the input gate, the forget gate, and the output gate, determine the proportion of the information transferred to the next stage, i.e. important information can last long during the recurrence while unnecessary information can be discarded right away. By this means, the LSTM model keeps information critical for condition prediction as long as needed. As a modified RNN model, LSTM consists of an input layer, multiple hidden layers, and an output layer. Memory cells in each layer contain the three gates mentioned above. A sigmoid function, as part of each gate, generates a value as the gate activation. The generated value ranges from 0 to 1, representing the percentage of transferred information. For example, a value 0.6 generated by the sigmoid function in the input gate indicates that 60% of the incoming information will be accepted by the current memory cell. Similarly, 0.6 at the forget gate leads to a discard percentage of 60%, and 0.6 at the output gate means 60% of the information in the current cell will be passed to the next stage. The LSTM structure is illustrated in Fig. 2.
Fig. 2. LSTM structure
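As an added illustration of the three gates described above (a constructed example, not code from the paper), the following single-unit cell in pure Python computes each gate activation with the sigmoid function and contrasts it with the plain RNN of Sect. 2.2: with zero gate weights each activation is just sigmoid(bias), so a forget gate near 1 carries the memory cell C unchanged over 100 steps while a plain RNN state decays. The standard Hochreiter and Schmidhuber formulation is used, in which the forget-gate activation multiplies the part of C that is kept; all weights, biases and inputs are constructed values.

```python
import math

def sigmoid(z):
    """Gate activation in (0, 1): the fraction of information let through."""
    return 1.0 / (1.0 + math.exp(-z))

def dot(w, v):
    return sum(a * b for a, b in zip(w, v))

def lstm_step(x, h_prev, c_prev, p):
    """One update of a single-unit LSTM cell (standard formulation).
    x: input vector; h_prev, c_prev: previous output and memory cell C;
    p: weights and biases, each gate seeing the concatenation [h_prev, x]."""
    z = [h_prev] + list(x)
    f = sigmoid(dot(p["wf"], z) + p["bf"])    # forget gate: fraction of C kept
    i = sigmoid(dot(p["wi"], z) + p["bi"])    # input gate: fraction of new info accepted
    g = math.tanh(dot(p["wg"], z) + p["bg"])  # candidate information from the input
    o = sigmoid(dot(p["wo"], z) + p["bo"])    # output gate: fraction passed on
    c = f * c_prev + i * g                    # linear interaction with C, no re-squashing
    h = o * math.tanh(c)
    return h, c, {"f": f, "i": i, "o": o}

def run_lstm(xs, p, h0=0.0, c0=0.0):
    """Feed a sequence through the cell; return C after each step."""
    h, c, cells = h0, c0, []
    for x in xs:
        h, c, _ = lstm_step(x, h, c, p)
        cells.append(c)
    return cells

def run_plain_rnn(xs, w, u, h0=0.0):
    """Sect. 2.2 contrast: a single-unit RNN h_t = tanh(w*h_{t-1} + u.x_t),
    whose only memory is repeatedly squashed and rescaled."""
    h, states = h0, []
    for x in xs:
        h = math.tanh(w * h + dot(u, x))
        states.append(h)
    return states

def make_params(n_in, bf, bi, bo=0.0, wg=None):
    """Constructed parameters (not trained values): zero gate weights, so each
    gate activation is simply sigmoid(bias); wg selects what enters the cell."""
    zeros = [0.0] * (1 + n_in)
    return {"wf": zeros, "bf": bf, "wi": zeros, "bi": bi,
            "wg": wg if wg is not None else zeros, "bg": 0.0,
            "wo": zeros, "bo": bo}

# Constructed demonstration: 100 steps of zero input after C was loaded with 0.8.
QUIET = [[0.0, 0.0]] * 100

if __name__ == "__main__":
    keep = run_lstm(QUIET, make_params(2, bf=30.0, bi=-30.0), c0=0.8)[-1]
    drop = run_lstm(QUIET, make_params(2, bf=-30.0, bi=-30.0), c0=0.8)[-1]
    rnn = run_plain_rnn(QUIET, 0.5, [0.0, 0.0], h0=0.8)[-1]
    print(f"forget gate near 1: C after 100 steps = {keep:.6f}")
    print(f"forget gate near 0: C after 100 steps = {drop:.2e}")
    print(f"plain RNN state after 100 steps = {rnn:.2e}")
```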
Within the LSTM, the actual inputs of the input gate, the output gate, and the forget gate are calculated using the input vector X and the related weights. The central memory unit C is responsible for saving the information needed for long timeline prediction, which makes C a crucial component of LSTM. The interaction between C and the other LSTM components is simply linear, such that the saved information remains stable for a considerable period. Therefore, the problem of gradient explosion or vanishing is avoided during training and testing.
2.3.2 Rolling Update Mechanism
Wang et al. applied RU to the prediction of electricity load, where it was demonstrated that the new data sets generated from RU are more typical for the application scenarios [11]. Figure 3 shows how the RU mechanism works.
Fig. 3. Rolling update mechanism
Data are in the table and the large rectangles represent the rolling windows. Consider the first input vector as D = [x(1), x(2), …, x(j), …, x(i)], where x(j) is the sequential value at moment j, i is the width of the rolling window, and the current time moment is s. Then the current input vector is Ds = [x(s−i+1), x(s−i+2), …, x(s)]. At time moment s+1, the input vector is updated to Ds+1 = [x(s−i+2), x(s−i+3), …, x(s+1)]. The rolling mechanism applies to every attribute of the input data, such that the data are kept in the original sequential order and updated to the appropriate sequential value in a timely manner. Experiments are conducted to test the benefits of the RU method, where the test vectors are generated in two different ways, i.e. with or without RU. The two test vectors are fed to the LSTM model separately and the loss values are compared in Table 1.
Table 1. Loss comparison with and without RU
Input vector    Loss
Without RU      0.012
With RU         0.0003
As can be seen, test vectors obtained by the RU method lead to a result with a much smaller loss value (0.0003) than the other one (0.012).
2.3.3 Data Normalization
When applied to deep learning, the data sets may not be suitable for the process being investigated. In this circumstance, the data sets need to be mapped into a range, normally [0, 1], in which the original data are scaled. With the normalized data sets, the model can still obtain the dependency between sequential data sets. Two major normalization methods are taken into consideration, Z-Score and MinMaxScaler. Both are widely used as effective normalization functions. The principle for choosing the right one for this work is whether it helps the model produce a more accurate prediction, i.e. a smaller loss value.
The normalization function is chosen via a comparative experiment, carried out by feeding two normalized data sets to the LSTM model and comparing the loss values of the results. The two data sets, each normalized by one of the two functions, are abnormal condition data from NPP accident simulations. The recommended method, as shown by the results in Table 2, is MinMaxScaler, due to a loss value far below that of Z-Score. It must be mentioned that the above comparison holds only for the specific case presented in this work; with different deep learning cases, the loss value comparison may differ.
Table 2. Loss comparison between normalization functions
Normalization function    Loss
Z-score                   0.76
MinMaxScaler              0.02
2.3.4 Dropout Method
A neural network model becomes over-fitted when it has many parameters to be trained while only a small training data set is available. In this case, no matter how well the model is trained, the test data set is going to cause a big loss value. In 2012, Hinton proposed the so-called “Dropout” method to prevent over-fitting during the model training process [12]. The Dropout method disables a certain amount (depending on the model and data set size) of the feature detectors in the neural network, such that the interaction between these detectors is reduced. In other words, the generalization of the trained network increases and the model is more independent of local features. The accuracy and robustness of the model are then enhanced. The principle diagram of Dropout is provided in Fig. 4 below, where a standard neural network is presented on the left side and a network using the Dropout method is shown on the right. The figure illustrates the basic principle of Dropout, i.e. a certain proportion of the neural cells, normally the feature detectors, are randomly disabled to reduce the cell interactions. In this work, the proportion is set to 20%.
[Figure: (a) Standard Neural Network; (b) Dropout-based Neural Network]
Fig. 4. The principle diagram of dropout
2.3.5 MSE The Mean Squared Error (MSE) is a statistical benchmark used to describe the difference between the estimation and the real value. Since it is convenient to estimate the “average error”, this work uses MSE for the result evaluation. The error between the original value and the predicted value is calculated by MSE, which is the “loss value” used as the performance benchmark for the LSTM model.
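Added example, not from the paper: a pure-Python version of the three data-handling steps of Sects. 2.3.2, 2.3.3 and 2.3.5, i.e. the rolling window Ds = [x(s−i+1), …, x(s)] paired with a future target, column-wise MinMaxScaler and Z-Score normalization, and the MSE loss, plus a persistence baseline (predict x(s+1) = x(s)) against which a trained model's loss can be judged. The window width, prediction horizon and the sample series are assumptions; the paper does not state the settings that produced its own data set shape.

```python
import math

# Constructed sample data set: 12 time steps of 2 attributes (not NPP data).
SAMPLE_ROWS = [[float(t), 100.0 - 5.0 * t] for t in range(12)]

def min_max_scale(column):
    """MinMaxScaler: map one attribute onto [0, 1]; a constant column maps to 0."""
    lo, hi = min(column), max(column)
    if hi == lo:
        return [0.0] * len(column)
    return [(v - lo) / (hi - lo) for v in column]

def z_score(column):
    """Z-Score: zero mean and unit (population) standard deviation."""
    n = len(column)
    mean = sum(column) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in column) / n)
    if sd == 0.0:
        return [0.0] * n
    return [(v - mean) / sd for v in column]

def normalize(rows, method="minmax"):
    """Apply the chosen scaler to every attribute (column) of rows[t][k]."""
    scaler = min_max_scale if method == "minmax" else z_score
    columns = [scaler(list(col)) for col in zip(*rows)]
    return [list(r) for r in zip(*columns)]

def rolling_update(rows, width, horizon=1):
    """RU mechanism: for each moment s, Ds = [x(s-i+1), ..., x(s)] with i = width,
    paired with x(s+horizon), the value the model is asked to predict.
    Returns (windows, targets); windows has shape (N, width, attributes) with
    N = len(rows) - width - horizon + 1, and every attribute keeps its order."""
    if width < 1 or horizon < 1:
        raise ValueError("width and horizon must be positive")
    windows, targets = [], []
    for s in range(width - 1, len(rows) - horizon):
        windows.append([list(r) for r in rows[s - width + 1:s + 1]])
        targets.append(list(rows[s + horizon]))
    return windows, targets

def mse(actual, predicted):
    """Mean Squared Error, the loss value used as the benchmark in the paper."""
    if not actual or len(actual) != len(predicted):
        raise ValueError("need two non-empty sequences of equal length")
    return sum((a - p) ** 2 for a, p in zip(actual, predicted)) / len(actual)

def persistence_loss(rows, width, feature, horizon=1):
    """Loss of the trivial predictor x(s+horizon) = x(s) for one attribute.
    A trained model should reach a loss well below this baseline."""
    windows, targets = rolling_update(rows, width, horizon)
    predicted = [w[-1][feature] for w in windows]
    actual = [t[feature] for t in targets]
    return mse(actual, predicted)

if __name__ == "__main__":
    scaled = normalize(SAMPLE_ROWS, "minmax")
    windows, targets = rolling_update(scaled, width=3)
    print(len(windows), "windows of width 3; persistence baseline loss:",
          persistence_loss(scaled, 3, feature=0))
```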
3 Experiment Preparation: Data, Parameters, and Training
Two scenarios are investigated in this work to examine the prediction performance of the LSTM model. The pressure adjustment process of a Steam Generator (SG) is chosen for a performance comparison between the traditional RNN and LSTM. System behavior after a small Loss of Coolant Accident (LOCA) is also illustrated with the prediction from the LSTM model. Furthermore, during the investigation of the small LOCA, an LSTM model trained using the data set from the 7 mm-break case is used to predict the system condition after an 8 mm-break LOCA. The adaptation of the LSTM model to similar accidents is then validated and verified. Before the experiments are carried out, preparation tasks, including data normalization, parameter configuration, and model training, are arranged. Details are provided below.
3.1 Data Normalization
As discussed in Sect. 2.3, data normalization makes the data set more suitable for the investigated process and keeps the sequential data dependency. Thus, both the training data set and the testing data set are normalized before being applied to the LSTM model.
3.1.1 Steam Generator Pressure Adjustment
In this scenario, the pressure of an SG is experiencing an adjustment process and approaching the stable state. Since SG control is of crucial importance in nuclear safety, such a process represents typical phenomena of concern to regulators. The data set contains values from 172 redundant sensors that monitor the SG pressure. Due to the different installation locations, such a data set brings differentiation and diversity to the LSTM model, which reduces the over-fitting risk and enhances the prediction performance. Four of the 172 sensors, No. 30, 31, 32, and 33, are selected for training while another four, No. 34, 35, 36, and 37, are used for the prediction test. The normalization of the training sensor values is presented below in Fig. 5.
[Figure panels: (a) the reading of sensor No. 30; (b) the reading of sensor No. 31; (c) the reading of sensor No. 32; (d) the reading of sensor No. 33]
Fig. 5. Normalized SG pressure sensor values
3.1.2 Small LOCA
The occurrence of a LOCA is unpredictable since the parameters remain normal until the break takes place. However, the development trend of a LOCA can be predicted, offering the system and operators an opportunity to judge its type, situation, and consequences. Parameters vary dramatically in a nonlinear manner during a LOCA, which gives LSTM the chance to apply its prediction ability where traditional methods are not suitable. During a LOCA process, the flowrate of the coolant pump and the pressure of the pressurizer are two key parameters. Both are chosen in this scenario investigation, and the LSTM produces prediction results showing the development trends of flowrate and pressure. As discussed, a data set from a 7 mm-break LOCA simulation is adopted for the model training. The normalization results are shown in Fig. 6.
[Figure panels: (a) pressure reading of the pressurizer during a small LOCA; (b) flowrate reading of the coolant pump outlet during a small LOCA]
Fig. 6. Normalized pressurizer pressure and coolant pump flowrate values
3.2 Model Configuration
The LSTM network must be configured with proper parameters before being applied to an actual scenario. In this work, the LSTM structure has one input layer, two hidden layers, and one output layer. The reason for two hidden layers is that the precision hardly increases when there are more than two. The two hidden layers contain different numbers of LSTM cells, 128 in the first and 64 in the second, according to repeated test results. The hyperparameters chosen for these two hidden layers are shown in Table 3.
Table 3. Parameters of LSTM model
Hyperparameter           Value
Input layer size         [4, 5]
LSTM_1 input shape       [4, 128]
Activation function 1    Tanh
Dropout_1                0.2
LSTM_2 input shape       [128, 64]
Activation function 2    Tanh
Dropout_2                0.2
The Adam optimizer [13] is chosen as the training optimizer for this work due to its proven performance in RNN model training [14]. The batch size is set to 50 with an iteration number of 500. The model is constructed using the Keras deep learning framework.
3.3 Model Training
To avoid the over-fitting caused by multi-dimensional redundant data, the model is trained using the No. 30, 31, 32, and 33 sensor values and tested using the No. 34, 35, 36, and 37 sensor values in the SG pressure case. In the small LOCA case, the model is trained using values from a 7 mm-break LOCA and tested using values from an 8 mm-break LOCA. The RU method expands the 2-dimensional data set, of size (1710, 4), into a 3-dimensional data set, of size (1696, 6, 4), which greatly enhances the training result. During the training process, the learning rate is set to 0.01 and the iteration number is 500.
4 Results and Analysis
The experiment results for both the SG pressure adjustment and the small LOCA are presented in the following subsections.
4.1 Comparison Between RNN and LSTM
One RNN model and one LSTM model are trained using the same SG pressure sensor values. During the prediction test, the sensor values from No. 34, 35, 36, and 37 are fed to both models. The two prediction curves representing the SG pressure development are plotted together with the original values in Figs. 7 and 8, showing how the predictions match the actual values.
Fig. 7. SG pressure prediction with RNN model
Fig. 8. SG pressure prediction with LSTM model
As the experiment results indicate, the prediction from LSTM matches the original values better than that from RNN. The loss value from RNN is 1.343 × 10−4, which is two orders of magnitude greater than the loss value of 3.711 × 10−6 from the LSTM model. Nevertheless, it is noticed that RNN has better performance at the early stage of the prediction but loses accuracy as time passes. This is because RNN keeps all the information from previous iterations and thus has better resources for the prediction at the beginning. As the timeline extends, RNN is not able to capture the sequential data dependency, leading to imprecise prediction results. The LSTM model, which discards unnecessary information and keeps what is needed for prediction, can preserve the sequential data dependency and generate better predictions. Although the LSTM prediction encounters result drift when the process starts, the time it takes to adapt to the process is several milliseconds, which is considerably short compared to the whole process. Moreover, the result at the far end of the prediction is more meaningful since it provides a practical buffer for the safety system and operators. It is then concluded that LSTM is an option worthy of consideration in the nuclear safety prediction process.
4.2 Prediction of Small LOCA Accident
The small LOCA data set is from a simulated accident. It has 120 successive time points with a time step of 100 s. The pressurizer pressure and coolant pump outlet flowrate are selected from the 22 features in this data set as the objects to predict. The prediction results are shown in Figs. 9 and 10.
Fig. 9. The prediction of pressurizer pressure during a small LOCA
Fig. 10. The prediction of the coolant pump outlet flowrate during a small LOCA
Both the pressurizer pressure and the coolant pump outlet flowrate drop dramatically when the LOCA occurs. With the actions of the safety control system, both parameters rise back and then approach a stable state. Such a nonlinear process is a challenge to the prediction objective, but LSTM handles it well. Although underfitting does exist, especially at the beginning of the process, the prediction soon finds its way back on track. As introduced, the LSTM model is trained using a data set from a 7 mm-break LOCA and the process to be predicted is an 8 mm-break LOCA. That is the major reason why the prediction drifts noticeably at the beginning. The purpose of this attempt is to verify that predictions based on the LSTM model are not limited to the process that provides the training data. What has been proven is that the LSTM model can adapt to a similar process and “learn” the way it develops. An LSTM-based predictor that can serve different processes belonging to one category is possible.
5 Conclusion
An LSTM-based deep learning model is applied to the operation trend prediction of NPPs. Well-directed measures such as RU and Dropout are applied to make the model more suitable for nonlinear process prediction. During the SG pressure prediction process, LSTM proves itself to be a better prediction method than RNN, with a much smaller loss value of 3.711 × 10−6. In the small LOCA case, the LSTM model shows good adaptability to processes with different parameters. Although underfitting appears during the prediction process, the LSTM model has demonstrated the prediction quality of a reliable method for use in the nuclear safety field.
References
1. Ye, Q., Zhang, T., Pan, Q.: The Report of China Nuclear Power Development. Social Sciences Academic Press, Beijing (2019)
2. She, J., Jiang, J.: On the speed of response of an FPGA-based shutdown system in CANDU nuclear power plants. Nucl. Eng. Des. 241(6), 2280–2287 (2011)
3. She, J., Jiang, J.: Potential improvement of CANDU NPP safety margins by shortening the response time of shutdown systems using FPGA based implementation. Nucl. Eng. Des. 244, 43–51 (2012)
4. Hossain, A., Islam, S., Hossain, T., Salahuddin, A.Z.M., Sarkar, A.R.: An intelligent approach for thermal-hydraulic studies on safety and efficiency of nuclear power plant. Energy Procedia 160, 436–442 (2019)
5. Rumelhart, D.E., Hinton, G.E., Williams, R.J.: Learning representations by backpropagating errors. Cogn. Model. 5(3), 1 (1988)
6. Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)
7. Rankin, D.J., Jiang, J.: Predictive trip detection for nuclear power plants. IEEE Trans. Nucl. Sci. 63(4), 2352–2362 (2016)
8. Hochreiter, S., Bengio, Y., Frasconi, P.: Gradient flow in recurrent nets: the difficulty of learning long-term dependencies. In: Kremer, S.C., Kolen, J.F. (eds.) A Field Guide to Dynamical Recurrent Neural Networks. IEEE Press (2001)
9. Fang, Y., Yagoub, M.C., Wang, F., Zhang, Q.J.: A new macromodeling approach for nonlinear microwave circuits based on recurrent neural networks. IEEE Trans. Microw. Theory Tech. 48(12), 2335–2344 (2000)
10. Zhang, J., Man, K.F.: Time series prediction using RNN in multi-dimension embedding phase space. In: SMC’98 Conference Proceedings. IEEE International Conference on Systems, Man, and Cybernetics, pp. 1868–1873 (1998)
11. Wang, S., Wang, X., Wang, S., Wang, D.: Bi-directional long short-term memory method based on attention mechanism and rolling update for short-term load forecasting. Int. J. Electr. Power Energy Syst. 109, 470–479 (2019)
12. Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.R.: Improving neural networks by preventing co-adaptation of feature detectors (2012). arXiv preprint arXiv:1207.0580
13. Kingma, D.P., Ba, J.: Adam: A method for stochastic optimization. In: ICLR (2015)
14. Bottou, L., Curtis, F.E., Nocedal, J.: Optimization methods for large-scale machine learning. SIAM Rev. 60(2), 223–311 (2018)
Development and Application of Undisturbed Online Downloads in the FirmSys
Gui-Lian Shi, Bao-Hua Ren(&), Zhi-Hui Zhang, Xing-Xing Sun, and Le Li
China Techenergy Co., Ltd, Beijing, China [email protected]
Abstract. Modification of the application software, also known as ‘configuration’, is a normal need in the digital control systems applied in nuclear power plants. The system is considered to support the ‘Online download’ function if the unmodified part of the logic is not affected by the new configuration during its modification and validation. A system that supports the online download function can effectively reduce human error and shorten the configuration modification period, so system users have a strong demand for this function. However, because the online download function involves a wide range of products, its implementation is complex, and its impact on safety functions is difficult to assess, there is no current literature on the issue for nuclear safety digital instrumentation and control. This feature is also not supported on most safety digital instrumentation systems. The FirmSys is the first nuclear safety digital control and protection system researched, developed and applied in China. In this paper, through the requirement analysis of the online download function of the FirmSys, an online downloading design scheme is proposed, which identifies the factors affecting the realization of the function from the perspective of safety analysis and carries out the safety design in a targeted manner. The designed system has currently been applied in many nuclear power plants in China.
Keywords: FirmSys · Reactor protection system · Online download · Safety
1 Introduction As the ‘central nerve’ of nuclear power plants, the instrument and control system whose reliability is directly related to the overall safety and economy of nuclear power plant is an important indicator of system design. At the design level of safety instrument and control system, a variety of design measures state by the standards and regulations to ensure reliability, such as single fault, independence, software verification and validation, reliability analysis and evaluation, and so on [1]. Safety instrumentation and control systems are achieved by digital control systems (DCS) normally by one particular manufacturer. Obviously, the reliability of DCS equipment is also one of the basic factors of the reliability of the entire instrumentation and control system. In addition, redundancy is an effective and important method to improve the reliability of DCS equipment. Specifically, the redundancy technology improves the fault tolerance © Springer Nature Singapore Pte Ltd. 2020 Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 477–491, 2020. https://doi.org/10.1007/978-981-15-1876-8_47
478
G.-L. Shi et al.
of instrumentation equipment, reducing downtime and supporting online fault repair. Taking the protection system of ACPR1000 series as an example, the DCS control equipment also adopts redundant configuration in the channel and sequence of the multiple redundant protection system [2]. On this basis, the stuff working in the construction and operation in the power plant advises a requirement for the maintainability of DCS. It relates to the control and protection scheme being changed during the commissioning and operation of the power plant. The process is using the tools provided by the DCS to configure where the object code is compiled and generated. The object code will be downloaded through the tool and installed into the controller to run. In the downloading process, the controller is required to withdraw from the operation state, accept the new configuration, and then put it back into operation state after loading the new configuration. In this process, the controller no longer controls the equipment, and its output is in fault-free state, where this downloading method is called as offline downloading. In this case, a further requirement is advised that the controller also maintains function and control during downloading process. According to relevant requirements and operation rules of power plants, the following benefits should be achieved before and after fuel loading. Firstly, the on-site equipment is continuously controlled by online downloading, which can save a lot of on-site equipment isolation work, avoid human error, and save the construction period, before the nuclear power plant reactor is loaded [3]. Secondly, according to the function distribution of the control station, the first group of IO events will occur when the control station is shut down, after the station reactor is loaded. Therefore, the unit must be withdrawn. If the online downloading is feasible, it is not necessary to be withdrawn. 
In a word, online downloading contributes to the safety and economy of power plants. Because of its technical complexity, however, the safety impact assessment is difficult to conduct. Meanwhile, most nuclear DCS products do not support an online downloading function, for example Spinline-3 (France), HFC-6000 (Korea), Radiy (Ukraine) and TXS (France). Although the Mitsubishi Meltec-N platform made in Japan is able to provide this function, and the use of the online downloading function has been discussed in public literature, its key design technology has not been studied. FirmSys is the first digital control and protection system platform for the nuclear safety field developed and applied in China. This paper discusses the online downloading scheme of the hot-standby redundant control station in FirmSys.
2 Requirement Analysis of the Online Downloading

Through analysis of the application scenarios and of the standards and regulations for online downloading of DCS in nuclear power plants, the key requirements of the online downloading function are identified below.

2.1 Configuration Modification Supported by Online Download

A DCS control station has many configurable contents, including hardware configuration, database, control logic, protection logic, setting values and so on. Under each category there are many specific configurable elements. If every modification of a configurable element had to support online downloading, the system would become very complex, and might even be impossible to achieve. In addition, online downloading is intended mainly for partial modifications of a system that is already in operation, so it is not necessary to support all of them. It is very important to define clearly which configuration elements can be modified with online downloading. In other industrial control systems, malfunctions have been caused by an insufficient understanding of whether a modification supports online downloading. One report describes an operator who modified some database parameters and mistakenly assumed that the modification could be downloaded online; the manual interlocking signals applied before the download were cancelled automatically after the new software was downloaded, and a major accident, the bearing burnout of an air compressor, followed [4]. In another plant, an operator made many modifications to the DCS, which resulted in the deactivation of the oxidation fan after online downloading [5]. To determine whether a configuration element supports online downloading, the various configurable elements of the system should first be identified, and the likelihood of on-site modification of each element should be analysed together with the complexity of implementation and other factors. After this analysis, the support of FirmSys for online downloading of configuration element modifications is as shown in Table 1.

Table 1. Configuration elements that support online downloads.

| Category | Element | Attribute | Modification possibility | Supports online downloading |
|---|---|---|---|---|
| Hardware configuration | Main processing card | Hardware architecture | Low | No |
| Hardware configuration | I/O communication card | Hardware architecture | Low | No |
| Hardware configuration | Point-to-point communication card | Hardware architecture | Low | No |
| Hardware configuration | Ring network communication card | Hardware architecture | Low | No |
| Hardware configuration | I/O card | Hardware | Medium | Yes |
| Hardware configuration | Priority management card | Hardware | Medium | Yes |
| Database | I/O variables | Software | High | Yes |
| Database | Network variables | Software | High | Yes |
| Database | Parametric variables | Software | High | Yes |
| Control protection logic | Stateful logic | Software | High | Yes |
| Control protection logic | Stateless logic | Software | High | Yes |
| Parameter tuning | Setting value | Software | High | Yes |
2.2 Control Station Function Requirements During Online Download Process
A DCS control station generally performs data acquisition, control and protection logic operation, data output, network communication, equipment self-diagnosis, response to maintenance commands and other functions [2]. The core requirement for online downloading is to keep the control station in normal operation during the downloading process: the unchanged part of the configuration must not cause any disturbance, and the newly configured part must execute as expected. A clear definition of "no disturbance in the unchanged part of the configuration" is the key point. Here disturbance refers to the output of the DCS control station; however, the input of the control station and the data inside it also affect the output. Since the control station processes many kinds of data, the processing requirements for each type of data must be specified in order to achieve online downloading. Figure 1 shows the common data set processed by a controller.
Fig. 1. Data processed by the controller.
2.3 Online Downloading Tool Requirements
Tools are an important part of the DCS platform, as the usability and efficiency of a DCS platform are largely determined by the capability of its tools. The DCS tool functions for the control station comprise device configuration, database configuration, control and protection logic configuration, screen configuration, configuration compilation, download, offline simulation, and online monitoring and debugging. This paper focuses on configuration compilation, since it is directly related to the online and offline download functions. Compiling is the process of converting the engineer's configuration into the object code and related data that the controller can run. HAD102-16 [7] stipulates that the tool shall be fully secure and credible, so that the tool does not endanger the safety of the final product under any circumstances. Therefore, software development tools whose output is used without further review should have the highest level of credibility. In practical applications it is difficult to review the object code, so compiler tools need to be developed according to the nuclear quality assurance process, with technical measures taken to ensure their security. For the online download function in particular, the compilation tool must provide the control station with the data changes and the correspondence between the different versions, so that the unchanged part of the configuration causes no disturbance. Since a control station deals with a large number of data types and a huge quantity of data, the following four factors need to be considered in compilation and processing: (1) how to correctly judge what is changed and what is unchanged; (2) the data generated for the control station should be convenient for the control station to use, and its processing must be efficient, or else the CPU load index of the control station cannot be met; (3) efficiency must also be considered when generating the download data: the compilation of one control station should be completed within 5 min; (4) with the accumulation of configuration changes, a large number of placeholder symbols and storage fragments must be avoided, otherwise after a certain period online downloading becomes impossible and the efficiency of the controller is bound to be low. Downloading is the process of transferring the compiled object code and its related data, which the controller can run, from the engineering side to the controller. The downloading tool design should ensure the security of the download and the integrity of the downloaded data, because the downloaded data directly determines the functionality of the controller.
In addition, according to the requirement analyses of Sects. 2.1 and 2.2, it is very important for the successful implementation of online downloading that the configuration personnel can fully and accurately identify the changes, so as to select the appropriate downloading method, evaluate the scope of non-disturbance after downloading, and carry out the relevant equipment isolation and protection. Configuration personnel usually record changes manually with drawings and annotations (revision clouds), but this method is incomplete, inaccurate and inefficient. Corresponding automatic tools are recommended.

2.4 Performance Specifications

During online downloading the control station performs its functions normally, so the related performance indicators of the control station must meet the relevant requirements in order to guarantee its function. Generally, the performance indicators of a control station during downloading are required to be consistent with those of its normal operation. These indicators include the CPU load of the control station, storage margin, network load and so on. Another performance indicator that needs to be defined is the online loading time. Considering the operation of nuclear power plants and the related steps, the entire online loading should be completed within thirty minutes [3].
2.5 Safety Requirement

The design shall comply with the relevant requirements of the nuclear-grade I&C standards and regulations, including the general requirements as well as the requirements on "safety software modification" that the standards specify in relation to online downloading.
• After a modification is implemented in software, the generated code should be checked by the V&V process according to IEC 60880;
• Online downloading involves personnel operations, so the design of the scheme should analyse the human risk and provide a corresponding design;
• Online downloading involves interaction between the control station and the tool. In general the safety level and quality level of the tool are lower than those of the control station, so the influence of the tool on the control station should be considered;
• During downloading, the superposition of equipment failure factors should be considered and a corresponding design carried out to avoid erroneous output. At the very least, fail-safe behaviour should be ensured.
3 Schematic Design

This chapter analyses the online downloading scheme of general industrial control systems. On this basis, the online downloading scheme of the nuclear safety controller is proposed.

3.1 The Online Downloading in General Industrial Control System

In the field of general industrial control systems, advanced products support an online download function, for example the MULTIPROG software made by Phoenix Contact Software GmbH and CodeSys made by 3S-Smart Software. MULTIPROG is taken as the example in this paper to analyse the online downloading scheme of general industrial control systems and its suitability for safety controllers [8]. After the algorithm has been configured in MULTIPROG, only a "download" operation is performed on the master device of the redundant system. The software automatically judges whether to perform an offline or an online download according to the configuration change. When an online download is performed, the master device stays in the normal state: the software compares the project with the previous version of the algorithm and downloads only the modified part to the master device, after which the modified part is loaded and takes effect in the master. Once the download is launched, all remaining steps are done automatically. This method is fast and efficient, and is suitable for general industrial control systems. Applied to a nuclear safety-level controller, however, it is difficult to deal with the following issues. First, IEEE 7-4.3.2 stipulates that the controller must not perform online modifications while performing safety functions. Second, once the download is started the entire process completes automatically, so there is no opportunity to perform the relevant checks and confirm the operation.

3.2 Overall Design of the Downloading
According to the analysis in Sect. 3.1, a design solution for online downloading called "First from the Slave Device with Time Management" is proposed. In this method, the slave device, which does not perform the control function, is downloaded first and then synchronized with the master device. After the slave's data has been checked to be correct, it is switched to master operation, and finally the other CPU is downloaded.

Table 2. Online download steps.

| Step | Operation | Device A status | Device A ver. | Device B status | Device B ver. | Remark |
|---|---|---|---|---|---|---|
| Start | | Master | VB | Slave | VB | |
| S1-B | Download VC to B | Master | VB | Downloading | VC | Manual |
| S2-B | Switch B to RUN | Master | VB | Booting | VC | Manual |
| S3-B | B synchronizes with A | Master | VB | Synchronizing | VC | |
| S4-B | B operates as Slave | Master | VB | Slave | VC | |
| SWAB | Switch master-slave | Slave | VB | Master | VC | Manual |
| S1-A | Download VC to A | Downloading | VC | Master | VC | Manual |
| S2-A | Switch A to RUN | Booting | VC | Master | VC | Manual |
| S3-A | A synchronizes with B | Synchronizing | VC | Master | VC | |
| S4-A | A operates as Slave | Slave | VC | Master | VC | |

The online download process is designed to be completed in the 9 steps of Table 2. In the table, the basic configuration version of the control device is defined as VB, and the configuration version after online downloading is completed is defined as VC. The CPU in the lower slot of the control station is marked as Device A and the CPU in the higher slot as Device B; Device A and Device B are static and together constitute the redundant control station. A CPU in the control station has two redundancy statuses: Master is the CPU performing the control function, and Slave is the device operating in hot standby. Because Master and Slave are switched dynamically, the Master can be either Device A or Device B. The operating statuses are Downloading, Booting, Synchronizing and Fail-safe. Assume that Device A is currently in the Master state, Device B is in the Slave state, and the configuration version of both devices is VB. Through the 9 steps above, both Device A and Device B are upgraded to version VC. During the download process only one CPU is in the Master state at any time, and the two-step synchronization ensures that the system is undisturbed during the entire download. Five steps require manual intervention; the other steps are done automatically by the CPU. The content of S1-B to S4-B is the same as that of S1-A to S4-A, and they are uniformly denoted S1, S2, S3 and S4 below. In the actual design, the software of Device A and Device B is identical.

3.3 Implementation of Each Step
Each sub-step is described below, giving its processing flow with particular attention to the safety requirements: the errors caused by human factors, tools and equipment failures involved in the step are analysed, and corresponding preventive measures are given in the design.

3.3.1 S1: Download VC

In this step the new configuration version VC is downloaded to the CPU. The control station first switches to Downloading mode; the maintenance tool then connects to the control station and the two sides exchange the download data in a request-and-response manner. Communications for different functions are identified by a function code, and the control device updates and stores the downloaded data internally after a series of checks and confirmations, which completes the downloading operation. The risks and countermeasures mainly considered in this step are shown in Table 3.

Table 3. Risk analysis for S1.

| No | Risk | Type | Source | Measure |
|---|---|---|---|---|
| 1 | Wrong version | Human | Multiple configuration versions of multiple control stations on the same computer | Confirm the correspondence between the version and the CPU: check the version number of the download file, the controller station number, the slot number and the operation mode; confirm the relationship between the new version and the base version |
| 2 | Incomplete data | Tool | Disk file corruption | Check download data integrity by CRC before downloading |
| 3 | Incomplete download | Equipment | CPU device failure, network connection error | Read back; the download is only complete when the read-back result is correct |
3.3.2 S2: Switch B to RUN

In this step the CPU downloaded with the new configuration version VC is switched to running mode and started. After start-up the CPU is initialized, and the correctness of the new configuration is checked by the CRC check code, the unique version identification code, etc. The CPU operating information is then initialized according to the configuration information, the configuration information is sent to the daughter boards, and the configuration feedback information of the daughter boards is checked. Initialization is then complete. The risks and countermeasures mainly considered in this step are shown in Table 4.

Table 4. Risk analysis for S2.

| No | Risk | Type | Source | Measure |
|---|---|---|---|---|
| 1 | Incomplete data | Equipment | Download error that has occurred | The controller checks the download file's station number, version number, slot number, operation mode and integrity, the master-slave version number match, etc.; on any mismatch the controller enters fault mode |
| 2 | Initialization not completed | Tool | CPU device failure | The controller performs self-diagnosis of key devices during the initialization phase and enters fault mode on error |
| 3 | Wrong version | Human | Wrong version selected | The controller checks that the master and slave versions match, and on any mismatch enters fault mode |
3.3.3 S3: Synchronize with the Counterpart

Before and after the download, the configuration of the two versions differs. How can it be ensured that "the unchanged part of the configuration does not cause disturbance"? The processing in S3-B and S3-A is the key to remaining undisturbed. First, the tool identifies "changed" and "unchanged" data (see Sect. 3.4.1) and generates the corresponding download data index. Based on this index, the controller handles each category of data from Sect. 2.2; the data processing scheme is shown in Table 5.

Table 5. Data processing requirements for the slave.

| Data category | Unchanged item | Changed item |
|---|---|---|
| Real-time input | Synchronize with Master | Real-time acquisition |
| Instantaneous input | Real-time processing | Real-time processing |
| Stateful algorithm | Synchronize with Master | Real-time operation |
| Stateless algorithm | Real-time operation | Real-time operation |
| Internal storage of data | Synchronize with Master | Synchronize with Master |
| Real-time output | Real-time output | Real-time output |
| Request output | Available on request | Available on request |

In each configuration change the changed part is small, so the controller must process a large amount of synchronization data every cycle, and the execution efficiency of the controller is an important design consideration. In this method, the following design measures are mainly used to ensure processing efficiency: (1) synchronization uses "block-by-block processing" instead of the default "variable-by-variable processing", which requires corresponding processing when the tool compiles (for details see Sect. 3.4.1); (2) the data addressing and copying scheme is optimized, including replacing memcpy with direct assignment, reducing program branches, and replacing array pointers with array subscript addressing. The risks and countermeasures mainly considered in this step are shown in Table 6.

Table 6. Risk analysis for S3.

| No | Risk | Type | Source | Measure |
|---|---|---|---|---|
| 1 | Wrong base version | Human | Download error that has occurred | The unit enters fail-safe, stops running and indicates the fault |
| 2 | Synchronization not successful | Equipment | Synchronization network connection error, etc. | The unit enters fail-safe, stops running and indicates the fault |
| 3 | Data not aligned to 4 bytes | Tool | Compilation error that has occurred | The unit enters fail-safe, stops running and indicates the fault |
3.3.4 S4: Operate as Slave

In this step the CPU that has been downloaded with the VC configuration has synchronized successfully and enters the Slave status. The algorithm operation is executed from the synchronized data so as to follow the Master's operation; the different data, including changed variables or algorithms, is executed according to the new configuration from its initialized data. The risks and countermeasures mainly considered in this step are shown in Table 7.

Table 7. Risk analysis for S4.

| No | Risk | Type | Source | Measure |
|---|---|---|---|---|
| 1 | Slave failure | Equipment | CPU device failure, network connection error | The unit enters fail-safe, stops running and indicates the fault |
3.3.5 SWAB: Switch Master-Slave

In this step, the CPU with the old configuration VB is manually switched to Slave and the CPU with the new configuration is promoted to Master. The CPU with the old configuration VB receives the user's manual switching instruction and judges whether the CPU with the new configuration VC is running without failure. If the conditions for promotion are satisfied, the master-slave redundancy switching mechanism is started. After switching, the CPU with the old configuration VB operates as Slave and the CPU with the new configuration VC operates as Master. The risks and countermeasures mainly considered in this step are shown in Table 8.

Table 8. Risk analysis for SWAB.

| No | Risk | Type | Source | Measure |
|---|---|---|---|---|
| 1 | Key multiplexing | Human | The switch button is misleading | The controller displays a corresponding dot-matrix indication according to the duration of the button press, to prevent incorrect use of the button |
| 2 | Slave failure | Equipment | CPU device failure, network connection error | The unit enters fail-safe, stops running and indicates the fault |
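The nine steps of Table 2, with the per-step checks of Tables 3 and 4 and the promotion condition of Sect. 3.3.5, as an added executable model that is not FirmSys code. The download package layout (version, base version, station, slot, mode, object code, CRC32), the station and slot numbers and the sample object code are constructed assumptions, and the checks are reduced to what the tables state.

```python
from collections import namedtuple
from dataclasses import dataclass
import zlib

MASTER, SLAVE, DOWNLOADING, BOOTING, SYNCING, FAILSAFE = (
    "Master", "Slave", "Downloading", "Booting", "Synchronizing", "Fail-safe")
# Constructed package: version carried, base version, target, mode, code, CRC32.
Package = namedtuple("Package", "version base station slot mode payload crc")

@dataclass
class Cpu:
    name: str
    slot: int
    status: str
    version: str
    pending: Package = None  # package accepted in S1, re-verified in S2

class StationFault(Exception):
    """A CPU entered Fail-safe: it stops running and indicates the fault."""

class ControlStation:
    """Redundant pair: Device A (lower slot) and Device B (higher slot)."""

    def __init__(self, station):
        self.station, self.trace = station, []
        self.a, self.b = Cpu("A", 1, MASTER, "VB"), Cpu("B", 2, SLAVE, "VB")
        self._record("Start")

    def pair(self):  # (Master, hot-standby); the Master may be A or B
        return (self.a, self.b) if self.a.status == MASTER else (self.b, self.a)

    def _record(self, step):
        self.trace.append((step, self.a.status, self.a.version,
                           self.b.status, self.b.version))
        # Undisturbed operation: exactly one CPU holds control at every step.
        assert sum(c.status == MASTER for c in (self.a, self.b)) == 1

    def _fault(self, cpu, reason):
        cpu.status = FAILSAFE
        raise StationFault(f"{cpu.name}: {reason}")

    def s1_download(self, cpu, pkg):
        # IEEE 7-4.3.2: the CPU performing the safety function is never modified.
        if cpu.status == MASTER:
            raise ValueError("download refused: target CPU is Master")
        cpu.status = DOWNLOADING
        # Table 3, risk 1: the package must address this CPU and build on its version.
        if (pkg.station, pkg.slot, pkg.mode, pkg.base) != (
                self.station, cpu.slot, "online", cpu.version):
            self._fault(cpu, "wrong station, slot, mode or base version")
        # Table 3, risk 2: integrity check before the data is accepted.
        if zlib.crc32(pkg.payload) != pkg.crc:
            self._fault(cpu, "CRC mismatch in download data")
        cpu.pending, cpu.version = pkg, pkg.version  # stored for re-check in S2
        self._record(f"S1-{cpu.name}")

    def s2_run(self, cpu):
        cpu.status = BOOTING
        # Table 4: re-check the stored image and the master-slave version pairing.
        if zlib.crc32(cpu.pending.payload) != cpu.pending.crc:
            self._fault(cpu, "stored image corrupted")
        if self.pair()[0].version not in (cpu.pending.version, cpu.pending.base):
            self._fault(cpu, "master-slave version mismatch")
        self._record(f"S2-{cpu.name}")

    def s3_s4(self, cpu):
        cpu.status = SYNCING  # unchanged data is copied from the Master (Table 5)
        self._record(f"S3-{cpu.name}")
        cpu.status = SLAVE    # then follows the Master from the synchronized data
        self._record(f"S4-{cpu.name}")

    def swab(self):  # manual master-slave switch (Sect. 3.3.5); False if refused
        old, new = self.pair()
        if new.status != SLAVE:  # new-version CPU must be running without failure
            return False
        old.status, new.status = SLAVE, MASTER
        self._record("SWAB")
        return True

    def online_download(self, packages):  # the nine steps of Table 2
        for _ in range(2):  # once per CPU, hot-standby first
            target = self.pair()[1]
            self.s1_download(target, packages[target.slot])
            self.s2_run(target)
            self.s3_s4(target)
            if target.version != self.pair()[0].version and not self.swab():
                raise StationFault("SWAB refused: new CPU not ready")
        return self.trace

def package_for(slot, payload=b"VC object code"):  # constructed tool output
    return Package("VC", "VB", 1, slot, "online", payload, zlib.crc32(payload))

def demo_corrupt_download():  # corrupted file: Slave Fail-safe, Master in control
    st, bad = ControlStation(1), package_for(2)
    try:
        st.s1_download(st.b, bad._replace(crc=bad.crc ^ 1))
    except StationFault:
        pass
    return st.b.status, st.a.status
```

`ControlStation(1).online_download({1: package_for(1), 2: package_for(2)})` returns the ten rows of Table 2 in order, with the Master column never empty.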
3.4 Tool-Related Design
3.4.1 Compiling

According to the requirements of Sect. 2.3, the compiler needs to be developed according to the nuclear quality assurance process, and relevant measures are adopted in the design, including formal techniques and confirmation of the applicability of the commercial C compiler. For the online download function, in order to realize the requirement of Sect. 2.2 that the unchanged part of the configuration causes no disturbance, the compiler tool needs to generate for the control station the correspondence between the data of the version before the download (VB) and the version after it (VC), for use in data synchronization. D denotes a datum in the configuration; each datum has four attributes, name, type, length and data area, written D[Name, Type, Len, Zone]. If all four attributes of two data D1 and D2 are identical, then D1 = D2. Once the configuration is complete, the set of D is determined, so there exist a data set DB {DB1, DB2, … DBn} corresponding to version VB and a data set DC {DC1, DC2, … DCm} corresponding to version VC. For Sect. 2.3 (1), how to correctly judge "changed" and "unchanged": there are two possibilities for a datum DCk in version VC. If DCk ∈ DB, DCk is considered unchanged data; otherwise DCk is new data in VC. There are two possibilities for a datum DBk in version VB. If DBk ∈ DC, DBk has not changed; otherwise DBk is deleted in VC.
Fig. 2. Variable-by-variable processing VS Block-by-block processing.
For Sect. 2.3 (2), the data generated for the control station should be convenient for it to use: processing hundreds of thousands of variables one by one cannot meet the per-cycle performance requirements. A "defragmentation and compression algorithm" automatically recognizes variables at consecutive addresses and combines them into a block, so that the data is processed block by block instead of item by item. Assume DB = {D1, D2, D3 … D98, D99} and DC = {D1, D3, D4 … D98, D99, D100}, that is, the new configuration deletes D2 and adds D100. Fig. 2 shows the change in efficiency: from 98 operations to 2. For the efficiency of generating the download data, Sect. 2.3 (3), the "Times33" hash algorithm is introduced to perform the searches during compilation. To avoid generating a large number of "placeholders" and "storage fragments", Sect. 2.3 (4), no placeholders are used in this design and no space is allocated according to the data ID, so fragmentation and loss problems are avoided.

3.4.2 Download

The download is the process of transferring the target code that the controller can run, together with the related configuration data, from the engineer station to the controller. To meet the security requirements of the download process and the integrity requirements of the download data, the download tool is designed with the following features: (1) permission control for running the download software; (2) integrity check of the download data before downloading; (3) checking that the controller is in the appropriate state, to ensure the download goes to the correct controller; (4) loading; (5) read-back of the loaded data after downloading, to ensure the integrity of the data downloaded to the controller.

3.4.3 Version Comparison

In the application software change control process of nuclear power plants, in order to prevent human error from introducing unintended content, it is necessary to fully verify and confirm the changes. To help designers and nuclear power plants identify changes correctly and in time, the version comparison tool is designed with the following characteristics: (1) it covers all configuration elements of the control station; (2) it identifies all configuration changes, none of which may be missed; (3) the comparison results are intuitive and graphical and are efficiently integrated with the configuration tool; (4) the comparison results can be output as reports for easy archiving and analysis; (5) the comparison time for one station configuration should be less than 5 min.
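The change judgement of Sect. 3.4.1 (membership of D[Name, Type, Len, Zone] in the other version's set, looked up through a Times33 hash index), the block-by-block coalescing of Fig. 2, and the list of added and deleted data that a version comparison (Sect. 3.4.3) reports, worked through as an added example. This is not the FirmSys compiler: the address layout (consecutive 4-byte-aligned addresses in declaration order) and the variable names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class D:
    """A configured datum D[Name, Type, Len, Zone]; D1 = D2 iff all four match."""
    name: str
    type: str
    len: int
    zone: str

def times33(key, buckets):
    """Times33 string hash (h = h*33 + c, DJB variant) reduced to a bucket index."""
    h = 5381
    for c in key.encode():
        h = (h * 33 + c) & 0xFFFFFFFF
    return h % buckets

class VersionIndex:
    """Hash index of one version's data set keyed on all four attributes, so that
    membership of a datum is a short bucket scan instead of a linear search."""

    def __init__(self, addrs, buckets=4096):
        self.buckets = [[] for _ in range(buckets)]
        for d, addr in addrs.items():
            self.buckets[times33(self.key(d), buckets)].append((d, addr))

    @staticmethod
    def key(d):
        return f"{d.name}|{d.type}|{d.len}|{d.zone}"

    def address(self, d):
        """Address of d in this version, or None if d is not in the set."""
        for cand, addr in self.buckets[times33(self.key(d), len(self.buckets))]:
            if cand == d:
                return addr
        return None

def layout(data, base=0):
    """Constructed layout: consecutive 4-byte-aligned addresses in declaration
    order, with no placeholders and no space reserved per data ID (Sect. 2.3 (4))."""
    addrs, addr = {}, base
    for d in data:
        addrs[d] = addr
        addr += (d.len + 3) & ~3
    return addrs

def classify(vb, vc):
    """Sect. 3.4.1 rule: DCk in DB -> unchanged, else new in VC; DBk not in DC ->
    deleted. Returns ([(master_addr, slave_addr, len)], [new D], [deleted D])."""
    index_b, index_c = VersionIndex(vb), VersionIndex(vc)
    unchanged, new = [], []
    for d, addr_c in vc.items():
        addr_b = index_b.address(d)
        if addr_b is None:
            new.append(d)
        else:
            unchanged.append((addr_b, addr_c, d.len))
    deleted = [d for d in vb if index_c.address(d) is None]
    return unchanged, new, deleted

def coalesce(pairs):
    """Defragmentation/compression: merge unchanged items whose master and slave
    addresses are both consecutive into one (src, dst, length) sync block."""
    blocks = []
    for src, dst, n in sorted(pairs):
        if blocks:
            bsrc, bdst, bn = blocks[-1]
            if bsrc + bn == src and bdst + bn == dst:
                blocks[-1] = (bsrc, bdst, bn + n)
                continue
        blocks.append((src, dst, n))
    return blocks

def sync_index(vb, vc):
    """Compile-side output for S3: sync block list plus new and deleted names."""
    unchanged, new, deleted = classify(vb, vc)
    return coalesce(unchanged), [d.name for d in new], [d.name for d in deleted]

def paper_example():
    """Sect. 3.4.1 case: VB = {D1..D99}, VC = {D1, D3..D100}. Returns the number
    of unchanged variables, the number of sync blocks, the blocks, new, deleted."""
    def mk(i):
        return D(f"D{i}", "int32", 4, "IO")
    vb = layout([mk(i) for i in range(1, 100)])
    vc = layout([mk(i) for i in range(1, 101) if i != 2])
    blocks, new, deleted = sync_index(vb, vc)
    return len(classify(vb, vc)[0]), len(blocks), blocks, new, deleted

def retyped_example():
    """Changing only the type of D5 makes it one deleted datum plus one new one."""
    vb = layout([D("D5", "int32", 4, "IO"), D("D6", "int32", 4, "IO")])
    vc = layout([D("D5", "float32", 4, "IO"), D("D6", "int32", 4, "IO")])
    return sync_index(vb, vc)
```

`paper_example()` reproduces the figure: 98 unchanged variables collapse into 2 synchronization blocks, while D100 is reported as new and D2 as deleted.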
3.5 Design Standard Compliance Analysis
The online downloading design involves software only, and is designed to comply with the safety-software-related requirements of IEC 60880-2006 and IEEE 7-4.3.2-2010. The specific requirements related to online downloading are as follows.
• IEEE 7-4.3.2: "The safety system software configuration shall not change while the safety system's division is performing its safety function. Changes shall be processed using the same rigorous process as the original software." [9]
• IEC 60880-2006: "Software modification activities shall be systematically prepared taking into account potential security threats." [6]
The above requirements emphasize that safety software modification must follow the same process as the original development, that the software must not be modified while running safety functions, and that unintended modifications must be prevented. To meet these requirements, safety software modifications must comply with the defined strict process, undergo strict V&V, be subject to safety analysis and pass strict approval procedures before proceeding. In addition, this design meets the requirements through the "first from the Slave device" approach, and the nuclear safety controller has proximity control measures and can only be downloaded in DOWNLOADING mode.
4 Implementation and Application

Following the proposal of Sect. 3, the design implementation, software verification and validation, and change identification were carried out according to the safety product development process. At present, FirmSys with the online downloading function has been applied on a large scale to large nuclear power units such as Yangjiang Units 5 and 6, Hongyanhe Units 5 and 6, Tianwan Units 5 and 6, and Fangchenggang Units 5 and 6. Online downloading has been performed more than 500 times in total, and the function performs as expected. An important piece of feedback from the applications is that online downloading is complex to operate. Hence attention must be paid to the quality of the instruction manual: it must be complete and detailed, with sufficient description of the principles and sufficient risk warnings for the user to use the function correctly.
5 Conclusion

This paper comprehensively analyses the historical and anticipated problems to be solved and the detailed requirements for the online downloading function of a digital nuclear safety controller. For a nuclear safety controller, multiple factors need to be combined to decide which configuration elements support online downloads, and the data processing requirements for undisturbed operation of the unchanged parts of the configuration need to be accurately defined. This paper also analyses the implementation scheme of online downloading in industrial control systems and its applicability to the nuclear safety controller. Moreover, the online downloading scheme "First from the Slave Device with Time Management" is proposed, which meets the relevant requirements of the nuclear standards. This scheme has been implemented on the FirmSys platform, China's first digital control and protection system, and has been used in many nuclear power projects. The implementation demonstrates that the functions, performance, safety and reliability of the scheme meet the nuclear safety regulations and the needs of the nuclear power plant. The application has also successfully solved the problems of the upgrade period, during which the nuclear power plant system had to be isolated from the field equipment, which took a long time and affected the time-constrained main project. Consequently, the implementation avoids the I0 event and meets the safety technical specifications of the nuclear power plant. At present, the online downloading of FirmSys has been applied to the majority of nuclear power projects. In particular, Unit 5 of the Yangjiang Nuclear Power Plant has officially been put into operation and connected to the grid for power generation. The online download function of FirmSys has been successfully developed and has gained valuable experience for China's nuclear power autonomy. This experience has also greatly enhanced the international core competitiveness of FirmSys and laid a solid base for China's nuclear power digital technology to achieve its global strategy.
References
1. Institute of Electrical and Electronics Engineers: IEEE Std 7-4.3.2, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (2003)
2. Shi, G.L., Jiang, G.J., Zhang, B., et al.: The design of ACPR1000 nuclear reactor protection system based on FirmSys. In: ICONE27 Proceedings, 27th International Conference on Nuclear Engineering, Tsukuba (2019)
3. Xu, J.F., Luo, H., Chen, T., et al.: Research on software online downloading technology based on MELTAC 1E-DCS system. Nucl. Power Eng. 34(S2), 70–72 (2013)
4. Wan, H.W.: The equipment accident analysis caused by DCS program download. Prog. Controll. Fact. Automa. 4, 61–62 (2011)
5. Zhao, S.B., Chen, X.Q.: The treatment and prevention of failure during the download of the Ovation. Autom. Panor. 8, 90–91 (2008)
6. IEC: Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions. IEC 60880 (2006)
7. NNSA: Nuclear Power Plant Computer-Based Security Critical System Software. National Nuclear Security Administration (2004)
8. KW Software: MULTIPROG User Guide. KW Shanghai (2013)
9. Yan, X., Zhang, Z.H., Ren, B.H., et al.: Application research of translation validation in nuclear safety-level graphic code generator. Autom. Panor. 4, 71–75 (2018)
The Study on Automatic Control of Pressure and Temperature for the Pressure Water Reactor Nuclear Power Plant
Jia-Lin Ping (corresponding author), Hong-Yun Xie, Chao Lu, Lin Tian, and ChunBing Wang
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd, 518172 Shenzhen, Guangdong Province, China
[email protected]
Abstract. This paper studies the automatic control of pressure and temperature increase and decrease during unit start-up and shutdown of a PWR nuclear power plant. A temperature control algorithm module is developed, the automatic control logic of the Turbine Bypass System for the plant shutdown process is designed, and the automatic control logic of the Normal Residual Heat Removal System is designed. Pressure and temperature tests on the HPR1000 engineering simulator verify that the newly designed automatic control logic gives better control performance and can effectively reduce the burden on operators.
Keywords: Nuclear power station · Automatic control of pressure and temperature · Design validation
1 Introduction
The operating modes of PWR nuclear power plants are generally divided into six modes: power operation, normal shutdown with steam generator cooling, normal shutdown with residual heat removal cooling, maintenance shutdown, etc. [1]. Among these six modes, normal shutdown with steam generator cooling and normal shutdown with residual heat removal cooling cover reactor coolant pressures from 15.5 MPa to 2.7 MPa and temperatures from 292.5 °C to 80 °C. The main parameters in these two modes vary widely, and the units involved require more operations. As a result, the safety of the unit is greatly affected, and control of the increase and decrease of pressure and temperature becomes a key factor in controlling unit operation. During the normal start-up and shutdown of a nuclear power plant, the temperature change rate of the primary reactor coolant is generally controlled within ±28 °C/h [2], and must never exceed ±56 °C/h. This is mainly because a temperature change that is too fast intensifies creep in the metal of the equipment, accelerates the aging of metal parts, shortens service life [3], and degrades the reliability and performance of key components [4], resulting in a decrease in safety. If the temperature changes too slowly, the start-up and shutdown time is prolonged, which affects economy. Therefore, the temperature control should be kept within the appropriate range. The pressure control of the primary circuit needs to be coordinated with the temperature control so that the parameters do not exceed their limits and the unit remains safe. Most CPR units rely on operators to manually control the increase and decrease of temperature and pressure. This paper describes the investigation of the primary circuit of the reactor in the case of normal unit start-up and shutdown.
© Springer Nature Singapore Pte Ltd. 2020. Y. Xu et al. (Eds.): SICPNPP 2019, LNEE 595, pp. 492–501, 2020. https://doi.org/10.1007/978-981-15-1876-8_48
2 Algorithm Analysis and Development of the Temperature Control Module
The core of the temperature control is to keep the rate of temperature change within a controllable range. This paper introduces a dynamic set value calculation to control the rate of temperature change. The dynamic set value algorithm has four input variables: the temperature target value, the temperature rate value, the measured temperature value and the start command. Its output is the temperature set value, and its internal parameters are the calculation period, the upper and lower temperature limits, etc. The algorithm has a tracking mode and an operation mode. In tracking mode the module does not take part in the adjustment: the output signal equals the measured value, so that the output tracks the measurement while the temperature is neither rising nor falling, and a bumpless transfer is achieved when switching to operation mode. Operation mode is used while the temperature is rising or falling. When the start command is 1, the algorithm switches into operation mode. After the temperature target value and the temperature set value are set, the calculation period of the module can be set internally. The step size is calculated from the temperature rate value and the module calculation period through the rate calculation formula, and performs
[Figure: block diagram of the dynamic set value algorithm. Inputs: temperature rate, measured temperature, temperature target, start command. Blocks: rate calculation, tracking mode, comparator, absolute calculation, comparator (>), heating / operation command, selection (=1).]
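As an added worked example (not code from the paper, nor from the FirmSys or HPR1000 platforms), the following Python module implements the dynamic set value algorithm described in Sect. 2: in tracking mode the output follows the measurement; in operation mode the set value ramps toward the target by one step of rate × period per calculation cycle; the transfer is bumpless because the ramp starts from the last tracked value; and the set value is clamped to the upper and lower temperature limits. The hard cap of 56 °C/h on the requested rate is an assumption taken from the limit quoted in the Introduction, not something the paper states the module does; the parameter names, default values and sample inputs are likewise assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical parameter values (assumptions for this example, not from the paper).
DEFAULT_PERIOD_S = 36.0        # module calculation period in seconds
DEFAULT_T_MIN_C = 20.0         # lower temperature limit (°C)
DEFAULT_T_MAX_C = 300.0        # upper temperature limit (°C)
MAX_RATE_C_PER_H = 56.0        # assumed hard cap, from the ±56 °C/h limit in the Introduction


def clamp(value: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, value))


def step_size(rate_c_per_h: float, period_s: float) -> float:
    """Rate calculation formula: temperature step per calculation period (°C)."""
    return abs(rate_c_per_h) * period_s / 3600.0


@dataclass
class DynamicSetpoint:
    period_s: float = DEFAULT_PERIOD_S
    t_min: float = DEFAULT_T_MIN_C
    t_max: float = DEFAULT_T_MAX_C
    max_rate: float = MAX_RATE_C_PER_H
    setpoint: Optional[float] = None   # last output; None until the first cycle
    operating: bool = False            # False = tracking mode, True = operation mode

    def cycle(self, target: float, rate_c_per_h: float,
              measured: float, start: int) -> Tuple[float, str]:
        """One calculation period. Returns (temperature set value, mode)."""
        if start != 1:
            # Tracking mode: no adjustment, the output follows the measurement so that
            # a later switch to operation mode starts from the current plant value.
            self.operating = False
            self.setpoint = measured
            return self.setpoint, "tracking"

        if not self.operating:
            # Bumpless transfer: the ramp begins at the tracked value, not at the target.
            self.operating = True
            if self.setpoint is None:
                self.setpoint = measured

        # Operation mode: move toward the limited target by at most one step per period.
        rate = min(abs(rate_c_per_h), self.max_rate)        # assumed hard cap on the rate
        limited_target = clamp(target, self.t_min, self.t_max)
        step = step_size(rate, self.period_s)
        delta = limited_target - self.setpoint
        if abs(delta) <= step + 1e-9:
            self.setpoint = limited_target                   # final step lands exactly on target
        else:
            self.setpoint += step if delta > 0 else -step
        self.setpoint = clamp(self.setpoint, self.t_min, self.t_max)
        return self.setpoint, "operation"


def simulate_ramp(module: DynamicSetpoint, target: float, rate_c_per_h: float,
                  measured: float, cycles: int) -> List[float]:
    """Run the module for `cycles` periods with start=1 and return the set value trajectory.
    The measurement is held constant (a constructed input), which is enough to show the
    ramp itself; in a real loop it would follow the plant response."""
    return [module.cycle(target, rate_c_per_h, measured, 1)[0] for _ in range(cycles)]


if __name__ == "__main__":
    m = DynamicSetpoint()
    # One tracking cycle at 100 °C, then ramp toward 103 °C at 30 °C/h (0.3 °C per 36 s).
    print(m.cycle(target=103.0, rate_c_per_h=30.0, measured=100.0, start=0))
    for sp in simulate_ramp(m, 103.0, 30.0, 100.0, 12):
        print(f"{sp:.2f}")
```

The final-step snap to the target and the clamp after every cycle are the two checks a reviewer of such a module would look for: without the snap the set value oscillates around the target by one step, and without the clamp a mis-entered target above the upper limit would drive the ramp past the equipment limit at the full permitted rate.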