English Pages 691 Year 2022
Lecture Notes in Electrical Engineering 883
Yang Xu · Yongbin Sun · Yanyang Liu · Feng Gao · Pengfei Gu · Zheming Liu Editors
Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems The Sixth International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP)
Lecture Notes in Electrical Engineering Volume 883
Series Editors
Leopoldo Angrisani, Department of Electrical and Information Technologies Engineering, University of Napoli Federico II, Naples, Italy
Marco Arteaga, Departament de Control y Robótica, Universidad Nacional Autónoma de México, Coyoacán, Mexico
Bijaya Ketan Panigrahi, Electrical Engineering, Indian Institute of Technology Delhi, New Delhi, Delhi, India
Samarjit Chakraborty, Fakultät für Elektrotechnik und Informationstechnik, TU München, Munich, Germany
Jiming Chen, Zhejiang University, Hangzhou, Zhejiang, China
Shanben Chen, Materials Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Tan Kay Chen, Department of Electrical and Computer Engineering, National University of Singapore, Singapore, Singapore
Rüdiger Dillmann, Humanoids and Intelligent Systems Laboratory, Karlsruhe Institute for Technology, Karlsruhe, Germany
Haibin Duan, Beijing University of Aeronautics and Astronautics, Beijing, China
Gianluigi Ferrari, Università di Parma, Parma, Italy
Manuel Ferre, Centre for Automation and Robotics CAR (UPM-CSIC), Universidad Politécnica de Madrid, Madrid, Spain
Sandra Hirche, Department of Electrical Engineering and Information Science, Technische Universität München, Munich, Germany
Faryar Jabbari, Department of Mechanical and Aerospace Engineering, University of California, Irvine, CA, USA
Limin Jia, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences, Warsaw, Poland
Alaa Khamis, German University in Egypt El Tagamoa El Khames, New Cairo City, Egypt
Torsten Kroeger, Stanford University, Stanford, CA, USA
Yong Li, Hunan University, Changsha, Hunan, China
Qilian Liang, Department of Electrical Engineering, University of Texas at Arlington, Arlington, TX, USA
Ferran Martín, Departament d'Enginyeria Electrònica, Universitat Autònoma de Barcelona, Bellaterra, Barcelona, Spain
Tan Cher Ming, College of Engineering, Nanyang Technological University, Singapore, Singapore
Wolfgang Minker, Institute of Information Technology, University of Ulm, Ulm, Germany
Pradeep Misra, Department of Electrical Engineering, Wright State University, Dayton, OH, USA
Sebastian Möller, Quality and Usability Laboratory, TU Berlin, Berlin, Germany
Subhas Mukhopadhyay, School of Engineering & Advanced Technology, Massey University, Palmerston North, Manawatu-Wanganui, New Zealand
Cun-Zheng Ning, Electrical Engineering, Arizona State University, Tempe, AZ, USA
Toyoaki Nishida, Graduate School of Informatics, Kyoto University, Kyoto, Japan
Federica Pascucci, Dipartimento di Ingegneria, Università degli Studi "Roma Tre", Rome, Italy
Yong Qin, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Gan Woon Seng, School of Electrical & Electronic Engineering, Nanyang Technological University, Singapore, Singapore
Joachim Speidel, Institute of Telecommunications, Universität Stuttgart, Stuttgart, Germany
Germano Veiga, Campus da FEUP, INESC Porto, Porto, Portugal
Haitao Wu, Academy of Opto-electronics, Chinese Academy of Sciences, Beijing, China
Walter Zamboni, DIEM - Università degli studi di Salerno, Fisciano, Salerno, Italy
Junjie James Zhang, Charlotte, NC, USA
The book series Lecture Notes in Electrical Engineering (LNEE) publishes the latest developments in Electrical Engineering - quickly, informally and in high quality. While original research reported in proceedings and monographs has traditionally formed the core of LNEE, we also encourage authors to submit books devoted to supporting student education and professional training in the various fields and application areas of electrical engineering. The series covers classical and emerging topics concerning:
• Communication Engineering, Information Theory and Networks
• Electronics Engineering and Microelectronics
• Signal, Image and Speech Processing
• Wireless and Mobile Communication
• Circuits and Systems
• Energy Systems, Power Electronics and Electrical Machines
• Electro-optical Engineering
• Instrumentation Engineering
• Avionics Engineering
• Control Systems
• Internet-of-Things and Cybersecurity
• Biomedical Devices, MEMS and NEMS
For general information about this book series, comments or suggestions, please contact leontina. [email protected]. To submit a proposal or request further information, please contact the Publishing Editor in your country:
China: Jasmine Dou, Editor ([email protected])
India, Japan, Rest of Asia: Swati Meherishi, Editorial Director ([email protected])
Southeast Asia, Australia, New Zealand: Ramesh Nath Premnath, Editor ([email protected])
USA, Canada: Michael Luby, Senior Editor ([email protected])
All other Countries: Leontina Di Cecco, Senior Editor ([email protected])
** This series is indexed by EI Compendex and Scopus databases. **
More information about this series at https://link.springer.com/bookseries/7818
Editors
Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Yongbin Sun, China Techenergy Co., Ltd., Beijing, China
Yanyang Liu, Nuclear Power Institute of China, Chengdu, Sichuan, China
Feng Gao, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Pengfei Gu, China United Heavy Duty Gas Turbine Technology Co., Ltd, Shanghai, China
Zheming Liu, Product Information Committee of China Instrument and Control Society, Beijing, China
ISSN 1876-1100 / ISSN 1876-1119 (electronic)
Lecture Notes in Electrical Engineering
ISBN 978-981-19-1180-4 / ISBN 978-981-19-1181-1 (eBook)
https://doi.org/10.1007/978-981-19-1181-1
© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore
Contents

Two-Warehouse Inventory Models: Considering Lead Time and Continuous Review (Qiang Zhang, Yong Wang, Rong Guo, and Jing Ye), p. 1
Cause Analysis and Improvement of Abnormal Triggering Event in Radiation Monitoring Channel of NPP (Xu-Tao Bai, Dan-Dan Sun, and Hai-Rong Lu), p. 14
Discussion on Hydrogen Economy Solution Under Carbon Peak and Neutrality Background (Wen-Zhen Mi, Ying Cao, Tu-Nan Huang, and Peng-Fei Gu), p. 25
Introduction of Network Architecture for Real-Time Information Management System in Nuclear Power Plant (Guo-Bin Xu, Bing-Zhuo Zhang, and Jian-Wei Li), p. 34
Seismic Analysis and Qualification of Nuclear Safety Axial Flow Fan (Shi Hong, Wang Yan, Qiang-Sheng Zhang, and Yi-Wei Chen), p. 42
Application Verification of Wireless Sensor Network in Nuclear Power Plant (Zhi-Guang Deng, Qian Wu, Mei-Qiong Xiang, Chen-Long Dong, Yue Qin, Zhuo-Yue Li, and Yong-Sheng Sun), p. 50
Treatment of Flashing Primary Alarm of Scintillator Radiation Monitoring Device in NPP (Xu-Tao Bai and Ming Chen), p. 63
Research on Cyber Security Standards of Nuclear Power Industry Control System (An-Yi Yang), p. 75
Analysis and Treatment of Accidental Drop of Shutdown Bank (Chao Wang, Wen-Qing Yang, Zheng-Dong Huang, Xiao-Fei Li, Sheng-Xin Yuan, Dong-Liang Liu, Yu Wang, Xiong-Wei Cheng, and Jing Xiao), p. 85
The Software Modeling and Sensitivity Study of Computer Based I&C System in Probabilistic Safety Assessment of Nuclear Power Plant (Chu-Hao Xi, Wei Sun, and Li-Ming Zhang), p. 97
Research on Sensitivity of Axial Inductive Displacement Sensors with Constant Flux for Magnetic Bearings (Chun-Yi Wang, Yang Xu, and Kai Zhang), p. 104
A Primary Review on Team Performance in Automated Systems (Xiao-lu Dong), p. 124
Economic Analysis of PROFIBUS Fieldbus Control System in Conventional Island of Nuclear Power Plant (Xiao-Yu Liu, Sheng-Feng Liu, Xu-Feng Wang, Hai-Ying Fan, and Li-Yong Ren), p. 135
Reliability Analysis of Tripping Solenoid Valve Power System Based on Dynamic Fault Tree and Sequential Monte Carlo (Zhi-Gang Wu, Jun Zhu, and Xian-Bo Yu), p. 148
Troubleshooting of Frequent False Alarms on Low-Low Speed of the Main Pump in Nuclear Power Plants (Hang Liu, Zhao-Peng Liu, and Yang Liu), p. 159
Research on Switch Signal Transmission System Based on Optical Fiber (Mei-Qiong Xiang, Jia-Liang Zhu, Zheng-Xi He, Zhi-Guang Deng, Chen-Long Dong, Zhuo-Yue Li, Yong-Sheng Sun, and Ye-Shun Peng), p. 167
Research on Transient Control Performance Improvement of Complex Control System in Nuclear Power Plant (Zhen-hua Luan, Rui Chen, Dao-guang Liu, Xin-hong Yan, and Jun Liang), p. 181
Analysis of the Influence of Decision Module Performance on Transient Events in Steam Generator Level Control (Dao-Guang Liu, Zhen-Hua Luan, Zi-Rui Fang, Xin-hong Yan, Shuang-Jin Liu, and Liang Jun), p. 190
Research on Fault Diagnosis Method of Bus Type Intelligent Electric Valve in Nuclear Power Plant (Xin-Nian Huang, Ying Meng, Hui Wang, Chang guo-Xu, and Sheng-Feng Liu), p. 201
Discussion of Full Digital I&C System for AP1000 (Jia-Kang Zheng, Zi-Xi Chen, Jing-Bin Liu, and Ning Qiao), p. 208
Discuss on Consistency Evaluation of 1E Cable Accessories Products and Qualification Prototype of Nuclear Power Plant (Jing-Yuan Yang, Shan Jin, Yuan Yao, Yang-Yang Chen, and Tian-Lei Ren), p. 220
Discuss on Application of High Frequency Electro-magnetic Compatibility Test of Digital Instrument and Control Equipment in Nuclear Power Plant (Jing-Bin Liu, Ning Qiao, Zi-Xi Chen, and Jia-Kang Zheng), p. 232
Fault Analysis of Frequency Converter of Main Pump in a Nuclear Power Plant in China (Zi-Xi Chen, Qi Zhang, Jing Kong, Jing-Bin Liu, and Jia-Kang Zheng), p. 239
A Kind of Monitoring System for RGL in Nuclear Power Plant (Liang Li, Zi-Ping Huang, Peng-Bin Duan, Wei-Jie Huang, and Cong Cui), p. 247
Development and Application of Special Tool for Aviation Plug Test of Nuclear Power Plant Core System (Xin-Hong Yan, Jiang-Yong Zhang, Zhi-Yong Xu, Xue-Dong Kang, Zi-Jian Hao, and Hai-Yang Peng), p. 254
Study on Earthquake Ground Motion Parameters of Seismic Instrumentation System for Nuclear Power Plants on Operation in China (Liang Li, Rong Pan, Xiu-Li Du, and Hai-Yan Luan), p. 264
Study on Implementing Supplemental Human-System Interfaces in Highly-Integrated Control Room (Ting Mao, Xiao-Mei Xu, Gang Zhang, Xue-Gang Zhang, Li-Ming Zhang, Yi-Chao Zhou, Bo Cheng, and Jie Zhou), p. 274
Successful Integration of Human Factor into a New NPP Project (De Song-Su), p. 283
Using Confusion Matrix to Substantiate Confusability of Computer Based Procedure System (De-Song Su, Jian-Bo Zhang, and Zhi-Hui Xu), p. 292
Rotor Passing Through Critical Speed with Assistance of Electromagnetic Damper (Xiang-Yu Jia, Yang Xu, Yu-Jie Bai, and Kai Zhang), p. 301
Design of Digital Control Platform for Magnetic Bearings Based on Multi-core Architecture (Jun-Shui Wang, Yang Xu, and Kai Zhang), p. 316
Research on the Critical Concerns of Software V&V for NPP I&C System Important to Safety (Sheng-Chao Wang, Xin Du, Heng Li, and Zhou Xiao), p. 327
Discussion About Software Testing Document of Nuclear (Mi Zhang, Hai-Bin Zhang, Guang-Zhi Sun, Liang Li, Wei-Jie Huang, Dan Liu, Ju-Zhi Wang, and Hai-Feng Liu), p. 336
Calculate Reliability by Fault Tree Method to Optimize the Periodical Test Cycle of Protection System (Ning Qiao and Jin-Bing Liu), p. 350
Design Requirements and Practice of Representative Sampling of Airborne Radioactive Effluents in Nuclear Power Plants (Yu Sun, Jin-Ge Zheng, Lei Li, Long-Qiang Zhang, Hong-Tao Liu, and Dan Xu), p. 360
A Study About Cyber Security Design Basis Threat for Control System in Nuclear Power Plant (Wang Xi, Wei Liu, Wang-Ping Ye, and Hong-Yun Xie), p. 376
Research on Qualification Technology and Qualification System of Safety Grade Optical Fiber Cable in Nuclear Power Plant (Yu-Jun Su, Liang Zhou, and Long-Qiang Zhang), p. 385
Reactor Power Robust Control for a Heat Pipe Cooled Reactor (Song-Mao Pu, Ao-Di Sun, Pei-Wei Sun, and Xin-Yu Wei), p. 399
Research and Treatment of Abnormal Steam Generator Level Control in Transient Test (Peng Liu, Fei Song, Junxia Che, Zhen-Hua Luan, Jian-Feng Qiao, and Shuang-Jin Liu), p. 411
Diagnosis and Research for Losing One RCP Loop During Power Conditions in a GEN-III Nuclear Power Plant (Fei Song, Zhen-Hua Luan, Peng Liu, Hang Liu, and Jian-Feng Qiao), p. 419
Study on Preventing the Reactor Superpower of the Nuclear Power Plant (Yan Liu), p. 429
Identification of Generic Task Types for Nuclear Power Plant Commissioning Tasks (Zhao-Peng Liu, Zi-Jian Yin, Dong-Fang Yang, and Zhi-Zhong Li), p. 436
Research on Intelligent Accident Warning and Simulation for Loss of Coolant Accident in Nuclear Power Plants (Jing-Ke She, Tian-Zi Shi, Yu-qi Tang, and Yi-fan Zhang), p. 451
Discussion on Measurement Method of Rated Response Time of Pressure Transmitter in Nuclear Power Plants (Yang-Yang Chen, Jing-Yuan Yang, and Zhi-Jia Yang), p. 462
Discussion on the Application of Human Factors Engineering for the Local Instrument of NPP (You-Ran Li and De Dong), p. 469
Design of Code Generator for Safety Level I&C Software of NPPs (Jiang Wei, Lan Lin, Yang Bin, and Rong-Bin Hou), p. 479
Nuclear Safety-Class DCS Hardware Logic Implementation Scheme Based on Modularization Design (Yan-Liang Hu, Xu Zhang, and Shi-Yong Chen), p. 490
Application of Optimal Design in Nuclear Safety-Class DCS Design (Xu Zhang, Zhang Yao, Shi-Yong Chen, and Hao Peng), p. 500
Determination of Hardware Logic Drawing Simulation Modeling Criteria and Its Application in Nuclear Safety-Class DCS (Xu Zhang, Shi-Yong Chen, Zhang Yao, and Zhi-Guang Deng), p. 510
Analysis of Temperature Rise for DCS Cabinets During Fire and Smoke (You-You Zhao and Guo-Ming Li), p. 521
Research on Fault Diagnosis Method of Analog Circuits of Important Equipment in Nuclear Power Plant (Chao Zhang, Wang-Ping Ye, Chun-Bing Wang, Li-Ming Zhang, and Xin-Hong Yan), p. 532
Design of Signal Control System for CRDM Microphone in NPP (Qian Wu, Rui-Ping Zhang, and Lin Ye), p. 542
Design and Realization of Time Synchronization System for Nuclear Power Station DCS (Zhang-Xiao Dong), p. 553
Design of Self-diagnosis for Diversity Actuation System Based on FPGA in ACPR1000 Nuclear Power Plant (Ji-Kun Wang, Zhi-Hui Zhang, Gui-Lian Shi, Chang-Yu Mo, Gang Li, and Bin Wu), p. 563
Periodic Test Design of EDG Digitization Protection System in Nuclear Power Plant (Qing-Ming Wang, Chun-Ming Liu, and Chao Gao), p. 572
The Design of Safety DCS Platform Based on FPGA (Yuan Zhang, Wu Sun, Ming-Xiao Wei, and Xiao-Li Huai), p. 580
Research on Common Cause Fault Evaluation Model of RTS Based on β-factor Method (Ying-Jie Lin, Jian-Ming Yang, Ren-Yuan Wang, and Yan-Xiong Yang), p. 590
Research on Testability Analysis Technology of Nuclear Safety Level DCS System Based on Dependence Model (Gui-Lian Shi, Xiao-Jin Huang, and Hu-Jun Jia), p. 600
On Key Technical Issues of Protection System Design (Lan Zhang, Tao Bai, Zhe-Ming Liu, and Qun-Feng Wang), p. 614
Development and Application of Self-diagnosis and Analysis Function of FirmSys (Gui-Lian Shi, Jing-Wei Wang, Zhi-Hui Zhang, Min-Ling Zhang, and Le Li), p. 625
Study for Human Reliability Analysis on Emergency Feedwater Injection Under Severe Accident in Nuclear Power Plant (Zhi-Hui Xu, De-Song Su, Zhao-Peng Liu, and Hua-Qing Peng), p. 650
Evaluation Method for Heavy-Duty Gas Turbine Overspeed Analysis (Wen-Jie Wu, Hua-Zhang, and He-Ming Bao), p. 666
Author Index, p. 679
Two-Warehouse Inventory Models: Considering Lead Time and Continuous Review
Qiang Zhang, Yong Wang (corresponding author), Rong Guo, and Jing Ye
Shanghai Power Equipment Research Institute Co., Ltd., Shanghai 200240, China
[email protected]
Abstract. This paper concerns lead time in a two-warehouse, continuous-review inventory system. Taking the total cost per unit time as the objective function, a model with constant lead time is established and then extended to continuous stochastic and discrete stochastic lead time. Algorithms for finding the optimal solution are provided, and the existence of a global optimum is confirmed by proving the convexity of the objective function. Finally, two typical numerical examples from a nuclear power plant are presented; the results show that the total cost per unit time at the optimal point is reduced by about 60%.
Keywords: Lead time · Two-warehouse model · Continuous review · Convexity · Genetic algorithm
1 Introduction

Lead time is one of the major factors in an inventory system [1–4], and inventory models that take it into account have attracted growing attention in recent years. Such models apply to goods ordering in supermarkets, blood banks, foodstuffs, nuclear power plants, etc., yet most models either neglect lead time or assume it is constant [5].

This paper concentrates on the two-warehouse inventory model developed by Sarma [6]. In his model two different warehouses, an owned warehouse (OW) and a rented warehouse (RW), are available, and the RW is generally assumed to charge a higher holding cost than the OW. In his paper the cycle length is fixed and the OW is used to its full capacity, which is too restrictive. Lakdere Benkherouf developed the model further ten years later [7]: he relaxed the assumptions of a fixed cycle length and a known quantity stocked in the OW, and found the optimal schedule that minimizes the total cost per unit time in a cycle. This applies to food products that undergo some kind of fermentation during storage; however, the order lead time is neglected in his model. S. Kar established a two-storage inventory model with time-dependent demand and a fixed time horizon [8], solving the problem with a gradient-based mathematical program. The methodology of model development and solution is quite general and can be applied to inventory models of any product whose production is periodic and whose demand increases linearly with time, but in his model the lead time is constant and shortage is not allowed. A new two-warehouse model considering incremental quantity discount and time-varying demand was proposed by Yang Shan-lin [9]; for items whose demand rate changes over time, it extends the two-warehouse system by incorporating incremental quantity discounts, but lead time is not discussed. Sheng Zhong discussed the high-cost, low-efficiency spare-part pooling management mode found in many enterprises such as nuclear plants and manufacturing [10]; it is assumed that each player faces a Poisson demand process and that the stock point operates under a continuous-review policy, and a cost allocation policy is proposed under this condition.

In this paper, attention is placed on lead time and continuous review. Lead time is becoming more important with the shortage of global resources (oil, coal, natural gas, etc.), and with the development of computer science the ERP system is widely used, which makes continuous review of the inventory easy to do. The next section presents mathematical models of an inventory system with two warehouses and shows how the optimal reorder point can be found when lead time and continuous review are considered. The last section contains numerical examples and a conclusion.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 1–13, 2022. https://doi.org/10.1007/978-981-19-1181-1_1
2 Notations and Assumptions

To develop the proposed model, the following notation (Fig. 1) and assumptions are used.

[Fig. 1. Curve of time and quantity of the inventory: inventory level q against time t, showing the capacities Q and Q0, the reorder point L, the RW and OW regions, the lead time X and the cycle length T.]

Q0: maximal capacity of the OW.
Q: maximal capacity of the OW and RW together, so the maximal capacity of the RW is Q − Q0.
q: current quantity in the OW and RW.
r: average demand per unit time.
c1: fixed ordering cost per order.
c2: inventory holding cost per item per unit time in the OW.
c3: inventory holding cost per item per unit time in the RW, with c2 < c3.
c4: shortage cost per item per unit time. The model requires c2 < c3 < c4; otherwise the problem is of no interest.
C1: fixed ordering cost per cycle.
C2: total inventory holding cost per cycle in the OW.
C3: total inventory holding cost per cycle in the RW.
C4: total shortage cost per cycle.
X: lead time, the interval between placement of an order and arrival of the goods at the warehouse (short for order lead time).
L: reorder point; under continuous review, the order is placed as soon as q ≤ L.
T: cycle length, the interval between two adjacent arrivals of goods at the warehouse:

$$T = \frac{Q - L}{r} + X \qquad (1)$$

W: total cost per cycle, comprising the ordering cost, the holding cost in the OW and RW, and the shortage cost:

$$W = c_1 + C_2 + C_3 + C_4 \qquad (2)$$

C: total cost per unit time:

$$C = \frac{W}{T} \qquad (3)$$

Besides, the following assumptions are made:
1. Selling sequence: the goods in the RW are sold first, then the goods in the OW.
2. The replenishment rate is infinite at every arrival of goods, so the replenishment time is neglected. After every replenishment the two warehouses are assumed to be at full capacity, i.e. q = Q.
3. There is only one order per cycle.
3 Mathematical Formulation

The objective is to minimize the total expected cost per unit time, which consists of ordering cost, holding cost and shortage cost, subject to a set of constraints. The reorder point L is the decision variable, and the goal is to find its optimal value.

3.1 Model with Constant Lead Time

Assume that the lead time X is constant. Comparing the total demand per cycle, rT, with the warehouse capacities, three cases are investigated.

Case 1. Goods are still left in the RW at the end of the cycle (Fig. 2), i.e. rT < Q − Q0, equivalently L > Q0 + Xr.

[Fig. 2. Case in which goods are still left in the RW at the end of the cycle.]

The costs are C1 = c1, C2 = c2 Q0 T and $C_3 = c_3 \int_0^T (Q - Q_0 - rt)\,dt$. Hence the total cost per cycle is

$$W = c_1 + c_2 Q_0 T + c_3 \int_0^T (Q - Q_0 - rt)\,dt \qquad (4)$$
Case 2. The goods in the RW are sold out and goods are left in the OW at the end of the cycle (Fig. 3), i.e. Q − Q0 ≤ rT ≤ Q, equivalently Xr ≤ L ≤ Q0 + Xr.

[Fig. 3. Case in which the goods in the RW are sold out and goods are left in the OW at the end of the cycle.]

The costs are

$$C_1 = c_1,\qquad C_2 = c_2 Q_0 \frac{Q - Q_0}{r} + c_2 \int_{(Q-Q_0)/r}^{T} (Q - rt)\,dt,\qquad C_3 = c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt.$$

Hence the total cost per cycle is

$$W = c_1 + c_2 Q_0 \frac{Q - Q_0}{r} + c_2 \int_{(Q-Q_0)/r}^{T} (Q - rt)\,dt + c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt \qquad (5)$$
Case 3. A shortage of goods appears at the end of the cycle (Fig. 4), i.e. rT > Q, equivalently L < Xr.

[Fig. 4. Case in which a shortage of goods appears at the end of the cycle.]

The costs are

$$C_1 = c_1,\qquad C_2 = c_2 Q_0 \frac{Q - Q_0}{r} + c_2 \int_{(Q-Q_0)/r}^{Q/r} (Q - rt)\,dt,$$

$$C_3 = c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt,\qquad C_4 = c_4 \int_{Q/r}^{T} (rt - Q)\,dt.$$

Hence the total cost per cycle is

$$W = c_1 + c_2 Q_0 \frac{Q - Q_0}{r} + c_2 \int_{(Q-Q_0)/r}^{Q/r} (Q - rt)\,dt + c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt + c_4 \int_{Q/r}^{T} (rt - Q)\,dt \qquad (6)$$
From the analysis of the three cases above and the expressions (4), (5) and (6), the cost per cycle as a function of L is

$$W(L) = \begin{cases} c_1 + c_2 Q_0 T + c_3 \int_0^T (Q - Q_0 - rt)\,dt, & L > Q_0 + Xr \\[6pt] c_1 + c_2 Q_0 \frac{Q - Q_0}{r} + c_2 \int_{(Q-Q_0)/r}^{T} (Q - rt)\,dt + c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt, & Xr \le L \le Q_0 + Xr \\[6pt] c_1 + c_2 Q_0 \frac{Q - Q_0}{r} + c_3 \int_0^{(Q-Q_0)/r} (Q - Q_0 - rt)\,dt + c_2 \int_{(Q-Q_0)/r}^{Q/r} (Q - rt)\,dt + c_4 \int_{Q/r}^{T} (rt - Q)\,dt, & L < Xr \end{cases} \qquad (7)$$

or, in a single expression,

$$\begin{aligned} W(L) = {} & c_1 + c_3 \int_0^{\min(T,\, \frac{Q-Q_0}{r})} (Q - Q_0 - rt)\,dt + c_2 Q_0 \min\!\left(T, \frac{Q - Q_0}{r}\right) \\ & + c_2 \int_{\min(T,\, \frac{Q-Q_0}{r})}^{\min(T,\, \frac{Q}{r})} (Q - rt)\,dt + c_4 \int_{\min(T,\, \frac{Q}{r})}^{T} (rt - Q)\,dt \end{aligned} \qquad (8)$$

Thus the model for the problem with constant lead time is

$$\min_{L} C(L) = \frac{W(L)}{T(L)} \qquad \text{s.t. } L < Q \qquad (9)$$
Proposition 1. The optimal reorder point L* exists only in Case 3, where rT > Q, i.e. L < Xr.

Proof. In each of the three cases above, set the first derivative of the objective function to zero.

Case 1. When rT < Q − Q0, i.e. L > Q0 + Xr, the solutions of dC(L)/dL = 0 are

$$L^* = Q + rX \pm \frac{\sqrt{-2 c_1 c_3 r}}{c_3} \qquad (10)$$

Both solutions are complex (not real), because −2c1c3r < 0.

Case 2. When Q − Q0 ≤ rT ≤ Q, i.e. Xr ≤ L ≤ Q0 + Xr, the solutions of dC(L)/dL = 0 are

$$L^* = Q + rX \pm \frac{\sqrt{c_2\left[(c_2 - c_3)(Q - Q_0)^2 - 2 c_1 r\right]}}{c_2} \qquad (11)$$

Both solutions are again complex, because c2[(c2 − c3)(Q − Q0)² − 2c1r] < 0 when c2 < c3.
Case 3. When rT > Q, i.e. L < Xr, the roots of dC(L)/dL = 0 are

$$L^* = Q + rX \pm \frac{\sqrt{c_4\left[c_4 Q^2 + 2 c_1 r + 2 c_2 Q_0 Q + c_3 Q^2 - 2 c_3 Q_0 Q + c_3 Q_0^2 - c_2 Q_0^2\right]}}{c_4} \qquad (12)$$

The radicand is analyzed as follows:

$$\begin{aligned} & c_4\left[c_4 Q^2 + 2 c_1 r + 2 c_2 Q_0 Q + c_3 Q^2 - 2 c_3 Q_0 Q + c_3 Q_0^2 - c_2 Q_0^2\right] \\ &= c_4\left[c_4 Q^2 + 2 c_1 r + c_3 Q^2 - 2 (c_3 - c_2) Q_0 Q + (c_3 - c_2) Q_0^2\right] \\ &> c_4\left[c_4 Q^2 + (c_3 - c_2) Q^2 - 2 (c_3 - c_2) Q_0 Q + (c_3 - c_2) Q_0^2\right] \\ &= c_4\left[c_4 Q^2 + (c_3 - c_2)(Q - Q_0)^2\right] > 0 \end{aligned} \qquad (13)$$

Since L* < Q, the only admissible root is

$$L^* = Q + rX - \frac{\sqrt{c_4\left[c_4 Q^2 + 2 c_1 r + 2 c_2 Q_0 Q + c_3 Q^2 - 2 c_3 Q_0 Q + c_3 Q_0^2 - c_2 Q_0^2\right]}}{c_4} \qquad (14)$$

From the analysis above it follows that the optimal reorder point L* exists only in Case 3, where rT > Q, i.e. L < Xr. The proof is over.

Proposition 2. The objective function C(L) is convex.

Proof. As in the proof of Proposition 1, three cases are discussed.

Case 1. When rT < Q − Q0, i.e. L > Q0 + Xr, the second derivative of the objective function C(L) is

$$\frac{d^2 C(L)}{dL^2} = \frac{2 c_1 r}{T^3} > 0 \qquad (15)$$

Case 2. When Q − Q0 ≤ rT ≤ Q, i.e. Xr ≤ L ≤ Q0 + Xr, the second derivative of C(L) is

$$\frac{d^2 C(L)}{dL^2} = \frac{(c_3 - c_2)(Q - Q_0)^2 + 2 c_1 r}{T^3} > 0 \qquad (16)$$

Case 3. When rT > Q, i.e. L < Xr,
the second derivative of C(L) is

$$\begin{aligned} \frac{d^2 C(L)}{dL^2} &= \frac{c_4 Q^2 + 2 c_1 r + 2 c_2 Q_0 Q + c_3 Q^2 - 2 c_3 Q_0 Q + c_3 Q_0^2 - c_2 Q_0^2}{T^3} \\ &= \frac{c_4 Q^2 + 2 c_1 r + c_3 Q^2 - 2 (c_3 - c_2) Q_0 Q + (c_3 - c_2) Q_0^2}{T^3} \\ &> \frac{c_4 Q^2 + (c_3 - c_2) Q^2 - 2 (c_3 - c_2) Q_0 Q + (c_3 - c_2) Q_0^2}{T^3} \\ &= \frac{c_4 Q^2 + (c_3 - c_2)(Q - Q_0)^2}{T^3} > 0 \end{aligned} \qquad (17)$$

Summarizing the analysis above, for all L < Q,

$$\frac{d^2 C(L)}{dL^2} > 0 \qquad (18)$$

Hence C(L) is convex. The proof is over.

3.2

From Proposition 1 and Proposition 2 it follows that

$$L^* = Q + rX - \frac{\sqrt{c_4\left[c_4 Q^2 + 2 c_1 r + 2 c_2 Q_0 Q + c_3 Q^2 - 2 c_3 Q_0 Q + c_3 Q_0^2 - c_2 Q_0^2\right]}}{c_4} \qquad (19)$$

is the global minimum of C(L) (Fig. 5), and it exists only where L < Xr.

[Fig. 5. The convexity of C(L): C(L) plotted against L, with its minimum at L*.]
Two-Warehouse Inventory Models
9
3.3 Model with Continuous Stochastic Lead Time
In this subsection, it is assumed that the lead time X ∼ ϕX(x), where ϕX(x) is the probability density function. The model for the problem with continuous stochastic lead time becomes

$$\min E[C(L, X)] = \int_0^{\infty} \frac{W(L, x)}{T(L, x)}\,\phi_X(x)\,dx \tag{20}$$
$$\text{s.t.}\quad L < Q$$

where the lead time X ∼ ϕX(x).

Proposition 3. The function E[C(L, X)] is a convex function of the decision variable L.

Proof. From Proposition 2, C(L, x) is a convex function of the decision variable L. For all L1, L2 ∈ (−∞, Q) and all λ ∈ [0, 1], λL1 + (1 − λ)L2 ∈ (−∞, Q). According to the definition of a convex function, it can be concluded:

$$C(\lambda L_1 + (1-\lambda)L_2, x) \le \lambda C(L_1, x) + (1-\lambda) C(L_2, x) \tag{21}$$

According to the definition of expected value, the following inequality holds:

$$E[C(\lambda L_1 + (1-\lambda)L_2, x)] \le \lambda E[C(L_1, x)] + (1-\lambda) E[C(L_2, x)] \tag{22}$$

Hence, E[C(L, X)] is a convex function of the decision variable L (Fig. 6).

Fig. 6. The convexity of E(C(L, X))
The proof is complete. From the proof above, it can be concluded that a global minimum certainly exists. Applying GA (Genetic Algorithm) and ANN (Artificial Neural Network) to the problem, the minimization of the expected cost function can be achieved. The details of the hybrid intelligent algorithm are as follows:

Step 1. Generate a series of random numbers x based on the distribution of X, X ∼ ϕX(x).
Step 2. Generate the input data and output data using the model as follows:

$$L \rightarrow E[C(L, X)] \rightarrow v \tag{23}$$

where v is the value of the objective function E[C(L, X)].
Step 3. Use the samples (L, v) to train a neural network in order to approximate the uncertain objective function.
Step 4. Generate pop_size chromosomes and test their feasibility using the neural network.
Step 5. Apply crossover and mutation operations to the chromosomes, and test the feasibility of the offspring using the neural network.
Step 6. Calculate the objective function value of all chromosomes using the neural network.
Step 7. Calculate the fitness value of all chromosomes according to the objective function value obtained from the ANN.
Step 8. Select chromosomes using the Monte Carlo method.
Step 9. Repeat steps 4 to 7 for a given number of times.
Step 10. Take the best chromosome as the optimal solution.

3.4 Model With Discrete Stochastic Lead Time
In this subsection, it is assumed that the lead time X ∼ PX(x), so the function of total cost per unit time, that is C(L, x), is also discrete stochastic. The model with discrete stochastic lead time becomes

$$\min E[C(L, X)] = \sum_{k=0}^{\infty} \frac{W(L, x_k)}{T(L, x_k)}\,P_X(x_k) \tag{24}$$
$$\text{s.t.}\quad L < Q$$

The optimal solution can be obtained by the following algorithm:

Step 1. Obtain the statistics PX(x0), PX(x1), ..., PX(xk), ..., PX(xN), where x_{k−1} < x_k and $\sum_{k=0}^{N} P_X(x_k) = 1$.
Step 2. The objective function is $f(L) = \sum_{k=0}^{N} \frac{W(L, x_k)}{T(L, x_k)}\,P_X(x_k)$, where N is finite.
Step 3. Discretize the variable L with a fixed step length, choosing L0, L1, ..., Li, ..., LM ∈ [0, Q], where M depends on the required precision and L_{i−1} < L_i.
Step 4. Calculate f(L0), f(L1), ..., f(Li), ..., f(LM).
Step 5. Find the point L∗ for which f(L∗) < f(L∗ − 1) and f(L∗) < f(L∗ + 1).
4 Numerical Examples
In order to illustrate the above solution procedure, an inventory system with two real examples is discussed as follows:

Example 1. Data for a kind of boxed goods, such as spare parts and solid dosage, in a nuclear power plant:
r = 12 boxes consumed per day; c1 = 10 kilo-yuan; c2 = 0.01 kilo-yuan per box per day; c3 = 0.02 kilo-yuan per box per day; c4 = 0.95 kilo-yuan per box per day; Q0 = 40 boxes; Q = 60 boxes; X ∼ N(3, 1).
In order to solve the problem, random numbers (subject to N(3, 1)) were first generated so that a training sample containing input data and output data from the uncertain model was available; the sample was then used to train an ANN (one input unit, five hidden units, one output unit) to approximate the uncertain model. Finally, the global optimal solution for the problem was found: L∗ = 36.2445.

Example 2. Data for a kind of liquid, such as lube oil and water treatment chemicals, in a nuclear power plant:
r = 15 bottles consumed per day; c1 = 10 kilo-yuan; c2 = 0.03 kilo-yuan per bottle per day; c3 = 0.04 kilo-yuan per bottle per day; c4 = 1.50 kilo-yuan per bottle per day; Q0 = 40 bottles; Q = 60 bottles; X = {4 2 3 3 2 2 2 2 2 2 2 2 3 2 1 2 4 3 2 3 2 2 4 2 3 4 3 3 2 3 2 3 2 2 1 3 2 5 3 2 4 2 2}.
In order to solve the problem, the probability distribution of the lead time X was first calculated (Table 1).

Table 1. Probability distribution of lead time X
X        1        2        3        4        5
p(Xk)    0.0465   0.5349   0.2791   0.1163   0.0233

Then refer to the algorithm in Sect. 3.3. When x varies from 0 to 60, the curve is convex (Fig. 7), so the only global optimal solution is L∗ = 42. Compared to the situation L = 0, the total cost per unit time at the optimal point is drastically reduced, by about 60%.
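The five-step procedure of Sect. 3.4, run on the lead-time observations of Example 2, as an added example that is not part of the paper: it reproduces Table 1 from the raw sample (Step 1) and performs the grid search of Steps 3 to 5. The paper's cost ratio W(L, x)/T(L, x) is defined earlier in the paper and is not reproduced here, so `stand_in_cost` is a hypothetical convex function that only exercises the search; the one-day grid step and the function names are likewise choices made for this example.

```python
from collections import Counter

# The 43 lead-time observations of Example 2 (taken from the paper's data).
LEAD_TIME_SAMPLE = [4, 2, 3, 3, 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, 1, 2, 4, 3, 2, 3, 2, 2,
                    4, 2, 3, 4, 3, 3, 2, 3, 2, 3, 2, 2, 1, 3, 2, 5, 3, 2, 4, 2, 2]


def empirical_pmf(sample):
    """Step 1: P_X(x_k) as relative frequencies, keyed so that x_{k-1} < x_k."""
    counts = Counter(sample)
    n = len(sample)
    return {x: counts[x] / n for x in sorted(counts)}


def stand_in_cost(L, x, r=15, c1=10.0, c2=0.03):
    """Hypothetical cost per unit time for a lead-time decision L and a realised
    lead time x. It stands in for the paper's W(L, x) / T(L, x), which is not
    reproduced here: a fixed cost c1 plus a quadratic penalty for L deviating
    from the demand consumed during the lead time, r * x. Chosen only because
    it is convex in L with an interior minimum."""
    return c1 + c2 * (L - r * x) ** 2


def expected_cost(L, pmf, cost):
    """Step 2: f(L) = sum_k cost(L, x_k) * P_X(x_k) over the finite support."""
    return sum(cost(L, x) * p for x, p in pmf.items())


def grid_search(pmf, cost, Q, step=1.0):
    """Steps 3-5: evaluate f on the grid L_0 < L_1 < ... < L_M in [0, Q] and
    return (L*, f(L*)) for the grid point that lies below both neighbours.
    f is a weighted sum of convex functions and so convex, hence the first
    such point is the grid minimum; if none exists the minimum is at an end."""
    grid = [i * step for i in range(int(Q / step) + 1)]
    values = [expected_cost(L, pmf, cost) for L in grid]
    for i in range(1, len(grid) - 1):
        if values[i] < values[i - 1] and values[i] < values[i + 1]:
            return grid[i], values[i]
    i = min(range(len(grid)), key=values.__getitem__)
    return grid[i], values[i]


if __name__ == "__main__":
    pmf = empirical_pmf(LEAD_TIME_SAMPLE)
    for x, p in pmf.items():
        print(f"P_X({x}) = {p:.4f}")          # reproduces the rows of Table 1
    L_star, f_star = grid_search(pmf, stand_in_cost, Q=60)
    print(f"L* = {L_star}, f(L*) = {f_star:.4f}")
```

The relative frequencies match Table 1 to four decimals; with the stand-in cost the search stops at the grid point nearest r·E[X], which is the behaviour Step 5 relies on (a convex f has exactly one grid point below both of its neighbours).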
Fig. 7. The convexity of the objective function with discrete stochastic lead time (x-axis: lead time; y-axis: the value of the objective function)
5 Conclusion
This paper placed emphasis on the lead time of the two-warehouse inventory system with continuous review, which is also the main feature of the paper. Three models were discussed based on different lead times (fixed, continuous stochastic, discrete stochastic). The presented models are applicable to power plants, supermarkets, etc.; they are sufficiently accurate representations of some actual inventory situations that they are frequently useful in practice. However, more complex models should be developed in an attempt to fit real situations, since there is still a gap between practice and theory. The models in this paper should also be developed further; for example, one could extend the model by incorporating more realistic situations, such as multiple items and the transportation cost of transferring items from the RW to the OW.
References
1. Bookbinder, J.H., Cakanyildirim, M.: Random lead times and expedited orders in (Q, r) inventory systems. Eur. J. Oper. Res. 115, 300–313 (1999)
2. Cakanyildirim, M., Bookbinder, J.H., Gerchak, Y.: Continuous review inventory models where random lead time depends on lot size and reserved capacity. Int. J. Prod. Econ. 68, 217–228 (2000)
3. Pan, J.C.-H., Hsiao, Y.-C.: Integrated inventory models with controllable lead time and backorder discount considerations. Int. J. Prod. Econ. 93–94, 387–397 (2005)
4. Chu, P., Yang, K.-L., Chen, P.S.: Improved inventory models with service level and lead time. Comput. Oper. Res. 32, 285–296 (2005)
5. Hariga, M., Ben-Daya, M.: Some stochastic inventory models with deterministic variable lead time. Eur. J. Oper. Res. 113, 42–51 (1999)
6. Sarma, K.V.S.: A deterministic order level inventory model for deteriorating items with two storage facilities. Eur. J. Oper. Res. 29, 70–73 (1987)
7. Benkherouf, L.: A deterministic order level inventory model for deteriorating items with two storage facilities. Int. J. Prod. Econ. 48, 157–175 (1997)
8. Kar, S., Bhunia, A.K., Maiti, M.: Deterministic inventory model with two levels of storage, a linear trend in demand and a fixed time horizon. Comput. Oper. Res. 28, 1315–1331 (2001)
9. Yang, S.-l., Zhou, Y.-w.: Two warehouse inventory model: considering time varying demand and price discounts
10. Zhong, S., Yuan, S., Huang, W.: Research on the joint inventory of repairable spare parts. In: Proceedings of the 2017 4th International Conference on Machinery, Materials and Computer (MACMC 2017). Atlantis Press, Paris (2018). https://doi.org/10.2991/macmc-17.2018.75
Cause Analysis and Improvement of Abnormal Triggering Event in Radiation Monitoring Channel of NPP Xu-Tao Bai(B) , Dan-Dan Sun, and Hai-Rong Lu Suzhou Nuclear Power Research Institute, Suzhou 215004, Jiangsu, China [email protected]
Abstract. This paper introduces the principle and network structure of the monitoring channel in the reactor pool of a nuclear power plant radiation monitoring system in China, and expounds in detail the process of abnormal triggering of the radiation monitoring channel in the nuclear island during the overhaul and the temporary treatment measures. From the channel principle, network topology and other aspects, the possible causes of the fault are analyzed. Through the analysis of the waveform of the communication message and the connection mode of the communication line during the fault, the root cause of the fault is determined. According to the structure characteristics of the communication circuit in the reactor, the communication link of the monitoring channel is modified, which fundamentally solves the problem of channel abnormal triggering. Keywords: Radiation monitoring · Abnormal triggering event · Cause analysis
1 Introduction
The nuclear power plant radiation monitoring system (KRT) is directly related to the operating conditions of the power plant. It is used to monitor the process, effluent and workplace radiation of the nuclear power plant, to ensure the safe operation of the plant and to protect the health of workers and the surrounding population. The system is mainly composed of data acquisition equipment (DAS), excitation boxes, power distribution boxes and monitoring channels. There are 80 monitoring channels in the KRT system (units 1, 2 and 9) of a nuclear power plant, including 76 fixed monitoring channels. After each channel completes data acquisition, the data is uploaded to the DCS. The system mainly includes the following equipment: channel detectors, local processing display units, data acquisition cabinets, power supply boxes, etc. The detector and the local processing display unit constitute a monitoring channel. Multiple channels upload their data to the data acquisition cabinet, which then transfers the data to the DCS.
2 Channel Introduction
The main function of the KRT011MA (installed beside the reactor pool) and KRT012MA (installed on the reactor pool refueling machine) channels is to measure the gamma dose rate on the surface of the reactor pool during the unit overhaul. When the primary circuit is opened, an alarm is triggered and the isolation valves of the containment ventilation system (EBA) are closed when the detected release of radioactive material exceeds the limit. When one of the two channels is unavailable, the protection of personnel in the containment and the containment shielding are still guaranteed against the release of radioactive material (gas emission from fuel pellets). If both channels are unavailable at the same time, it is forbidden to perform high-risk work such as opening the pressure vessel top cover or the upper components, which may release radioactive gas. Meanwhile, it is forbidden to perform fuel-related operations (continuous release of gas from damaged fuel), to avoid an accidental release of inert gas that may affect the radiation protection safety of personnel in the containment and the shielding in the reactor [1].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 14–24, 2022. https://doi.org/10.1007/978-981-19-1181-1_2
3 Fault Process
On 2018-02-17, a nuclear power plant unit was in overhaul RCS mode. At 2018-02-17T10:45, the main control room received KRT system alarms: KRT013KA (monitoring channel fault alarm 3), KRT012KA (monitoring channel fault alarm 2), KRT063KA (reactor loading and unloading crane gamma dose rate level 2 alarm) and KRT023KA (unit 1E train A partial channel group level 1 alarm). According to the alarm card, the operator found a KRT012MA fault, which caused the EBA001/013/015VA isolation valves to close automatically. It was found that the communication load of the local processing display unit (LPDU) of KRT012MA had suddenly increased to 100%, which frequently triggered an LPDU channel fault and made the LPDU restart automatically. KRT012MA triggered a secondary threshold alarm, which led to the EBA isolation valves closing automatically. After treatment by maintenance personnel, the channel returned to normal. At 2018-02-18T08:44, after 14 h of normal operation of KRT012MA, the communication load of the KRT011MA and KRT012MA channels reached 100% at the same time, resulting in the restart of both channels and the automatic closure of EBA001/013/015VA again.
4 Treatment Process
According to the failure of KRT012MA on 2018-02-17, the maintenance personnel judged that there were two possible reasons:
(1) A failure of the LPDU in the channel led to the increase of communication load.
(2) The communication link was disturbed by external interference.
In view of the above possible reasons, the following measures were taken:
(1) Replacing the LPDU with a new one; the fault still existed.
(2) Removing KRT023MA, changing the network structure and relieving the network load.
(3) Adding a terminal resistor to eliminate line interference. Then the KRT012MA communication returned to normal and the communication load returned to its normal level [2].
On 2018-02-18, KRT011MA and KRT012MA sent out fault alarm signals, and the instrumentation and control personnel carried out the following checks:
(1) Checking KRT011MA, they found that the communication cable in the junction box was exposed and touched the terminal because of the force on the plug. After repackaging KRT011MA, it returned to normal.
(2) Disconnecting the KRT011MA communication cable and sending the analog value of the KRT011MA measurement to the main control display via the DCS standby channel through hard wiring.
(3) Checking KRT012MA, they found that the interference increased after the operation of the refueling machine; the terminal resistor effectively suppressed the interference, and the wiring of the disturbed communication link was disconnected.
(4) Removing the local cable shield grounding to ensure single-ended grounding at the remote end.
Then the KRT011MA and KRT012MA channels returned to normal, and there was no load rise until unloading was finished. After unloading, the faults of KRT011MA and KRT012MA were handled and the faulty cable was replaced. Considering that the cable fault might affect loading, the TCA method was adopted to lay a temporary cable to send the measured values of KRT011MA and KRT012MA to the main control display through hard wiring, so as to ensure the availability of KRT011MA and KRT012MA during loading [3].
5 Cause Analysis
5.1 Channel Composition and Principle
The KRT011MA and KRT012MA channels are mainly composed of a semiconductor detector, a local process display unit (LPDU), an excitation box (EJB) and other parts. The ionization chamber detector is installed beside and on the wall of the RX and KX plant refueling pools to monitor the gamma radioactivity at the water surface of the RX and KX pools. The specific structure is shown in Fig. 1. The KRT011MA and KRT012MA channels are mainly used to detect an abnormal increase of dose rate caused by a fuel damage accident; to control and close the relevant valves of the containment ventilation system (EBA) and the nuclear island drainage and exhaust system (RPE) at the time of the secondary alarm; and to detect a sudden rise of dose rate around the refueling pool due to a fuel handling accident that exceeds the threshold alarm value, automatically transferring the fuel building ventilation system to the iodine filter branch. A semiconductor detector uses semiconductor material as the detection medium, which is divided into P-type and N-type semiconductors according to the doping. For example, silicon or germanium doped with boron is P-type, while silicon or germanium doped with phosphorus is N-type. The sensitive volume of a semiconductor detector is called the depletion layer [4]. When incident particles enter the depletion layer, the electron-hole pairs generated by ionization move to the two electrodes under the action of the electric field and are collected by the electrodes to generate pulse signals, which are then processed to achieve radiation detection.

Fig. 1. Structure of KRT011MA/012MA channel

The LPDU is responsible for signal processing and communication transmission. Its main functions include: coupling the detector; real-time counting; using the specified algorithm to generate the unit needed for measurement; processing three kinds of relay signals and two kinds of analog output signals; recording events (including faults, alarms, commands, parameter modifications, power failures, etc.); keeping the average value of each measurement; saving the acquired real-time measurement values; channel selection and acquisition time selection, while ensuring three switching output functions; and analog input/output functions. Each monitoring channel of the KRT system is connected to two RS485 bus communication links, which send the measured value and alarm information to the KRT servers of unit 1 and unit 2 respectively. The structure of these two RS485 bus links is parallel and redundant. KRT011/012MA are channels on the KRT GROUP 13 link, together with the KRT032/033/034/330/022/023MA channels. The specific link is shown in Fig. 2. The whole link forms a bus-type communication link. Two independent bus links send data to the KRT servers of unit 1 and unit 2 respectively.
Fig. 2. Schematic diagram of KRT system GROUP 13 link structure
5.2 Cause Analysis
From the fault phenomenon and its handling, it can be judged that the direct cause of the fault was that the communication link was disturbed by external interference, resulting in an excessively high link communication load. Therefore, the communication protocol, network topology and hardware connection form of the monitoring channel were analyzed.

Communication Protocol
RS485 is a serial communication mode widely used in industry as a means of data exchange. The data signal adopts differential transmission, so it has strong anti-interference ability. It uses a pair of twisted wires, one of which is defined as A and the other as B. Usually, the RS485 signal is decomposed into two positive and negative symmetrical lines (the A and B signal lines) before it is sent out. When it reaches the receiving end, the two signals are subtracted and the original signal is restored. A positive level between transmitter drivers A and B of +2 ~ +6 V is a "1"; a negative level between A and B of −2 ~ −6 V is a "0". The receiver and the transmitter are connected by a balanced twisted pair. The driving capacity of the transmitter, the line loss and the node load all affect the actual voltage value at the receiver. Therefore, when the level between A and B is greater than +200 mV, the receiver outputs a positive logic level; when it is less than −200 mV, the receiver outputs a negative logic level. The KRT server requests the data of the local LPDUs every 10 s: it sends the request message onto the bus, and the corresponding LPDU responds. The normal communication message waveform is shown in Fig. 3. From the waveform, it can be seen that the high and low levels are clear, the A and B lines move consistently, and the noise is small.
Fig. 3. Normal communication message waveform
Due to factors of design, construction and environment, communication instability exists in the use of the RS485 bus. The main factors that usually lead to RS485 network failure are line reflection, an unreasonable network topology, and common-mode/differential-mode interference. All channels of the KRT system use the RS485 bus to send measured values and alarm information to the KRT server. All LPDUs produced by MGP have a load judgment mechanism: these channels generate a fault alarm, or even reset automatically, when the load is high. The RS485 bus link of the whole KRT system is a shielded twisted pair cable with a cross-sectional area of 1 mm², but KRT012MA is installed on the loader. Because the cable needs to move with the loader, the manufacturer of the nuclear fuel handling and storage system (PMC) used a shielded twisted pair cable with a cross-sectional area of 0.25 mm², which is the fault point of this incident. For other units, which have the same structure, if this section of PMC cable is damaged there is also the possibility that the KRT011/012MA load will rise rapidly. For other KRT channels, because the cables run in cable trays, the cables will not be damaged unless by external force and are not easily disturbed, so the probability of a rapid load rise in other KRT channels is small.

Connection Form of Communication Cable
A twisted pair is made up of a pair of insulated metal wires. The radio wave radiated by each wire during transmission is offset by the radio wave emitted by the other wire, which effectively reduces the degree of signal interference. The PMCM001 cable is a 16-core 0.25 mm² cable with 8 twisted pairs. In accordance with ISO/IEC 8482:1993 (the standard for multi-point interconnection of twisted pair wires for remote communication and information exchange between information technology systems), the positive and negative lines of an RS485 communication link should correspond to one twisted pair. However, the field inspection found that the positive and negative lines of the RS485 communication link did not correspond to one twisted pair (as shown in Fig. 4), so differential-mode interference could not be eliminated. At the same time, different twisted pairs cannot be completely consistent because of their twisted paths, so common-mode interference could not be eliminated either, and the RS485 differential circuit could not cancel it.
a) Before treatment
b) After treatment
Fig. 4. Comparison of twisted pair wiring before and after KRT012MA fault treatment
Signal Cable Shielding
The signal cable of KRT on the PMC is a 16-core cable of 0.25 mm². Inspection showed obvious interference on one twisted pair in the PMC cable: the signal interference reached 500 mV, while the interference on the other cores was 200 mV, as shown in Fig. 5.
Fig. 5. Signal waveform comparison between normal cable and fault cable
When there is welding near the PMC or the PMC operates, the interference on this section of twisted pair increases significantly and can reach ±1–1.5 V, which causes the load of the KRT011/012MA LPDU to increase rapidly after receiving the abnormal signal, causing the LPDU to restart. Testing showed that the interference in the abnormal twisted pair was obviously greater than in the normal cable and its amplitude larger; especially when there was external interference, it completely submerged the original signal, as shown in Fig. 6.
Fig. 6. Waveform of faulty cable during PMC operation
In view of the fact that PMCM001 was used for the Modbus communication protocol, its baud rate was 38400 bit/s. According to the recorded signal waveform, it was finally determined that the characteristics of PMCM001 had degraded, which allowed interference to enter the link.

Signal Interference
Among the 16 cores of the PMCM001 cable, 6 cores carry three pairs of switch alarm signals and 8 cores carry RS485 communication signals. Testing showed that the switching signals caused some interference to the communication signals, mainly at the moment when a switching signal turned on and formed a loop. However, the interference time was short and it does not always exist in the communication link, so it cannot cause the rapid and continuous load rise of the LPDU.
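A simulation of the receiver behaviour described in this section, added here as an illustration; it is not code from the paper or from the plant's equipment. It takes the figures given above (the ±200 mV receiver decision threshold, the 2 V lower end of the driver level, and the 200 mV, 500 mV and 1.5 V interference amplitudes) and contrasts pickup that lands identically on A and B, which a shared twisted pair produces and the differential receiver cancels, with pickup that differs between A and B, which the mis-paired wiring of Fig. 4 produces. The 2.5 V common-mode bias, the uniform noise model, the random seed and the function names are assumptions of this example.

```python
import random

RX_THRESHOLD_V = 0.2   # A - B above +200 mV reads '1', below -200 mV reads '0' (from the page)
TX_DIFF_V = 2.0        # lower end of the +2 V to +6 V driver range quoted on the page
COMMON_MODE_V = 2.5    # assumed bias both lines sit on; not a value from the page


def drive_lines(bits, diff_v=TX_DIFF_V, common_mode_v=COMMON_MODE_V):
    """Ideal driver: '1' puts A above B by diff_v, '0' puts B above A."""
    half = diff_v / 2.0
    a = [common_mode_v + (half if bit else -half) for bit in bits]
    b = [common_mode_v - (half if bit else -half) for bit in bits]
    return a, b


def receive(a, b, threshold_v=RX_THRESHOLD_V):
    """Differential receiver: 1, 0, or None for a sample inside the dead band."""
    decoded = []
    for va, vb in zip(a, b):
        diff = va - vb
        if diff > threshold_v:
            decoded.append(1)
        elif diff < -threshold_v:
            decoded.append(0)
        else:
            decoded.append(None)
    return decoded


def add_interference(a, b, peak_v, mode, rng):
    """Superimpose pickup of amplitude up to peak_v (uniform, an assumption).
    'common': the same voltage lands on A and B, as when both run in one twisted pair.
    'differential': independent pickup on A and B, as when they run in different pairs."""
    na, nb = [], []
    for va, vb in zip(a, b):
        if mode == "common":
            n = rng.uniform(-peak_v, peak_v)
            na.append(va + n)
            nb.append(vb + n)
        elif mode == "differential":
            na.append(va + rng.uniform(-peak_v, peak_v))
            nb.append(vb + rng.uniform(-peak_v, peak_v))
        else:
            raise ValueError(f"unknown coupling mode {mode!r}")
    return na, nb


def decode_failures(bits, peak_v, mode, seed=7):
    """Number of bits decoded wrongly or left undefined after interference."""
    rng = random.Random(seed)
    a, b = add_interference(*drive_lines(bits), peak_v, mode, rng)
    return sum(1 for want, got in zip(bits, receive(a, b)) if got != want)


def interference_sweep(n_bits=2000, peaks=(0.2, 0.5, 1.5), seed=7):
    """Failure counts at the amplitudes reported on the page (200 mV on healthy
    cores, 500 mV on the damaged pair, up to 1.5 V while the refuelling machine
    runs) for both coupling modes. Returns {mode: {peak_v: failures}}."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    return {mode: {peak: decode_failures(bits, peak, mode, seed) for peak in peaks}
            for mode in ("common", "differential")}


if __name__ == "__main__":
    for mode, row in interference_sweep().items():
        print(mode, {f"{peak:.1f} V": failures for peak, failures in row.items()})
```

Common-mode pickup never produces a decode failure, whatever its amplitude, because it cancels in the subtraction. Independent pickup of 200 mV or 500 mV is still well inside the margin between the 2 V signal and the 200 mV threshold, but at 1.5 V per line the difference can swing by up to 3 V, so a fraction of the bits land in the dead band or flip, which is the kind of corrupt traffic that the LPDU load mechanism described above reacts to.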
6 Treatment Measures
The interference on the communication cable changes the normal signal voltage, which affects the data transmission and triggers the comparator at the input of the receiver, causing the receiver to receive wrong signals; this increases the load, so that the LPDU restarts automatically. A twisted pair in the 2PMCM0052 cable was damaged, which allowed interference to enter the link cable [5].

6.1 Signal Circuit
In order to change the KRT011/012MA analog signal transmission mode and optimize the drag chain cable, the signal circuit has been modified as shown in Fig. 7.
a) Before signal circuit modification
b) After modification of signal circuit
Fig. 7. Comparison of KRT011/012MA signal circuits
6.2 Signal Transmission Mode
The measured gamma values collected by KRT011/012MA are changed from RS485 communication to 4–20 mA signal transmission, which involves adjustment of the KRT communication link and modification of the related NC-DCS database, configuration and screens.

6.3 Drag Chain Cable
The drag chain cable of the refueling crane has 16 cores, of which 6 cores transmit the switch signals and the other 8 cores transmit the analog value over the RS485 communication signal. A new drag chain cable is added to separate the analog signal from the switching signals and avoid mutual interference [6]. After the modification, the anti-interference ability of the KRT011/012MA signal circuit has been improved. Even if the signal circuit fails, it will not lead to the automatic restart of the LPDU or the interlocking action of the EBA valves triggered by KRT, so the failure mode seen during overhaul is avoided. After the modification, KRT011/012MA can be viewed directly on KIC; the value is no longer displayed on the radiation monitoring system server (KRT002AR) and the radiation protection duty room workstation (KRT002HA), but it can still be viewed through the KNS system [7]. A ¹³⁷Cs radioactive source with an activity of 0.37 MBq and a ⁶⁰Co radioactive source with an activity of 0.37 MBq were used for the energy calibration of the KRT011/012MA probe, and the collected energy spectrum is shown in Fig. 8.
Fig. 8. KRT011/012MA energy calibration map
7 Conclusion
Through the modification of the KRT011/012MA measured-value signal transmission structure, the problem of LPDU automatic restart caused by a KRT011/012MA RS485 signal circuit fault has been solved, so that EBA valve interlock closure caused by a KRT secondary alarm during overhaul is avoided. In the two overhauls since the modification, the KRT011/012MA channels have operated stably, the loop communication load has remained at 30%–40%, and the EBA ventilation system has never been triggered by a channel abnormality [8].
References
1. Liang, Y.-J.: Overall structure optimization process and improvement scheme of NPP radiation monitoring system. Radiat. Protect. (2), 26–30 (2018)
2. Zeng, S., et al.: Research on optimization scheme of radiation monitoring system for nuclear power plant. Instrumentation (1), 63–66 (2018)
3. Liu, S.-Q., Song, W.-W., Deng, K.-N.: Analysis and improvement of power supply design defect for nuclear power plant radiation monitoring display unit. Energy Energy Conserv. (4), 58–60, 147 (2019)
4. Wang, P., et al.: Communication efficiency improvement method of radiation monitoring system in nuclear power plant. Nucl. Electron. Detect. Technol. (8), 780–782 (2015)
5. Ma, B., et al.: The alarm logic optimization of Fangjiashan nuclear power project effluent radiation monitoring. Instrumentation (2), 64–67 (2017)
6. Ge, Y., et al.: Maintenance for radioactivity detecting system of research reactor. Instrumentation (3), 71–73 (2020)
7. Wu, R.-J., et al.: Design of small scale integrated radiation monitoring system for floating reactors at sea. Ship Sci. Technol. (11), 96–99 (2020)
8. Yang, K., Xiao, P.-F., Wang, P.: Study on the standard system of radiation monitoring equipment for nuclear power plants. Construct. Design Eng. (12), 143–144 (2020)
Discussion on Hydrogen Economy Solution Under Carbon Peak and Neutrality Background Wen-Zhen Mi, Ying Cao(B) , Tu-Nan Huang, and Peng-Fei Gu China United Gas Turbine Technology Co., Ltd, Beijing, China [email protected]
Abstract. Under the goal of carbon peak and neutrality, the energy structure in China will move from high carbon to low carbon and then to zero carbon as the energy supply-side reform in the country speeds up. This paper reviews the current development situation of the nuclear power, wind power and photovoltaic industries, analyzes the cost and the modes of the nuclear power, wind power and photovoltaic industries in China and the United States, and then compares them with the costs of hydrogen fuel. Finally, through the analysis of the trend of hydrogen fuel gas turbines, the long-term path of decarbonization of the electric power industry led by hydrogen gas turbines is put forward. Under the current cost of hydrogen production from fossil energy, the power generation cost of the hydrogen industry is not superior to that of natural gas power generation and traditional coal power generation. However, with the rise of the carbon emission trading market, the carbon-free advantage of the hydrogen economy will become more prominent. Keywords: Carbon peak and neutrality · Hydrogen fuel gas turbine · "Electric-hydrogen-electric" power generation mode · Hydrogen economy
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 25–33, 2022. https://doi.org/10.1007/978-981-19-1181-1_3

1 Introduction
According to the latest information released by the Climate Change Center of the China Meteorological Administration, the trend of global warming is still continuing, and China's warming rate is significantly higher than the global average for the same period, making China a sensitive and significant area of global climate change [1]. From 1901 to 2020, the annual mean surface temperature in China showed a fluctuating upward trend, and the last 20 years were the warmest period since the beginning of the 20th century. With the deepening understanding of climate change in the scientific community, people tend to believe that climate change will have a significant impact on the natural ecological environment, including extreme weather, natural disasters and ecological balance [2]. In view of this, the international community began to build an international system to deal with climate change under the framework of the United Nations, such as the United Nations Framework Convention on Climate Change in 1992 and the Paris Agreement in 2015. China has also taken a clear stance on climate issues. In September 2020, President Xi Jinping made important remarks at the UN Climate Ambition Conference, saying that China would peak its carbon footprint by 2030 and become carbon neutral by 2060. It can be predicted that technological innovation aimed at decarbonization will play an important role in the restructuring of the energy economy in the future. The existing decarbonization technologies can be roughly divided into elimination paths and replacement approaches: one is to remove greenhouse gases through carbon dioxide capture and storage, carbon sequestration in downstream industrial products and other special ways; the other is to use low-carbon renewable energy to replace traditional fossil energy and reduce carbon generation fundamentally. Hydrogen energy, as a clean secondary energy medium, is considered to have great potential for the decarbonization of the economy in the future, and may play an important role in energy, transportation, materials and agriculture. This paper analyzes the cost and development mode of the nuclear power, wind power and photoelectric industries in China and the United States, which have the best development trend among new energy sources, and compares them with the cost of hydrogen energy based on nuclear power, wind power and photoelectric generation. Finally, through the analysis of the development trend of hydrogen fuel gas turbines, the long-term path of decarbonization of the electric power industry led by hydrogen gas turbines is put forward.
2 Development of Nuclear Power, Wind Power and Photoelectric Industry in China and America
Under the goal of carbon peak and carbon neutrality, with the acceleration of China's energy supply-side structural reform, China's energy structure will go through a process from high carbon to low carbon to zero carbon, and representative new energy industries such as nuclear power, wind power and photovoltaics will inevitably usher in a new round of development. According to the development and operation consumption data for nuclear power, wind power, solar power and other new energy generation from the State Grid Energy Research Institute [3], the proportion of non-fossil energy consumption will continue to increase: wind energy will become the main non-fossil energy variety around 2030, and solar energy will become the second largest non-fossil energy variety around 2040. The proportion of non-fossil energy in the power supply will also rise rapidly. With the continuous decline of the cost of new energy and energy storage, and with the economic and environmental advantages of clean electricity gradually emerging as carbon emission trading is promoted, onshore wind power and photovoltaics will gradually become the main body of the power supply structure, and the proportion of non-fossil energy in the electricity supply will rise rapidly. The proportion of nuclear energy in primary energy consumption will rise steadily. At present, China's nuclear power generation accounts for 13.5% of the world total, second only to the United States. The development of China's wind power industry presents regional differences: the cost per kilowatt-hour in most regions of northeast and southwest China is relatively low, while the cost per kilowatt-hour in northwest China is the lowest in the country.
China's photovoltaic industry is constrained by solar energy resources, land cost, development cost and other factors, and the kWh cost of photovoltaic generation in the central and eastern regions is relatively high, with a trend of low in the west and high in the east. According to data from the power grid department, the cost per kilowatt-hour of onshore wind power in China was about 0.315–0.565 yuan/(kW·h) in 2019, with an average of 0.393 yuan/(kW·h). The cost per kilowatt-hour of photovoltaic generation was about 0.290–0.800 yuan/(kW·h), with an average of 0.389 yuan/(kW·h), slightly lower than wind power but with cost fluctuations more strongly affected by region. It is estimated that the cost per kilowatt-hour of onshore wind power in China will reach 0.287–0.539 yuan/(kW·h) and that of photovoltaic generation 0.245–0.512 yuan/(kW·h). By 2025, the average kilowatt-hour cost of onshore wind power will be 0.241–0.447 yuan/(kW·h) and that of photovoltaic power 0.220–0.462 yuan/(kW·h). Nuclear power basically implements one price per plant, and the national benchmark on-grid price of nuclear power is 0.43 yuan/(kW·h). In the United States, wind resources are mainly concentrated in the central and western regions and on the Pacific and Atlantic coasts; as an additional power source wind ranks second only to gas, and wind accounts for about 2.9% of annual electricity generation. The price of wind power takes the form of long-term agreements [4]: a long-term wind power trade agreement is signed between the wind farm and the grid company before investment, ensuring that the wind power purchase price is relatively stable over a certain period. Incentive policies for photovoltaic generation vary by state, most adopting renewable energy quotas, tax incentives, cash subsidy programs and so on. The focus of photovoltaic generation in the United States is mainly on improving production efficiency and reducing product costs, which is also the main driving force for the development of the U.S. solar power industry.
In terms of nuclear power, a total of 56 nuclear power plants with 95 nuclear power units are in operation in 30 states of the United States. In 2019 annual nuclear generation was 809.4 billion kWh, accounting for 19.7% of total U.S. electricity generation, with an average capacity factor of 93.4%. According to the levelized cost of energy (LCOE) report of the U.S. consulting firm Lazard, which covers all kinds of energy sources, without taking federal government tax breaks into account the levelized cost of wind power and large-scale photovoltaic generation is less than half that of coal: onshore wind power costs $28–54/MWh (about 0.20–0.38 yuan/kW·h) and offshore wind power $89/MWh (about 0.62 yuan/kW·h). Residential, commercial and community rooftop PV costs $64–242/MWh (about 0.45–1.70 yuan/kW·h), and thin-film and crystalline silicon large-scale ground-mounted PV costs $32–44/MWh (about 0.23–0.31 yuan/kW·h). The average total generation cost of nuclear energy is US $31.88/MWh (about RMB 0.23/kWh). Comparing the development and generation costs of the nuclear, wind and photovoltaic industries in China and the United States shows that their development is strongly related to the distribution of regional natural resources, and in both countries is promoted by government renewable energy subsidy policies. As the energy system is deeply decarbonized, renewable electricity must continuously replace electricity from traditional fossil fuels such as coal in the power system. Renewable power, however, is unevenly distributed geographically and its energy density differs greatly over time, so short-term load fluctuations can have a large impact on the grid. If surplus renewable generation is used to produce hydrogen and the hydrogen is then used for grid-connected generation, the overall generation efficiency suffers a certain loss, but this can play an important role in becoming carbon neutral and ensuring the security of the power grid.
3 Development of Hydrogen Energy Industry and Power Generation Costs

At present hydrogen is mainly used as an important industrial raw material in the chemical sector. Under the future goals of carbon peaking and carbon neutrality, hydrogen will be more important as a low-carbon, clean and abundant secondary energy source with rich application scenarios and as a flexible and efficient carrier for energy interconnection: it can be present in every link of energy production, transmission and consumption, promote the efficient utilization of renewable energy, enable optimized coordination between different energy networks, and drive the low-carbon transformation of China's energy system. In addition, hydrogen can also be used as a green industrial raw material to realize the deep decarbonization of end-use industrial energy sectors such as steel and chemicals. At present, hydrogen is mainly obtained from coal, industrial by-product hydrogen and natural gas. China's coal-based energy structure means that coal-to-hydrogen technology, which is technically mature and economical, is the main body of China's hydrogen supply. Hydrogen applications are still at an initial stage: the cost of hydrogen from natural gas reforming (1.04–1.48 yuan/Nm3) and from coal (0.83–1.13 yuan/Nm3) is significantly lower than that of hydrogen from water electrolysis using renewable energy (4–5 yuan/Nm3); technical bottlenecks remain in matching renewable hydrogen production with large-scale hydrogen storage, transportation and other links; and downstream demand from hydrogen fuel cells has not been fully stimulated. Hydrogen is therefore at an early stage of application and is gradually moving towards cost parity. Li Haibo et al. [7] calculated the cost of hydrogen power generation based on hydrogen production prices of 1.20 yuan/Nm3 (hydrogen from natural gas) and 0.95 yuan/Nm3 (hydrogen from coal).
The mainstream F-class heavy-duty gas turbines now in use generate 5–5.5 kWh per standard cubic metre of natural gas. Assuming that the efficiency remains the same after the gas is replaced with hydrogen (other technical limits are not considered), that the calorific value of natural gas per cubic metre is 3.3 times that of hydrogen, and taking the median of 5.25 kWh of generation per cubic metre, the fuel cost per kilowatt-hour is 0.438 yuan/kWh for natural gas, 0.754 yuan/kWh for hydrogen from natural gas and 0.597 yuan/kWh for hydrogen from coal. It can be seen that at the current cost of hydrogen from fossil energy, the generation cost of the hydrogen industry is not superior to natural gas generation and traditional coal power. However, under the background of carbon neutrality and with the rise of the carbon trading market, the carbon-free advantage of hydrogen energy will become more prominent, and the cost of hydrogen production from fossil energy and from new energy will gradually decrease in the future.
4 Current Status of Hydrogen Fuel Gas Turbine and Related Technologies

4.1 Physical Characteristics of Hydrogen Fuel

The physical properties of hydrogen are shown in Table 1. Hydrogen fuel is an excellent energy carrier. Compared with other fuels, the chemical energy contained in hydrogen fuel of the same mass is 2.6 times that of natural gas and 3 times that of gasoline. Hydrogen can be used as a secondary energy source and stored, transported and utilized just like natural gas. Hydrogen and its derived fuels can achieve large-scale long-term storage with economic benefits (Table 1).

Table 1. Comparison of physical properties of hydrogen with NG

Physical property         | Hydrogen        | Compared to natural gas
Gas density               | 0.089 kg/m3     | 1/10 of natural gas
Liquid density            | 70.79 kg/m3     | 1/6 of natural gas
Boiling point             | −252.76 °C      | 90 °C lower than liquefied natural gas
Energy per mass (LHV)     | 120.1 MJ/kg     | 2.6 times that of natural gas
Energy per liquid volume  | 32.2 MJ/gallon  | About 42% of LNG
Whether hydrogen is produced remotely or at the point of use, continuous large-volume pipeline transport is considered the most convenient and effective way of moving it. However, hydrogen has a wider explosion limit and a faster burning rate than natural gas, and it permeates metal materials, so the safety problems of using existing gas pipelines for hydrogen blends or pure hydrogen remain to be solved. Once existing pipelines are used to transport hydrogen or hydrogen-blended fuel in the future, defect detection, repair, renewal and regular inspection of the pipelines will be necessary [8]. The energy efficiency and safety of domestic hydrogen storage and transportation technology have not been completely solved. The widely used high-pressure gaseous storage and transportation method currently has the disadvantages of low hydrogen storage density, high compression energy consumption and high material cost owing to the safety design redundancy of hydrogen storage tanks. The best model for hydrogen power generation is to use the hydrogen as soon as it is produced, eliminating storage and reducing the potential hazards in between.

4.2 Current Status of Hydrogen Fuel Gas Turbine Technology

Siemens, GE, Mitsubishi and other gas turbine giants regard the hydrogen co-firing gas turbine as the primary direction of gas turbine technology development. GE has adopted a wide range of hydrogen-burning technologies in its gas turbine portfolio; its advanced F/H heavy-duty gas turbines allow fuel blends with hydrogen concentrations of up to 50–60% by volume. Siemens announced an ambitious hydrogen burning roadmap in January 2019, with plans to increase the hydrogen burning capability of its gas turbines to at least 20% by 2020 and 100% by 2030. Mitsubishi unveiled its market case for increasing hydrogen usage in the power sector in March 2019, saying hydrogen gas turbines are one of the key factors in “achieving a carbon-hydrogen society by 2050 using renewable energy globally”. Almost all the major gas turbine manufacturers have launched hydrogen gas turbine development plans, and believe that hydrogen can not only make gas generating units worldwide more competitive in the low-carbon energy market but is also expected to extend the life of existing units under national regulations and emission limits. When a gas turbine uses hydrogen fuel, it needs to be upgraded to adapt to the change of fuel. A hydrogen-fuelled gas turbine needs to operate stably on anything from 100% natural gas to hydrogen-rich or even pure hydrogen fuel, while keeping NOx emissions within a controllable range that does not significantly increase the cost of nitrogen removal. Because the calorific value of hydrogen per unit volume is lower than that of natural gas, keeping the output unchanged inevitably increases the fuel volume flow into the burner, and at the same time the flame speed of hydrogen in air is higher than that of natural gas. Burning hydrogen or hydrogen blends therefore requires solving the following problems [9]: flashback and flame shock, to increase turbine safety and operability; autoignition of hydrogen-rich or pure hydrogen fuel at high temperature and high pressure; improvement of the combustion chamber structure to cope with the higher fuel volume flow; and NOx reduction technologies in the design of the combustion system.

In addition to the combustion system upgrade, when a conventional gas turbine is converted to burn hydrogen, the fuel mass flow rate and volume flow rate both increase to a certain degree if the turbine inlet temperature is held constant, which could cause compressor surge; the matching of working-fluid flow between the gas turbine and the compressor must therefore be considered in the retrofit design.
5 Analysis of Electric-Hydrogen-Electric Power Generation

Through the above technical and economic analysis, the preliminary outline of a reasonable development path for a decarbonized power grid can be formed. In places rich in solar and wind resources, where the cost of generation can be very low, hydrogen is produced by electrolysis of water, compressed and sent by pipeline to gas turbine power plants to generate electricity. In addition, suitable stations can be found along the hydrogen pipeline route to store hydrogen. This solves the problem of renewable energy storage (the electric-hydrogen-electric model). For example, the abundant wind power and photovoltaics of northwest China, Inner Mongolia and the Tibetan Plateau can be used to electrolyze water to produce hydrogen, which is then sent to the inland regions through the west-to-east gas transmission pipelines, and gas turbine plants use the green hydrogen fuel to generate electricity. This solution not only solves the problems of clean energy, environmental protection and sustainable development, but also thoroughly solves the problem of energy security for China. The advantages of hydrogen co-combustion turbine generation compared with nuclear, wind and photovoltaic generation are shown in Table 2 below. The solution is technically clear and elegant, and the technology is mature.
Table 2. Comparison of hydrogen co-combustion turbine power generation with wind power, photovoltaic and nuclear power generation

Item | Hydrogen co-combustion turbine generation | Wind power, photovoltaic generation | Nuclear power generation
Power supply | Provides a stable and reliable power supply to meet the peak load requirements of the system | Provides intermittent, fluctuating power and cannot participate in power balance | Base load operation mode
Load characteristics | Can be used as the main peak regulation power source of the grid, with large peak regulation depth and high peak regulation speed | Requires peak regulation power sources to provide peak regulation service | General peak shaving capability
Short-circuit capacity supply of the system | As a synchronous electromechanical source, it can provide short-circuit capacity and support capacity for the grid | Cannot provide short-circuit capacity support to the system | Can provide short-circuit capacity and support capacity
System frequency support capability | Strong frequency support ability; can increase the inertia of the system and participate in primary and secondary frequency modulation of the grid | Weak frequency support capability; the intermittent and fluctuating output may cause frequency fluctuation of the system | Strong frequency support ability
Harmonics | Basically no harmonic generation | The grid-connected inverter produces harmonics | Basically no harmonic generation
Subsynchronous oscillation | Synchronous electrical source; can suppress subsynchronous oscillation | Easily causes subsynchronous oscillation | Not easy to cause subsynchronous oscillation
Carbon emissions | Carbon emission gradually decreases as the proportion of hydrogen increases | Life-cycle carbon emission is very low, about 20–40 g/kWh | Basically carbon free
Although there is a lot of room to improve efficiency and reduce costs, no major scientific breakthroughs are needed and it can be started quickly. The fly in the ointment is that the market competitiveness of electric-hydrogen-electric solutions is questionable with the current state of the art. Even if wind or photovoltaic power is economical, the round-trip efficiency of electric-hydrogen-electric is less than 40% with current technology, and combined with current transportation and storage costs, the electricity delivered to the customer is still two to three times more expensive than that from natural gas or coal. Solving the problem of market competitiveness requires two conditions [6]: first, policy support; second, the size of the industry. Looking at the current international and domestic situation, both factors are moving in a very favourable direction. The size of the industry will be the ultimate driver of the market competitiveness of the electric-hydrogen-electric model. In the electric-hydrogen-electric solution, most of the equipment is still produced on a very small scale, the production processes are backward, and market prices are very unreasonable, so a large space for price reduction through large-scale production can be expected in the future. A large-scale hydrogen supply chain will realize low-cost hydrogen production, storage and transportation at scale through the trunk gate station mode and urban hydrogen distribution [5], providing a complete solution for combining renewable energy with hydrogen storage in China.
6 Conclusion

This paper analyzes the cost and development mode of the nuclear power, wind power and photoelectric industries in China and the United States and compares them with the cost of hydrogen energy. At the current cost of hydrogen production from fossil energy, the generation cost of the hydrogen industry is not superior to natural gas generation and traditional coal power. However, under the background of carbon neutrality and with the rise of the carbon trading market, the carbon-free advantage of hydrogen energy will become more prominent. Replacing natural gas with clean hydrogen fuel for gas turbine generation, which greatly reduces carbon emissions, is a future trend. Electric-hydrogen-electric generation not only solves the problems of clean energy, environmental protection and sustainable development, but also completely solves the problem of energy security for China. In the electric-hydrogen-electric solution, policy support and industry size will be the decisive factors for the market competitiveness of hydrogen gas turbines. Large-scale renewable hydrogen production technology has made breakthroughs and formed an effect of scale, greatly reducing the cost of hydrogen fuel production, transportation and storage and lowering the overall cost of hydrogen fuel generation at the source. Hydrogen production capacity can support the demand for hydrogen gas turbine generation across society. The hydrogen pipe network and other supporting systems will be fully upgraded and renewed to meet safety requirements, which will become an important direction of exploration under the hydrogen economy model.
References

1. Xinjiang Agricultural Reclamation Science and Technology, 201, 44(4), 70
2. Wang, Y., Li, R., Li, B., Luo, H.: Science and Technology Information, 201, 19(13), 92–95+115
3. State Grid Energy Research Institute: Analysis Report of New Energy Generation in China 2020. China Electric Power Press (2020)
4. Zhang, J.: Analysis on the development status of wind power in the United States. Global S&T Econ. Outlook 28(5), 1–6 (2013)
5. Huang, X., Lian, J., Shen, W., Chao, M.A.: Economic analysis of large-scale hydrogen energy supply chain in China. Southern Energy Constr. 7(2), 1–13 (2020)
6. Shu, G., Mi, W., Zhang, H.: Reshaping the Economy and Reversing Global Warming: A Dynamic Analysis of Hydrogen Economy. Shanghai University Press, pp. 5–12 (2021)
7. Li, H., Pan, Z., Huang, Y.: Electric Power Equip. Manage. (8), 94–96 (2020)
8. Huang, M., Wu, Y.: Feasibility analysis of mixing and transporting hydrogen by natural gas pipeline. Gas Heat 4 (2013)
9. Qin, F., Qin, Y., Shan, T.: Current status and development prospects of hydrogen fuel gas turbine technology under the background of carbon neutrality [J/OL]. Guangdong Electric Power, pp. 1–10 (7 Oct. 2021). http://kns.cnki.net/kcms/detail/44.1420.TM.20210812.1533.002.html
Introduction of Network Architecture for Real-Time Information Management System in Nuclear Power Plant

Guo-Bin Xu(B), Bing-Zhuo Zhang, and Jian-Wei Li
Shandong Nuclear Power Company, Haiyang 265100, Shandong, China
Abstract. The Real-time Information Management System (RIMS) collects real-time data from the production process of a Nuclear Power Plant (NPP) by connecting to the unit DCS (Digital Control System) as well as other BOP (Balance Of Plant) control systems. It provides nuclear power plant management and technicians located remotely in the office with information on equipment status in the process. At the same time, it lays the foundation for the information and digital construction of the intelligent nuclear power plant. By analyzing the framework of the Real-time Information Management System, this paper proposes a solution for the network structure of the RIMS based on the cyber security strategy of the nuclear power plant; this solution can also serve as a reference for the information construction of other similar projects.

Keywords: DCS · Information · Data · Cyber security
1 Introduction

The daily operation management of an NPP relies on real-time data from the production process. However, the industrial control systems (ICS), generally called DCS in an NPP, for the production process are generally laid out in the centralized control room and electronic equipment room, which are either adjacent to the site mechanical systems or located in the physical protection (also called physical security) area owing to safety regulations [1]. The Real-time Information Management System provides a safe and reliable acquisition, transmission and storage platform for real-time process data in the nuclear power plant, so that management and technical personnel on the remote side can acquire unit operating parameters and equipment running status in a timely manner, through which they can optimize equipment operation and maintenance management. Furthermore, the NPP can meet increasingly challenging production management requirements by developing appropriate functional applications based on RIMS data, improving the overall safety and efficiency of the NPP as well as the modernization of enterprise management.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 34–41, 2022. https://doi.org/10.1007/978-981-19-1181-1_4
RIMS does not perform any control function over field devices; it only collects, transmits and stores real-time data from process control systems such as DCS, SCADA (Supervisory Control And Data Acquisition) and PLC to form a mass information repository of the production process. Such highly valuable data can not only be used to optimize the production operation management of the NPP itself, but also provide necessary information for regulatory services, e.g. electrical technical supervision, nuclear and radiation safety regulation and the emergency response of the NPP. Unlike thermal power plants, nuclear power plants fulfil not only the task of generating electricity but also the responsibility of nuclear safety. NPPs need to take into account higher availability, reactor safety and nuclear material protection, unlike general ICS and SCADA systems [2]. To avoid the risks of data leakage and external attacks from the outer network, the construction of a real-time information management system in an NPP shall put network security in the first place. The RIMS will adopt advanced computer and network communication technology and architecture to realize the interface connection with each production control system safely and reliably. It can efficiently compress the collected data and store it as long-term history, and also provides a convenient client application, so that operators, maintenance personnel and production managers can timely and comprehensively understand the current or historical production situation and take further action when problems exist in the production process. Based on the requirements above, the main objectives of the RIMS platform are as follows:

1) The establishment of the RIMS platform must give first priority to cyber security, and ensure the safe and stable operation of the production process control system of the NPP unit through safe and effective technical isolation.
2) Establish a unified real-time/historical data platform applicable to multiple units of the NPP. The platform shall have good compatibility and stability, and its product components can be independently developed, tested and maintained.
3) The platform can realize the connection between the production process control system and external systems such as the enterprise office LAN (Local Area Network). It can also acquire, process, share and store data from the production process in real time.

The elaboration of the proposed RIMS network architecture in the rest of this paper is based on these objectives.
2 Network Architecture of Real-Time Information Management System

2.1 Classification of Cyber Security in Nuclear Power Plants

Cyber security in compliance with the regulatory requirements for NPPs is the primary consideration when planning the RIMS network architecture. According to U.S. 10 CFR 73.54(c)(2) and NRC guideline RG 5.71 C.3.2, the cyber security program must be designed “to apply and maintain integrated defense-in-depth protective strategies to ensure the capability to detect, prevent, respond to, mitigate, and recover from cyber attacks” [8]. The designer of the RIMS architecture should therefore set up multiple security boundaries (or levels) in line with the defense-in-depth protection strategy to prevent cyber attacks from the outer network [3]. There are five Levels in total (Level 0–4), as shown in Fig. 1. Safety-related equipment, security functions, and emergency-related support systems and equipment are referred to as Critical Digital Assets (CDA) and Critical Systems (CS) and should be given the highest level of protection, i.e. Level 4 [3]. Data flow is only allowed one way, from Level 4 to Level 3 and from Level 3 to Level 2. According to the definition of CDA in RG 5.71, the industrial control systems, namely the ICS [4] (including DCS, SCADA, PLC, etc.), are allocated to Level 4. Even where different ICS systems fall within the same Level, special measures may still be taken according to their different security levels; for example, the boundary between the Safety Instrument System (SIS) and the non-safety instrumentation and control systems still needs a one-way gateway that only allows data from the former to the latter. Level 3 is commonly called the demilitarized zone (DMZ); data from Level 4 can only be transferred to Level 2 via this zone, which is where the RIMS is located. Level 2 refers to the enterprise office LAN, and Level 1 and Level 0 normally refer to the enterprise Wide Area Network (WAN) and the Internet respectively. There are similar requirements and regulations in China. The Regulations on Security Protection for Electric Power Monitoring Systems published by the National Development and Reform Commission (Order No. 14, 2014) stipulate that one-way isolation devices (unidirectional gateways) should be deployed between the production control zone and the management information zone. Devices with access control functions, e.g.
firewalls or facilities with the same functions, should be set up at the boundaries between different sub-areas (control areas and non-control areas) within the same production control area to achieve logical isolation [5]. The DCS and RIMS both belong to the production control area: the former is in the control area, while the latter is in the non-control area. The enterprise LAN belongs to the management information zone [5]. GB/T 22240-2020 (Information security technology - Classification guide for classified protection of cyber security) defines security protection levels in which the protected objects are divided into five levels [6] according to their importance and the degree of harm once they are damaged. In practice, the network security level of ICS systems in NPPs is generally classified as Level 3. In GB/T 22239-2019 (Information security technology - Baseline for classified protection of cyber security), the Level 3 requirement for ICS network architecture is to achieve one-way technical isolation from enterprise networks, and technical isolation should also be deployed within the ICS [7].

Fig. 1. Simplified cyber security defensive architecture from RG 5.71

2.2 DCS OPC Interface

This section describes the DCS OPC (OLE for Process Control) interface, whose purpose is to provide data points over the network between the existing DCS and external OPC clients. The DCS OPC DA (Data Access) server provides the live point information in the form of OPC tags. Figure 2 shows the overall connection between the DCS, the OPC DA server and the remote OPC clients. The OPC DA server acts as a base station of the DCS and is logically isolated by a firewall from the client-side network. The OPC Data Hub software installed on the OPC DA server reads data locally and then transfers it to the remote OPC Data Hub software located on the OPC client (client-side computer). The Data Hub mirrors and secures the data across the network by building a tunnel, so that both sides (server and client) maintain a complete set of all the data.
Fig. 2. DCS OPC Interface Architecture
2.3 Proposed Network Architecture Based on the relevant principles described in Sects. 2.1 and 2.2, two alternative network architecture schemes are described in the sections below.
1) Optional Plan A

As shown in Fig. 3, the entire network in Plan A is divided into three sections by a firewall and a unidirectional gateway. The industrial firewall is deployed between the OPC DA server and the OPC client to logically isolate the DCS and RIMS networks, protecting the DCS from unauthorized access and intrusion threats from RIMS. There is a unidirectional gateway between RIMS and the enterprise office LAN. The unidirectional gateway is a new technology whose function lies between logical isolation and physical isolation; it only allows one-way transmission of data flow, to ensure the information security of critical digital systems (such as industrial control systems) [4]. In order to function properly, an interface computer must be configured on both the front and rear sides of the unidirectional gateway. The real-time process data from the units of the NPP is taken from the OPC server installed in the DCS, transmitted to the OPC client computer through the firewall, and finally transferred to the real-time data server of RIMS for further processing and storage. A mirror server of the RIMS real-time data is configured and deployed in the enterprise LAN, which obtains and stores the process data from the RIMS real-time data server through the unidirectional gateway between RIMS and the enterprise LAN. The mirror server provides real-time process data not only for end users accessing it from client computers within the same network segment, but also for application servers handling various production management applications, such as equipment health monitoring, fatigue monitoring, operating parameter trend analysis and so on. As NIST Special Publication 800-82 states in Sect. 5.5.6, “The most secure, manageable, and stable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs” [4]; the network in Plan A is divided into three zones by a firewall and a unidirectional gateway. The unidirectional gateway can prevent any access to the RIMS data server. Likewise, the firewall is capable of blocking potential intrusion from RIMS into the control network. The architecture of Plan A meets the classification requirements of the relevant regulations mentioned in Sect. 2.1. The advantage of Plan A is that the equipment configuration is relatively simple, but the disadvantage is that the firewall can only achieve logical isolation, which has a lower protection level than a unidirectional gateway.

Fig. 3. Topology of Optional Plan A
2) Optional Plan B

Plan B eliminates the deficiency of Plan A. As shown in Fig. 4, a unidirectional gateway with its corresponding interface computers is added between the OPC client computer and RIMS. Note that the interface computer at the front end of the unidirectional gateway must also perform the function of the OPC client; the other configurations are the same as in Plan A. The real-time process data from the DCS OPC server pass through both the firewall and the unidirectional gateway before being sent to the real-time data server in RIMS. The rest of the data transmission path is identical to Plan A. To strengthen the security protection of the DCS to the greatest extent, the design of Plan B combines multiple security protection measures, namely the firewall, the unidirectional gateway and the establishment of a DMZ, which reflects a strong Defense-in-Depth strategy. The main disadvantage of Plan B is that the additional protection layers not only raise the cost but also add management complexity as the amount of equipment grows.
Fig. 4. Topology of Optional Plan B
G.-B. Xu et al.
3) Summary of Network Architecture

In short, Plan A and Plan B each have advantages and disadvantages, but both meet the requirements of the relevant regulations. The selection of a specific plan must still be made according to the actual requirements of the project. Nevertheless, we recommend implementing Plan B in NPPs, since it eliminates the risk of unauthorized access to the greatest extent. Note that the discussion in this paper focuses mainly on the hardware architecture. In actual applications, the characteristics of both software and hardware, together with the actual situation of the specific project, must be combined to arrive at an appropriate policy configuration. To achieve complete network security, a complete set of strict network security management measures (such as user passwords, user permissions, authentication, computer room management, etc.) must also be taken into consideration. In addition, both Plan A and Plan B are equipped with mirror servers in the Enterprise LAN. This configuration directs all user access to the external mirror data server, which greatly reduces the load on the RIMS real-time data server and substantially improves the reliability and security of data access.
3 Introduction for Multi-Control System Interface

Nuclear power plants with several units usually have multiple DCS systems and many BOP systems controlled by SCADA and PLC. When designing and planning the interface between these ICS systems and RIMS, two interface schemes are generally considered: independent channel and integrated channel. Taking the DCS in Fig. 5 as an example, Plan A is an independent-channel interface scheme in which a separate unidirectional gateway is installed in each channel. Plan B deploys only one common unidirectional gateway and one common data server upstream of the gateway. The advantage of Plan A is that the DCS channels of each unit are independent of each other, giving high security and reliability; the weakness is that it requires many unidirectional gateways and interface computers, which brings high cost and complex network management. Plan B, by contrast, has a simple topology and low cost, but suffers from lower security and a single point of failure that reduces reliability. Moreover, the shared link lowers the efficiency of data transmission as the number of access sources grows, which affects the overall performance of RIMS.
Fig. 5. Comparison of Interface Architecture
To sum up, although the hardware of Plan A adds some cost, it has outstanding advantages in terms of safety and reliability. Therefore, it is recommended that the DCS and the important SCADA or PLC control systems in NPPs adopt Plan A, which is more in line with the network and data security requirements of nuclear power plants.
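The two architectural arguments above, the zoning of Plans A and B in Sect. 2 and the independent versus integrated channel of Sect. 3, can be checked mechanically as reachability questions on a small directed graph. The following Python is an added example, not code from the paper or from any plant's RIMS; the host names are assumptions chosen to mirror the elements the text names, and the link models (firewall as a filtered but bidirectional link, unidirectional gateway as a single directed edge, LAN segment as a bidirectional link) follow the descriptions in the text.

```python
"""Two checks on the RIMS interface architectures: zone reachability for the
Plan A / Plan B zoning of Sect. 2, and single-point-of-failure analysis for
the independent-channel and integrated-channel schemes of Sect. 3.

Added example, not part of the paper or of any plant design. Host names are
assumptions chosen to mirror the elements the text names.
"""
from collections import deque


def lan(a, b):
    """Two hosts on one network segment: traffic flows both ways."""
    return [(a, b), (b, a)]


def firewall(a, b):
    """Logical isolation only: both directions exist, the rule set filters them."""
    return [(a, b), (b, a)]


def unidirectional_gateway(src, dst):
    """Exactly one directed edge, no return path at all."""
    return [(src, dst)]


def reachable(edges, start, removed=frozenset()):
    """Breadth-first search over directed edges, skipping removed hosts."""
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, []).append(dst)
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def can_reach(edges, src, dst, removed=frozenset()):
    return dst in reachable(edges, src, removed)


def hosts(edges):
    return {h for edge in edges for h in edge}


def hosts_that_can_reach(edges, target):
    """Hosts able to open a connection towards target (smaller is better)."""
    return sorted(h for h in hosts(edges) - {target} if can_reach(edges, h, target))


def single_points_of_failure(edges, sources, sink):
    """Hosts whose loss stops every source from delivering data to sink."""
    candidates = hosts(edges) - set(sources) - {sink}
    return sorted(h for h in candidates
                  if not any(can_reach(edges, s, sink, {h}) for s in sources))


# Sect. 2: Plan A (Fig. 3) and Plan B (Fig. 4). Enterprise side is common to both.
ENTERPRISE = (unidirectional_gateway("RIMS data server", "Mirror server")
              + lan("Mirror server", "Enterprise user"))
PLAN_A = (firewall("DCS OPC server", "OPC client")
          + lan("OPC client", "RIMS data server")
          + lan("RIMS data server", "RIMS user") + ENTERPRISE)
PLAN_B = (firewall("DCS OPC server", "OPC client")
          + unidirectional_gateway("OPC client", "Rear interface computer")
          + lan("Rear interface computer", "RIMS data server")
          + lan("RIMS data server", "RIMS user") + ENTERPRISE)

# Sect. 3 (Fig. 5): one gateway per unit vs. one common server and gateway.
# The DCS-to-common-server link is assumed to be a plain segment.
UNITS = ["Unit 1 DCS", "Unit 2 DCS"]
INDEPENDENT = (unidirectional_gateway("Unit 1 DCS", "Interface 1")
               + unidirectional_gateway("Unit 2 DCS", "Interface 2")
               + lan("Interface 1", "RIMS data server")
               + lan("Interface 2", "RIMS data server"))
INTEGRATED = (lan("Unit 1 DCS", "Common data server")
              + lan("Unit 2 DCS", "Common data server")
              + unidirectional_gateway("Common data server", "Common interface")
              + lan("Common interface", "RIMS data server"))

if __name__ == "__main__":
    for name, plan in (("Plan A", PLAN_A), ("Plan B", PLAN_B)):
        print(name, "- hosts that can reach the DCS OPC server:",
              hosts_that_can_reach(plan, "DCS OPC server"))
    for name, model in (("Independent channel", INDEPENDENT),
                        ("Integrated channel", INTEGRATED)):
        print(name, "- single points of failure:",
              single_points_of_failure(model, UNITS, "RIMS data server"))
```

The first list is the set of hosts from which the DCS OPC server is exposed to a connection attempt with only firewall rules in the way; Plan B shrinks it from the whole RIMS segment to the single front-end interface computer, while process data still reaches the enterprise user in both plans. The second list is empty for the independent-channel scheme and names both shared elements for the integrated one, which is the reliability argument of Sect. 3 in executable form.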
4 Conclusion

This paper briefly introduces the requirements and design objectives of the production Real-time Information Management System for NPPs, focuses on the relevant regulations and requirements for the cyber security of nuclear power plants, and on this basis puts forward and analyzes the feasibility of the RIMS architecture. The interface design between the DCS, SCADA and PLC systems and RIMS is also illustrated, and the implementation scheme presented in Sects. 2 and 3 has been successfully applied in the Haiyang NPPs. With the rapid development of informatization, digitalization and intelligent technology in nuclear power plants in recent years, the Real-time Information Management System plays an increasingly important role; therefore the overall planning of RIMS must be prepared at the beginning of construction to ensure a safe and reliable real-time information platform.
References

1. NRC website: Physical protection. https://www.nrc.gov/security/domestic/phys-protect.html. Last accessed 15 Nov. 2020
2. Kim, S., Heo, G., Zio, E., Shin, J., Song, J.: Cyber attack taxonomy for digital environment in nuclear power plants. Nucl. Eng. Technol. https://doi.org/10.1016/j.net.2019.11.001
3. U.S. Nuclear Regulatory Commission: Cyber Security Programs for Nuclear Facilities. Regulatory Guide 5.71 (2010)
4. U.S. Department of Commerce: Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 R2 (2015)
5. National Development and Reform Commission, China: Regulations on Security Protection for Electric Power Monitoring System. Order No. 14 (2014)
6. Standardization Administration, China: Information Security Technology - Classification Guide for Classified Protection of Cyber Security. GB/T 22240-2020 (2020)
7. Standardization Administration, China: Information Security Technology - Baseline for Classified Protection of Cyber Security. GB/T 22239-2019 (2019)
8. Li, J., Xu, H., Yang, A., Ling, L., Li, X.: Research on the topic of cyber security in nuclear power plants. Nucl. Sci. Eng. 36(6), 850–857 (2016)
Seismic Analysis and Qualification of Nuclear Safety Axial Flow Fan

Shi Hong, Wang Yan, Qiang-Sheng Zhang, and Yi-Wei Chen(B)

Nuclear and Radiation Safety Center, Beijing 100082, China
[email protected]
Abstract. The seismic performance of a class 1A fan plays an important role in the safe operation of a nuclear power plant. There are two ways to verify the seismic performance of a fan: testing and seismic analysis. In this paper, the equivalent static method and the response spectrum method are used to analyze the response of a nuclear safety fan under self-weight, internal pressure and seismic load with ANSYS Workbench 14.5. The calculation results show that the structural strength and operability of the fan meet the requirements of NB/T 20038-2011, and that the strength of the connecting bolts meets the requirements of ASME BPVC-III-2004, Volume 1, subsection NF and appendix. The results also show that the motor mounting flange and the supporting bolster are the main parts that bear the stresses, and more attention should be paid to them in structural design.

Keywords: Axial flow fan · Seismic analysis · Safety qualification
1 Preface

Fans in nuclear power plants are mainly used for ventilation, exhaust and other air circulation. A fan with any of the following safety functions belongs to seismic category 1 equipment: 1) maintaining the reactor in a safe shutdown condition; 2) residual heat removal; 3) storage of radioactive materials and limiting emissions to the environment. Seismic category 1 equipment is divided into classes 1I, 1F and 1A. Class 1A covers active equipment, whose structural integrity and operability must be ensured during and after an earthquake. There are two ways to verify a fan's seismic performance: testing and analysis. A qualification test can simulate the seismic excitation and verify the seismic performance of the fan more faithfully, but the long manufacturing cycle and high test cost are obvious drawbacks. In recent years, with the development and promotion of finite element analysis technology, seismic analysis and calculation have been widely used to verify the seismic performance of fans [1, 2]. The response spectrum method and the equivalent static method are widely used in seismic analysis. In this paper, the aseismic performance of the fan for the Zhangzhou nuclear power station is verified with ANSYS Workbench 14.5. Firstly, a modal analysis of the fan is carried out. Secondly, the static method and the response spectrum method are used to calculate the stress and deformation of the fan under self-weight, pressure and seismic load. Finally, the fan is evaluated according to NB/T 20038-2011 and ASME BPVC-III-2004, Volume 1, subsection NF and appendix. The results show that the structural strength and operability of the fan meet the standard requirements.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 42–49, 2022. https://doi.org/10.1007/978-981-19-1181-1_5
2 Finite Element Model

The fan's seismic requirement is class 1A. It is 1940 mm in length, 1350 mm in width, 1800 mm in height and 1482 kg in total weight. It is mainly composed of the deflector, mounting bracket, motor bracket, fan cylinder, impeller and motor. The fan's mounting bracket is welded to the embedded plate. The fan's structure diagram is shown in Fig. 1.
Fig. 1. Diagram for the fan
Parameters of the materials are shown in Table 1.

Table 1. The materials of the main parts and their property data [3]

Part name | Material | Density (kg/m³) | Elastic modulus E (MPa) | Poisson's ratio μ | Yield strength Sy (MPa) | Tensile strength Su (MPa) | Allowable stress S (MPa)
--- | --- | --- | --- | --- | --- | --- | ---
Fan cylinder, Mounting bracket, Motor bracket | Q235B | 7850 | 1.96 × 10^5 | 0.3 | 235 | 370 | 107
Impeller | ZL104 | 2700 | 7 × 10^4 | 0.3 | 180 | 230 | 65
Deflector | 3003 | 2700 | 7 × 10^4 | 0.3 | 35 | 95 | 23
Bolt | Grade 8.8 carbon steel | 7850 | 1.96 × 10^5 | 0.3 | 640 | 800 | /
In this analysis, the shell element is used to simulate the fan cylinder, mounting bracket, motor bracket and deflector, and the solid element is used to simulate the impeller, bolts and motor. The overall finite element model of the fan is shown in Fig. 2.
S. Hong et al.
Fig. 2. The FE model of the fan
3 Load Combination and Evaluation Criteria

According to NB/T 20038-2011, the load combinations and the corresponding evaluation criteria are shown in Table 2. For a class 1A fan with operability requirements, the class B criterion is adopted for the critical condition and the accident condition in the seismic analysis. This is a design measure; the class C criterion is adopted in the United States and Canada.

Table 2. Load combination cases and safety criteria [4]

Load case | Load combination | Safety criteria
--- | --- | ---
Normal condition | DW + NOPD | A
Abnormal condition | DW + NOPD + SL1 | B
Critical condition | DW + NOPD + SL2 | B
Accident condition | DW + NOPD + SL2 | B

Note: DW is the dead weight of the equipment, NOPD is the operating differential pressure, SL1 is the operating reference seismic load, and SL2 is the safe shutdown seismic load.
The seismic envelope spectrum given by the designer is shown in Fig. 3.
Fig. 3. SSE seismic floor response spectrum
According to NB/T 20038-2011, the stress limits for plate and shell parts are shown in Table 3. In Table 3, σ1 is the primary membrane stress, excluding discontinuities and stress concentrations; σ1 + σ2 is the primary membrane plus bending stress, excluding discontinuities and stress concentrations.

Table 3. Evaluation criteria for plate and shell parts [4]

Safety criteria | Primary membrane σ1 | Primary membrane plus bending stress σ1 + σ2
--- | --- | ---
A | σ1 ≤ 1.0S | σ1 + σ2 ≤ 1.5S
B | σ1 ≤ 1.0S | σ1 + σ2 ≤ 1.5S
C | σ1 ≤ 1.2S | σ1 + σ2 ≤ 1.8S
D | σ1 ≤ Min[1.5S, 0.4Su] | σ1 + σ2 ≤ Min[2.25S, 0.6Su]
According to NB/T 20038-2011, the deformation limits under the different service levels are shown in Table 4. dmax is the maximum deformation that the equipment can withstand without losing its intended function. The radial fit clearance between the casing assembly and the impeller is 4 mm, so dmax = 4 mm.

Table 4. Safety criteria of deformation [4]

Safety criteria | Deformation limit
--- | ---
A | d ≤ 0.6dmax
B | d ≤ 0.6dmax
C | d ≤ 0.9dmax
D | d ≤ 0.9dmax
According to ASME BPVC-III, Volume 1, subsection NF and appendix, the evaluation standards for the connecting bolts are shown in Table 5.

Table 5. Safety criteria of connecting bolt [5]

Safety criteria | Pure tensile stress ft | Pure shear stress fv | Combination of tensile and shear stress | Remarks
--- | --- | --- | --- | ---
A | ft ≤ Ftb = Su/2 | fv ≤ Fvb = 0.62Su/3 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Ferrite
A | ft ≤ Ftb = Su/3.33 | fv ≤ Fvb = 0.62Su/5 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Austenite
B | ft ≤ Ftb = 1.15Su/2 | fv ≤ Fvb = 0.713Su/3 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Ferrite
B | ft ≤ Ftb = 1.15Su/3.33 | fv ≤ Fvb = 0.713Su/5 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Austenite
C | ft ≤ Ftb = 1.25Su/2 | fv ≤ Fvb = 0.775Su/3 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Ferrite
C | ft ≤ Ftb = 1.25Su/3.33 | fv ≤ Fvb = 0.775Su/5 | ft²/Ftb² + fv²/Fvb² ≤ 1 | Austenite
D | ft ≤ Min[Sy, 0.7Su] | fv ≤ Min[0.6Sy, 0.42Su] | ft²/Ftb² + fv²/Fvb² ≤ 1 | Ferrite

Note: Ftb is the allowable tensile stress; Fvb is the allowable shear stress; Su is the tensile strength; Sy is the yield strength.
4 Analysis

4.1 Modal Analysis

In the modal analysis, all degrees of freedom are constrained at the position where the mounting bracket is welded to the embedded plate. The first 764 modes are calculated. The total effective participation coefficient of the first 764 modes is 94.9% in the X direction, 90.3% in the Y direction and 91.2% in the Z direction. According to engineering practice, a total effective participation coefficient of more than 90% in each direction meets the calculation accuracy requirements. The first six natural frequencies of the fan are shown in Table 6.

Table 6. First six natural frequencies of the fan (unit: Hz)

Order | Natural frequency
--- | ---
1 | 21.60
2 | 29.60
3 | 35.28
4 | 36.72
5 | 47.23
6 | 50.30
4.2 Seismic Safety Analysis

Because the first natural frequency of the fan is 21.60 Hz, which is less than 33 Hz, both the equivalent static method and the response spectrum method are needed to analyze the seismic safety of the fan. The static response of the fan under gravity acceleration and internal pressure is analyzed by the static method. The response spectrum method is used to analyze the dynamic response of the fan under the earthquake. The calculation results in the X, Y and Z directions are combined by the square root of the sum of squares (SRSS) method [6–8]. The results of the static analysis and the spectrum analysis are superimposed to obtain the response of the fan under the level D load, as shown in Fig. 4.
Fig. 4. Membrane + bending stress contour for the shell parts
5 Result Evaluation

5.1 Shell and Plate Parts

The check results for the shell and plate parts (excluding discontinuities and stress concentration areas) are shown in Table 7. For the local discontinuity and stress concentration areas of the fan, three times the allowable stress is used for the check, that is σtotal ≤ 3S = 321 MPa. The maximum principal stress in the discontinuity and stress concentration areas of the fan's plate and shell parts is 275.68 MPa, less than 321 MPa, so the strength meets the requirements.

5.2 Impeller

For the impeller material ZL104, the allowable stress is taken as the limit on membrane plus bending stress. The maximum principal stress of the impeller is 60.87 MPa, so its strength meets the requirements.
Table 7. Calculation results and evaluation of plate and shell parts (unit: MPa)

Part name | Calculated membrane stress | Allowable value | Calculated membrane + bending stress | Allowable value | Evaluation result
--- | --- | --- | --- | --- | ---
Fan cylinder, Mounting bracket, Motor bracket | 32.22 | 107 | 46.16 | 160.5 | Pass
Deflector | 6.75 | 23 | 6.87 | 34.5 | Pass
5.3 Bolt

The bolts to be checked for the fan are: six grade 8.8 M16 × 50 bolts connecting the air duct foot and the mounting bracket; eight grade 8.8 M16 × 80 bolts connecting the motor and the motor mounting flange; sixteen grade 8.8 M10 × 40 bolts connecting the motor bracket and the fan cylinder; and eight grade 8.8 M16 × 40 bolts connecting the motor bracket and the motor. The tensile stress and shear stress of each group of bolts were extracted separately. The allowable tensile stress and allowable shear stress of the bolts are calculated by the following formulas:

ft ≤ Ftb = Su/2 (1)

fv ≤ Fvb = 0.62Su/3 (2)

The stress check results for each group of bolts are shown in Table 8.

Table 8. Stress evaluation for the bolts (unit: MPa)

Location | Tensile stress, actual | Tensile stress, allowable | Shear stress, actual | Shear stress, allowable | ft²/Ftb² + fv²/Fvb² | Evaluation result
--- | --- | --- | --- | --- | --- | ---
Bolt connected with fan and mounting bracket | 335.51 | 400 | 40.90 | 165 | 0.76 | Pass
Bolt connected with motor and motor mounting flange | 271.82 | 400 | 17.29 | 165 | 0.47 | Pass
Bolt connected with motor bracket and fan cylinder | 61.72 | 400 | 20.99 | 165 | 0.04 | Pass
Bolt connected with motor bracket and motor | 20.38 | 400 | 26.62 | 165 | 0.02 | Pass
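The checks in Tables 3, 5, 7 and 8, together with Eqs. (1) and (2), amount to a handful of inequalities, and writing them out makes the pass/fail logic and the rounding of the interaction ratio explicit. The following Python is an added example, not the authors' analysis script; it takes S, Su and the actual stresses from the tables above, while the ferrite/austenite flag and the two-decimal rounding of the ratio are assumptions about how the tables were produced.

```python
"""Stress checks from Tables 3, 5, 7 and 8, written out as code.

Added example, not from the paper. S, Su, the criterion factors and the
actual stresses are the values printed in the tables; the material flag and
the two-decimal rounding of the interaction ratio are assumptions.
"""
from dataclasses import dataclass

# Table 3: factors on the allowable stress S for plate and shell parts.
SHELL_FACTORS = {"A": (1.0, 1.5), "B": (1.0, 1.5), "C": (1.2, 1.8)}


def shell_limits(S, level, Su=None):
    """Return (membrane limit, membrane + bending limit) in MPa."""
    if level in SHELL_FACTORS:
        k1, k2 = SHELL_FACTORS[level]
        return k1 * S, k2 * S
    if level == "D":
        if Su is None:
            raise ValueError("level D needs the tensile strength Su")
        return min(1.5 * S, 0.4 * Su), min(2.25 * S, 0.6 * Su)
    raise ValueError(f"unknown service level {level!r}")


def check_shell(sigma1, sigma12, S, level="B", Su=None):
    """sigma1: primary membrane stress; sigma12: membrane + bending stress."""
    lim1, lim12 = shell_limits(S, level, Su)
    return {"limits": (lim1, lim12), "pass": sigma1 <= lim1 and sigma12 <= lim12}


# Table 5 / Eqs. (1)-(2): bolt allowables at criterion A.
def allowable_tensile(Su, austenitic=False):
    return Su / 3.33 if austenitic else Su / 2            # Ftb


def allowable_shear(Su, austenitic=False):
    return 0.62 * Su / 5 if austenitic else 0.62 * Su / 3  # Fvb


def interaction_ratio(ft, fv, Ftb, Fvb):
    """Combined tensile and shear check: ft²/Ftb² + fv²/Fvb² must be ≤ 1."""
    return (ft / Ftb) ** 2 + (fv / Fvb) ** 2


@dataclass
class BoltGroup:
    location: str
    ft: float  # actual tensile stress, MPa
    fv: float  # actual shear stress, MPa


def check_bolt(bolt, Su=800.0, austenitic=False):
    Ftb, Fvb = allowable_tensile(Su, austenitic), allowable_shear(Su, austenitic)
    ratio = interaction_ratio(bolt.ft, bolt.fv, Ftb, Fvb)
    ok = bolt.ft <= Ftb and bolt.fv <= Fvb and ratio <= 1.0
    return {"location": bolt.location, "Ftb": Ftb, "Fvb": Fvb,
            "ratio": ratio, "pass": ok}


# Bolt groups and extracted stresses as listed in Table 8 (grade 8.8, Su = 800 MPa).
TABLE_8 = [
    BoltGroup("fan and mounting bracket", 335.51, 40.90),
    BoltGroup("motor and motor mounting flange", 271.82, 17.29),
    BoltGroup("motor bracket and fan cylinder", 61.72, 20.99),
    BoltGroup("motor bracket and motor", 20.38, 26.62),
]


def check_all_bolts(bolts=TABLE_8):
    return [check_bolt(b) for b in bolts]


if __name__ == "__main__":
    print(check_shell(32.22, 46.16, S=107))   # fan cylinder etc., Table 7
    print(check_shell(6.75, 6.87, S=23))      # deflector, Table 7
    for row in check_all_bolts():
        print(f"{row['location']:<32} ratio={row['ratio']:.2f} pass={row['pass']}")
```

With Su = 800 MPa the allowables come out as Ftb = 400 MPa and Fvb = 165.3 MPa, which is what Table 8 lists after rounding, and the first three interaction ratios round to the 0.76, 0.47 and 0.04 shown there; the fourth group computes to about 0.029, so its printed 0.02 is a truncated rather than rounded value. All four groups pass with a wide margin against the limit of 1.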
5.4 Operability

Under the level D load, the maximum radial deformation of the impeller is 2.21 mm and the maximum radial deformation of the fan cylinder is 2.17 mm. As the deformation directions are the same, the relative deformation is 0.04 mm, which is less than the deformation limit of 2.4 mm. Therefore, the operability of the fan during and after the earthquake can be guaranteed.
6 Conclusion

In this paper, the seismic safety analysis of the fan is carried out with ANSYS Workbench 14.5. The analysis results show that the strength of the fan's plate and shell parts, impeller and connecting bolts meets the requirements of the relevant standards. The gap deformation between the impeller and the fan cylinder is less than the required limit, which ensures the operability of the fan during and after the earthquake. The analysis also shows that the motor mounting flange and the supporting foot of the fan cylinder are the main components bearing the stresses, and they should be given more attention in the structural design.
References

1. Zhu, H., Huang, Y., Wang, Y., Liu, J.: Seismic performance analysis of nuclear grade fans in Taishan nuclear power plant. Fan Technol. 4, 27–31 (2015)
2. Li, Q., Li, P., Li, X., Sun, L., Liu, L.: Seismic analysis and evaluation of axial flow fans in nuclear power plants. Nucl. Power Eng. 40(S1), 90–92 (2019)
3. Cheng, D.: Mechanical Design Manual. Chemical Industry Press, Beijing (2016)
4. National Energy Administration: NB/T 20038-2011 General Requirements for Design and Manufacture of Nuclear Air and Gas Treatment Code (2011)
5. The American Society of Mechanical Engineers: ASME BPVC-III-2004 Rules for Construction of Nuclear Facility Components, Division 1, Subsection NF (2004)
6. Xue, Z.: Research on Seismic Performance Calculation of Nuclear Power Engineering Structures. Harbin Engineering University, pp. 31–35 (2012)
7. Cheng, D.: Mechanical Design Manual. Chemical Industry Press (2016)
8. National Energy Administration: NB/T 20038-2011 Code on Nuclear Air and Gas Treatment: General Requirements on Design and Fabrication (2011)
Application Verification of Wireless Sensor Network in Nuclear Power Plant

Zhi-Guang Deng(B), Qian Wu, Mei-Qiong Xiang, Chen-Long Dong, Yue Qin, Zhuo-Yue Li, and Yong-Sheng Sun

Science and Technology on Reactor System Design Technology Laboratory, Nuclear Power Institute of China, Chengdu 610213, China
[email protected]
Abstract. The application of wireless sensor networks in nuclear power plants can greatly reduce the cable wiring workload and help to improve the level of automation and informatization of the plant. However, the application also faces the constraints of the special and complex nuclear environment, such as strong electromagnetic interference and high temperature, and especially the narrow, metal-enclosed space of the plant cabin, which poses challenges for wireless sensors. Based on the Lora wireless protocol, this paper studies the low-power selection of wireless sensors and MCU, the sleep/wake-up low-power mechanism, dual-star adaptive frequency hopping for anti-interference, frequency-division and time-division multi-node real-time communication, and other aspects. On this basis, a prototype is developed, and functional tests, high and low temperature tests, an electromagnetic compatibility test and a bench test are carried out. The feasibility of applying wireless sensors in nuclear power plants is preliminarily verified, which lays a foundation for further application.

Keywords: Wireless sensor network · Nuclear power plant · Lora · Environment test · Bench test
1 Introduction

With the increasing demand for information exchange between equipment in the ship cabin, the number and weight of traditional cables increase accordingly. Given the limited internal space, wired data transmission will gradually become an important factor restricting ship informatization. Wireless communication technology that can be applied to the special environment in the cabin is urgently needed to meet the future communication needs of the equipment there. Wireless sensor networks (WSN) have the characteristics of a high degree of automation, high reliability and simple maintenance. When applied to a nuclear power plant, they can reduce the cable wiring workload of the monitoring system, reduce the impact of cable aging and termination failure during the use and maintenance of the plant, and make the layout flexible and convenient. They can effectively shorten the maintenance time of the plant and help to improve its level of automation and informatization [1]. However, the wireless environment of the nuclear power plant cabin is highly particular: the complex cabin structure, the instantaneous start-up and shutdown of high-power mechanical and electrical equipment and other electromagnetic radiation will interfere with the wireless transmission of the wireless sensor network [2]. In addition, there is a great deal of metal equipment in the cabin, which leads to the shadow effect and the frequency-selective fading effect. In general, refraction, reflection, diffraction, scattering and other phenomena occur during wireless signal transmission, which leads to serious multipath interference, multi-user interference, co-frequency interference and so on [3–6]. At the same time, the impact of special environmental conditions (radiation, high temperature and high pressure, etc.) on wireless sensor networks should also be considered. In this paper, based on the application prospects of wireless sensor networks in nuclear power plants and aiming at the above problems, the related research is carried out based on Lora [7–10], a prototype is developed, and preliminary test verification is carried out, which lays the foundation for subsequent practical engineering application.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 50–62, 2022. https://doi.org/10.1007/978-981-19-1181-1_6
2 Wireless Sensor Network Structure Design

2.1 Wireless Sensor Network System Framework

Figure content (labels only): Host computer, connected through a router to wireless subnet 1 (ship cabin 1: Lora wireless gateway with wireless sensors 1 ... N) and wireless subnet 2 (ship cabin 2: Lora wireless gateway with wireless sensors 1 ... N)

Fig. 1. Schematic diagram of wireless sensor network system
Z.-G. Deng et al.
The principle of the wireless sensor network system is shown in Fig. 1. In each cabin, a wireless gateway and wireless sensors (pressure, temperature) form an independent cabin wireless subnet. The host computer forms an industrial Ethernet with each wireless subnet through a router; it obtains the sensor data of each cabin and displays the man-machine interface over Ethernet. The host computer supplies power to the wireless gateway in PoE mode and at the same time forwards the sensor data to other devices.

2.2 Wireless Sensors and Gateways

(1) Overall hardware structure of the wireless sensor nodes

According to the specific requirements of the remote wireless monitoring system in the ship environment, the pressure and temperature of the pipelines in the ship cabin must be obtained accurately and in real time, and wireless monitoring must be realized. The hardware structure of a general wireless sensor is shown in Fig. 2.

Figure content (labels only): Sensor module, MCU, Lora wireless module, antenna, power supply

Fig. 2. Hardware structure diagram of wireless sensor

The whole hardware structure of the wireless sensor consists of a sensor module, a wireless module, an antenna and a power supply. The sensor module is responsible for collecting the pressure and temperature in the ship pipeline and transmitting the data to the wireless transmission module. The wireless transmission module is responsible for encoding these data according to the requirements of the wireless communication protocol and then transmitting them to the wireless network through the antenna. When interference occurs, the terminal switches to another group of antenna frequency bands. Finally, the power supply is responsible for powering this hardware.

(2) Wireless transmission module

The wireless transmission module adopts the RHF76–052 LoRaWAN module, which is based on the SX1276 series LoRa baseband chip; the MCU is ST's ultra-low-power STM32L052 ARM chip.

(3) Wireless gateway
As an important link of network transmission, wireless gateway is an important device for collecting and uploading data of lower wireless nodes. Lora gateway is powered by Ethernet port, and its core controller is a processor based on ARM core.
3 Test Verification

To ensure that the wireless sensor network based on the Lora wireless protocol can operate reliably and stably in the complex, metal-enclosed space of the nuclear power plant, research was carried out on the low-power selection of wireless sensors and MCU, the sleep/wake low-power mechanism, dual-star adaptive frequency hopping for anti-interference, and frequency-division and time-division multi-node real-time communication. On this basis, a prototype was developed, and functional and performance tests, high and low temperature tests and electromagnetic compatibility tests were carried out.

3.1 Functional and Performance Test

1) Continuous working test of the wireless sensor

The wireless sensor node uses ER34615 batteries (4 cells in total, with a total nominal capacity C of 76000 mAh). Once the average current I_a drawn from the battery by a single sensor is measured, the battery life can be calculated from its discharge curve. As shown in Fig. 3, the battery of the wireless sensor is connected in series with a sampling resistor (3.8 Ω), and the voltage across the sampling resistor is recorded with a storage oscilloscope over multiple working cycles (500 ms). The average working current is then used to calculate the battery replacement cycle for the given battery capacity.
Fig. 3. Schematic diagram of single sensor average current test wiring
During the test, the sampling voltage recorded by the oscilloscope is integrated to obtain the average voltage U_a, which is then divided by the sampling resistance R to obtain the average operating current I_a. The measured data are shown in Table 1. From the table, C/I_a > 17520 h, that is, the wireless sensor can operate continuously and stably for at least 2 years, which meets the daily tasks of the ship and matches the ship's maintenance interval.
Table 1. Continuous working time of wireless sensor

Wireless temperature sensor | Average voltage (mV) | Continuous working hours (h) | Wireless pressure sensor | Average voltage (mV) | Continuous working hours (h)
--- | --- | --- | --- | --- | ---
1 | 11.72 | 24683 | 1 | 9.50 | 30400
2 | 11.33 | 25557 | 2 | 8.88 | 32540
3 | 12.81 | 22562 | 3 | 8.13 | 35544
4 | 10.13 | 28523 | 4 | 8.50 | 33976
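The battery-life estimate of the continuous working test (integrate the sampled voltage across the resistor, divide by R to get I_a, then divide C by I_a) as an added Python example, not the authors' test software. The constants are those given in the text (3.8 Ω sampling resistor, 76000 mAh nominal capacity, 500 ms working cycle, 2-year target); the oscilloscope trace is constructed to illustrate the integration step and is not recorded data.

```python
"""Battery-life estimate for the continuous working test of Sect. 3.1.

Added example, not the authors' test software. Constants come from the text;
the oscilloscope trace below is constructed, not recorded data.
"""
SAMPLING_RESISTOR_OHM = 3.8
CAPACITY_MAH = 76000.0
CYCLE_S = 0.5
TWO_YEARS_H = 2 * 365 * 24  # 17520 h


def average_voltage_mv(samples_mv, dt_s):
    """Integrate the sampled voltage across the resistor (rectangle rule)
    and divide by the elapsed time, giving the average voltage U_a."""
    if not samples_mv:
        raise ValueError("empty trace")
    integral_mv_s = sum(samples_mv) * dt_s
    return integral_mv_s / (len(samples_mv) * dt_s)


def average_current_ma(u_a_mv, r_ohm=SAMPLING_RESISTOR_OHM):
    """I_a = U_a / R; millivolts over ohms gives milliamperes directly."""
    return u_a_mv / r_ohm


def working_hours(u_a_mv, r_ohm=SAMPLING_RESISTOR_OHM, capacity_mah=CAPACITY_MAH):
    """Continuous working time C / I_a in hours."""
    return capacity_mah / average_current_ma(u_a_mv, r_ohm)


def constructed_trace(dt_s=0.001, cycle_s=CYCLE_S, sleep_mv=2.0, tx_mv=100.0, tx_s=0.05):
    """One working cycle: mostly sleep current with a short transmit burst.
    Constructed values, only to exercise the integration step."""
    n_total = int(round(cycle_s / dt_s))
    n_tx = int(round(tx_s / dt_s))
    return [sleep_mv] * (n_total - n_tx) + [tx_mv] * n_tx


# Average voltages listed in Table 1 (mV).
TABLE_1_MV = {
    "temperature": [11.72, 11.33, 12.81, 10.13],
    "pressure": [9.50, 8.88, 8.13, 8.50],
}


def battery_report(table=TABLE_1_MV):
    """Hours per sensor and whether every sensor clears the 2-year target."""
    hours = {kind: [working_hours(v) for v in values] for kind, values in table.items()}
    worst = min(h for hs in hours.values() for h in hs)
    return {"hours": hours, "worst_case_h": worst, "meets_two_years": worst > TWO_YEARS_H}


if __name__ == "__main__":
    trace = constructed_trace()
    u_a = average_voltage_mv(trace, 0.001)
    print(f"constructed trace: U_a = {u_a:.2f} mV, I_a = {average_current_ma(u_a):.3f} mA, "
          f"life = {working_hours(u_a):.0f} h")
    print(battery_report())
```

Feeding the Table 1 voltages through the formula reproduces the tabulated hours to within a fraction of a percent (9.50 mV gives exactly 30400 h), and the worst case, the 12.81 mV temperature sensor, still sits well above the 17520 h two-year mark; the constructed trace shows how a 50 ms transmit burst at 100 mV dominates the average even though the node sleeps 90% of the cycle.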
2) Wireless sensor data transmission delay test

For the transmission delay test, the wireless terminal is first connected to the gateway (receiving and sending use the same frequency band and channel at this time); the distance between each wireless sensor node and the wireless gateway is 5 m, with no obstacle between them. When the CPU (STM32) receives the pressure sensor or temperature sensor data, it drives a jumper output high, and when the host computer receives the data, it also drives a jumper high through the USB port; the two jumpers are connected to a logic analyzer to measure the time difference between the two signals. This time difference is the measured delay. The records are shown in Table 2. It can be seen from the results in the table that the wireless sensor data transmission delay is less than 500 ms, which meets the requirements of ship process measurement data collection.

Table 2. Transmission delay of wireless sensor network

Wireless temperature sensor | Data transmission delay (ms) | Wireless pressure sensor | Data transmission delay (ms)
--- | --- | --- | ---
1 | 448 | 1 | 418
2 | 449 | 2 | 428
3 | 451 | 3 | 428
4 | 449 | 4 | 430
3) Frequency hopping performance test

The gateway designed in this paper has 2 working frequency bands, and data can be sent and received on both. Frequency band 1 operates on 32 uplink channels in 474 MHz ~ 490 MHz; frequency band 2 operates on 32 uplink channels in 899 MHz ~ 915 MHz. The frequency hopping test is carried out on the two frequency bands of the wireless gateway, as shown in Fig. 4. Normally, both band 1 and band 2 can communicate with the wireless terminals; when band 1 fails, data are transferred to band 2 for transmission.

Figure content (labels only): Frequency band 1, Frequency band 2

Fig. 4. 2-band frequency hopping communication
The test process is divided into two types: 1-2-1 and 2-1-2. The 1-2-1 type refers to checking whether data can be received when frequency band 1 is on and frequency band 2 is off, then turning band 1 off to simulate its failure and checking whether data can still be received, and finally turning band 1 on again and band 2 off (simulating failure) to check whether data can be received. The 2-1-2 type is similar. The test record is shown in Table 3. The host computer can receive and display the data of the 6 wireless sensors normally.

Table 3. Frequency hopping test of wireless sensor network

Wireless sensor | Test type | Band state | Received or not
--- | --- | --- | ---
Wireless temperature sensor | 1-2-1 | Band 1 on, Band 2 off | Received
Wireless temperature sensor | 1-2-1 | Band 2 on, Band 1 off | Received
Wireless temperature sensor | 1-2-1 | Band 1 on, Band 2 off | Received
Wireless temperature sensor | 2-1-2 | Band 2 on, Band 1 off | Received
Wireless temperature sensor | 2-1-2 | Band 1 on, Band 2 off | Received
Wireless temperature sensor | 2-1-2 | Band 2 on, Band 1 off | Received
Wireless pressure sensor | 1-2-1 | Band 1 on, Band 2 off | Received
Wireless pressure sensor | 1-2-1 | Band 2 on, Band 1 off | Received
Wireless pressure sensor | 1-2-1 | Band 1 on, Band 2 off | Received
Wireless pressure sensor | 2-1-2 | Band 2 on, Band 1 off | Received
Wireless pressure sensor | 2-1-2 | Band 1 on, Band 2 off | Received
Wireless pressure sensor | 2-1-2 | Band 2 on, Band 1 off | Received

3.2 Environmental Test

1) High and low temperature test

The wireless sensor system to be tested consists of 6 wireless temperature sensor nodes, 6 wireless pressure sensor nodes and 1 wireless gateway, as shown in Fig. 5. The sensors are powered by batteries and the gateway is powered by 220 V AC at the test site; all of them are placed in the temperature and humidity test chamber. The wireless gateway uploads the received data to the host computer software through the network cable to display and measure the related functions and performance.
Fig. 5. High and low temperature test of wireless sensor
The high temperature and low temperature working test environments are 60 °C and 5 °C respectively, and the test time is 4 h. First, the entire wireless sensor system is put in working condition and normal communication between the wireless gateway and the wireless sensors is established. At the same time, the data transmission time is more than 1 min, and the host computer counts and records the measured data value of each wireless sensor and the transmission packet loss rate. Then, the temperature in the test box is adjusted to 5 °C and 60 °C successively, and the above operation is repeated to obtain data. Taking the wireless temperature sensor as an example, the average data and packet loss rate before, during and after the test are shown in Fig. 6. It can be seen that the wireless temperature sensor measured data normally in the test environment, and the packet loss rate is less than 0.3%.
Fig. 6. High and low temperature test data and maximum packet loss rate of wireless sensor network
2) Electromagnetic compatibility test
The composition of the wireless sensor system is the same as in the high and low temperature test, and the test diagram is shown in Fig. 7. Similar to the high and low temperature test, the wireless sensor network system works normally and receives data stably for more than 1 min, and then the power line conducted susceptibility CS101, ground line conducted susceptibility CS102, electrostatic discharge susceptibility CS112, CS114 cable bundle injection conducted susceptibility, magnetic field radiated susceptibility RS101 and electric field radiated susceptibility RS103 tests are conducted. The average value of the wireless pressure sensor test data and the highest packet loss rate are shown in Fig. 8. It can be seen from Fig. 8 that the system can operate normally under the electromagnetic compatibility tests. Except for the CS112 test, in which the packet loss rate is above 1%, the packet loss rates of the other tests are all 0.5% or less.
Fig. 7. Electromagnetic compatibility test of wireless sensor network
Fig. 8. Electromagnetic compatibility test data and maximum packet loss rate of wireless sensor network
3.3 Field Bench Test
The layout of the wireless sensor network on the test bench simulates the actual environment of the ship as much as possible. As shown in Fig. 9, a wireless temperature sensor, a wireless pressure sensor and a wireless gateway are distributed in an area of about 13 m × 13 m on the platform. The position of the wireless gateway at the receiving end is fixed at the position marked G1 on the second floor of the gantry. In each test, the wireless temperature sensor and wireless pressure sensor are placed in sequence at the 8 positions S1, S2, S3, S4, S5, S6, S7 and S8 in Fig. 9, and a total of 8 tests are carried out. At each position, data transmission is maintained for more than 1 min. At the same time, temperature and pressure data are measured at an obstacle-free position within 1 m of the wireless gateway as standard comparison data.
Fig. 9. Simulation bench test of wireless sensor network engine room environment
The wireless pressure sensor arranged at S7 on the first floor is shown in Fig. 10. It can be seen that the metal obstruction around it is severe. The host computer data display (0.0120 MPa) is shown in Fig. 11. It can be seen that the data can still be received normally in such a complex environment.
Fig. 10. The layout of the wireless pressure sensor at S7 on the first floor of the platform
Fig. 11. Display of the wireless pressure sensor at the S7 position on the first floor of the gantry
In addition to the pre-planned locations S1 ~ S8, a wireless transmission test at a special location was also carried out during the test. As shown in Fig. 12, a wireless temperature sensor was placed behind a tank (in operation, with a temperature of about 30 °C). The line-of-sight communication path between the sensor and the wireless gateway is completely obscured by the tank. The host computer data (25.32 °C) is displayed as shown in Fig. 12, which shows that communication can still be established under such severe conditions (Fig. 13).
Fig. 12. Wireless temperature sensor arrangement at a special location on the second floor of the platform
The average temperature data value and the highest packet loss rate curve diagram of S1 ~ S8 and special locations are shown in Fig. 14. It can be seen that the packet loss rate of all location temperature and pressure data is less than 0.5%, and the S1 ~ S8 data fluctuates around the average value (19.20 °C). Therefore, the wireless temperature and pressure sensor can achieve the wireless temperature and pressure measurement function with a small packet loss rate.
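The bookkeeping behind the frequency hopping test (Table 3) and the packet loss figures quoted for the environmental and bench tests, as an added example that is not the paper's or the gateway's code. It assumes the host computer writes one line per received packet, "<seconds> <sensor> <band> <seq> <value>", with a per-sensor sequence counter carried in every LoRa packet; loss then shows up as holes in that counter, and the order of bands seen by the host reproduces the 1-2-1 or 2-1-2 hop pattern. The log lines and the 0.5% loss limit are constructed inputs.

```python
"""Packet-loss and band-hopping bookkeeping for a wireless sensor test run.

Added example, not the paper's or the gateway's code. It assumes the host
computer writes one line per packet it receives, "<seconds> <sensor> <band>
<seq> <value>", where <seq> is a per-sensor sequence counter carried in every
LoRa packet; loss is then visible as holes in that counter.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    t: float
    sensor: str
    band: int
    seq: int
    value: float


# Constructed log (hypothetical values). T1 runs a 1-2-1 hop test and loses
# seq 4 while on band 2; P1 runs a 2-1-2 hop test without loss.
SAMPLE_LOG = """\
0.0 T1 1 0 19.21
1.0 T1 1 1 19.19
2.0 T1 1 2 19.22
3.0 T1 2 3 19.18
5.0 T1 2 5 19.20
6.0 T1 1 6 19.21
7.0 T1 1 7 19.19
8.0 T1 1 8 19.20
9.0 T1 1 9 19.20
0.0 P1 2 0 0.0120
1.0 P1 2 1 0.0120
2.0 P1 1 2 0.0120
3.0 P1 1 3 0.0120
4.0 P1 2 4 0.0120
5.0 P1 2 5 0.0120
"""


def parse_log(text: str) -> List[Packet]:
    """Parse the host log, skipping blank or malformed lines instead of crashing."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        t, sensor, band, seq, value = parts
        packets.append(Packet(float(t), sensor, int(band), int(seq), float(value)))
    return packets


def by_sensor(packets: List[Packet]) -> Dict[str, List[Packet]]:
    """Group packets per sensor, ordered by sequence number."""
    groups: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        groups[p.sensor].append(p)
    return {s: sorted(g, key=lambda p: p.seq) for s, g in groups.items()}


def packet_loss_rate(packets: List[Packet]) -> float:
    """Missing sequence numbers over the span actually transmitted.
    Duplicates (retransmissions) are counted once."""
    seqs = sorted({p.seq for p in packets})
    if not seqs:
        return 1.0
    expected = seqs[-1] - seqs[0] + 1
    return 1.0 - len(seqs) / expected


def band_sequence(packets: List[Packet]) -> List[int]:
    """Bands in transmission order with repeats collapsed: a 1-2-1 test yields [1, 2, 1]."""
    hops: List[int] = []
    for p in sorted(packets, key=lambda p: p.seq):
        if not hops or hops[-1] != p.band:
            hops.append(p.band)
    return hops


def evaluate(text: str, max_loss: float = 0.005, expected_hops=None) -> Dict[str, dict]:
    """Per sensor: mean value, loss rate, observed hop pattern, and pass/fail flags
    against the loss limit (0.5 % here, as in the bench test) and expected pattern."""
    expected_hops = expected_hops or {}
    report = {}
    for sensor, pk in by_sensor(parse_log(text)).items():
        loss, hops = packet_loss_rate(pk), band_sequence(pk)
        report[sensor] = {
            "mean": sum(p.value for p in pk) / len(pk),
            "loss": loss,
            "hops": hops,
            "loss_ok": loss <= max_loss,
            "hop_ok": expected_hops.get(sensor) in (None, hops),
        }
    return report
```

Run `evaluate(SAMPLE_LOG, expected_hops={"T1": [1, 2, 1], "P1": [2, 1, 2]})` to get one record per sensor; the constructed T1 run shows the hop pattern passing while the loss limit fails, which is how a failover test and a loss test are judged separately.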
Fig. 13. Numerical display of wireless temperature sensor in special position on the second floor
Fig. 14. The average value of wireless temperature sensor data and the highest packet loss rate in the bench test
4 Conclusion
Based on the Lora protocol, which has strong anti-interference ability and low power consumption, the application of wireless sensors in nuclear power plants is preliminarily tested and verified through frequency hopping, wake-up / sleep, time division and other optimization measures. In particular, the communication test is carried out on a platform similar to the ship cabin environment, and it is verified that the wireless sensor network based on Lora can communicate stably in an environment with multiple metal barriers. In the future, we will continue to study and verify the complex electromagnetic compatibility characteristics, multi-point networking and long-term stability and reliability of communication in a multi-metal-barrier environment, so as to realize the application of wireless sensor networks in nuclear power plants as soon as possible.
Treatment of Flashing Primary Alarm of Scintillator Radiation Monitoring Device in NPP
Xu-Tao Bai1(B) and Ming Chen2
1 Suzhou Nuclear Power Research Institute, Suzhou 215004, Jiangsu Province, China
2 Fujian Ningde Nuclear Power Co. Ltd, Ningde 355200, Fujian Province, China
Abstract. This paper briefly describes the process of the KRT004MA flashing primary alarm of the radiation monitoring system in a nuclear power plant, introduces the detection principle of the scintillator radiation monitoring device and the main functions of the LPDU, and analyzes the various failure modes in detail in view of the possible reasons such as high real measurement, equipment collision, external interference, circuit accidental failure and device performance degradation. According to the historical events and underlying data of the channel, combined with the inspection results of the local equipment, external interference is determined as the root cause of the flash alarm event, and effective measures are taken to deal with it.
Keywords: Scintillator · Radiation monitoring · Scintillation · External interference
1 Introduction
The radiation monitoring system (KRT) is mainly used to measure the radiation of the process, effluent and workplace of a nuclear power plant, to ensure the operational safety of the plant, to prevent staff from receiving high-dose radiation, and to monitor the integrity and effectiveness of the three barriers. Radiation detectors commonly used in radiation protection include gas detectors, scintillator detectors, semiconductor detectors, solid-state track detectors and thermoluminescent detectors [1]. At 2017-11-14T15:47, the KRT026KA alarm (KRT004MA SG1 sewage γ activity level I alarm) was triggered in the main control room of a nuclear power plant. During this period, the maximum value of the KRT004MA radiation monitor reached 1.45E+06 Bq/m3, but the indication of KRT034MA (the downstream measurement channel of the sewage) did not change. According to the operation calculation, the leakage rate of the primary circuit is normal, and the radioactivity of the secondary circuit chemical sampling is normal. The specific situation is shown in Fig. 1.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 63–74, 2022. https://doi.org/10.1007/978-981-19-1181-1_7
Fig. 1. Flash history data
2 Principle of Detector and Main Functions of Equipment
2.1 Principle of Scintillator Detection
The basic principle of a scintillator detector is that radiation incident on a substance produces a fluorescence signal, which is converted into an electrical signal and amplified by a photomultiplier tube. A scintillation detector consists of a scintillator, a photomultiplier tube and the corresponding counting circuit (including an emitter follower and follow-up circuit). When the X-ray penetrates into the scintillator, the molecules or atoms of the scintillator are ionized and excited by the energy it loses, and the excited molecules or atoms emit fluorescence when they are de-excited. Photons travel from where they are produced to the photocathode of the photomultiplier tube and produce electrons by the photoelectric effect [2]. The generated electrons are multiplied by the dynodes, and finally a voltage pulse proportional to the particle energy is generated in the output circuit. The scintillator detector used in nuclear power plants is mainly the NaI type radiation detector. The NaI crystal has a high detection efficiency for γ rays, but it is fragile and deliquescent, so it needs to be sealed. The NaI scintillator detector is composed of a shell, an insulation layer, the NaI crystal, a photomultiplier tube and a voltage divider. The photomultiplier tube (PMT) is a kind of photoelectric device, mainly composed of a photocathode, a focusing electrode, dynodes and a cathode. It is sealed in a glass shell, with the lead of each electrode brought out as a socket pin. The photomultiplier tube should have a good spectral response at the photocathode that matches the luminescence spectrum of the scintillator, an appropriate magnification, a low dark current and noise level, and good workmanship and stability.
2.2 Major Function
The radiation monitoring device takes the LPDU as its processing center, takes the weak current and voltage signals of the detector as input, and outputs various information after processing by the program in the processor: switching values, analog values, and digital values in MODBUS-RTU format. The main functions are as follows.
(1) Processing function: coupling the detector; real-time counting; using the specified algorithm to generate the required unit of measurement; processing the relay signal and analog output signal; recording events (including faults, alarms, commands, parameter modifications, power supply failures, etc.); keeping the average value of each measurement; saving the real-time measured value; channel selection and acquisition time selection [3].
(2) Test function: continuous test of voltage and temperature; regular test of the background value to verify the integrity of the detector; electrical test to verify that the electronic circuit is normal; light test to verify that the detector is normal; analog output test.
(3) Communication function: RS485 data line used for data transmission through the Modbus protocol; three kinds of switch output; analog input / output.
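The Modbus RTU framing behind the communication function in item (3), as an added example that is not the device's or the paper's code. The CRC-16 and the frame layout are those of Modbus RTU; the register map, the unit address and the two-register float encoding of a count rate are hypothetical, and the responder is a constructed stand-in for the LPDU's RS485 slave side. The last function shows the practitioner's caveat: the CRC catches line errors, but a frame altered with a recomputed CRC is accepted, so the serial link carries no integrity control of its own.

```python
"""Modbus RTU framing on an RS485 link, as the LPDU's communication function uses.

Added example, not the device's or the paper's code. Register numbers and the
two-register float encoding are hypothetical; the CRC-16 and the frame layout
are the Modbus RTU specification's.
"""
import struct


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(body: bytes) -> bytes:
    """Append the CRC, low byte first, as RTU requires."""
    return body + struct.pack("<H", crc16_modbus(body))


def read_holding_registers_request(unit: int, start: int, count: int) -> bytes:
    """Function 0x03 request: unit id, function, start address, register count."""
    return build_frame(struct.pack(">BBHH", unit, 0x03, start, count))


def check_frame(frame: bytes) -> bytes:
    """Verify the trailing CRC and return the body without it."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc != crc16_modbus(body):
        raise ValueError("CRC mismatch")
    return body


def parse_read_response(frame: bytes):
    """Return (unit, [registers]) for a 0x03 reply; raise on exception replies."""
    body = check_frame(frame)
    unit, func, byte_count = body[0], body[1], body[2]
    if func & 0x80:
        raise ValueError(f"exception response, code 0x{byte_count:02x}")
    if func != 0x03 or byte_count != len(body) - 3 or byte_count % 2:
        raise ValueError("malformed 0x03 response")
    return unit, list(struct.unpack(f">{byte_count // 2}H", body[3:]))


def registers_to_float(hi: int, lo: int) -> float:
    """Hypothetical encoding: a big-endian IEEE-754 float split over two registers."""
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]


def simulated_lpdu(request: bytes, register_table) -> bytes:
    """Constructed responder standing in for the LPDU's RS485 slave side."""
    body = check_frame(request)
    unit, func, start, count = struct.unpack(">BBHH", body)
    if func != 0x03:
        return build_frame(bytes([unit, func | 0x80, 0x01]))  # illegal function
    if start + count > len(register_table):
        return build_frame(bytes([unit, func | 0x80, 0x02]))  # illegal data address
    values = register_table[start:start + count]
    return build_frame(bytes([unit, 0x03, 2 * count]) + struct.pack(f">{count}H", *values))


def forge_frame(frame: bytes, index: int, value: int) -> bytes:
    """Change one body byte and recompute the CRC. The receiver accepts the
    result, which is why the CRC is an error check, not an integrity control."""
    body = bytearray(check_frame(frame))
    body[index] = value
    return build_frame(bytes(body))


# Constructed register table: registers 0-1 hold a count rate of 55.5 CPS as a float.
CONSTRUCTED_REGISTERS = list(struct.unpack(">HH", struct.pack(">f", 55.5))) + [0, 1, 0]
```

The request `read_holding_registers_request(1, 0, 2)` encodes to `01 03 00 00 00 02 C4 0B`, the standard Modbus test vector, so the CRC routine can be checked against any reference implementation before trusting it on captured traffic.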
3 Failure Mode Analysis
3.1 High Real Radioactivity
A flaw detection source may occasionally sweep the detector; a radioactive source may pass by the equipment during transportation (with large leakage from the shielding body of the source); or radioactive material may be transported in the detection environment or pipeline [4]. The characteristic of this kind of flash is that the trend of the measured value against time is similar to a normal distribution curve.
3.2 Equipment Collision
KRT sensors are all high-sensitivity detectors; especially for equipment without a preamplifier, the measured signal is extremely weak. For example, the signal strength of some ionization chambers is at the pA level; if someone touches the ionization chamber cable, an induced current several orders of magnitude higher than the signal source will appear. Touching other types of detectors or detector cables will cause the CPS to rise. Because the scintillator has a photomultiplier inside, its output signal has already been amplified and can reach the microvolt (μV) level, so the induced signal generated by cable disturbance has little influence on the signal source.
3.3 External Interference
The interference mainly comes from strong electromagnetic interference in the surrounding environment of the equipment (such as the start-up and shutdown of high-power motors) entering the equipment through its I/O interface and grounding terminal, and from transient surge voltages in the power grid entering the equipment. Under normal circumstances, equipment manufacturers take hardware and software measures to prevent this kind of interference, but the signal detected by KRT equipment is very small: for example, the output signal current of ionization chamber equipment is of the order of 1E-15 A, and the output signal voltage of scintillator equipment is 1E-6 V. Ensuring that such a weak signal can be detected increases the difficulty of controlling interference. At the same time, because the project site differs from a laboratory, its installation conditions are affected by the engineering construction conditions, the actual state of concealed works, the electromagnetic field distribution of the pipe network, the temperature and humidity under different working conditions, vibration and other conditions, and many kinds of interference may overlap each other to produce common-mode / differential-mode influence. Therefore, instantaneous strong interference may cause short-term fluctuation of the measured value, or even internal program disorder. Since the current hardware design sets a watchdog for self-reset, the equipment can return to normal after the interference, but before the self-test reset there may be a short-time step of the measured value up or down; if the value is too large or too low, the software may judge it against the measurement range and trigger a short-time failure alarm.
3.4 Circuit Occasional Failure
KRT equipment is composed of analog circuits, digital circuits, a processor and supporting software. Digital circuits are designed as if composed of ideal logic elements; in fact, all kinds of logic devices have different degrees of rise and fall delay and other problems. In addition, the capacitive reactance between boards and circuits changes easily, and internal interference and conflict may also form between components when the circuit is running, resulting in short-term disorder of the internal signal or logic judgment program, and a flash. Generally, the watchdog of the chip can judge whether the program is abnormal and reset automatically.
3.5 Device Performance Degradation
After long-time operation, some devices may suffer performance degradation, such as an increase of noise in the components, voltage variation and changes in other performance parameters. As a result, the overall performance of the equipment will be degraded, which may cause a flash failure or a flash alarm exceeding the level 1 or level 2 threshold. Flashing caused by this reason is characterized by frequent flashes, which will be significantly reduced after replacing the faulty parts.
3.6 Failure Mode Judgment
According to the possible causes of the KRT004MA flash alarm, the reason for judgment, the reasons for objection and the possibility of each cause are analyzed, as shown in Table 1.
Table 1. Judgment of flash failure mode of KRT004MA

Possible causes | Reason for judgment | Reasons for objection | Possibility
High real radioactivity | Flash first level alarm | 1. If there are hot particles passing through the sampling space in the secondary circuit, the radioactivity changes with time in a skewed normal distribution, while the actual radioactivity value appears instantaneously; 2. KRT034MA indication has not changed; 3. The radioactivity in the secondary circuit of chemical sampling is less than the measurement limit of 0.03 MBq/m3, and the result is normal | Low
Misoperation of equipment | During the alarm, KRT003MA replaced the probe nearby | 1. A failure alarm will be triggered by misoperation of power-off blocking equipment; 2. The KRT003MA power-off and power-on times are consistent with its own record, and differ from the KRT004MA alarm time | Low
External signal interference | 1. Flash first level alarm, and the alarm duration is short; 2. REA001PO starts before the flash, and the time interval between start-up and alarm is small; 3. The ground network is shared, and there is no independent grounding network | After restarting REA001PO, the indication fluctuated but did not reach the alarm value | High
Circuit accident | Flash first level alarm | 1. If there is a problem in the circuit, the internal logic judgment program will make the equipment restart automatically, and no fault alarm was triggered during the alarm period; 2. The restart of the device recalculates some internal parameters, which takes 5 min; before the calculation is completed, measured values are not output. Before and after the alarm was triggered, the KRT004MA indication was continuous and stable at 3,700 Bq/m3 | Low
Component performance degradation | Flash first level alarm | Equipment aging will cause abnormal changes of measurement parameters, such as a pulse count rate that is too large, a reduced pulse amplitude or an energy resolution that is too high, which will cause the measured value to fluctuate or change slowly. The detector did not show the measured value fluctuating or rising slowly | Low
Instrument failure | Flash first level alarm, and the alarm time is short | 1. If KRT004MA fails, the fault alarm will be triggered; 2. Querying the history record, no fault alarm was triggered during the alarm period; 3. Before and after the alarm, the KRT004MA indication was continuous and stable at 3,700 Bq/m3 | Low
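The reasoning of Sect. 3 and Table 1 expressed as checks a monitoring engineer could run over the channel's history, as an added example that is not the plant's or the paper's code. The one-second measurement series, the event log, the alarm threshold, the 30 s and 60 s windows and the event wording are all constructed or hypothetical; the shapes (a short flat step for interference, a rising and falling tail for a source carried past the detector, a multi-minute hole in the record for a restart, a fault alarm for instrument failure) follow the table's reasons for objection.

```python
"""Triage of a short "flash" level-1 alarm on a radiation monitoring channel.

Added example, not the plant's or the paper's code. It turns the evidence used
in Table 1 into checks over a constructed one-second measurement series and a
constructed event log; the alarm threshold, window lengths, event wording and
the passing-source shape are hypothetical.
"""
import math
from datetime import datetime, timedelta
from statistics import median

THRESHOLD_BQ_M3 = 1.0e5      # hypothetical level-1 alarm threshold
BASELINE_BQ_M3 = 3700.0      # the channel's steady indication per the paper
T0 = datetime(2017, 11, 14, 15, 46, 0)


def constructed_flash(samples=180):
    """Steady baseline with small jitter, a 9 s plateau at 1.45E+06, baseline again."""
    series = []
    for i in range(samples):
        value = 1.45e6 if 60 <= i < 69 else BASELINE_BQ_M3 + (i % 7 - 3) * 2.0
        series.append((T0 + timedelta(seconds=i), value))
    return series


def constructed_passing_source(samples=180):
    """A source carried past the detector: a smooth rise and fall over ~80 s."""
    return [(T0 + timedelta(seconds=i),
             BASELINE_BQ_M3 + 1.45e6 * math.exp(-((i - 75) / 25.0) ** 2))
            for i in range(samples)]


CONSTRUCTED_EVENTS = [
    (datetime(2017, 11, 14, 15, 46, 52), "REA001PO large motor START"),
    (datetime(2017, 11, 14, 15, 47, 0), "KRT026KA level-1 alarm ON"),
    (datetime(2017, 11, 14, 15, 47, 9), "KRT026KA level-1 alarm OFF"),
]


def episodes(series, threshold):
    """Contiguous runs above threshold as (first_over, first_back_under, n_samples)."""
    runs, start, n = [], None, 0
    for t, v in series:
        if v > threshold:
            if start is None:
                start = t
            n += 1
        elif start is not None:
            runs.append((start, t, n))
            start, n = None, 0
    if start is not None:
        runs.append((start, series[-1][0], n))
    return runs


def level(series, t_from, t_to):
    """Median indication in [t_from, t_to)."""
    return median(v for t, v in series if t_from <= t < t_to)


def step_edges(series, start, end, tol=0.10):
    """True when the samples just before and just after the run already sit at
    the surrounding baseline: the value jumped and dropped with no ramp. A real
    passing source leaves a rising and a falling tail instead."""
    pre = level(series, start - timedelta(seconds=60), start)
    post = level(series, end, end + timedelta(seconds=60))
    last_before = max(p for p in series if p[0] < start)[1]
    first_after = min(p for p in series if p[0] >= end)[1]
    return abs(last_before - pre) <= tol * pre and abs(first_after - post) <= tol * post


def baseline_continuous(series, start, end, tol=0.05):
    """Indication before and after the run agree: no drift, no restart recalculation."""
    pre = level(series, start - timedelta(seconds=60), start)
    post = level(series, end, end + timedelta(seconds=60))
    return abs(pre - post) <= tol * max(pre, post)


def events_in(events, t_from, t_to, keyword):
    return [e for e in events if t_from <= e[0] <= t_to and keyword in e[1]]


def restart_gap(series, min_gap_s=60):
    """A device restart withholds output for minutes; look for a hole in the record."""
    return any((b[0] - a[0]).total_seconds() > min_gap_s for a, b in zip(series, series[1:]))


def triage(series, events, downstream_changed=False, shared_ground=True):
    """Per possible cause of Table 1, whether the recorded evidence supports it."""
    runs = episodes(series, THRESHOLD_BQ_M3)
    if not runs:
        return {"alarm": False}
    start, end, _ = runs[0]
    duration = (end - start).total_seconds()
    step, steady = step_edges(series, start, end), baseline_continuous(series, start, end)
    mot = events_in(events, start - timedelta(seconds=30), start, "motor START")
    faults = events_in(events, start - timedelta(minutes=5), end + timedelta(minutes=5), "FAULT")
    power_off = events_in(events, start - timedelta(minutes=5), end, "power OFF")
    return {
        "alarm": True,
        "duration_s": duration,
        "high_real_radioactivity": downstream_changed or not step,
        "equipment_misoperation": bool(power_off),
        "external_interference": step and steady and duration < 60 and bool(mot) and shared_ground,
        "circuit_accident": restart_gap(series) or bool(faults),
        "performance_degradation": not steady,
        "instrument_failure": bool(faults),
    }
```

`triage(constructed_flash(), CONSTRUCTED_EVENTS)` supports only external interference (a 9 s step, steady baseline, a motor start 8 s earlier, no fault alarm); dropping the motor-start event from the log withdraws that support, and the passing-source series is classified as real radioactivity because of its tails. The window lengths are the parameters to tune against a plant's own history of confirmed events.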
4 Data Analysis and Follow-Up Measures
4.1 Historical Events and Underlying Data Analysis
LPDU Internal History Event Record. Check the LPDU internal history event record. Except for the 9 s record of the flashing alarm, no other abnormal history record is found for the alarm. After the alarm, the equipment has been in normal operation state, as shown in Fig. 2.
Fig. 2. LPDU historical event record
Comparison of Underlying Measurement Data of the Equipment. Compared with the underlying measurement data of the equipment one month before the alarm, no obvious change was found [5]. (1) The measured high voltage of the probe is between 642 and 643 V, and the high-voltage stability is in the range of the plateau curve. (2) The gain of the preamplifier is 1, and the signal strength has not been adjusted. (3) The total count of the whole spectrum is between 54 and 57 CPS, and its fluctuation is in line with the statistical fluctuation range of radioactivity. The reference peak of Am-241 is between 828 ~ 830 CH, the reference peak count rate is 15.50 ~ 15.52 CPS, the energy resolution is 3.17 ~ 3.23%, and the energy stability rate is greater than 0.99, which indicates that the energy discrimination, pulse count measurement, pulse amplitude measurement and the distribution of the various amplitude pulses of the embedded source are not distorted. The details are shown in Fig. 3.
a) Equipment measurement data 1 month before alarm
b) Equipment measurement data 3 days after alarm
Fig. 3. Comparison of measured data of equipment before and after alarm
Comparison of Internal Parameters of LPDU. The internal characteristic parameters of the equipment one month before the alarm are compared with those after the alarm. The parameters have not changed, as shown in Fig. 4.
Fig. 4. LPDU internal parameters
Energy Spectrum Data Analysis. Figure 5 shows the 3,600 s energy spectrum collected by the equipment one month before the alarm, and Fig. 6 shows the 3,600 s energy spectrum collected by the equipment three days after the alarm.
Fig. 5. Energy spectrum of one month before alarm
Fig. 6. Energy spectrum 3 days after alarm
The two energy spectra are smoothed and compared, as shown in Fig. 7.
Fig. 7. Comparison of energy spectrum
The counting rate of the two spectra in each energy range is less than 0.01 CPS. The yellow area in Fig. 7 is the ROI area for the actual measurement of low-discharge activity, with an energy of 100–2,500 keV. The average count rate of both ROI areas is in the range of the background value (2.132 CPS before the alarm and 2.152 CPS after the alarm).
Conclusion of Internal Data Analysis. (1) Through the detailed historical event records and underlying data within the device, no abnormal parameters have occurred in the device. (2) Through the smoothed spectrum comparison of the energy spectra before and after the equipment alarm, no abnormal energy is found in the low energy peak range, the low water discharge measurement interval or the Am-241 reference peak interval, and the distribution of the various energies is also consistent with the energy spectrum measured normally [6]. (3) It can be judged that the current equipment is free of abnormality and can work normally.
4.2 Inspection of Equipment Installation Site
Detector Check. Disconnect the wiring between the detector and the measuring cable, and check the relevant parameters of the detector (Table 2).
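The before/after review of Sect. 4.1 (reference peak channel, peak count rate, energy resolution, ROI count rate, smoothed channel-by-channel comparison, high voltage and gain) as an added example that is not the plant's or the paper's code. The spectra are constructed: a Gaussian reference peak near channel 829 on a flat background with a 3,600 s live time. The peak window, the ROI channel limits (standing in for 100–2,500 keV, since the page gives no channel-to-energy calibration), the per-check tolerances and the 0.01 CPS per-channel limit are assumptions.

```python
"""Before/after comparison of a scintillator channel's underlying data.

Added example, not the plant's or the paper's code. The spectra are constructed
(a Gaussian reference peak near channel 829 on a flat background, 3,600 s live
time); the peak window, ROI channel limits and tolerances are hypothetical,
since the page gives no channel-to-energy calibration.
"""
import math
from statistics import mean

LIVE_TIME_S = 3600
PEAK_WINDOW = (789, 869)      # hypothetical window around the reference peak
ROI_CHANNELS = (1000, 3500)   # hypothetical channels standing in for 100-2,500 keV


def constructed_spectrum(amplitude, centroid=829.0, sigma=11.27, background=1, n=4096):
    """Counts per channel: flat background plus one Gaussian peak (constructed)."""
    return [background + round(amplitude * math.exp(-((ch - centroid) ** 2) / (2 * sigma ** 2)))
            for ch in range(n)]


def smooth(counts, width=5):
    """Moving average applied before comparing two spectra channel by channel."""
    half = width // 2
    return [mean(counts[max(0, i - half):i + half + 1]) for i in range(len(counts))]


def peak_metrics(counts, lo, hi, live_time=LIVE_TIME_S, side=10):
    """Net centroid (channel), count rate (CPS) and resolution (% FWHM / centroid)
    after subtracting the mean of `side` channels on each side of the window."""
    bg = mean(counts[lo - side:lo] + counts[hi + 1:hi + 1 + side])
    net = [(ch, max(counts[ch] - bg, 0.0)) for ch in range(lo, hi + 1)]
    total = sum(n for _, n in net)
    centroid = sum(ch * n for ch, n in net) / total
    variance = sum((ch - centroid) ** 2 * n for ch, n in net) / total
    fwhm = 2.3548 * math.sqrt(variance)   # Gaussian FWHM from the second moment
    return {"centroid": centroid, "rate": total / live_time,
            "resolution_pct": 100.0 * fwhm / centroid}


def roi_rate(counts, lo, hi, live_time=LIVE_TIME_S):
    """Average count rate over the region of interest, in CPS."""
    return sum(counts[lo:hi + 1]) / live_time


def max_channel_rate_diff(a, b, live_time=LIVE_TIME_S):
    """Largest per-channel rate difference between the two smoothed spectra."""
    return max(abs(x - y) for x, y in zip(smooth(a), smooth(b))) / live_time


def compare(before, after, params_before, params_after):
    """Flag any drift that the before/after review would call abnormal."""
    pb, pa = peak_metrics(before, *PEAK_WINDOW), peak_metrics(after, *PEAK_WINDOW)
    rb, ra = roi_rate(before, *ROI_CHANNELS), roi_rate(after, *ROI_CHANNELS)
    checks = {
        "peak_centroid_stable": abs(pb["centroid"] - pa["centroid"]) <= 2.0,
        "peak_rate_stable": abs(pb["rate"] - pa["rate"]) <= 0.02 * pb["rate"],
        "resolution_stable": abs(pb["resolution_pct"] - pa["resolution_pct"]) <= 0.2,
        "roi_rate_stable": abs(rb - ra) <= 0.05 * max(rb, ra),
        "channel_diff_small": max_channel_rate_diff(before, after) < 0.01,
        "hv_stable": abs(params_before["hv_V"] - params_after["hv_V"]) <= 2.0,
        "gain_unchanged": params_before["gain"] == params_after["gain"],
    }
    return {"before": pb, "after": pa, "roi_before": rb, "roi_after": ra,
            "checks": checks, "normal": all(checks.values())}
```

With `constructed_spectrum(1976)` as the "one month before" spectrum and `constructed_spectrum(1980)` as the "three days after" one, every check passes; shifting the after-alarm peak to channel 840 fails the centroid and channel-difference checks, which is the kind of change a degraded PMT or a gain shift would produce.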
Table 2. Detector inspection results

Inspection items | Inspection results | Expected value
Resistance between probe shell and lead shield | +∞ | ≥100 MΩ
Resistance between lead shield and ground wire | 0.13 Ω | ≤1 Ω
Resistance between detector shell and ground wire | +∞ | ≥100 MΩ
Resistance between the inner core and shield wire of detector connector | +∞ | ≥100 MΩ
Resistance between inner core and ground wire of detector connector | +∞ | ≥100 MΩ
Resistance value of internal voltage divider of detector | 3.28 MΩ | 3.2 ~ 3.4 MΩ
Temperature in sampling chamber of detector | 22 °C | 10–40 °C
Is the sampling chamber dry | Dry and anhydrous | Dry
Inspection of Measuring Cable. Disconnect the wiring between the measuring cable and the processing unit, and check the relevant parameters of the measuring cable (Table 3).

Table 3. Inspection results of measuring cable

Inspection items | Inspection results | Expected value
External damage of cable | No damage | No damage
Resistance between inner cores | +∞ | ≥100 MΩ
Resistance between inner core and earth | +∞ | ≥100 MΩ
Resistance between joint shell and earth | 436 MΩ | ≥100 MΩ
Conclusion of Data Analysis on Equipment Installation Site. Through the inspection of the probe, measuring cable and LPDU, it can be confirmed that: (1) the probe floats, the temperature and dryness of the probe meet the requirements, and the internal voltage divider of the probe is normal; (2) the measuring cable is not damaged, and the inner core is neither short-circuited nor grounded; (3) the LPDU of the processing unit is not single-point grounded but multi-point grounded through the fixing bolts, and the grounding is abnormal, with a large resistance value of about 119 kΩ.
4.3 Conclusion and Follow-Up Measures
After analysis and inspection of the equipment, the causes of instrument failure, misoperation, high real radioactivity, electronic logic failure and component performance degradation can be eliminated. The LPDU of the processing unit is not single-point grounded but multi-point grounded through the fixing bolts, and the grounding is abnormal, with a large impedance of about 119 kΩ. At the same time, a large motor started before the flash, and the time interval between the motor start and the alarm was very small. During the flash, the measured value stepped up and then decreased rapidly. The data before and after the alarm were continuously normal, and there was no abnormal data or alarm again in the following month. In addition, the scintillator detector has experienced, at multiple plants, cases of measurement value change and alarm caused by a ground grid interference signal coupling into the equipment. Therefore, the root cause of this event is that the equipment grounding impedance mismatch causes the noise signal to couple into the signal source and causes the first level alarm to flash [7]. To improve the impedance matching between the LPDU and the grounding, the specific measures are as follows:
(1) An insulating plate is added between the LPDU and the fixing bolt.
(2) An insulating plate is added between the electric box, junction box and fixing bolt in the same channel.
(3) Other devices in the same channel are grounded through the LPDU grounding point, and the other grounding points are cancelled [8].
(4) Optimize the grounding, ensure single-point grounding of the whole equipment, and make the grounding resistance less than 1 Ω.
After the implementation of the above measures, the status of the channel was continuously monitored. From January 2018 to December 2020, the channel operated stably without a flashing alarm.
References
1. Liu, D., Chen, X.-L., Bi, M.-D.: Ten years development of civil nuclear safety radiation monitoring equipment. Nuclear Safety. December 6(17), 85–90 (2018)
2. Chen, W.-X., Zhang, D.-F., Wu, R.-J.: Comparison of radiation monitoring system for the third generation PWR NPP. Radiation Protection Bulletin. June 3(38), 12–16 (2018)
3. Li, J., Chen, L.-G.: Analysis of abnormal fluctuations of radiation monitoring data in a nuclear power plant. Radiation Protection Bulletin. April 2(40), 27–31 (2020)
4. Wu, H.-J.: Development of BDCDE2DI signal IO module for radiation monitoring system of nuclear power station. Instrumentation. May 5(26), 84–87 (2019)
5. Yang, K., Qi, Y.-H., Wang, X.: Discussion on debugging of radiation monitoring system in nuclear power plant. Construction & Design for Engineering. May 10, 108–109 (2020)
6. Lei, Q.-X., Xiong, G.-H.: Research on the new nuclear radiation device in the controlled area of the ventilation system NPP. Nuclear Electronics & Detection Technology. July 4(38), 495–499 (2018)
7. Wu, R.-J., et al.: Design of small scale integrated radiation monitoring system for floating reactors at sea. Ship Science and Technology. November 11(42), 96–99 (2022)
8. Zeng, S., et al.: Research on optimization scheme of radiation monitoring system for nuclear power plant. Instrumentation. January 1(25), 63–66 (2018)
Research on Cyber Security Standards of Nuclear Power Industry Control System
An-Yi Yang(B)
Nuclear and Radiation Safety Center, Haidian, Beijing 100084, China
Abstract. The cyber security of the industrial control system in the nuclear power plant has attracted widespread concern all over the world. To improve the cyber security level of nuclear power industrial control system, the construction of supporting cyber security standard system is the top priority. This paper analyzes and compares the main cyber security standards at home and abroad, and puts forward some suggestions on strengthening the cyber security protection and standard construction of the industrial control systems in China’s nuclear power industry.
Keywords: Nuclear power plant · Industrial control system · Cyber security · Supervision requirement
1 Introduction
The Stuxnet virus in 2010 was the world’s first cyber-attack on a nuclear facility. Since then, the issue of cyber security of nuclear facilities has attracted widespread attention. In 2018, the four ministries and commissions of China jointly issued the “Guidance Opinions on Further Strengthening the Safety Management of Nuclear Power Operation” [1], which clearly requires that cyber security management be included in the nuclear power safety management system to guarantee the cyber security of nuclear power plants. On December 16, 2020, the National Nuclear Safety Administration and the China Atomic Energy Authority jointly issued a notice entitled “Cyber Security Technology Policy for Nuclear Power Plants” [2], requiring each nuclear power plant to establish a cyber security program according to the requirements, to ensure that important digital assets are protected from cyberattacks. In this paper, the cyber security related standards are sorted out and analyzed, and finally suggestions are put forward.
2 American Standard
2.1 Federal Standards
Federal information system security standards are mainly formulated by the National Institute of Standards and Technology (NIST) of the United States, and the main cyber security standards are shown in Table 1 [3, 4].
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 75–84, 2022. https://doi.org/10.1007/978-981-19-1181-1_8
Table 1. The USA federal cyber security standards

Items | Publisher
Federal Information Security Management Act, FISMA | Federal Government
Key Infrastructure Information Protection Act 2002, CIIA | Federal Government
FIPS 199 Federal Information and Information System Security Classification Standard | NIST
FIPS 200 Minimum Security Requirements for Federal Information Systems | NIST
NIST SP 800-60 Guidelines for Mapping Information and Information Systems to Security Categories | NIST
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations | NIST
NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security | NIST
NIST SP 800-53A Evaluating Security and Privacy Controls in Federal Information Systems and Organizations: Building an Effective Evaluation Program | NIST
NIST SP 800-34 Federal Information System Emergency Planning Guide | NIST
NIST SP 800-30 Risk Assessment Guide | NIST
Framework for Improving Critical Infrastructure Cybersecurity | NIST
NIST 800-37 Risk Management Framework for Information Systems and Organizations: a System Life Cycle Approach to Security and Privacy | NIST
The Federal Information Security Management Act (FISMA), as a top-level guiding law, requires government agencies to conduct an independent evaluation every year to ensure the effectiveness of their information system security protection measures. FISMA authorized NIST to formulate two standard series: the Federal Information Processing Standards (FIPS) and Special Publication 800 (SP 800). FIPS standards are mandatory and federal agencies must follow them. FIPS 199 classifies information systems into low-, medium- and high-impact systems based on the potential impact on the security triad (confidentiality, integrity and availability). To ensure that security measures are implemented for information systems at each level, FIPS 200 specifies minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet these minimum security requirements by using the security controls defined in NIST Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations".
NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations and the Nation from a diverse set of threats and risks. On the basis of this standard, the end user can form a suitable security solution by tailoring and adjusting the controls to the specific application environment of the information system. In 2007, to cope with the increasing cyber security risks to industrial control systems, NIST revised the standard and added special security control requirements for industrial control systems. In 2010, NIST issued SP 800-82, "Guide to Industrial Control Systems (ICS) Security", which describes the topology of typical industrial control systems, analyzes the threats and vulnerabilities they face, and provides security solutions to reduce the related risks. In 2002, the Bush Administration issued the "Critical Infrastructure Information Protection Act 2002" (CIIA), which brings cyber security issues into the scope of critical infrastructure security protection and removes legal barriers to information sharing between the federal government and private enterprises. To promote the implementation of the National Infrastructure Protection Plan, NIST released the "Framework for Improving Critical Infrastructure Cybersecurity" in 2014. The Framework focuses on using a business-driven approach to guide cybersecurity activities and on treating cybersecurity risks as part of the organization's risk management processes. The main recommended security standards include ISO/IEC 27001, NIST SP 800-53/82 and IEC 62443. The United States is at the forefront of cyber security protection research for computer information systems and critical infrastructure. It adopts the concept of classified protection and has formed systematic security standards and implementation guidelines.
2.2 NRC Standards
The Nuclear Regulatory Commission (NRC) is responsible for the safety supervision of U.S. nuclear facilities. After the terrorist attacks of September 11, 2001, the U.S. government attached great importance to the potential cyber security issues in the nuclear energy industry and developed a series of regulations, regulatory guides and technical documents, forming a relatively complete cyber security regulatory system. The main regulations and standard documents are shown in Table 2.
Table 2. Major U.S. NRC regulatory standards
Item | Publisher
EA-02-026 Temporary Safeguard Measures and Safety Compensation Measures | NRC
EA-03-086 Nuclear Power Information Security Design Basis Threat | NRC
10 CFR 73.54 Digital Computer and Communication Systems and Network Protection | Federal Government
RG 5.71 Nuclear Facilities Cyber Security Program | NRC
NEI 08-09 Nuclear Reactor Cyber Security Plan | NEI
In 2002, the NRC issued EA-02-026, requiring nuclear facility licensees to consider and resolve cyber security vulnerabilities. In 2003, the NRC issued EA-03-086, which included the cyber security threat in the design basis threat (DBT). In 2009, 10 CFR 73.54 was issued. The regulation requires nuclear power plants to provide adequate protection for digital computers, communication systems and networks, and to ensure that the safety, security and emergency preparedness (SSEP) functions of nuclear facilities are not compromised by cyberattacks, including those within the design basis threat. Nuclear power plants are required to submit cyber security plans for NRC approval. To meet the requirements of 10 CFR 73.54, the NRC issued Regulatory Guide RG 5.71 in January 2010. The main body of RG 5.71 sets out the regulatory requirements for the cyber security of nuclear power plant SSEP functions in response to the DBT, and guides how to establish a cyber security program from the three aspects of technology, operation and management. Among its appendices, Appendix A provides a general cyber security program template for nuclear power plants, which licensees can use as a reference when formulating their own programs; Appendix B essentially follows the technical security control requirements in NIST SP 800-82, and Appendix C essentially follows the operational and management security control requirements in NIST SP 800-53 Rev. 3. In May 2010, the sixth edition of NEI 08-09, "Nuclear Reactor Cyber Security Plan", was released. The plan aims to implement the requirements of 10 CFR 73.54 and RG 5.71 and includes a set of security controls based on the NIST SP 800-82 and NIST SP 800-53 standards. From January 2013, the NRC began to inspect the implementation of the cyber security plans of nuclear power plants, and completed the inspection of all nuclear power plants by the end of 2015 [5].
In 2012, the Cyber Security Council (CSD), an internal organizational department of the NRC, was established to coordinate and manage the cyber security activities within the scope of the nuclear facility licensees, including rule making, guidance, licensing, policy issues and oversight. The CSD includes a network assessment team that assesses whether identified threats will affect the licensed facilities and advises the NRC.
3 International Standards
The International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO) have done a lot of work on cyber security standards for industrial control systems. The relevant security standards are shown in Table 3.
Table 3. International standards
Item | Publisher
IEC 62443 Security for Industrial Automation and Control Systems | IEC/TC 65
IEC 62645 Nuclear Power Plants - Safety Requirements for Computer Based Systems in I&C Systems | IEC/TC 45
IEC 62859:2016/AMD 1:2019 Nuclear Power Plants - Instrumentation and Control Systems - Requirements for Coordinated Safety and Cyber Security | IEC/TC 45
The IEC/TC 65 (Industrial-process measurement, control and automation) Technical Committee is responsible for formulating standards for industrial automation and control systems (IACS). Its IEC 62443 standard series was developed to secure industrial communication networks and industrial automation and control systems through a systematic approach. The series is organized into four parts covering all aspects of cyber security at all life-cycle stages. The IEC 62443 series has not yet been fully released. The overall architecture is shown in Table 4.
Table 4. IEC 62443 structure
General:
1-1 Terms, Concepts and Models
1-2 Master Glossary of Terms and Abbreviations
1-3 System Security Compliance Metrics
1-4 IACS Security Lifecycle and Use Cases
Policies and Procedures:
2-1 Establishing an IACS Security Program
2-2 IACS Security Program Ratings
2-3 Patch Management in the IACS Environment
2-4 Installation and Maintenance Requirements for IACS Suppliers
System Technology:
3-1 Security Technologies for IACS
3-2 Security Risk Assessment for System Design
3-3 System Security Requirements and Security Levels
Component:
4-1 Product Security Development Lifecycle Requirements
4-2 Technical Security Requirements for IACS Components
The first part covers the basic knowledge of industrial control system cyber security, including the typical structure of industrial control systems, concepts and terms, and security metrics; it is the best document for relevant personnel to learn the common knowledge of industrial control system security. The second part focuses on how industrial control system users establish and implement cyber security management procedures. The documents in the third part address security requirements at the system level, including security technologies, cyber security risk assessment and system design. The fourth and final part provides the more specific and detailed requirements associated with the development of IACS products [6]. The IEC 62443 series puts forward information security requirements for asset owners, system integrators and equipment manufacturers, and outlines an overall framework for industrial control system security protection, which has been widely recognized by the international community. The IEC/TC 45 (nuclear instrumentation) Technical Committee is responsible for formulating international standards for the electrical and electronic equipment and systems of nuclear instrumentation, and its SC 45A (reactor instrumentation) Sub-Committee
is responsible for formulating international standards for the electrical and electronic equipment and systems of nuclear facilities. IEC 62645 is an international standard that provides computer security program guidance for programmable digital I&C systems in nuclear facilities, based on the relevant security concepts and requirements of IAEA NSS 17 and the ISO/IEC 27000 standards. The IEC standard series has been widely used in many nuclear power plants at home and abroad. In-depth study of the IEC 62645 standard is of positive significance for strengthening nuclear power cyber security and international cooperation. At the same time, it should be noted that implementing IEC 62645 requires the support of a series of other IEC standards; therefore, when the standard is applied in a specific way, it needs to be analyzed on a case-by-case basis [7].
4 Chinese Standards
At present, three organizations participate in cyber security standard research for industrial control systems in China: the National Information Security Standardization Technical Committee (SAC/TC 260), the National Industrial Process Measurement, Control and Automation Standardization Technical Committee (SAC/TC 124) and the National Nuclear Instrumentation Standardization Technical Committee (SAC/TC 30).
4.1 Security Standards Related to SAC/TC 260
The SAC/TC 260 Technical Committee is responsible for the development of domestic cyber security standards. The standards related to the cyber security of industrial control systems can be divided into two categories: the Cyber Security Classified Protection Standards and the Industrial Control System Security Standards [8, 9].
Cyber Security Classified Protection Standards. Classified Protection is the basic concept of computer information system security protection in China. The Cybersecurity Law of the People's Republic of China, promulgated and implemented in 2017, further clarifies the legal status of the classified protection of cyber security. In May 2019, the revised classified protection standards series was issued, bringing cloud computing, big data, the Internet of Things, industrial control systems and the mobile Internet into the protection scope. The main standards in the series are shown in Table 5.
Table 5. Classified protection standards series
Item | Date
GB 17859-1999 Code for Classification of Computer Information System Security Protection | 1999
GB/T 22240-2018 Information Security Technology Cyber Security Classification Guide | 2018
GB/T 20269-2006 Information Security Technology Information System Security Management Requirements | 2006
GB/T 20270-2006 Information Security Technology Network Basic Security Technical Requirements | 2006
GB/T 20271-2006 Information Security Technology General Security Technical Requirements for Information Systems | 2006
GB/T 20272-2019 Information Security Technology Operating System Security Technical Requirements | 2019
GB/T 20273-2006 Information Security Technology Database Management System Security Technical Requirements | 2006
GB/T 22239-2019 Information Security Technology Basic Requirements for Classified Protection of Cyber Security | 2019
GB/T 25058-2010 Information Security Technology Information System Security Classification Protection Implementation Guide | 2010
GB/T 28448-2019 Information Security Technology Cyber Security Classification Protection Evaluation Requirements | 2019
GB/T 28449-2018 Information Security Technology Cyber Security Classification Protection Evaluation Process Guide | 2018
The classified protection standards series includes a security classification guide, security requirements, an implementation guide, security product technical standards, etc. It is the most extensive and fastest-developing set of standards in the field of cyber security in China, and it is in essence a mandatory standard implementing the requirements of the relevant national laws and regulations.
Industrial Control System Security Standards. This is the set of industrial control system security standards in China, formulated by the TC 260 Technical Committee on the basis of the classified protection concept and with reference to NIST SP 800-82/53 and IEC 62443. The main standards are shown in Table 6.
Table 6. Security standards for industrial control systems
Item | Date
GB/T 32919-2016 Information Security Technology Application Guide for Security Control of Industrial Control Systems | 2016
GB/T 36324-2018 Information Security Technology Industrial Control System Information Security Classification Specification | 2018
GB/T 36323-2018 Information Security Technology Basic Requirements for Security Management of Industrial Control Systems | 2018
GB/T 36470-2018 Information Security Technology General Safety Function Requirements for Field Measurement and Control Equipment of Industrial Control Systems | 2018
GB/T 36466-2018 Information Security Technology Implementation Guide for Risk Assessment of Industrial Control Systems | 2018
GB/T 37980-2019 Information Security Technology Guide for Security Inspection of Industrial Control Systems | 2019
GB/T 37962-2019 Information Security Technology General Evaluation Criteria for Information Security of Industrial Control System Products | 2019
At present, the standard series is still under development, and it can be used as a necessary reference when planning the cyber security program of nuclear power industrial control systems.
4.2 Security Standards Related to SAC/TC 124
SAC/TC 124 is responsible for the standardization of industrial process measurement and control (industrial automation instruments) in China. Standards related to industrial control system security are shown in Table 7.
Table 7. TC 124 related security standards
Item | Date
GB/T 26333-2010 Code for Safety Risk Assessment of Industrial Control Networks | 2010
GB/T 30976.1-2014 Industrial Control System Information Security Part 1: Evaluation Specification | 2014
GB/T 30976.2-2014 Industrial Control System Information Security Part 2: Acceptance Specification | 2014
GB/T 33009.1-4-2016 Industrial Automation and Control System Cyber Security Distributed Control System (DCS) | 2016
GB/T 33008.1-2016 Industrial Automation and Control System Cyber Security Programmable Controller (PLC) | 2016
GB/T 33007-2016 Safety Procedures for Industrial Automation and Control Systems | 2016
The GB/T 30976 standard series includes an evaluation specification and an acceptance specification. The evaluation specification is used to evaluate the cyber security of industrial control systems, covering the evaluation target, evaluation content and implementation process. The acceptance specification specifies the acceptance process of industrial
control system cyber security solutions, including test content, test methods and technical requirements. GB/T 33009, GB/T 33008 and other standards propose cyber security solutions from the perspective of industrial control products. GB/T 33009 puts forward a DCS cyber security framework from four aspects: security protection requirements, security management requirements, risk assessment guidelines, and risk and vulnerability detection. GB/T 33008 focuses on the cyber security of PLC systems; at present it only puts forward the security protection requirements for PLCs, and the other parts have not been completed. GB/T 33007 is translated from IEC 62443-2-1:2010 to standardize the establishment of security procedures for industrial automation and control systems. The SAC/TC 124 industrial control system security standards are based on IEC 62443 and refer to NIST SP 800-82 and other standards. At present there are still problems such as an incomplete standard series and poor operability, but the standards can still serve as a reference for nuclear power industrial control security construction.
4.3 Security Standards Related to SAC/TC 30
SAC/TC 30 is responsible for the standards relating to electrical and electronic equipment and systems for instrumentation specific to nuclear applications. The standards related to the cyber security of industrial control systems are shown in Table 8.
Table 8. TC 30 related security standards
Item | Date | Source
GB/T 15474-2010 Classification of Safety Important Instruments and Control Functions for Nuclear Power Plants | 2009 | IEC 61226-2009
NB/T 20054-2011 Computer Software for Class A Functions of Safety Important Instrumentation and Control Systems in Nuclear Power Plants | 2006 | IEC 60880-2006
NB/T 20055-2011 Computer Software for Class B and Class C Functions of Safety Important Instrumentation and Control Systems in Nuclear Power Plants | 2004 | IEC 62138-2004
NB/T 20026-2014 General Requirements for Safety Important Instrumentation and Control Systems of Nuclear Power Plants | 2011 | IEC 61513-2011
NB/T 20428-2017 General Requirements for Computer Security of Instrumentation and Control Systems in Nuclear Power Plants | 2017 | IEC 62645-2014
SAC/TC 30 converts related IEC/TC 45 standards into corresponding national or Energy Bureau standards. The IEC 62645 standard has been revised and issued as the National Energy Bureau standard NB/T 20428-2017, "General requirements for computer security of instrumentation and control systems in nuclear power plants". At present, there is no independent cyber security standard for China's nuclear power plants.
5 Conclusions and Suggestions
On the whole, the construction of cyber security standards for nuclear power industrial control systems started relatively late in China. Different domestic organizations have proposed different cyber security standards for industrial control systems; the number of standards is relatively large, but they lack mutual consistency. Accordingly, the overall cyber security protection level of nuclear power industrial control systems lags behind, and there is still a lot of work to be done. It is suggested that the relevant laws and regulations be improved, and that a nuclear power cyber security standard system with Chinese characteristics be established on the basis of the Classified Protection Standards and other security standards, so as to further strengthen cyber security supervision and security assessment throughout the whole life cycle of nuclear power construction [10, 11] and improve the cyber security level of nuclear power. In the long run, to improve the cyber security level of China's nuclear power industrial control systems, it is necessary to strengthen research on new science and technology, to improve the independent and controllable level of core technologies, and to build a new generation of industrial control systems with inherent security characteristics.
References
1. Development and Reform Commission: Guidance on further strengthening security management of nuclear power operation [EB/OL] (2018-05-30). https://www.ndrc.gov.cn/xxgk/zcfb/tz/201805/t20180530_962734_ext.html
2. National Nuclear Safety Administration, China Atomic Energy Authority: Notice on printing and distributing "Technical policy for cyber security of nuclear power plant" [EB/OL] (2020-12-16). http://www.mee.gov.cn/xxgk2018/xxgk/xxgk09/202012/t20201222_814177.html
3. Chen, Y., et al.: Research on information security standards of FIPS. Inf. Technol. Stand. (4), 40–44 (2011)
4. Wang, H., et al.: The research on the serial information security documents of special publications. Inf. Technol. Stand. (5), 65–69 (2011)
5. Liu, J., et al.: Research on cyber security grade protection of nuclear power plant instrument and control system. Nucl. Saf. 19(6), 121–126 (2020)
6. Wang, J., et al.: Comparative study on IEC 62443 and the baseline for classified protection of cybersecurity. Huadian Technol. 43(2), 72–76 (2021)
7. Lili, Y., et al.: Research and discussion on regulatory requirements for information security of nuclear power plant DCS. Nucl. Saf. 16(2), 50–55 (2017)
8. Dong, Z., Rigang, C.: Research on information security standard system. Proc. Autom. Instrum. 40(6), 108–112 (2019)
9. National Information Security Standardization Technical Committee: Catalogue of National Information Security Standards (2018) [EB/OL]. https://www.tc260.org.cn/front/cbw.html?start=0&length=4&type=2
10. Liang, Y.C., et al.: Research on information security assessment method for industrial control system of nuclear power plant. Nucl. Saf. 18(3), 67–73 (2019)
11. Hu, J., et al.: The status quo and supervision of NPP information security from Stuxnet attacks. Nucl. Sci. Eng. (1), 181–185, 192 (2015)
Analysis and Treatment of Accidental Drop of Shutdown Bank
Chao Wang, Wen-Qing Yang, Zheng-Dong Huang, Xiao-Fei Li, Sheng-Xin Yuan, Dong-Liang Liu, Yu Wang, Xiong-Wei Cheng, and Jing Xiao
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen, Guangdong, China
Abstract. In order to analyze the cause of the accidental drop of the K16 shutdown rod cluster in the Rod Position Indicating and Rod Control System (RGL) of a third-generation nuclear power plant, methods of improving the stability and reliability of RGL system operation were studied. Based on the operating principle of the control rod and an analysis of the cycling sequence of rod movement, the cause of the event was investigated by gradual elimination. The event was analyzed from the perspectives of plant safety, possibility of common cause failure, operation control function and Full Scope Simulator (FSS) verification. Based on the analysis results, solutions and suggested measures are proposed. The implementation of these suggestions and measures in the plant effectively guaranteed the normal operation of the RGL system and reduced the risk of accidental rod drop. At the same time, this treatment method provides a reference for other nuclear power plants in solving similar problems.
Keywords: RGL · Control rod · Accidental drop · Cycling sequence of rod movement · Shutdown rod · Plant safety · Operation control function · Full scope simulator verification
1 Introduction
1.1 A Brief Introduction
The Rod Position Indicating and Rod Control System (RGL) includes the Reactor Control Surveillance and Limitation system (RCSL), the Rod Position Indication system (RPI), the Control Rod Drive Control System (RodPilot) and the Control Rod Drive Mechanism (CRDM). The operational function and safety function of the control rods require these four subsystems to cooperate with each other (Fig. 1). The CRDM is used to withdraw and insert the 89 Control Rod assemblies, hold a Control Rod at the selected position, and release the drive rod after a Reactor Trip, in order to control reactivity and maintain the integrity of the reactor coolant pressure boundary [1]. The normal operation of the Control Rods is directly related to the safety and reliability of the nuclear power plant. An accidental drop of a Control Rod distorts the core power distribution, and the local power peak of a fuel rod may exceed the safety limit, threatening the integrity of the fuel cladding. At the same time, it may cause a rapid decline in turbine power, a Partial Trip and other consequences.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 85–96, 2022. https://doi.org/10.1007/978-981-19-1181-1_9
Fig. 1. RGL function diagram
1.2 Introduction to Rod Cluster Control Assembly
The core of the plant has 241 Fuel Assemblies, including 89 RCCAs, all of which are black rods: 53 shutdown rods and 36 control rods. The shutdown rods provide the reactor shutdown margin, and the control rods are used for primary loop average temperature control, axial power offset control and maximum power control. The order of withdrawing the control rods is P5/P4/P3/P2/P1. The bank at the top position is called the H bank, and the rest are called P banks [1].
Table 1. Composition of rod cluster control assembly
Type | Bank | Number
Shutdown rod | N1 | 25
Shutdown rod | N2 | 28
Control rod | P1 (PA) | 4
Control rod | P2 (PG) | 4
Control rod | P3 (PD + PE) | 8
Control rod | P4 (PF + PI) | 8
Control rod | P5 (PB + PC + PH) | 12
The operation time of each step of an RCCA in this type of plant is 800 ms, and rod movement is realized by outputting the established cycling sequence to the SGC, MGC and LC through RodPilot. Fig. 2 shows the rod withdrawal cycling sequence.
Fig. 2. Rod withdrawal cycling sequence
At the beginning, the MGC carries reduced current and the LC and SGC carry zero current; the cycling sequence of rod movement is then as follows (Table 2):
Table 2. Cycling sequence of rod movement
0 ms: MGC and LC with full current; the RCCA moves up one step.
174 ms: SGC with full current; the Control Rod is now held by SGC and MGC together.
260 ms: MGC with zero current; the MG releases.
290 ms: LC with zero current; the MG moves down one step under the action of gravity and spring force.
590 ms: MGC with full current; the MG holds the Control Rod.
694 ms: SGC with zero current; the Control Rod completes the switch from SGC holding to MGC holding.
800 ms: MGC with reduced current keeps holding, waiting for the next command.
Rod insertion cycling sequence is similar to the rod withdrawal sequence.
2 Background Description
A plant carried out an Approach to Criticality operation by withdrawing the Control Rods, and the operator withdrew the shutdown rod group N1 from the fully inserted position to the top of the core according to the operating procedure. During the withdrawal of N1, the measured position of rod K16 of the group changed from 264 steps to 0 steps, and the signal "rod in bottom end position" of K16 was triggered. By checking the output signals of the rod position detector and the post-processing module, it was verified that the RPI function was normal and the measured position credible, and it was confirmed that the K16 rod had dropped to the bottom of the core. At the same time, there was no fault or alarm on the RodPilot cabinet. The Movable Gripper Coil (MGC) module indicates reduced
current, and the Stationary Gripper Coil (SGC) module and Lift Coil (LC) module have zero current, which is consistent with the normal holding state of Control Rod. In this situation, K16 dropping violates the Operational Technical Specifications (OTS) and it is recorded as the group 1 event [2]. According to the Reactor state transition procedure, Criticality operation is prohibited when there is a group 1 event. Therefore, the operator immediately stopped the Approach to Criticality operation and inserted the N1 rod into the core to eliminate the group 1 event.
3 Incident Analysis
3.1 Cause Analysis of Accidental Drop
As can be seen from the cycling sequence of rod movement, when a single gripper holds the drive rod, the rod may drop if the coil loses its power supply or its current becomes too small. When the control system detects this risk, the double-hold function is triggered: MGC and SGC hold the Control Rod at the same time, and the RodPilot system generates an alarm. When the drive rod is switched between SGC holding and MGC holding, if the releasing gripper has completely released before the holding gripper is completely closed, the drive rod is momentarily held by neither gripper, i.e. sliding occurs. While sliding occurs, the coil currents are consistent with normal operation and no abnormal alarm is raised. According to the on-site inspection, the corresponding module showed no abnormal alarm after the K16 drop and the current indication was normal, so an abnormal coil power supply is not the cause of the Control Rod drop. After the accidental drop occurred, the on-site personnel connected a high-speed recorder at the RodPilot cabinet to record the rod movement sequence while K16 was withdrawn again. According to the Test Procedure - Rod Control Function Test [3], the switching times and pull-in/release currents were analyzed from the recorded current oscillograms. The closing time is characterized by the LC/MGC/SGC current, and the opening time is characterized by the LC/MGC/SGC voltage. The analysis results of the K16 extraction (time unit: ms) are shown in Table 3:
Table 3. Analysis results of K16 extraction switching time (ms)
Position | LC pull-in | LC drop-out | SGC pull-in | SGC drop-out | MGC pull-in | MGC drop-out
1 | 168 | 177 | 160 | 96 | 85 | 114
20 | 161 | 168 | 166 | 96 | 82 | 110
40 | 161 | 169 | 164 | 95 | 80 | 108
60 | 164 | 174 | 165 | 98 | 82 | 109
80 | 161 | 179 | 166 | 95 | 80 | 109
100 | 160 | 175 | 176 | 91 | 84 | 99
According to the analysis results, the SGC closing time is actually over 160 ms, whereas the requirement specification provided by the CRDM supplier states that it should not exceed 140 ms [4]. In addition, according to the results of the Rod Control Function Test, the SGC pull-in time of K16 ranges from 98 to 211 ms, and the SGC clamping current is too large, with an average value of 3.5 A, significantly larger than the 2.8 A average of the other rods (see Fig. 3, where the red line represents a normal rod). Excessive clamping current leads to a longer SGC closing time, so the SG may not be completely closed while the MG still needs a certain time to close. During this time the drive rod is held by no gripper, which may lead to sliding steps or even a rod drop.
Fig. 3. Results of K16 SGC closing time
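The hand-over margin implied by Tables 2 and 3, as an added example that is not part of the original paper: it assumes a simplified timing model in which a gripper is closed at the Table 2 command instant plus the measured pull-in delay and open at the command instant plus the measured drop-out delay, and on that assumption computes, for every measured K16 step, how long the rod is still held by the releasing gripper after the engaging gripper has closed. The 140 ms supplier limit and the 98 to 211 ms functional-test range are the figures quoted in the text; the table rows are transcribed from Table 3.

```python
"""Hand-over margin check for the K16 rod-withdrawal measurements (added example).

Simplified timing model (an assumption of this example, not the paper's method):
a gripper is closed at (command instant + pull-in delay) and open at
(command instant + drop-out delay).  The rod is held by no gripper whenever the
releasing gripper opens before the engaging gripper has closed.
"""
from dataclasses import dataclass

# Table 2 command instants (ms) for the two gripper hand-overs during withdrawal.
SGC_FULL_CURRENT_MS = 174   # SGC energised: SG starts to close
MGC_ZERO_CURRENT_MS = 260   # MGC de-energised: MG starts to release
MGC_FULL_CURRENT_MS = 590   # MGC re-energised: MG starts to close
SGC_ZERO_CURRENT_MS = 694   # SGC de-energised: SG starts to release

SGC_PULL_IN_LIMIT_MS = 140  # CRDM supplier limit quoted in the paper

# Table 3 rows, transcribed from the paper: position, LC pull-in, LC drop-out,
# SGC pull-in, SGC drop-out, MGC pull-in, MGC drop-out (all ms).
TABLE_3 = """\
1   168 177 160 96 85 114
20  161 168 166 96 82 110
40  161 169 164 95 80 108
60  164 174 165 98 82 109
80  161 179 166 95 80 109
100 160 175 176 91 84 99
"""


@dataclass(frozen=True)
class StepTiming:
    position: int
    lc_pull_in: int
    lc_drop_out: int
    sgc_pull_in: int
    sgc_drop_out: int
    mgc_pull_in: int
    mgc_drop_out: int


def parse_table(text: str) -> list[StepTiming]:
    """Parse whitespace-separated rows; lines without exactly 7 fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        rows.append(StepTiming(*map(int, fields)))
    return rows


def margin_for_pull_in(sgc_pull_in: int, mgc_drop_out: int) -> int:
    """MG-to-SG hand-over margin (ms): MG open instant minus SG closed instant.

    Positive means the SG had closed before the MG let go; negative means an
    unguarded window of that length under the model's assumptions.
    """
    sg_closed = SGC_FULL_CURRENT_MS + sgc_pull_in
    mg_open = MGC_ZERO_CURRENT_MS + mgc_drop_out
    return mg_open - sg_closed


def handover_margins(t: StepTiming) -> tuple[int, int]:
    """Return (MG-to-SG margin, SG-to-MG margin) in ms for one measured step."""
    mg_closed = MGC_FULL_CURRENT_MS + t.mgc_pull_in
    sg_open = SGC_ZERO_CURRENT_MS + t.sgc_drop_out
    return margin_for_pull_in(t.sgc_pull_in, t.mgc_drop_out), sg_open - mg_closed


def assess(rows: list[StepTiming]) -> list[dict]:
    """Flag out-of-spec SGC pull-in times and compute both hand-over margins."""
    findings = []
    for t in rows:
        mg_to_sg, sg_to_mg = handover_margins(t)
        findings.append({
            "position": t.position,
            "sgc_pull_in_over_limit": t.sgc_pull_in > SGC_PULL_IN_LIMIT_MS,
            "mg_to_sg_margin_ms": mg_to_sg,
            "sg_to_mg_margin_ms": sg_to_mg,
            "unguarded": mg_to_sg < 0 or sg_to_mg < 0,
        })
    return findings


def worst_case_margin(rows: list[StepTiming], sgc_pull_in_max: int) -> int:
    """Margin if SGC pull-in reached sgc_pull_in_max (e.g. the 211 ms seen in the
    Rod Control Function Test) while the MG released as fast as ever observed."""
    fastest_mg_release = min(t.mgc_drop_out for t in rows)
    return margin_for_pull_in(sgc_pull_in_max, fastest_mg_release)


if __name__ == "__main__":
    steps = parse_table(TABLE_3)
    for f in assess(steps):
        print(f)
    print("worst case (211 ms pull-in):", worst_case_margin(steps, 211), "ms")
```

Every Table 3 row exceeds the 140 ms limit yet still shows a small positive MG-to-SG margin (9 ms at position 100); pushing the pull-in to the 211 ms maximum seen in the functional test turns that margin negative, which is the unguarded window the paper describes.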
According to the above analysis, the K16 Stationary Gripper may occasionally move unsmoothly. Combined with the cycling sequence, the possible reasons are as follows:
(1) The electromagnetic force is not enough to withdraw the Control Rod.
i. Module failure or random failure: the module has defects that are not detected by its own monitoring unit. According to the Siemens Component Failure Rate Calculation
Standard [5], the module and its failure rate related to rod movement are as follows (Table 4):
Table 4. Failure rate of modules

Module               Failure rate  Function
10A-Coil-Module-10   3050 FIT*     Generate and monitor excitation current
RDM1-Module          1050 FIT      Control and monitor current with RCM (Rod Control Module)
SPLM1-RodPilot/RCM   2350 FIT      Control and monitor current with RDM1

* 1 FIT refers to one component failure within 10^9 h.
As can be seen from the failure rates, the possibility that the abnormal SGC closing time was caused by this reason is small.

ii. Dislocation of equipment installation: When the SG coil and the latch are misaligned, the effect of the electromagnetic force generated by the coil on the latch is weakened, resulting in slow SG action and a long closing time. The three coils on site are installed as an integral latch unit; if the SG coil were dislocated, the other coils would also be dislocated and show cycling sequence abnormalities. In fact, data analysis shows that the MGC and LC sequences are normal, so the possibility that installation dislocation caused the abnormal SGC closing time is small.

iii. Coil assembly self-failure: According to the supplier's clarification reply to the problem that the SGC closing time exceeded the limit value during the pre-Criticality test, the tester carried out 5000 step-by-step running-in on K16. After the running-in was completed, the test result was qualified. Moreover, after Fuel Loading, the coil insulation and resistance of K16 were checked and found qualified, so the possibility that a coil assembly failure caused the abnormal SGC closing time is also small.

(2) There are impurity particles in the Primary Coolant. The CRDM latch unit is immersed in the Primary Coolant, and if impurities exist in the coolant, occasional unsmooth movement of the latches may result. The actual on-site test found that the over-limit closing time of the SG coil occurred sporadically, and the amount by which the limit was exceeded was different each time. The 5000 step-by-step test carried out before the equipment leaves the factory immerses the CRDM in a stable water quality environment, which is greatly different from the complex conditions and water quality of the on-site Primary Coolant system.
According to the investigation of feedback related to Control Rod slipping events at nuclear power plants at home and abroad, the vast majority of Control Rod slip events are caused by impurity particles in the Primary Coolant, so the possibility that this is the cause of the abnormal SGC closing time is high.

(3) Poor running-in of the latch unit. According to the pre-Criticality test results, a 5000 step-by-step test of K16 was added. The results show that the SGC closing time decreases as the number of running-in steps increases. Since K16 belongs to a shutdown bank and moves little during normal operation, the running-in problem of the latch unit may be an influencing factor, and the probability of this factor is medium.

(4) Defect of latch equipment. Defects introduced during latch design, processing, assembly and transportation may lead to the SGC closing time exceeding the limit. The latch unit is supplied in complete sets, and the factory test results all meet the requirements. The sliding step phenomenon of K16 is sporadic; it is not a sliding step that occurs at the initial stage of moving the rod. If the latch arm itself had defects, the sliding phenomenon should not be sporadic, which is inconsistent with the actual situation on site, so the possibility of defects in the latch arm itself is small.

3.2 Plant Safety Analysis

The functional design of the RGL RCCAs shall ensure that the safety function can be completed under all Design Basis Conditions (DBC), and that the relevant safety function can also be guaranteed under Design Extension Conditions (DEC) [6]. According to the design basis, the RGL system can bring the core to sub-criticality in a short time from any initial power level. Under normal operating conditions, the Control Rods provide the minimum shutdown margin required for DBC events and ensure that the core can quickly return to the sub-critical state, thus avoiding potential fuel breakage consequences. In the reactor approach to Criticality operation, the shutdown rods are allowed to be withdrawn only if the boron concentration meets the shutdown margin. In the process of withdrawing the shutdown rods, there is no safety risk to reactivity control when one cluster of shutdown rods drops.
According to the Operating Technical Specification, under the operating mode of reactor in power, if one or more clusters of shutdown rods are not in the required position, this is recorded as a group 1 event. If there is no Control Rod mechanical stuck failure, the shutdown rod that is not in the required position can be manually withdrawn to meet the initial condition of the accident analysis. The impact of a Control Rod drop on the shutdown margin is consistent with its impact on the initial condition of the accident analysis: sufficient negative reactivity can be introduced to ensure a sufficient shutdown margin during a rod drop. When a Control Rod slides or drops, its actual position introduces a large negative reactivity in a short period of time, causing distortion of the neutron flux distribution, an increased enthalpy rise factor and a sudden increase of the local Linear Power Density, which may lead to control failure and triggering of the protection function for low Departure from Nucleate Boiling Ratio or high Linear Power Density. When the nuclear power plant is in the operating mode reactor in power and the power distribution distortion is serious, Departure from Nucleate Boiling may occur in the Fuel Assemblies, causing insufficient cooling of the fuel cladding and even cladding damage and fuel meltdown. During this incident, the plant was in the approach to Criticality process, withdrawing the shutdown rods. The nuclear power was zero and there was no potential nuclear safety risk from the K16 drop. According to the requirements of reactor state transition, Criticality is prohibited when there is a group 1 event. From the perspective of plant unit state control, the rest of the N1 shutdown rods were inserted into the core to eliminate the group 1 event after the rod drop. After the incident analysis was clear, the N1 shutdown rods were withdrawn again according to the operation procedure. During the whole event, the plant unit state was controllable and reactivity control had no safety risk.

3.3 Common Cause Failure Analysis

Through the analysis of the rod control function test results under hot shutdown conditions during pre-Criticality, the SGC closing time of K16 is about 170 ms, which exceeds the 140 ms criterion, while the switching times of the other rods meet the criterion and the maximum SGC closing time of any other rod is not more than 120 ms. After the accidental drop of K16, the 5000 step-by-step test was carried out for mechanical running-in. During the running-in, the SGC closing time of K16 was recorded and analyzed as shown in Fig. 4.
Fig. 4. SGC closing time of K16 during running-in
According to the analysis of the running-in results, with the increase of running-in steps the SGC closing time shows a significant decreasing trend, and the frequency of out-of-limit values after repeated running-in also gradually decreases, i.e. repeated mechanical running-in improves the movement performance of the CRDM. All Control Rods have moved about 24,000 steps and K16 about 30,000 steps so far, and only one drop occurred during all rod movements of K16. The accidental drop of K16 is an accidental failure caused by the long closing time of the SGC. Based on the fact that the SGC closing time of K16 is significantly longer than that of the other rods, it can be inferred that there is no Common Cause Failure, and the possibility of multiple clusters of rods dropping abnormally at the same time is extremely low.
3.4 Full Scope Simulator Verification Analysis

In order to better clarify the risk of an accidental Control Rod drop and formulate targeted control plans, the testers carried out a simulation test of dropping K16 at Full Power on the FSS. The initial state of the simulator is Full Power (100% NP), Beginning of Life, with a primary loop average temperature of 312 °C, 304 steps for the P1 rod position and 397 steps for the H rod position, an average temperature deviation of 0 °C and a turbine power of 1750 MW. K16 was dropped to the bottom of the core in the simulation (Table 5). The main alarms triggered after the drop are as follows [7]:

Table 5. Triggered alarm list after simulated rod drop

Alarm                         Reason
Axial power imbalance;        The insertion of K16 leads to a distortion of the core power, and the axial power measured by the SPND is unbalanced
Quadrant power deviation
RGL rod drop detection        Rod drop trigger
Average temperature deviation Negative reactivity is introduced by the dropped rod, which lowers the average temperature of the primary loop and causes an excessive average temperature deviation
RCCA misalignment             Shutdown rod K16 is not at the top of the core (step 416)
After the rod drop, negative reactivity is introduced and the primary loop temperature decreases; in response to average temperature control the P1 rod is raised from 304 steps to 324 steps, reaching the upper limit position of maximum power control, and in response to maximum power control the H rod is raised from 396 steps to 416 steps. The average temperature deviation reached minus 2.76 °C at its lowest and finally stabilized at minus 1.1 °C, and the average temperature finally stabilized at 311 °C. After the rod drop, the thermal power decreased to 92.8% NP at its lowest, then increased and stabilized at 98.3% NP under the action of the control system; the nuclear power reached 97.2% NP at its lowest and 103.8% NP at its highest before finally stabilizing. After the simulator state was stable, the simulator operator carried out intervention measures according to the Operating Technical Specification. After the electric power was reduced by 60 MW, the average temperature control returned to its dead band and the automatic Control Rod withdrawal and insertion demand signals disappeared. Then the power was reduced by boration; the final electric power was reduced to 1203 MW and the thermal power stabilized at 69.2% NP. From the results of the FSS verification, it can be seen that, due to the introduction of a large amount of negative reactivity in a short period of time after the rod drop, the core power and temperature are greatly disturbed. Under the action of the control system and the reactor's self-stabilizing characteristics the core can reach a stable state again, but in the transient process of reaching this state the nuclear power exceeds the safety limit. Through operator intervention, the plant unit can be transferred to a safe and stable power level by boration to reduce core power. To sum up, if a Control Rod accidentally drops, the instantaneous nuclear power of the core exceeds the limit and the nuclear hot spot factor deteriorates, which will definitely lead to an increase in the maximum Linear Power Density of the fuel assembly and a decrease in the safety margin, which may trigger a Partial Trip or a complete reactor trip. However, if the operator intervenes in advance, the reactor can be stabilized at a lower power level through boration to reduce core power and avoid excessive local Linear Power Density.

3.5 Functional Analysis of Rod Drop

After a Reactor Trip is triggered, the upstream control voltage of the CRDMs is cut off, causing all CRDMs to lose their power supply, so all latch arms are released and the rods drop under gravity. If the loss of power supply to the SGC and MGC or the latch arm release were abnormal, this would definitely affect the rod drop function after a normal reactor shutdown. An MGC release time of 120 ms or less and an SGC release time of 140 ms or less are required for the rod withdrawal process, and an MGC release time of 180 ms or less and an SGC release time of 140 ms or less are required for the rod insertion process. Table 1 shows the analysis results of the K16 withdrawal and Table 6 shows the analysis results of the K16 insertion. The withdrawal and insertion processes of K16 meet these requirements.

Table 6. Results of K16 rod insertion switching time (ms)

Position  LC pull-in  LC drop-out  SGC pull-in  SGC drop-out  MGC pull-in  MGC drop-out
1         158         154          102          88            85           76
20        158         148          111          80            85           109
40        159         149          106          76            84           99
60        156         152          102          80            86           103
80        158         158          101          90            83           108
100       162         169          105          85            85           102
During the pre-Criticality of the plant unit, through the implementation of the Rod Drop Time Measurement Test [8], all Control Rod drop times were qualified, and the rod drop function meets the requirements.
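As an added example (not code from the paper or from the plant's RodPilot system), the following Python encodes the switching-time limits quoted in Sections 3.1 and 3.5 and checks the K16 records of Table 3 (withdrawal) and Table 6 (insertion) against them. The column order and limit values are transcribed from the tables and text above; the function and class names are assumptions of this example.

```python
"""Check recorded CRDM coil switching times against the acceptance limits
quoted in the paper (SGC closing <= 140 ms; release limits per direction)."""
from dataclasses import dataclass

# SGC closing (pull-in) limit from the CRDM supplier specification (Section 3.1).
SGC_PULL_IN_MAX_MS = 140
# Release (drop-out) limits required for each movement direction (Section 3.5).
RELEASE_LIMITS_MS = {
    "withdraw": {"MGC": 120, "SGC": 140},
    "insert": {"MGC": 180, "SGC": 140},
}

# Column order of Tables 3 and 6: position, then pull-in/drop-out per coil.
COLUMNS = ("position", "LC_pull_in", "LC_drop_out", "SGC_pull_in",
           "SGC_drop_out", "MGC_pull_in", "MGC_drop_out")

# Table 3: K16 withdrawal switching times (ms), transcribed from the paper.
K16_WITHDRAW = [
    (1, 168, 177, 160, 96, 85, 114),
    (20, 161, 168, 166, 96, 82, 110),
    (40, 161, 169, 164, 95, 80, 108),
    (60, 164, 174, 165, 98, 82, 109),
    (80, 161, 179, 166, 95, 80, 109),
    (100, 160, 175, 176, 91, 84, 99),
]
# Table 6: K16 insertion switching times (ms), transcribed from the paper.
K16_INSERT = [
    (1, 158, 154, 102, 88, 85, 76),
    (20, 158, 148, 111, 80, 85, 109),
    (40, 159, 149, 106, 76, 84, 99),
    (60, 156, 152, 102, 80, 86, 103),
    (80, 158, 158, 101, 90, 83, 108),
    (100, 162, 169, 105, 85, 85, 102),
]


@dataclass(frozen=True)
class Violation:
    """One recorded value that exceeds its limit (hypothetical record type)."""
    position: int
    parameter: str
    value_ms: int
    limit_ms: int


def limits_for(direction):
    """Map the checked parameters to their limits for one movement direction."""
    release = RELEASE_LIMITS_MS[direction]  # KeyError for an unknown direction
    return {
        "SGC_pull_in": SGC_PULL_IN_MAX_MS,
        "SGC_drop_out": release["SGC"],
        "MGC_drop_out": release["MGC"],
    }


def check_sequence(rows, direction):
    """Return every limit violation found in a recorded movement sequence.

    Each row follows COLUMNS. A value strictly above its limit is a violation;
    the returned list is ordered by position, then by parameter name.
    """
    limits = limits_for(direction)
    violations = []
    for row in rows:
        record = dict(zip(COLUMNS, row))
        for parameter, limit in sorted(limits.items()):
            if record[parameter] > limit:
                violations.append(Violation(record["position"], parameter,
                                            record[parameter], limit))
    return violations


def worst_value(rows, parameter):
    """Largest recorded value of one parameter across a sequence (ms)."""
    index = COLUMNS.index(parameter)
    return max(row[index] for row in rows)


def summarize(rows, direction):
    """Compact verdict: which parameters exceeded their limit, and how often."""
    counts = {}
    for v in check_sequence(rows, direction):
        counts[v.parameter] = counts.get(v.parameter, 0) + 1
    return counts


if __name__ == "__main__":
    for name, rows, direction in (("Table 3", K16_WITHDRAW, "withdraw"),
                                  ("Table 6", K16_INSERT, "insert")):
        print(name, direction, summarize(rows, direction) or "all within limits")
        for v in check_sequence(rows, direction):
            print(f"  step {v.position}: {v.parameter} = {v.value_ms} ms "
                  f"> limit {v.limit_ms} ms")
```

Run stand-alone, the check reproduces the paper's finding: every SGC pull-in value of the withdrawal record exceeds 140 ms, while all release times in both directions are within their limits.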
4 Problem Handling

In view of the possibility of insufficient electromagnetic force, the tester replaced the K16 rod control module and sent the replaced module back to the supplier for module inspection and test, to rule out defect factors in its control module. In addition, the relevant parameters of the K16 CRDM are checked, and a recorder is used to record the current and voltage curves when moving K16, so that the parameters can be analyzed promptly and the characteristics of K16 mastered in real time. In view of possible defects of the SGC latch arm, close attention is paid to the state of the rod during normal operation of the plant unit. If interlocking, sliding or dropping of rods occurs again, it is necessary to inspect the latch unit and conduct a comprehensive survey of the same batch of equipment to prevent the problem from recurring. In view of the possibility of poor running-in of the latch unit, according to the incident analysis and the experience feedback of other plants, regular maintenance test items in which all Control Rods carry out full-stroke withdrawal and insertion actions are added to improve mechanical performance. At the same time, adding full-stroke Control Rod withdrawal and insertion operations can remove potential impurity particles from the CRDM latch unit and drive rod. In view of possible excessive mechanical friction in the latch unit, it is necessary to strengthen the circulation filtration of the primary loop system and improve the water quality, optimize the chemical operation scheme during reactor shutdown and start-up, and reduce the deposition of particulate corrosion products. For the increased risk of accidental drop during K16 movement, when manual control is involved, the rod speed is changed to slow speed mode, i.e. 1600 ms/step (37.5 steps/minute), so that the coils have enough time to complete the action at each step. Regarding the possibility of mechanical damage to the drive rod caused by the rod drop: the latch arm material is heat-resistant stainless steel Z6CN Nb18–11, the contact surface coating is chromium, and the drive rod material is martensitic stainless steel X12Cr13.
The hardness of the latch arm's chromium coating is greater than that of the drive rod material, so the drive rod is likely to be damaged. It is recommended to carry out a K16 drive rod inspection during the outage and to perform the necessary maintenance or component replacement according to the inspection results. In addition, based on the phenomenon, verified by the simulator, that K16 drops to the bottom of the core under Full Power, the RCSL control logic and the requirements of I-RGL and OTS, the following control scheme diagram is formulated for an accidental Control Rod drop (Fig. 5).
Fig. 5. Control scheme of accidental rod dropping. Flowchart boxes as extracted from the figure: "Misalignment alarm and Rod drop detection alarm occurred in MCR"; "Judge whether Control Rod dropped"; "Operators implement the relevant measures in I-RGL procedure after rod drop"; "Record the Group 1 events according to I-RGL"; "Eliminate the fault and perform I-RGL to Withdraw the Drop Rod"; "Troubleshoot and determine the cause of Rod Drop"; "Verify that Counted Position of the drop Rod is correctly displayed as 0"; "Implement Mitigation Measures to Reduce Power to 70% NP by boration".
According to the RGL fault handling program [9], the calibration program shall be started manually after a Control Rod drops: the counted position of the faulty rod is reset in the RCSL logic so that the counted position is consistent with the actual position. In the RGL operation screen of the main control room, the dropped rod shall be withdrawn no more than 3 steps at a time, and the plant unit shall be kept in a stable state during the rod withdrawal process.
5 Conclusion

In this paper, the causes of the accidental drop of K16 during the approach to Criticality are analyzed and the possible causes are studied in depth. Through measures such as rod running-in and water quality control, the risk of an accidental drop of rod K16 is reduced. At the same time, the potential consequences of a rod drop are analyzed, and the plant unit's control scheme for an accidental drop is formulated in combination with simulator verification and the relevant safety analysis. Through the analysis and treatment of this incident, the normal operation of the RGL system was effectively guaranteed and the risk of accidental drops was reduced; after the incident was handled, the plant unit did not have any further accidental drop. At the same time, the understanding of the operational function and safety function of the RGL system has improved, which provides an effective reference basis for the plant control strategy after a rod drop. The same type of CRDM is widely used in Pressurized Water Reactor nuclear power stations, and the analysis and research of this problem have reference value for the subsequent research and development, manufacture, installation, commissioning and operation of CRDM equipment.
References

1. Reichert, M.: RGL - Equipment Operating and Maintenance Manual. AREVA NP-CNPDC (2017)
2. Tang, X.-Q.: Operating Technical Specifications. TNPJVC 30 (2018)
3. Frederic, B.: TP RGL 101: Rod Control Function test. AREVA NP-CNPDC 118–119 (2017)
4. Faltermeier, R.: Project Specification for Control Rod Drive Mechanisms. AREVA NP-CNPDC 100 (2016)
5. Rudnick, M.: RodPilot - Equipment Operating and Maintenance Manual. AREVA NP-CNPDC 74–87 (2015)
6. De Seze, P.-A.: CEPR - OTS for RGL system - Designer contribution. AREVA NP-CNPDC (2016)
7. Savreux, R.: Reactor Control Surveillance and Limitation system (RCSL) - I&C Function Specification Level 4 - FunBase. AREVA NP-CNPDC (2015)
8. Bar, F.: TP RGL 102: Rod Drop time measurement. AREVA NP-CNPDC (2017)
9. Tang, S.: IRGL RGL malfunctions. AREVA NP-CNPDC (2017)
The Software Modeling and Sensitivity Study of Computer Based I&C System in Probabilistic Safety Assessment of Nuclear Power Plant

Chu-Hao Xi1,2(B), Wei Sun1,2, and Li-Ming Zhang1,2

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen of Guangdong Prov., Shenzhen 518172, China [email protected]
2 China Nuclear Power Engineering Company LTD., Shenzhen 518045, Guangdong, China
Abstract. The assessment method for the software of computer-based Instrumentation & Control (I&C) systems is one of the major sticking points in the Probabilistic Safety Assessment (PSA) of Nuclear Power Plants (NPP). This paper introduces a conservative cut-off value method for the software modeling of computer-based I&C systems, so that the impact of software is taken into account in the PSA model, and a sensitivity study of the software is performed to analyze the significance of each software part of the computer-based I&C system. Finally, a case study is presented to show how to model the software and perform the sensitivity study.

Keywords: Software modeling · Sensitivity study · Probabilistic safety assessment
1 Introduction

Computer-based I&C systems used for the control and monitoring of NPP safety systems can contribute to the overall PSA of the plants. Therefore, in order to properly assess the risks introduced by computer-based I&C systems, it is important to develop a suitable and sufficient methodology for modelling computer-based I&C system reliability in the Probabilistic Safety Analysis (PSA), to ensure that more realistic models are constructed and that the relevant data are suitably underpinned. In engineering practice, the methodologies used for the I&C PSA model should be justified and should account for all key influencing factors, for example human errors, failures of computer-based systems (including software errors), common cause failures (CCF), or failures of structures, where the common cause failures (CCFs) of computer-based systems caused by software are hard to assess.
2 Method for Software Modelling

2.1 Failure Mode of Software

The software within each software-based I&C system and component can be considered to be made up of three key types:

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 97–103, 2022. https://doi.org/10.1007/978-981-19-1181-1_10
98
C.-H. Xi et al.
1. Operating system software – referring to the software that relates to the functioning of, and services provided by, the platform itself. The operating system is common to all systems sharing the same platform;
2. Application software – referring to the software that specifies the functions that perform a task related to the delivery of a safety function. Application software is likely to be common between redundant divisions of a system;
3. Communications software – referring to the software which implements the transfer of data with other systems [1].

According to this breakdown of the types of software, the software within each software-based I&C system and component will be modelled using a maximum of three software basic events (i.e. in addition to the hardware):

1. Operating system failure;
2. Application software failure;
3. Communications unit failure.

An “operating system failure” is a common basic event for all systems implemented on the same platform. Application software is unlikely to be common to dissimilar systems but may be common across redundant divisions or channels of that system. The modelling of an individual unit therefore includes an “application software failure” basic event, which is common to any systems using the same application software. The failure of communications units within a system could result in intra-system or cross-divisional failures. For some systems it may be possible to bound this within the failure modes of the operating system if that is where the communications function resides [2, 3]. The generic model for a unit containing software is shown in Fig. 1.

Fig. 1. Software failures. (Top event: I&C System Failure (single unit); inputs: Hardware Failure, Application Software Failure, Operating System Failure, Communications Software Failure.)
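As an added example, not code or data from the paper, here is a small Python model of the Fig. 1 structure extended to n redundant divisions: each division has its own hardware basic event, while the operating system, application software and communications software basic events are shared exactly as Section 2.1 describes. The basic-event probabilities and the 1-out-of-n success logic are constructed assumptions; the enumeration shows the redundancy limit that Section 2.2 attributes to systematic capability, namely that the common software events put a floor under the system failure probability that extra divisions cannot lower.

```python
"""Toy PSA model: Fig. 1 basic events for one unit, replicated over n divisions."""
from itertools import product

# Constructed per-demand basic-event probabilities (illustrative, not from the paper).
P_HARDWARE = 1e-3   # independent basic event in every division
P_OS = 1e-5         # common to every unit on the same platform
P_APP = 1e-4        # common across redundant divisions of one system
P_COMMS = 5e-5      # communications software, modelled as one common event


def division_fails(hw, app, os_failed, comms):
    """Fig. 1 unit model: the unit fails if any of its four basic events occurs."""
    return hw or app or os_failed or comms


def system_failure_probability(n_divisions, p_hw=P_HARDWARE, p_app=P_APP,
                               p_os=P_OS, p_comms=P_COMMS, diverse_app=False):
    """Exact probability that all n divisions fail (1-out-of-n success logic),
    computed by enumerating every combination of basic-event states.

    OS and communications failures are single common events. Application
    software is a single common event unless diverse_app=True, in which case
    each division carries an independent application software event.
    """
    n_app = n_divisions if diverse_app else 1
    events = [p_hw] * n_divisions + [p_app] * n_app + [p_os, p_comms]
    total = 0.0
    for outcome in product((False, True), repeat=len(events)):
        prob = 1.0
        for p, failed in zip(events, outcome):
            prob *= p if failed else 1.0 - p
        hw = outcome[:n_divisions]
        app = outcome[n_divisions:n_divisions + n_app]
        os_failed, comms = outcome[-2], outcome[-1]
        if all(division_fails(hw[i], app[i if diverse_app else 0], os_failed, comms)
               for i in range(n_divisions)):
            total += prob
    return total


def closed_form(n_divisions, p_hw=P_HARDWARE, p_app=P_APP,
                p_os=P_OS, p_comms=P_COMMS, diverse_app=False):
    """Same quantity without enumeration: P(common event) plus, when no common
    event occurs, the probability that every division fails independently."""
    if diverse_app:
        p_common = 1.0 - (1.0 - p_os) * (1.0 - p_comms)
        p_division = 1.0 - (1.0 - p_hw) * (1.0 - p_app)
    else:
        p_common = 1.0 - (1.0 - p_os) * (1.0 - p_comms) * (1.0 - p_app)
        p_division = p_hw
    return p_common + (1.0 - p_common) * p_division ** n_divisions


def redundancy_floor(p_app=P_APP, p_os=P_OS, p_comms=P_COMMS, diverse_app=False):
    """Limit of the system failure probability as n grows: the common events alone."""
    if diverse_app:
        return 1.0 - (1.0 - p_os) * (1.0 - p_comms)
    return 1.0 - (1.0 - p_os) * (1.0 - p_comms) * (1.0 - p_app)


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        print(f"{n} division(s): common app {system_failure_probability(n):.3e}, "
              f"diverse app {system_failure_probability(n, diverse_app=True):.3e}")
    print(f"floor with common application software: {redundancy_floor():.3e}")
```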
2.2 System Reliability Capability

I&C systems are by nature highly complex and our capability to fully analyze the equipment is limited. IEC 61508 sets out the key concept of SILs, corresponding to a range of safety integrity values where SIL 4 has the highest level of safety integrity and SIL 1 the lowest. Each SIL has an associated target probability of dangerous mode failures to
The Software Modeling and Sensitivity Study of Computer
99
be achieved, which are shown in Table 1. The concept of systematic capability is defined as the measure of confidence that the systematic safety integrity of an element meets the requirements of the specified SIL. Systematic capability is relevant to both hardware and software and in practice results in a limit to the benefits from increasing redundancy within a single non-diverse safety system [4].

Table 1. Safety integrity levels
SIL
Average Probability of a Dangerous Failure on Demand (PFD AVG)
4
≥1E-05 to trigger action;
2. The emergency shutdown system is designed to trigger the reactor emergency shutdown when the output of the system loses power;
3. In the event of loss of power or air supply, the engineered safety feature actuator is designed to maintain or enter a proven acceptable state, for example, the pump is maintained in its previous state and the pneumatic valve is in a safe state.

4.1.6 Diversity Requirements: in order to reduce the risk of common cause failure, the I&C system adopts a diversified design. These methods include the diversity of shutdown functions and various backup shutdown methods. The shutdown treatment mode of the digital I&C system of AP1000 consists of the PMS system, the DAS system, the PLS system and manual shutdown.
216
J.-K. Zheng et al.
1. The overall structure of instrumentation and control is based on two different software and hardware platforms, used for safety-level and non-safety-level I&C system functions respectively;
2. The digital protection system adopts a functional diversity design, and the protection variables are grouped reasonably. The protection variables for each accident use variables of different measurement principles as far as possible and are allocated to different processors, so as to prevent the influence of common mode faults of the application software;
3. If the digital protection system fails due to a common mode fault, the related functions are performed by the diverse protection system;
4. The system-level commands for manually triggering shutdown and special actions can completely bypass the digital protection system and extend through solid-state logic or relays to the driver control interface of each actuator.

4.1.7 Equipment Qualification Requirements: define the scope of I&C system equipment qualification, the regulations and standards it is based on, and the conclusion of the qualification. Relevant environmental tests, seismic tests and EMC tests have been carried out for the important key equipment of the digital I&C system of AP1000, and V&V, configuration management, reliability and other process certifications have been completed.
1. Using verified, mature and certified digital technology and platforms, the hardware qualification of computer components meets GB/T 12727, and the software qualification meets NB/T 20054;
2. Configuration management activities are carried out over the whole life cycle of the digital system, identifying the hardware components, software, file version numbers and historical data of the item configuration;
3. Various means are adopted to ensure the reliability of the safety-level system and reduce the faults and risks caused by common faults of the safety-level system software.
These diverse means include the functional diversity of the protection system, the provision of a diverse actuation system, the use of conventional technology and the manual control of equipment from the backup panel, etc.;
4. The instrumentation and control system equipment has good EMC performance, which can avoid interference from external electric and magnetic fields [8]. The EMC test of safety equipment follows R.G 1.180, and that of non-safety equipment follows R.G 1.180 or IEC 61000.

4.2 Applicability Analysis of HAF 102-2004

4.2.1 Section 6.4.1 “General Requirements for Safety Critical Instruments and Control Systems”
Regulations: instruments that can monitor the variables and systems of the nuclear power plant throughout normal operation, expected operational events, design basis accidents and serious accidents must be provided to ensure full information on the
Discussion of Full Digital I&C System for AP1000
217
status of the nuclear power plant. Instrumentation and recording devices must be sufficient to provide practical and possible information for determining the plant status during a serious accident and for making decisions during accident management [9].
AP1000 response: a large screen display associated with the process information and control system shows the overall status and main parameters of the plant; a safety control area based on the normal display equipment of the safety information and control system, or a computer display screen, is used as backup when the safety information and control system is not available.

4.2.2 Section 6.4.4 “Application of Computer Based Systems in Safety Critical Systems”
Regulations: when a safety important system is designed to rely on the reliability of a computer-based system, the corresponding standards for the development and test/verification of computer hardware and software must be determined or formulated, and must be implemented throughout the whole life of the system, especially during the development of the software. An appropriate quality assurance program must be implemented throughout the development process [9].
AP1000 response: WCAP-16096-A provides a design process planned for common Q software development at all stages of the life cycle. The NRC used the criteria of R.G 1.152 and R.G 1.168 to review and approve it [10]. The standards and regulations are also updated, which are limited to the following stages: concept stage, requirement stage, design stage, implementation stage, test stage and installation inspection stage.

4.2.3 Section 6.4.4 “Automatic Control”
Regulation: all safety actions must be automatic so that no operator intervention is required for a reasonable period of time after an expected operational event or design basis accident begins. In addition, the operator must be able to obtain appropriate information to monitor the effect of the automatic action [9].
AP1000 response: in a design basis accident, the AP1000 automatically triggers the safety-related actions necessary to protect the plant. The design of the plant systems provides the operator with the necessary information to monitor the plant status and evaluate the performance of the safety-related passive systems and the safety-independent active systems. The active systems are designed to trigger automatically, provide defense in depth against various events in the power plant, and prevent unnecessary start-up of the safety-related passive systems. The plant design provides manual start-up capability for the safety-related systems and the safety-independent defense-in-depth systems as a backup to automatic start.
5 Conclusions

Through the research and discussion on the digital I&C system of AP1000, it has a far-reaching impact on follow-up work and good practical significance.
5.1 Supplement and Improvement of Laws and Standards

In terms of nuclear safety laws and regulations, the United States, Russia, the United Kingdom and other countries with early development of nuclear power adopt the mode of a single independent atomic energy law, that is, only the atomic energy law is formulated. After the Fukushima nuclear accident, Japan and South Korea separated the “atomic energy law” into a “nuclear energy utilization promotion law” and a “nuclear safety law” in 2012. China's current nuclear safety laws are only the “law on prevention and control of radioactive pollution” and the “nuclear safety law”. China should learn from the experience of developed countries and regions, and establish and improve a nuclear safety law and regulation system with Chinese characteristics and in line with the world. This is embodied in a complete legal system based on the security provisions of the constitution, with a comprehensive nuclear safety law as the core, single special nuclear safety laws as the backbone, international nuclear safety treaties as the supplement, and technical documents as the support.

5.2 Safety Construction of Nuclear Power Construction

In the process of nuclear power construction, one should proceed from the overall situation, understand the general situation, consider the overall situation, and thoroughly implement the overall layout. Ensuring the safety of nuclear power is the basis for the continuous development of nuclear power in China. The country should continue to improve the safety level of nuclear power units in operation and under construction, and continue to enhance public recognition of and support for nuclear power. AP1000 has the world's most advanced third-generation nuclear power technology, which provides guidance for China's nuclear power construction and development.

Specifically, the relationship between development and safety, and between progress and quality, should be handled well; the quality assurance system improved; the construction of a safety culture strengthened; respective responsibilities clarified and earnestly fulfilled; everyone made a safety barrier; and the sound and rapid development of nuclear power ensured.

5.3 Safety Supervision of Nuclear Power Construction

Referring to the concept of AP1000 safety supervision, China's nuclear safety supervision must employ sufficient full-time professionals with the corresponding ability to perform their functions and responsibilities. Due to the professional nature of nuclear facility safety standards, the regulatory technical system and hardware equipment, the requirements for the professional quality and engineering experience of regulatory personnel are strict. A new person needs a long period of training to acquire the ability to perform safety regulatory duties. This kind of training requires not only training in theoretical knowledge but also exercise at work and the accumulation of experience. Exploring effective talent training methods and modes is the key to strengthening the capacity building of nuclear safety institutions in the future.
Discussion of Full Digital I&C System for AP1000
219
Discuss on Consistency Evaluation of 1E Cable Accessories Products and Qualification Prototype of Nuclear Power Plant
Jing-Yuan Yang1, Shan Jin2, Yuan Yao1, Yang-Yang Chen1(B), and Tian-Lei Ren3
1 Nuclear and Radiation Safety Center, Beijing, China
2 China Nuclear Power Engineering Co., Ltd., Beijing, China
3 China Nuclear Power Engineering Co., Ltd., Shenzhen, China
Abstract. Nuclear power plant equipment qualification is the means of proving that equipment can perform its safety functions under the environmental conditions it may experience during its lifetime. Class 1E cable accessories for nuclear power plants are mature industrial products with a fine division of labor, and in actual production there is a certain difference between the delivered product and the qualification prototype. This paper studies the conformance criteria between 1E cable accessory products and their qualification prototype for nuclear power plants. It analyzes the relevant requirements of IEEE 323, IEEE 383, RCC-E and QME-1, and describes the conformance evaluation process applied to the cable accessories of one project, providing a technical reference for evaluating the consistency of products with their qualification prototype.
Keywords: Cable accessories · Products · Qualification prototype · Consistency
1 Introduction
Nuclear power plant 1E cable accessories are the straight-through, branch and transition joints that connect two or more cables under the plant's operating conditions [1]. The 1E cable accessories used in China's nuclear power plants are mainly made of heat-shrinkable material. Heat-shrinkable material is a shape-memory polymer: an ordinary polymer acquires a memory effect after being cross-linked by irradiation, and the expanded sleeve contracts and wraps tightly around the outer surface of the cable when heated with a hot-air gun or another heat source. The cable accessory thus forms the outer surface of the cable and provides insulation, sealing, protection and connection. A 1E cable joint is part of the cable system, and its safety class and qualification should be the same as those of the connected cable. Because of the particular materials and uses of cable accessories, they tend to become the quality weak point and fault location of the whole cable system. For reasons of cost and time, manufacturers often select representative qualification prototypes for the actual equipment qualification and extend the qualification of the sample to "similar" equipment. During regulatory review it has repeatedly been found that the procured equipment and the qualification prototype are inconsistent. However, the regulatory requirements on the consistency of the actual product with the qualification prototype have no unified review principles, scope or key points. This paper discusses these problems, proposes views on them, and evaluates the consistency of the cable accessory products and qualification prototype of one project.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 220–231, 2022. https://doi.org/10.1007/978-981-19-1181-1_21
2 Standard Requirements
For the main reactor types of China's nuclear power plants, the main standard series used in nuclear safety equipment qualification practice are IEEE 323-2003, RCC-E 2005, ASME QME-1 and EPRI TR 100516. This section reviews what they say about the representativeness of the qualification prototype and the consistency of the product with the qualification prototype.
2.1 IEEE 323-2003
IEEE 323 requires the qualification prototype to be equal to, or to envelop, the actual equipment in materials, environmental stress (environmental conditions), aging mechanisms and function [2]. For appearance and dimensions, the standard calls for the same or similar and allows changes under certain conditions. IEEE 323-2003 does not explicitly state representativeness or extrapolation requirements for the qualification prototype in quality control, production process and other performance parameters. However, Section 6.4 requires that, once qualification has been completed, changes in design, material, manufacturing process, installation conditions and so on be evaluated or the equipment re-qualified.
2.2 RCC-E 2005
Volume B of RCC-E emphasizes a "manufacturing assessment" before product manufacturing, including assessment of the manufacturer's quality control system and a technical assessment [3]. During production the manufacturing process should be supervised and the actual equipment verified. To ensure that the actual equipment matches the qualification prototype, RCC-E refers to supervision of the production process, review of changes and sample tests.
2.3 ASME QME-1
ASME QME-1 describes the qualification prototype and the actual equipment in more detail, and this guidance is also useful for electrical equipment. According to QME-1 QR-A7132, the representativeness of the qualification prototype can be demonstrated by comparing manufacturer, equipment model, serial number, dynamic properties, structure and operating characteristics. These characteristics are also used to judge whether the qualification conclusions cover the product [4].
222
J.-Y. Yang et al.
2.4 EPRI TR 100516
This manual emphasizes analysing the differences between the actual equipment and the qualification prototype to determine the representativeness of the prototype and the applicability of the qualification conclusions to the actual equipment. The main points of the analysis are: identify material and manufacturing differences between the actual equipment and the qualification prototype; identify installation differences; determine whether there is sufficient qualification information to address those differences; assess their impact on performance and qualification; and evaluate any significant impact [5].
This review shows that the standards set representativeness requirements for the prototype in design, manufacturing and physical characteristics, and consistency requirements for the product and the prototype in quality control and supervision activities. Even for items manufactured on the same production line with the same design, manufacturing process and quality control level, there will still be differences in performance parameters between the qualified prototype and the actual equipment. Therefore the consistency evaluation of the product and the qualification prototype is mainly analysed from two aspects: consistency of equipment performance and consistency of equipment quality.
3 Main Performance Indicators and Test Items
Class 1E cable accessories mainly consist of heat-shrinkable sleeves, branch sleeves, stress control tubes, sealing tubes, insulating sleeves and terminals. They provide insulation, stress relief, abrasion resistance and mechanical protection. Drawing on the relevant plant technical specifications and standards, Table 1 lists the performance indicators and test items of typical 1E cable accessories.
Table 1. Performance indicators and test items of typical safety cable joints
Test item | Test method | Insulation tube index | Sheath tube / branch sleeve index
Tensile strength | GB/T 1040 | ≥10 MPa | ≥12 MPa
Elongation at break | GB/T 1040 | ≥350% | ≥300%
AC withstand voltage | GB/T 12706.4 | 30 kV/cm for 5 min with no breakdown or flashover (both)
Volume resistivity | GB/T 1410 | ≥10^14 Ω·cm | ≥10^13 Ω·cm
Breakdown field strength | GB/T 1408 | ≥20 MV/m | ≥15 MV/m
Dielectric constant | GB/T 1409 | ≤4 | –
Hardness | GB/T 2411 | ≤80 (both)
Oxygen index | GB/T 2406 | ≥30 | –
Water absorption | GB/T 1034 | – | 23 °C, 24 h, ≤0.1%
Flame-retardant properties | GB/T 19666, GB/T 18380, IEC 60332, IEEE Std 1202 | flame retardant (both)
Thermal aging | GB/T 11026, IEEE 383, RCC-E, GB/T 22577 | retention of ≥50% of tensile strength and elongation at break, meeting the plant lifetime requirement (both)
Radiation aging test | IEC 60544-2, RCC-E, IEEE 383, GB/T 22577 | total dose received by the cable over the plant lifetime (60Co gamma irradiation) (both)
Irradiation exposure under accident conditions | GB/T 22577, IEEE 383, RCC-E | irradiation dose under accident conditions (60Co gamma irradiation) (both)
LOCA conditions | EJ/T 1197, RCC-E, IEEE 383, IEEE 323 | containment chemical spray test under accident ambient conditions (both)
The qualification tests for 1E cable accessories generally include conventional type tests and functional qualification tests. Conventional type tests include performance tests on insulating tubes and branch sleeves, hot-melt adhesive performance tests, and conventional electrical tests on the assembled cable accessories. Functional qualification tests include accelerated thermal aging, irradiation aging under normal operating conditions, irradiation under severe accident conditions, simulation of severe accident conditions, post-accident immersion, and bundled-cable combustion tests. Factory tests mainly comprise: routine tests on every product, including appearance, wall-thickness unevenness, length change rate, thermal shock and restricted shrinkage; and sampling tests on each batch (a batch being products made from the same raw materials with the same process), including tensile strength, elongation at break and other items.
4 Evaluation Plan
To verify the performance of the product, this paper evaluates the consistency of the cable accessory products supplied to a certain project with their qualification prototype. Taking the requirements of the standards and specifications into account, technical evaluation and sampling verification are combined, and the evaluation plan is analysed and formulated from three aspects: design consistency, quality consistency and performance consistency.
4.1 Design Consistency
Function. The functions performed by the actual equipment do not exceed the scope of the qualification prototype.
Failure mode. For performance degradation and functional failure caused by the same initiating event and environmental stress, the actual equipment does not exceed the scope of the qualification prototype.
Material. The product and the qualification prototype are not from the same material batch; the insulation, sheath, filler, shielding and other materials must be consistent, and this consistency should be confirmed by verification.
Structure. A cable accessory comprises several parts: the insulating tubes differ in size and the branch sleeves differ in the number and size of branches. On comparison, the models selected for the qualification prototype cover the models supplied in this batch. Representative samples should be selected for verification in terms of size and number of branches.
Installation. The qualification prototype covered both separate finger gloves and cable accessory kits. The actual equipment performs its functions in kit form, which is more conservative from the safety point of view. The installation interface, orientation, fixing method, protection level, specification and quantity are also more conservative and do not go beyond the qualification scope of the prototype.
4.2 Quality Consistency
Quality assurance system: the design and manufacturing activities of the qualification prototype and of the actual product are covered by the same quality assurance system, and the quality assurance requirements in the project quality assurance program and procedures for the actual product are consistent with those for the qualification prototype.
Manufacturing process: the supplier has undertaken that each step and control of the manufacturing process for the actual equipment is equivalent to that of the qualification prototype, and that the inspection level and the sense of responsibility and technical capability of the personnel engaged in production and inspection of the actual equipment are equivalent to those for the qualification prototype. However, changes in conditions such as personnel, raw material and component suppliers, specifications and models, production equipment and environment must be verified to demonstrate consistency.
4.3 Performance Consistency
There is no need to discuss the similarity between the environmental conditions of the prototype qualification and the actual normal-operation and accident environmental conditions of the equipment: the qualification environmental conditions are generally required to envelop (be more severe than) the actual environmental conditions. Therefore the analysis of the consistency of the product with the qualified prototype focuses on the equipment itself. For the physical characteristics, some qualification test items can be selected for verification. To evaluate the consistency of the product with the qualification prototype, selected qualification test items are used to verify the consistency of design, quality and performance.
Based on the thermal aging parameters in the qualification test report and the Arrhenius accelerated-aging relationship, the accelerated thermal aging test parameters for the cable accessories are calculated as 207.9 h at 170 °C. In the radiation aging test of the qualification, the total gamma dose applied to the nuclear-grade cable accessories was 215 Mrad, comprising the cumulative lifetime dose of 50 Mrad (IEEE 383) and 165 Mrad (150 Mrad plus 10% margin) for the DBE conditions. In the LOCA test of the qualification, the test samples were sprayed with chemical solution from the sixth hour until the end of the test; the spray solution consisted of 0.28 mol H3BO3 and 0.064 mol Na2S2O3, diluted with NaOH to a pH of 10.5 at 25 °C ± 5 °C. For the flame-retardant test, the heat-shrinkable tube is shrunk onto multiple cables in accordance with IEEE 1202-1991 and the specimen is exposed to flame for the time and at the intensity required by the standard; the char height verifies the flame-retardant performance. Because the irradiation test, the LOCA test and the bundle combustion test take a long time and are costly, this evaluation uses report analysis for them. The flame-retardant properties of the cable accessories are verified indirectly through the oxygen index and a material burning test, referencing ASTM D2863 and ASTM D635 respectively.
In addition, a spectral test can quickly and simply characterize the chemical structure of the material at the molecular level; if the chemical structures of two materials agree at the molecular level, their material properties can be expected to agree as well. However, because the qualification test was carried out long ago, the materials of the qualification prototype and of the product cannot be compared directly. Therefore products from different raw-material and manufacturing batches are compared with the material of this batch to verify the consistency of materials and process control. The final evaluation plan is shown in Table 2.
Table 2. Evaluation plan
Test item | Reference standard | Evaluation plan
Breakdown field strength test | GB/T 1408.1-2016 | Sampling test
Oxygen index test | ASTM D2863 | Sampling test
Spectral test | GB/T 6040-2019 | Sampling test
Burning test | GB/T 2408-2008 | Sampling test
Accelerated thermal aging test | GB/T 2951.12-2008, qualification test report, IEEE 383 | Sampling test
Mechanical performance test after thermal aging | GB/T 2951.11-2008, qualification test report, IEEE 383 | Sampling test
Electrical performance test after thermal aging | GB/T 22577, GB/T 3048.5, GB/T 3048.8, IEEE 383 | Sampling test
Irradiation aging test (qualification test report) | IEEE 383 | Report analysis
Accident radiation exposure test (qualification test report) | IEEE 383 | Report analysis
LOCA accident and post-accident test (qualification test report) | IEEE 383 | Report analysis
5 Test Content
5.1 Test Samples
Two batches of equipment, designated batch A and batch B, were selected for the test. The sampled equipment includes heat-shrinkable tubing, heat-shrinkable finger sleeves, heat-shrinkable end caps and heat-shrinkable kits (composed of heat-shrinkable tubing, finger sleeves and end caps). Because the test samples are taken from batches actually delivered, the total number of samples cannot be large, and the sizes of the different parts cannot meet the needs of every test. The specific sampling distribution is shown in Table 3.
Table 3. The specific sampling distribution
Batch | Breakdown field strength, oxygen index | Spectral test | Combustion test | Mechanical performance test after thermal aging | Electrical performance test after thermal aging
A | Heat shrinkable tube A1 | Heat shrinkable finger cot A2 | – | Heat shrinkable end cap A3, heat shrinkable finger cot A4 | Heat shrinkable kit A5
B | – | Heat shrink finger cot B1 | Heat shrink finger cot B2 | – | –
5.2 Test Organization
The testing organization holds the corresponding third-party qualifications. It must state the name, model and specification, serial number, measuring range and certificate validity period of each measuring instrument and item of special test equipment, and must provide the calibration certificates of the equipment used and the qualification certificates of the test personnel to prove their validity.
5.3 Test Equipment
In addition to general test instruments, the special test equipment of the testing organization mainly includes:
1) Electronic tensile testing machine (No. ISTCW-M-128-2017/1710);
2) AC dielectric strength tester (No. ISTCW-M-002-2016);
3) High insulation resistance tester (No. ISTCW-M-017-2016);
4) HJC-100 kV computer-controlled voltage breakdown tester (No. HJC026);
5) Power-frequency withstand voltage test system (No. ISTCW-M-053-2016);
6) Oxygen index analyzer (No. 161340);
7) Precision aging oven (No. ISTCW-M-074-2016);
8) Plastic burning test machine (No. ZJ4025);
9) Fourier transform infrared spectrometer (No. JL0361);
10) Extension ruler (No. ISTWC-M-094–2016).
5.4 Test Implementation and Results
1. Breakdown field strength. The breakdown test is carried out in an insulating liquid (oil) using the rapid voltage-rise method of clause 10.1 of GB/T 1408.1-2016 [6]. The details are given in Table 4.
Table 4. Breakdown field strength test implementation and results
Item | Sample | Test environment | Requirements | Test results
Breakdown field strength | A1 | Pretreatment: ambient temperature 23 °C, 24 h, relative humidity 50%; voltage rise rate 2000 V/s | ≥14 MV/m | 25 MV/m
2. Oxygen index. Specimens are prepared according to ASTM D2863 [7]. The burning duration or burned length of the specimen is compared with the criterion given in the standard, and the minimum oxygen concentration is estimated from a series of tests at different oxygen concentrations. Three specimens are tested, and at least two must be judged to extinguish according to the standard. The details are given in Table 5.
Table 5. Oxygen index test implementation and results
Item | Sample | Test environment | Requirements | Test results
Oxygen index | A1 | Pretreatment: ambient temperature 23 °C, 60 h, relative humidity 50%; ignition method A | ≥28 | 30
3. Spectral test. The samples are heat-shrinkable finger sleeves B1 and A2; their spectra are shown in Fig. 1 and Fig. 2. Since each functional group absorbs in a specific wavenumber range, the position, intensity and shape of the absorption peaks in the two spectra were compared, and the two samples show high consistency.
Fig. 1. Infrared spectrum of sample B1
4. Burning test. The test is carried out in accordance with the horizontal burning method of GB/T 2408-2008; the specimen is 13 mm wide, about 2–3 mm thick and 70–80 mm long [8]. The details are given in Table 6.
Fig. 2. Infrared spectrum of sample A2
Table 6. Burning test implementation and results
Item | Sample | Test environment | Requirements | Test results
Burning test | B2 | – | – | Burning time after removing the flame: 0.3
[Table residue from the paper "Study on Earthquake Ground Motion Parameters of Seismic Instrumentation": a table giving, in columns for ≤ 0.3 g and > 0.3 g, the number of triaxial response spectrum recorders, triaxial peak accelerometers and seismic switches per location; the cell layout did not survive extraction.]
Study on Earthquake Ground Motion Parameters of Seismic Instrumentation
269
2.3 Seismic Instrument Types
The national standard for seismic design of NPPs revised in 2019 (GB 50267-2019) stipulates that NPPs should be equipped with a seismic monitoring and alarm system [7]. The system should operate reliably in normal times and under an OBE, and the earthquake alarm criterion should be fully demonstrated. This is a new requirement, and the standard specially emphasizes that the alarm criterion be fully demonstrated. At present, the main earthquake alarm criterion is the PGA. Taking Yangjiang NPP Units 3 and 4 as an example, the OBE alarm is triggered by seven triaxial accelerometers (Table 4): when any one of them exceeds the OBE level, the OBE alarm is raised. This is 1-out-of-7 logic, and whether to stop operation of the NPP is then decided according to the situation.
Table 4. Seismic instrumentation system of NPPs
No | Sensor location | Seismic instruments
1 | Free field | Triaxial accelerometer
2 | Raft foundation of reactor building of Unit 3 | Triaxial accelerometer
3 | Containment structure in reactor building of Unit 3 | Triaxial accelerometer
4 | Raft foundation of nuclear auxiliary building | Triaxial accelerometer
5 | Raft foundation of Unit 4 reactor building | Triaxial accelerometer
6 | Containment structure of Unit 3 | Triaxial accelerometer
7 | Nuclear auxiliary building | Triaxial accelerometer
270
L. Li et al.
3 Relevant Suggestions in This Paper
3.1 Selection of Ground Motion Parameters
This paper fully considers the three elements of ground motion, namely intensity (amplitude), frequency spectrum and duration, and proposes a new method. First, the ground motion time history is filtered to remove the high-frequency, non-destructive small-earthquake content. Then the three components are combined into a resultant and an appropriate duration is selected. Finally, a stable acceleration alarm threshold is obtained. Regarding the filtering band, Li Liang's research on intensity calculation methods based on ground motion parameters [8] analysed the influence of different frequency bands on acceleration time histories and found that filtering has little influence on most of them, with a change rate of less than 20%; but for small earthquakes at short epicentral distance the effect of filtering is obvious, and the change rate before and after filtering even reaches 90%. The dominant frequency bands of NPPs generally differ, and this paper proposes a 2–10 Hz band-pass filter. To illustrate the method, a three-component ground motion time history from KiK-net is taken as an example and each component is filtered [9]. Fig. 1 compares the three-component acceleration time histories before and after filtering, and Fig. 2 shows the resultant vector acceleration of the filtered three-dimensional time history, whose values are all non-negative. The effective peak acceleration sustained for 0.3 s or more is taken from it (see Fig. 2), which gives the acceleration alarm value.
Fig. 1. Comparison between the acceleration time histories with and without filtering
Fig. 2. Acceleration time history synthesized from the three components (axes: acc / gal, 0–60; time / s, 0–100)
3.2 Seismic Instrument Configuration and Alarm Logic
In addition to the original seismic instruments, three triaxial accelerometers with a three-dimensional synthesis function are added in the free field (Table 5), and 2-out-of-4 alarm logic is adopted, as shown in Fig. 3.
Table 5. Seismic instruments recommended in this paper
No | Sensor location | Seismic instruments | Remarks
1 | Free field of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Added
2 | Free field of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Added
3 | Free field of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Added
4 | Free field of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Original
5 | Raft foundation of reactor building of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Original
6 | Containment structure in reactor building of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Original
7 | Raft foundation of nuclear auxiliary building | Triaxial accelerometer (with three-dimensional synthesis function) | Original
8 | Raft foundation of Unit 4 reactor building | Triaxial accelerometer (with three-dimensional synthesis function) | Original
9 | Containment structure of Unit 3 | Triaxial accelerometer (with three-dimensional synthesis function) | Original
10 | Nuclear auxiliary building | Triaxial accelerometer (with three-dimensional synthesis function) | Original
Fig. 3. Acceleration alarm of 2 out of 4
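The filter, resultant and duration steps of Section 3.1 together with the voting logic of Section 3.2, as an added Python example that is not part of this paper. The paper does not give its filter design and does not define "effective peak acceleration of 0.3 s or more" numerically, so this block assumes a windowed-sinc FIR band-pass for the 2–10 Hz band and reads the duration criterion as the largest 0.3 s moving average of the resultant; the 100 Hz record with 2 s of 5 Hz shaking, a single-sample spike and 30 Hz noise is a constructed input, not KiK-net data. `vote` is k-out-of-n trip logic, so the same channel readings can be compared under 1-out-of-7 and 2-out-of-4.

```python
import math

FS = 100.0               # constructed sampling rate, samples/s (assumed)
BAND_HZ = (2.0, 10.0)    # the 2-10 Hz band proposed in the paper
WINDOW_S = 0.3           # the 0.3 s duration used in the paper
TAPS = 201               # FIR length, assumed (2 s at 100 Hz)


def bandpass_fir(low_hz, high_hz, fs, taps=TAPS):
    """Windowed-sinc (Hamming) linear-phase FIR band-pass coefficients."""
    m = (taps - 1) // 2
    fl, fh = low_hz / fs, high_hz / fs
    coeffs = []
    for n in range(taps):
        k = n - m
        if k == 0:
            ideal = 2.0 * (fh - fl)
        else:
            ideal = (math.sin(2 * math.pi * fh * k) - math.sin(2 * math.pi * fl * k)) / (math.pi * k)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / (taps - 1))
        coeffs.append(ideal * window)
    return coeffs


def filter_aligned(x, h):
    """Convolve x with h, shifted by the group delay so output stays aligned with input."""
    m = (len(h) - 1) // 2
    n = len(x)
    out = []
    for i in range(n):
        acc = 0.0
        for j, hj in enumerate(h):
            idx = i + m - j
            if 0 <= idx < n:          # zero-padded edges
                acc += hj * x[idx]
        out.append(acc)
    return out


def resultant(ax, ay, az):
    """Vector magnitude of the three components; non-negative like the paper's Fig. 2."""
    return [math.sqrt(a * a + b * b + c * c) for a, b, c in zip(ax, ay, az)]


def sustained_level(mag, fs, window_s=WINDOW_S):
    """Largest moving average of the resultant over window_s (assumed reading of the 0.3 s criterion)."""
    w = max(1, int(round(window_s * fs)))
    if len(mag) <= w:
        return sum(mag) / len(mag)
    s = sum(mag[:w])
    best = s / w
    for i in range(w, len(mag)):
        s += mag[i] - mag[i - w]
        best = max(best, s / w)
    return best


def raw_pga(ax, ay, az):
    """Conventional PGA of the unfiltered record: the single largest resultant sample."""
    return max(resultant(ax, ay, az))


def alarm_value(ax, ay, az, fs=FS):
    """Filter each component, form the resultant, then take the sustained level."""
    h = bandpass_fir(BAND_HZ[0], BAND_HZ[1], fs)
    fx, fy, fz = (filter_aligned(c, h) for c in (ax, ay, az))
    return sustained_level(resultant(fx, fy, fz), fs)


def vote(channel_values, threshold, k):
    """k-out-of-n alarm logic over per-sensor alarm values."""
    return sum(1 for v in channel_values if v >= threshold) >= k


def make_record(sine_gal=50.0, spike_gal=500.0, seconds=9.0, fs=FS):
    """Constructed three-component record in gal (not measured data)."""
    n = int(seconds * fs)
    ax, ay, az = [0.0] * n, [0.0] * n, [0.0] * n
    for i in range(n):
        t = i / fs
        if 2.0 <= t < 4.0:                                   # 2 s of 5 Hz shaking, in band
            ax[i] += sine_gal * math.sin(2 * math.pi * 5.0 * t)
            ay[i] += 0.5 * sine_gal * math.sin(2 * math.pi * 5.0 * t + 1.0)
        az[i] += 5.0 * math.sin(2 * math.pi * 30.0 * t)      # 30 Hz content, out of band
    ax[int(7.0 * fs)] += spike_gal                           # one isolated sample spike
    return ax, ay, az


if __name__ == "__main__":
    ax, ay, az = make_record()
    print(f"raw PGA            = {raw_pga(ax, ay, az):.1f} gal (dominated by the spike)")
    level = alarm_value(ax, ay, az)
    print(f"filtered 0.3 s level = {level:.1f} gal (dominated by the 5 Hz shaking)")
    sx, sy, sz = make_record(sine_gal=0.0)
    print(f"spike-only level   = {alarm_value(sx, sy, sz):.1f} gal")
    readings = [level, level, 0.0, level]                   # four free-field channels (assumed)
    print("2-out-of-4 alarm at 30 gal:", vote(readings, 30.0, 2))
```

The raw PGA of this record is set by the one-sample spike, while the filtered, duration-weighted value is set by the sustained 5 Hz motion; that is the separation the paper's first suggestion relies on, and the voting function then shows why one spiking channel cannot raise a 2-out-of-4 alarm on its own.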
3.3 Setting ASTS in High-Intensity Sites
At present, the second-generation NPPs in operation in China are not equipped with an ASTS. In some countries, especially in strong-earthquake areas, an ASTS is installed. In 2007, a magnitude 6.8 earthquake occurred in Niigata Prefecture, Japan; it triggered the earthquake alarm device, which automatically shut down the operating units [10]. After the Fukushima accident, the nuclear safety regulators of South Korea and other countries or regions all required installation of an ASTS. As seen in Table 3, Japan mandates an ASTS through Ministry of International Trade and Industry (MITI) Order 62 [11]. Before the Niigata Chuetsu-oki earthquake in 2007, MITI recommended 0.9 S1, where S1 is the maximum design earthquake, as the trip setpoint, referencing the JEAG 4601 (Japan Electric Association Guideline) criteria [12]. However, the Nuclear Safety Commission has since changed the trip setpoint, incorporating the lessons learned from the Niigata earthquake; the revised setpoint is 120 gal (Table 6).
Table 6. ASTS design characteristics of four countries
Nation | Background of ASTS | Basis of setpoint | Sensor installation
Japan | Mandated by regulatory authority | 120 gal (before 2006, 0.9 SSE) | Free field
USA | Optional | OBE | –
China | Optional | OBE | –
Korea | Mandated by regulatory authority | 0.18 g | –
The southeast coast of China is an earthquake-prone, high-intensity area, and Fujian Province has the widest distribution of such zones; Ningde NPP Units 1–4 and Fuqing NPP Units 1–4 are located there. It is suggested that an ASTS be set up in high-intensity areas. As for the principle for setting the shutdown threshold: the low trigger level (alarm) should be close to the OBE (usually related to the operating limit), an earthquake that does not cause serious damage to SSCs; for the ASTS, the maximum threshold and the reactor trip level should be determined according to the SSE. It should also be borne in mind that an earthquake of that level may seriously damage the area near the site, with loss of off-site power and interruption of the water supply for residual heat removal. All emergency procedures and operator actions should be consistent with this scenario.
4 Conclusion and Suggestions
Through the above analysis, this paper puts forward four suggestions.
(i) It is suggested that the earthquake alarm criterion based on the PGA be changed to parameters that consider the three elements of ground motion (amplitude, spectrum and duration). At the same time, the 1-out-of-7 alarm logic should be changed to 2-out-of-4, which is more stable and avoids the influence of an isolated, prominent single high-frequency acceleration spike on the ground motion assessment.
(ii) It is suggested that the peak accelerometers be cancelled and replaced by time-history accelerometers. After an earthquake, obtaining the peak of the ground motion from a peak accelerometer requires taking it back to the laboratory and reading the PGA under a magnifying glass, which is very unfavorable for timeliness. It should be noted that although the Chinese standards for seismic instrumentation design of NPPs all require peak accelerometers, in practical engineering they have been replaced by more advanced accelerometers and calculation software.
(iii) It is suggested that an ASTS with a reasonable shutdown threshold be set up in high-intensity areas such as Fujian Province.
(iv) It is suggested that a requirement for regular data collection and analysis be added. More and more NPPs are in operation in China; the monitoring data of the seismic instruments should be put to good use, collected and analysed regularly, to support the periodic safety review of NPPs and continuously improve their seismic safety.
Acknowledgments. This research was funded by the National Key Research and Development Program "Aging Degradation Behavior and Prediction Model of Important Structures and Equipment Materials of In-Service Nuclear Power Plants" (No. 2019YFB1900900). This paper was prepared to document work performed by the Nuclear and Radiation Safety Center, Ministry of Ecology and Environment (NSC). This paper is an independent product and does not reflect the view or regulatory position of NSC.
Study on Implementing Supplemental Human-System Interfaces in Highly-Integrated Control Room Ting Mao(B) , Xiao-Mei Xu, Gang Zhang, Xue-Gang Zhang, Li-Ming Zhang, Yi-Chao Zhou, Bo Cheng, and Jie Zhou State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China [email protected]
Abstract. The rapid development of digital technology has promoted the application of digital human-system interfaces in the Highly-Integrated Control Room (HICR). However, how to identify the range of standby human-system interfaces (HSIs) needed after a digital human-system interface failure has always been a technical problem. This paper studies the process for establishing the supplemental HSI list applicable to the HICR, discusses the monitoring and control requirements of the nuclear power plant after the failure of the main digital HSIs, then proposes basic principles for the design of Spatially Dedicated and Continuously Visible HSIs, and provides a reference for the design of supplemental HSIs. Keywords: Highly-integrated control room · Supplemental human-system interface · Nuclear power plant
1 Introduction
Recently, digital instrumentation and control technology has been widely applied to third-generation nuclear power plants around the world. The Highly-Integrated Control Room (HICR) adopts a highly automated and information-integrated design, using displays and touch screens as the main Human-System Interfaces (HSIs) and providing operators with information-focused, automated, intelligent operation. The application of computerized HSIs in the MCR is a significant improvement. However, the widespread use of computerized HSIs has led to the following issues that must be taken into account in the design:
1) What HSIs are needed, in addition to the non-safety, selectable HSIs provided on control room workstations, to adequately support plant safety, reliability and operability goals?
This work was supported in part by the Guangdong Basic and Applied Basic Research Foundation (project No. 2019 B1515120060), and in part by the Open Funds of State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 274–282, 2022. https://doi.org/10.1007/978-981-19-1181-1_27
2) Because of the "keyhole effect" [1] (computer-based HSI components usually contain more displays and controls than can be viewed at one time on their display devices; because the total set of displays cannot be viewed at once, the user views portions of it one after another, like a person looking into a room through a keyhole in a door; this "keyhole effect" limits the number of soft controls that can be viewed or used at one time, forcing serial rather than parallel access), the operator may need to spend more time selecting the target, which may mean the operator cannot respond in time when an emergency occurs.
For some HSIs, regulatory requirements and the associated guidance documents are clear on which specific HSIs are needed and which design criteria should be applied. For others, they are not very clear and are subject to interpretation, or they are silent on what requirements apply. This paper explores how to identify and implement the set of HSIs that are needed, in addition to the selectable HSIs provided on HICR workstations, to adequately support plant safety, reliability and operability goals. For convenience, we define this kind of man-machine interface as "supplemental HSIs".
2 Regulatory Standards and Guidelines
The regulatory standards and guidelines are summarized as follows to capture the relevant requirements for supplemental HSIs.
1) IEC 60964-2019 (Nuclear power plants - Control rooms - Design) [2]. The main control room HSI design flow is as follows:
a) Determine the functional objectives of the main control room system design according to the plant operational safety goals.
b) Determine functional requirements based on the design goals.
c) Perform functional analysis and allocation.
d) Confirm the function allocation result.
e) Design and approve the functions of the HSIs (including the alarms, displays and controls required to complete the tasks).
2) 10 CFR 50.34 (Contents of applications; technical information) [3]. After the TMI-2 accident, the following safety monitoring and control needs are to be considered:
a) Safety Parameter Display System (SPDS; detailed requirements can be found in IEC 60960-1988 [4]).
b) Safety system bypass and available status indication.
c) Auxiliary feedwater system automatic start and flow display.
d) Inadequate core cooling indication, pressure vessel water level and core thermocouple indication.
e) Direct indication of relief and safety valve position (open or closed).
f) Post-accident monitoring.
g) Radiation monitoring in the plant.
3) IEEE Std 603-2009 (Safety Systems for Nuclear Power Generating Stations) [5]. The requirements for display and control of safety systems are as follows:
a) Indication of manually controlled actions for which no automatic control is provided.
b) Indication of safety system status.
c) Indication of bypass.
d) Manual control shall be provided for protective actions that have not been selected for automatic control.
e) Manual control shall be provided to maintain safe conditions after the protective actions are completed.
4) IEEE Std 497-2010 (Accident Monitoring Instrumentation for Nuclear Power Generating Stations) and RG 1.97 Rev. 4 (Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants) [6, 7]. IEEE Std 497 and RG 1.97 define five types of post-accident monitoring parameters, A/B/C/D/E, and make the following requirements:
a) For Type A and Type B variables, at least one redundant display segment shall be a continuous real-time display, either a validated digital display or a dedicated analog display.
b) For Type A, Type B and Type C variables, each category of variables should have at least one channel that can be used for data recording.
c) For Type A, Type B and Type C variables, the requirements of the single failure criterion, independence and separation, safety power supply, and seismic and environmental qualification shall be met.
d) If direct or immediate trend or rate information is essential for operator action, the trend information shall be continuously available on a dedicated trend display and selectively on another redundant trend display.
3 Supplemental HSIs Design Process
The design of the supplemental Human-System Interfaces needs to be determined in combination with the overall operation goal of the plant and the overall framework of the Instrumentation and Control. In this paper, the requirements of NUREG-0711 [8], ISG-05 [9] and other standards and regulations are studied. Combined with the design experience of the HICR, the design process for a supplemental HSI list is sorted out as follows:
1) Identify the functions and tasks to be performed by the supplemental HSIs: identify them according to the Probabilistic Safety Analysis (PSA), task analysis, etc., in combination with the failure mode analysis of the main HSIs.
The determination of the supplemental HSIs should be based on the analysis and allocation of the plant's functions, and the main HSIs allocated to the main control room should be clearly defined. Then the functional positioning of the supplemental HSIs is clarified. Generally, according to the plant's defense-in-depth principle and the corresponding instrumentation and control system for the defense-in-depth levels, the functions that the supplemental HSIs need to perform mainly include:
– During normal operation, when the main HSIs are unavailable, maintaining the plant in a steady state or executing unit withdrawal;
– In the event of an anticipated operational occurrence or design basis accident, bringing the plant to a controlled state and stabilizing it in a safe shutdown state;
– During normal operation, when the main HSIs are unavailable due to planned maintenance, performing monitoring and control of plant operation.
2) Identify the HSI resources required to complete the functions and tasks: determine the required controls, displays and alarms according to the key safety paths used in the Emergency Procedure Guidelines (EPG) and Emergency Operating Procedures (EOP). For a conceptual design, an initial determination can be made of what controls, displays and alarms are likely to be needed for each type of supplemental HSI, and approximately how many of these there will be. This information can then be used to scope out early design concepts for implementing these HSIs. At this conceptual design stage a detailed task analysis is not required; task analysis is needed later, during detailed design, to define the specific HFE requirements related to the supplemental HSI functions and tasks.
3) Determine the design principles for the selection of software and hardware HSIs: determine them according to the overall framework of Instrumentation and Control and the requirements of regulations and standards.
4) Define and evaluate design options for implementing the supplemental HSIs, including the important tradeoffs in selecting an appropriate design concept.
– Determine the HSIs meeting the SDCV criterion: according to the requirements of regulations and standards, the key safety paths in the procedures, and the experience feedback of plant operation, determine the list of HSIs that need to be spatially dedicated and continuously visible (SDCV).
– The determination of which HSIs should be included in the set of supplemental HSIs, and how those HSIs should be implemented, depends on and interacts with decisions on the architecture of the I&C and information systems. Iteration between these activities may be needed to arrive at a final integrated solution that satisfies all the applicable requirements and design constraints.
Fig. 1. Process for identifying and implementing supplemental HSIs in a HICR
5) Verification and validation of the overall scheme of the Main Control Room: select typical human factors scenarios (it is recommended to refer to the risk-important actions of personnel) and verify and validate the overall human-computer interface of the control room on a simulator or simulation platform (Fig. 1).
4 Analysis of HSI Design Options
In the actual design process, the problem of HSI scheme selection may also be encountered. At present, the standards and regulations give no selection criterion between conventional and digital interfaces, nor do they make clear which equipment needs to meet the SDCV criterion or which may be reached in one operation. In the detailed design stage, the consideration of these issues can refer to the following.
4.1 Conventional Interface or Computer-Based Interface
There is no doubt that the computer-based interface has become the development trend. It can provide rich, integrated graphics, sufficient information and complete system functions in a centralized way. Dynamic and static display images are combined to reflect the real-time working conditions of the system conveniently, accurately and reliably. It can also use computerized process control to determine the optimal man-machine function allocation, provide display information matching the procedures, and improve the task execution efficiency of operators. However, its shortcomings are also obvious: the display is less intuitive, and the operator needs to spend more time becoming familiar with the system. In the actual design process, the following factors need to be considered as far as possible:
1) Minimize the number of HSI types, such as Display Unit, touch screen, conventional equipment, etc. The more HSI types there are, the greater the negative impact on operators.
2) Weigh the pros and cons of conventional and computerized means in many respects, including but not limited to those in Table 1.
Table 1. Comparison of conventional and computer-based HSI technologies
Aspect | Conventional | Computer-Based
Occupied space | Large | Small and compact
Operator movement and physical load | The operator has a large movement range and a high physical load | The operator has a small movement range and a low physical load
Intuition | Strong: information is obtained intuitively, with a low cognitive load | Weak: obtaining information takes a long time and carries a high cognitive load
Ease of qualification | Conventional equipment is more easily qualified than a computer-based system | Software qualification is particularly important when implementing safety-related functions
Maintainability | Maintenance is costly and difficult; traditional analog equipment may drift and so on, requiring regular maintenance and calibration | Easy to repair; periodic calibration is not required
Flexibility for future modification | Difficult to modify | Computer-based HSIs accommodate future changes more easily than conventional panels
Reliability | High | Low
Task support | Less | Provides more intelligent operator task support, such as automatic diagnosis and integrated alarm management
Fast accessibility | Quick | Slow
3) Consider the impact on procedure development and operator training. For example, in the renovation of an in-service plant, the acceptance of digital HSIs by the existing operators and the increased training effort must be considered. There are also differences between the development of digital procedures and the development of paper procedures, etc.
4.2 List of HSIs Meeting the SDCV Criterion
In the actual supplemental HSI design, the requirements of IEEE 603 for safety-related manual operation, of RG 1.97 and IEEE 497 for post-accident safety parameter display, and of IEC 60960 for the safety parameter display system are integrated, and the following selection principles for the list of HSIs meeting the SDCV criterion are put forward:
1) Indications supporting entry into accident procedures, and the important plant status information needed by the procedures;
2) Indications of failure of the main monitoring system;
3) PAMS Type A and Type B variables;
4) High-risk operations identified in the PSA analysis, operations needing a quick response, and the related supporting display information;
5) Initiating and confirming reactor shutdown, and manually starting the safety-related components.
4.3 Minimizing the Number of Different Types of HSIs Different types of HSIs require different operation methods, which can easily cause confusion to operators. In order to achieve the highest level of integration and consistency practical, it is important to try to consolidate as much as possible and minimize differences in the functional characteristics of the various HSI resources provided to the operators. Designers should take advantage of opportunities to consolidate HSIs to meet multiple requirements.
5 Suggested Scheme of Supplemental HSIs
There is a wide range of options available for implementing the supplemental HSIs, ranging from solutions using mostly conventional HSI technology to those employing primarily computer-based solutions using visual display units (VDUs) for display and control. In this paper, we take a computer-based solution aimed at the HICR as the example. According to the above analysis and the requirements of regulations and standards, a set of schemes for standby HSIs is proposed, as shown in Fig. 2. It should be noted that the actual quantity of HSIs will depend on the overall structure of the Instrumentation and Control and on the human factors requirements.
Fig. 2. Suggested scheme of supplemental HSIs
These include:
1) Large Display Panel: presents the overall plant status in a large-size arrangement after the failure of the main digital human-system interface;
2) Alarm panel: indicates entry into the accident procedures;
3) Post-accident parameter monitoring: used to indicate the Type A and Type B variables required by IEEE 497;
4) A small amount of hard-wired display and control (including the core cooling monitoring system (CCMS)): for operations requiring emergency response and for important status monitoring;
5) Safety Display Unit: used for safety-related parameter display;
6) Safety Control Unit: used for safety-related equipment operation;
7) Non-safety Display Unit: used for digital alarms, overall indication of procedures and supporting displays, and a small amount of non-safety displays and controls.
6 Conclusions
This paper discusses the identification and implementation of a set of HSIs that can meet the monitoring and control requirements of a nuclear power plant after the failure of the main computerized HSIs, and puts forward selection principles for the design of spatially dedicated and continuously visible HSIs. The design process of supplemental HSIs is studied, and finally a recommended scheme of standby supplemental interfaces is given, which provides a reference for the design of the HICR and for the renovation of in-service power plants.
References
1. NUREG-0700, Rev. 2: Human-System Interface Design Review Guidelines (2002)
2. IEC 60964: Nuclear Power Plants - Control Rooms - Design (2019)
3. 10 CFR 50.34: Contents of applications; technical information
4. IEC 60960: Functional design criteria for a safety parameter display system for nuclear power stations (1988)
5. IEEE Std 603: IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (2009)
6. IEEE Std 497: IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations (2010)
7. U.S. Nuclear Regulatory Commission: RG 1.97, Rev. 4: Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants (2006)
8. NUREG-0711, Rev. 3: Human Factors Engineering Program Review Model (2012)
9. U.S. Nuclear Regulatory Commission: Digital Instrumentation and Controls ISG-05, Highly Integrated Control Rooms: Human Factors Issues (2008)
Successful Integration of Human Factor into a New NPP Project
De Song-Su1,2(B)
1 China Nuclear Power Engineering Company, Ltd., Shenzhen 51800, China [email protected]
2 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen, China
Abstract. The article first reviews the background in which the human error issues arose, reviews some of the standards most crucial to the implementation of human factors engineering (HFE), and summarizes the key concepts and process widely recognized in the nuclear industry. Then it turns to the actual implementation of HFE in a practical case, analysing the key elements addressed in HFE standards while paying attention to experience gained through project practice, and refers to key aspects that should be noted during implementation. In the end it summarises the conclusions and provides some recommendations for HFE implementation. Keywords: HFE · Human error · Process of implementation · Key concerned items
1 Background
Since the Three Mile Island (TMI) accident, concerns over the safety of Nuclear Power Plants (NPPs) have been increasing, to such an extent that many countries have ceased to grant construction permits for new NPPs. Later, the scale seven Chernobyl accident in 1986 in Ukraine exacerbated this situation. In 2011, the Fukushima accident made the situation even worse, casting great doubt on the safety of NPPs. Investigation of the TMI accident showed that, although the safety problem was the issue, the design's insufficient consideration of operator factors, in particular the HMI design, contributed greatly to the cause of the accident. Since then, scientists and engineers have been focusing on topics such as how to incorporate operators into the design, and how to prevent and mitigate human errors and hence reduce the consequences for NPP safety. Many organizations are involved, and fruitful results have been produced. This article reviews some of the standards regarding human factor consideration in NPPs, summarizes the experience gained at Chinese NPPs, and then poses some recommendations for future human factor integration into NPPs.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 283–291, 2022. https://doi.org/10.1007/978-981-19-1181-1_28
2 Standards Overview
The primary role of standards is to standardize the process, material, application and testing of an "acquisition product" to ensure that the end product achieves the minimum attributes deemed essential to its service. Human factors requirements are normally objective-setting ones, i.e. they are not obligatory; however, compliance with them might improve the eventual human performance and so reduce risk and improve safety. It is thus beneficial to review the related standards and their history, to provide a good reference to designers. A broad range of organisations is involved in human factor standards development, and they have issued standards that are either general or focused on specific areas. To name a few, the organisations include the International Atomic Energy Agency (IAEA), the International Standard Organization (ISO), the Institute of Electrical and Electronics Engineers (IEEE), and some national agencies or departments such as the Nuclear Regulatory Commission (NRC), the American National Standards Institute (ANSI), the Federal Aviation Administration, the Department of Energy, the National Aeronautics and Space Administration (NASA), etc. The list cannot be exhaustively named here. The areas might be nuclear plants, chemical plants, aviation, or military service, etc., where human operations are intense and failure could normally lead to severe consequences. Nor will the areas be exhaustively listed, as it should be up to the designers and engineers to search for and then decide on the final suitable list for their Human Factor Engineering (HFE) work. As this article is focused on NPP projects, one criterion for selecting standards is their pertinence to the NPP area. If a standard's content is not heavily related to NPP projects, it is not selected. It should also be noted that only the most significant and general standards are selected.
2.1 IAEA Series
The most important one is Specific Safety Guide No. SSG-51, Human Factors Engineering in the Design of Nuclear Power Plants [1]. This Safety Guide provides recommendations on the application of human factors engineering (HFE) to meet the requirements established in IAEA Safety Standards Series No. SSR-2/1, Safety of Nuclear Power Plants: Design, Specific Safety Requirements; NS-R-2, Safety of Nuclear Power Plants: Commissioning and Operation; and GSR Part 4, Safety Assessment for Facilities and Activities [2–4]. The standard covers the lifecycle processes of programme management, analysis, design, verification and validation, implementation of the design, and human performance monitoring in a general but comprehensive way. Though it serves as a high-level standard, its appendix provides thirty-four additional detailed standards for reference, referring primarily to the ISO, IEC, NRC and IEEE series.
2.2 ISO/IEC Series
The four ISO subcommittees develop four categories of standards: general ergonomics principles, anthropometry and biomechanics, ergonomics of human-system interaction, and ergonomics of the physical environment.
The general ergonomics principles standards comprise primarily ISO 6385, Ergonomics principles in the design of work systems, and ISO 26800, Ergonomics - General approach, principles and concepts. These two serve as high-level standards and are applicable to various industries, including NPP facilities. Anthropometry and biomechanics standards: the series contains many specific standards applicable to anthropometric and biomechanical design, e.g. ISO 14738, Safety of machinery - Anthropometric requirements for the design of workstations at machinery, and Ergonomic design for the safety of machinery, Part 1 to Part 3, Principles for determining the dimensions required for openings for whole-body access into machinery, and anthropometric data. Ergonomics of human-system interaction: the series encompasses multiple standards dealing with human-machine interaction, of which the best known are the ISO 9241 subseries, dealing with human-computer interaction via visual displays, and ISO 11064, Part 1 to Part 7, concentrating on the design of control centres, which is widely adopted in NPP main control room design. Ergonomics of the physical environment: the subseries contains standards related to provisions for physical environment design, including heat, ventilation, humidity, vibration, noise, etc.
2.3 IEEE Series
IEEE also publishes various standards for HFE. For NPP projects, the best known is IEEE Std 1023, IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities, which is the high-level guidance for HFE for both new and upgrade projects. Inside the standard, a series of specific standards are also referred to. It provides good support for implementing human factor consideration at NPPs [5].
2.4 ANSI/NRC/DOE Series
The following standards are also referenced in design: ANSI: ANSI/HFES 100-2007, Human Factors Engineering of Computer Workstations [6].
This standard contains hardware design specifications that are based on accepted human factors engineering research and experience for computer workstations, their associated furniture, and the end user's workplace environment. NUREG-0711: Human Factors Engineering Program Review Model [7]. The standard is widely used on NPP projects. The purpose of these reviews is to verify that the HFE aspects of the plant are developed, designed and evaluated via a structured analysis founded on HFE principles that are acceptable to the NRC staff. The model encompasses twelve elements: HFE Program Management, Operating Experience Review, Functional Requirements Analysis and Function Allocation, Task Analysis, Staffing and Qualifications, Treatment of Important Human Actions, Human-System Interface Design, Procedure Development, Training Program Development, Human Factors Verification and Validation, Design Implementation, and Human Performance Monitoring.
The NRC also issues a series of standards for specific areas, e.g. NUREG/CR-6634 for computer-based procedures, NUREG-0700 for HMI design, and so on. The DOE also issues a series of standards for conducting HFE design, monitoring and performance improvement activities, e.g. DOE-HDBK-1140, Human Factors/Ergonomics Handbook for the Design for Ease of Maintenance; GPG-FM-027, Human Factors Engineering; DOE-STD-1029, Writer's Guide for Technical Procedures; and so on.
3 Human Factor Integration Process
3.1 General Process
The standard ISO/IEC/IEEE 15288, Systems and software engineering - System life cycle processes, classifies the systems engineering process into four major process groups: Agreement Processes, Organizational Project-Enabling Processes, Project Processes and Technical Processes; each process group contains more than one process [8]. Some of these processes align with the HFE processes (e.g. the processes associated with the twelve elements in NUREG-0711). For instance, the verification and validation process is also required in NUREG-0711, and the implementation process of ISO/IEC/IEEE 15288 is similar to the design implementation process of NUREG-0711. In conclusion, fulfilment of these processes can enhance the likelihood of project success. IEEE Std 1023 first advocates an iterative process for implementing HFE (see Fig. 1) [9].
Fig. 1. Engineering process model (STAR model) in IEEE Std 1023 [9]
IEEE Std 1023, in its appendix, also illustrates the HFE process that a new or upgrade project could reference. For example, in Fig. B.1 it presents HFE in the facility organisation, where the responsibilities are divided between the Facility Organisation and the HFE group. This specification and allocation provide a good example of specifying project activities and arranging the HFE responsibilities. In Fig. B.2 it presents HFE in the design process, and in Fig. B.3 HFE in the system upgrade process. Both figures give a general, graphical allocation of the various activities. For example, the design process is as shown in Fig. 2.
Fig. 2. HFE design process [10]. (Flow diagram in the original; the recoverable block titles and contents are:) Planning 6.2: HFE responsibilities, HFE activities, regulatory mandates, control of products, tracking and resolution of issues. Input: objective, operating experience, lessons learned, constraints. Analysis 6.3: System Analysis (needs and constraints, function analysis); Safety Analysis (design basis events, probabilistic risk assessment, human reliability analysis); Task Analysis (instrument and control list, annunciation requirements, procedure requirements, training requirements, staffing requirements, environmental characteristics). Design Criteria: engineering standards, HFE design guideline, facility conventions. Specification 6.4: design bases, allocation of control functions, design requirements, procurement requirements, performance requirements, environmental requirements. Tools and Methods: measures and criteria, review and comment, user feedback, models, mockups and prototypes. Verify Availability and Suitability: document review, design review. Validate Usability: preoperational tests, realistic test environment (e.g. high-fidelity simulator), representative range of tests. Operations and Maintenance 6.6: configuration and change control, facility/organizational trends, operating experience review, procedures, staffing and training, lifecycle changes and decommissioning.
3.2 Further Explanation to Key Processes
As is shown above, at a high level, the activities of the HFE process are alike. In this chapter, some key activities are cited and explained to express the considerations that should be taken into account when engineering an NPP project. The elements normally include HFE Programme Management, Operating Experience Feedback, Functional Requirements Analysis and Function Allocation, Task Analysis, Staffing and Qualifications, Treatment of Important Human Actions, Human-System Interface Design, Procedure Development, Training Program Development, Human Factors Verification and Validation, Design Implementation, and Human Performance Monitoring, although each of these twelve elements could be further decomposed into a number of activities or tasks.

3.2.1 HFE Programme Management
An HFE Programme is, by definition, ‘a set of related measures or activities with a particular long-term aim’. From the HFE perspective, a programme means a series of HFE activities needed to push forward the whole project. This element is further decomposed into general goals; HFE team, member qualification and organization; HFE process and procedures; HFE issue tracking; and HFE elements. The project organisation should organize the HFE organization well, staffing and qualifying it; it should also set aims to attain, build suitable processes and procedures and information management for HFE information, and arrange the other HFE elements such as analysis and procedure development. To direct the implementation of the various activities, the activities should be programmed into a practicable plan, termed the Human Factor Integration Plan (HFIP). The HFE team should track the carrying out of these activities against the plan, and track the trouble-shooting until the related issues are addressed.
3.2.2 Operating Experience Feedback
This activity aims to retain the good features of previous designs while correcting or preventing any undesirable features, through collecting, analysing and incorporating related experience derived from the previous fleet, peer NPPs, or other process industries. This is an imperative step, but also a rather difficult one to address reasonably and well, since a new project always evolves compared with previous facilities, and the pertinence and suitability of the experience feedback are thus difficult to decide. If a project fails to take the experience feedback seriously, e.g. the analysis is superficial and lacks a thorough true root cause investigation and punctual counter measures, the fundamental caveats might still exist and be passed on to the current project. The project should thus value experience feedback, and allocate sufficient resources to the activity.

3.2.3 Functional Requirements Analysis and Function Allocation
Functions are the activities or processes through which objectives are attained. So, whether the functions are fully identified, analysed and allocated in a balanced way between machine and human has a great influence on the achievability of the goals, the usability of the systems, the safety of the operation, and the satisfaction of the users.
However, the decomposition of the functions, their complete analysis and the understanding of their various features necessitate a great deal of work; a multi-disciplinary and experienced team should be gathered, and deep analysis should be conducted. This might entail a long period, which sometimes is subject to the project’s cost constraints and can lead to an incomplete result.

3.2.4 Task Analysis
Task analysis is normally a detailed decomposition and characterisation of operation tasks, thereby obtaining the detailed features of the targeted tasks. The results of task analysis are crucial for subsequent activities such as human system interface design, training programme development and procedure development, and even for the purposes of V&V and design implementation. To address the needs of such diverse objectives, a couple of dozen tools concerning Task Analysis have been developed. For instance, Kirwan introduced more than 40 techniques [11]. Most of these techniques concentrate on the five high-level elements: Person, Task, Equipment, Organisation and Environment (Fig. 3). The five elements could be further decomposed into detailed elements when performing the analysis. E.g. Person could be decomposed into anthropometric characteristics, and capabilities and limitations such as perception, decision-making, response rendering, short-term memory, attention, etc., depending on what aims the task analysis intends to arrive at.
Fig. 3. Human factors model of person–task–equipment system
Notwithstanding, the task analysis work also entails a great deal of effort, as the task list might be very large. Taking one NPP unit as an example, the final procedures might be several hundred thousand pages in volume, which are the detailed results derived from task analysis. Considering this, combining similar tasks and screening the tasks deemed important is critical. In reality, as a new NPP is an evolving rather than a revolutionary one, the analysis focus should be concentrated on the newly emerging tasks, the safety-significant ones, or those deemed complex.

3.2.5 Staffing and Qualifications
Organisation is crucial for the successful enforcement of the HFE programme. As such, experienced, skilful and knowledgeable staff are important, and the HFE team should be well equipped with them.

3.2.6 Treatment of Important Human Actions
Important human actions are those actions deemed probabilistically and deterministically safety-significant, the failure of which could lead to high risk to safety. A full identification, analysis and evaluation of all important human actions is crucial to facility safety, and this is also a proportionate approach affordable by the HFE team, as, compared with tasks, the important human actions are relatively limited in number. A suitable resource input could generate the desired result.

3.2.7 Human-System Interface Design
The Human System Interface is the means through which users interact with the systems, i.e. gaining displayed information, then forming a response strategy, and then enforcing the response actions. HSI design is a complex and comprehensive task, as a good HSI should not only barely fulfil the task implementation requirements, but also comply with a series of performance criteria such as error prevention, aesthetic compliance, multiple-task compatibility, and so on.

3.2.8 Training Programme and Procedure Development
These two activities are to produce suitable training courses and procedures for operation purposes; they are specifications dictating the training, qualification and requalification of operators, and instructions for the operation tasks.
During the development process, the owner’s staff should be involved in the project, and responsible for the development of the documents.

3.2.9 Design Implementation and V&V
Design implementation is the process through which the design is mapped into specific hardware, software and final products. The activity is normally assigned to the contractor, whereas the purchaser should be careful to make sure that the specifications are implemented while the performance criteria are guaranteed. V&V is, needless to say, an indispensable process through which the requirements/design is verified and validated. A well-designed plan should be set up, and a good sample of scenarios should be chosen prior to validation.
3.2.10 Performance Monitoring
When the systems/products are in service, performance is watched and weighed against standards. Designers should collaborate with the users to measure the performance, identify the gaps and make corrections if any are found.
4 Conclusion
New NPPs are being built to fulfil the energy demand of the people. A series of new projects are planned and undertaken to build the NPPs, during which the human factors elements play an increasingly important role. Unlike the physical and real objects at an NPP, human factor issues are complex and abstract, and in most cases are hard to fulfil concretely. A series of standards have been produced to support the incorporation of HF requirements into the system engineering process, whereas the standards themselves do not function spontaneously to produce the desired results. Endeavours must be undertaken and a well-designed plan should be established to procure the expected results. HFE engineers act on behalf of users, proposing the stakeholders’ needs and seeking to meet them. However, it is the system designers who are responsible for the system design. Thus HFE engineers and system designers should collaborate to promote a successful HF integration.
References
1. IAEA: SSG 51, Human Factors Engineering in the Design of Nuclear Power Plants. IAEA, Vienna, p. 1 (2019)
2. IAEA: SSR-2/1, Safety of Nuclear Power Plants: Design, Specific Safety Requirements. IAEA, Vienna, p. 1 (2016)
3. IAEA: SSR-2/2, Safety of Nuclear Power Plants: Design, Specific Safety Requirements. IAEA, Vienna, p. 1 (2011)
4. IAEA: GSR Part 1, Safety Assessment for Facilities and Activities. IAEA, Vienna, p. 1 (2009)
5. IEEE: IEEE std 1023, Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities. IEEE, p. 1 (2004)
6. ANSI: ANSI/HFES 100, Human Factors Engineering of Computer Workstations. ANSI, p. 1 (2007)
7. NRC: NUREG 0711, Human Factors Engineering Program Review Model, Rev. 3. NRC, p. iii (2012)
8. ISO/IEC/IEEE 15288, Systems and software engineering - System life cycle processes. ISO, p. 1 (2015)
9. IEEE: IEEE std 1023, Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities. IEEE, p. 12 (2004)
10. IEEE: IEEE std 1023, Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities. IEEE, p. 23 (2004)
11. Kirwan, Ainsworth: A Guide to Task Analysis. CRC Press, p. 1 (1992)
Using Confusion Matrix to Substantiate Confusability of Computer Based Procedure System
De-Song Su1,2(B), Jian-Bo Zhang1,2, and Zhi-Hui Xu1,2
1 China Nuclear Power Engineering Company, Ltd., Shenzhen 51800, China
[email protected]
2 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, Shenzhen, China
Abstract. Computer Based Procedure (CBP) is increasingly used at Nuclear Power Plants (NPP), whereas its reliability has become a concern due to the reliability of the platform on which it resides. The regulator raises concerns over the usability and availability of the CBP system (CBPS), and stipulates the need to substantiate them. Signal Detection Theory (SDT) and the Confusion Matrix (CM) provide the possibility to complete the substantiation. The article reviews the theoretical background of SDT and CM, defines the Delta Difference Number (DTN), constructs the CM based on a sample procedure, then interprets the significance behind the CM, and eventually provides a recommendation for reducing the confusability.
Keywords: Signal detection theory · CBPS · Confusion matrix · Delta difference number · Ergonomic improvement
1 Background
At one NPP project, the designer encountered a problem concerning the reliability of the Computer-Based Procedure System (CBPS): the CBPS is usually developed based on the paper operation procedure, and is used to aid operators in diagnosing and controlling the incidents or accidents that occur at the NPP [1]. The CBPS could be implemented with different levels of automation [2]. The problem arises when the platform implementing the CBP is an FC-3 (FC means safety Function Class) computer system rather than a higher-level qualified system (FC-1 or FC-2), and the CBP is used by the operators to control and stabilise the NPP under accident conditions, by aiding the operator in acquiring related displays, making decisions, forming a response plan, and then manoeuvring the FC-1 or FC-2 safety functions (through manual actions or equipment). As the reliability level of the CBPS is not consistent with that of the safety function requirement, the need to substantiate the reliability of the CBP arises. A lot of plant operation procedures can be computerized, e.g. Normal Operation Procedures, Abnormal Operation Procedures, Emergency Operation Procedures [3]. As the article is written to describe how to enhance the reliability of the concerned system by reducing confusion, only the diagnosis portion is involved while the detailed operation portion is excluded; the latter is less likely to err, as there is usually no diagnosis. The method adopted to substantiate is called the Confusion Matrix (CM), which is proved effective and practical for achieving the objective. To avoid any unnecessary intellectual property dispute, the illustration uses a hypothetical procedure, rather than the real one.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 292–300, 2022. https://doi.org/10.1007/978-981-19-1181-1_29
2 Description on Concerned CBPS
The concerned CBPS was developed through two major steps: step one, developing the Diagnosis Flowchart (DF, paper format); step two, computerizing the paper DF using the FC-3 computer. To illustrate, a sample Diagnosis Flowchart as shown in Fig. 1 is selected, where: START denotes the starting point of the procedure; Common paths is an abbreviation of the instructions; Test A, B, C, D denote the checks of whether the conditions or parameters comply with the preset criteria; EXIT 1, 2, 3, 4 denote the diagnosis exits of the DF.
Fig. 1. Sample diagnosis flowchart
Computerization of the paper procedure means implementing the logic with a computer system, using the associated configuring application, and then deploying it to the actual control system [4]. A sample CBPS architecture is shown in Fig. 2, where: Detector denotes the signal detector; Actuator denotes the equipment that performs functions; CBPS Server denotes the Calculation Server where the CBP calculation logic resides; Process Control Unit denotes the interface unit between the actuator and other signals; Display & Control Console (DCC) denotes the video screen for displaying and commanding purposes. The process by which the CBPS performs the automatic processing calculation is as follows:
Fig. 2. Sample CBPS
Step 1: Acquiring the signals needed for determining the True or False of the pertinent Test(s) from the network bus;
Step 2: Comparing the acquired value against the setpoint set at the Test(s), and deriving the binary value of the Test(s);
Step 3: Indicating the calculation result of the Test(s) of interest, e.g. by changing the colour of the diagnosis path on the display, or by displaying the result via an illuminated lamp on another screen, and then moving forward to the Test(s) immediately adjacent to the current Test(s);
Repeating the above steps until a diagnosis path is completed and one Exit is reached. For example, suppose that the CBPS has completed the calculation of Test A, Test B and Test D, where all these three tests (Test A, Test B and Test C) are computed True; then the whole diagnosis path is completed, with the diagnosis result EXIT 2. The related Tests and the path are indicated by the CBPS, as shown in Fig. 3.
As the CBPS server might be subject to a qualification limit, e.g. FC-3, whereas the detector, the transmission paths and the Process Control Unit might be FC-1 or FC-2, and FC-3 equipment is normally less reliable compared with FC-1 and FC-2, a discrepancy arises between the two kinds of equipment: whether the AP result is creditable for operators’ fulfilling their roles, and, if any unreliability occurs, whether operators are sufficiently cued and alerted so that they can adopt suitable recovery measures. To solve the discrepancy and certify the CBPS usable, substantiation must be made to demonstrate its reliability.
Fig. 3. A sample diagnosis result representation
3 Theory Introduction
In order to substantiate the reliability, several ideas must be clarified prior to the detailed process.

3.1 Human Reliability Enhancement Approaches
To promote human performance reliability, multiple approaches or techniques might be adopted. Normally, ergonomic theory considers task performance through five fundamental elements: Person, Task, Equipment, Organisation and Environment (see IEEE std 1023) [5]. Enhancing any of these elements can promote the reliability, e.g. if we improve the Person’s training, skill or experience, we can expect performance to be improved; likewise, if the Task is better organised, e.g. by reorganising the instructions of the procedure, or if we introduce redundant displays (cues, alerts, sound reminders, etc.), the operators can be cued in manifold ways, and thus they will be less likely to commit errors, so that the whole system’s functioning performance is enhanced.

3.2 Signal Detection Theory
Signal Detection Theory (SDT) concerns signal detection, processing and analysis. It originated in the electronics field and was later extended to engineering and psychological areas, where it denotes signal detection and prediction [6]. It is where the Confusion Matrix (CM) originated.
3.3 CM Theory
A Confusion Matrix (also known as an error matrix or contingency table) visually represents the difference between the actual and predicted classifications of a model. It is used to easily recognize how often a classification system mislabels one classification as another [7]. Originally the CM was used for classifiers, as illustrated in Fig. 4 [8].
Fig. 4. Sample CM.
The four quadrants in the CM and their interpretation:
• True Positive (TP) is an outcome where the model correctly predicts the positive class.
• True Negative (TN) is an outcome where the model correctly predicts the negative class.
• False Positive (FP) is an outcome where the model incorrectly predicts the positive class.
• False Negative (FN) is an outcome where the model incorrectly predicts the negative class.
It can be seen that the original usage of the CM, as illustrated, was to evaluate the prediction outcome against the actual values (the inputs). The idea can be expanded to discriminate the discrepancy characteristics of different items.
4 Substantiation of the CBPS Procedure
Based on the SDT and CM theory presented above, the confusability of the Procedure is substantiated (the Procedure might be deemed part of a Task; if its reliability is improved, so is the reliability of the whole CBPS). This section first defines the Delta Difference Number (DTN), illustrates how to construct the CM upon the sample procedure (flowchart diagram in Fig. 1), then derives the DTN between paired procedures, and then interprets the discrepancy via the DTN.

4.1 DTN Definition
The DTN is defined as the number of differences between two diagnosis paths, e.g. if one diagnosis path contains a test that is not in the paired path, the DTN is increased by one, and vice versa. To illustrate, take Fig. 1 as the base for constructing the CM. Suppose there are two diagnosis paths, Diagnosis Path 1 and Diagnosis Path 2. Diagnosis Path 1 passes through Test A, B, and C until it eventually ends at Exit 1, whereas Diagnosis Path 2 passes through Test A and Test E until it ends at Exit 4 (see Fig. 4). In this case, as the two paths share Test A, whereas Test B and Test C are exclusive to Diagnosis Path 1 (labelled by Exit 1) and Test E is exclusive to Diagnosis Path 2 (labelled by Exit 4), the total DTN between Diagnosis Path 1 and Diagnosis Path 2 is 3 (Test A, Test B and Test E, delta number count is 3) (Fig. 5).
Fig. 5. Defining DTN of paired procedures
4.2 Construct the CM of Paired Diagnosis Result
Following the illustrative approach in Sect. 3.1, a CM of the paired procedures can be constructed. Again, taking the Procedure in Fig. 1 as the base, by calculating the DTN between paired paths, one can derive a CM like Table 1.
Table 1. DTN of sample procedure

        EXIT 1  EXIT 2  EXIT 3  EXIT 4
EXIT 1
EXIT 2  1
EXIT 3  2       0
EXIT 4  3       3       0
Supplementary annotation to the deriving process:
1) Considering the mirror effect, namely that the DTN between EXIT 1 and EXIT 2 is the same as the DTN between EXIT 2 and EXIT 1, only half of the matrix cells are retained.
2) If two diagnosis EXITs differ in many paths, then only the minimum DTN is retained, i.e., if following two paths to two exits gives DTN = 3, whilst following another two paths gives DTN = 2, then 2 is assigned to the paired EXITs.
3) Comments on the two 0s in Table 1: for the pair EXIT 2 and EXIT 3, the closest paths they share pass through the common tests (from Test A, to Test B and then Test D; along the path, there is no exclusive Test), so this minimum DTN is defined as 0. The same principle applies to the pair EXIT 3 and EXIT 4. Pairs with DTN = 0 are thus considered the most confusability-leading pairs.

4.3 Interpretation of the CM
The meaning of the DTN for the paired diagnosis results is straightforward. If only the operation task (procedure) is considered and no other factors (like Person, Equipment, Organisation or Environment) are considered when designing a system, a pair with a small DTN signifies that the two tasks risk being easily confused, as they share most common tests, and the difference resides only in the compliance check at the final Test, from which the diagnosis paths diverge in two different directions: if the Test is True, then the diagnosis is directed toward the bottom exit, otherwise to the horizontal path to another Exit. Notwithstanding, there are many approaches which could increase the difference to reduce the potential high confusability risk:
Expand the display content associated with the paired procedure. For instance, if the DTN is 0, then the difference of the pair resides only in the answer to the final Test, and human interface designers can provide redundant and manifold displays regarding this Test.
So when operators perform the diagnosis at the Test of interest, they will be cued and informed by manifold displays, so that they can distinguish the answer to the concerned Test (remember the theory presented in Sect. 2.1: when the Equipment, namely the Human System Interface in this case, is improved in quality, human error can be reduced).
Enhance the task design by dividing the final test into several tests. The idea is straightforward: if the DTN is small, dividing the critical test into several tests will introduce more salient and distinguishing features to the paired Exits, thereby improving the holistic performance of the task under the context of the five performance shaping factors (PSFs), namely the five elements mentioned in Sect. 2.1. A diagram demonstrates the idea. Suppose Test D is divided into Test D1 and Test D2, and Test D1 = True or Test D2 = True still leads the path to EXIT 2. In this case, chances are that the additionally introduced tests may not necessarily increase the DTN, if they are not salient enough to separate the two exits, i.e. the DTN of the pair EXIT 2 and EXIT 3 remains equal to zero as in Fig. 6; however, as there is another path that can lead the operators towards EXIT 2, the risk of confusability decreases anyway.
Fig. 6. Introducing additional tests to separate paired path
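The CBPS calculation steps of Sect. 2 and the DTN definition, CM construction and test-splitting remedy of Sects. 4.1 to 4.3, as an added Python example that is not the paper's code. The flowchart, the test criteria and the plant readings are constructed assumptions (Fig. 1 is not reproduced on the page), so the matrix it computes illustrates the method and does not reproduce Table 1.

```python
"""DTN confusion matrix for a CBPS diagnosis flowchart.  Added example, not
code from the paper: the flowchart, test criteria and plant readings are
constructed stand-ins for the paper's Fig. 1 (not reproduced here), so the
numbers illustrate the method rather than reproduce Table 1."""
from itertools import combinations

# Constructed flowchart: Test -> (target if True, target if False); a name that
# is not a Test is an EXIT (True = bottom exit, False = horizontal path).
FLOWCHART = {
    "Test A": ("Test B", "Test E"),
    "Test B": ("Test C", "Test D"),
    "Test C": ("EXIT 1", "Test D"),
    "Test D": ("EXIT 2", "EXIT 3"),
    "Test E": ("EXIT 4", "EXIT 3"),
}
START = "Test A"

# Constructed criteria for Steps 1-2 of Sect. 2: each Test compares one
# acquired signal with a setpoint (hypothetical signal names and values).
CRITERIA = {
    "Test A": ("pressure", ">", 15.0),
    "Test B": ("level", "<", 40.0),
    "Test C": ("temperature", ">", 300.0),
    "Test D": ("flow", "<", 5.0),
    "Test E": ("pressure", "<", 5.0),
}


def evaluate_test(test, signals):
    """Step 2: derive the binary value of a Test from the acquired signal."""
    signal, op, setpoint = CRITERIA[test]
    return signals[signal] > setpoint if op == ">" else signals[signal] < setpoint


def diagnose(signals, flowchart=FLOWCHART, start=START):
    """Steps 1-3 repeated until an EXIT is reached; returns (exit, path)."""
    node, path = start, []
    while node in flowchart:
        path.append(node)
        node = flowchart[node][0 if evaluate_test(node, signals) else 1]
    return node, path


def enumerate_paths(flowchart, start=START):
    """All diagnosis paths keyed by EXIT, each as the set of Tests passed."""
    paths = {}

    def walk(node, visited):
        if node not in flowchart:          # reached an EXIT
            paths.setdefault(node, []).append(frozenset(visited))
            return
        for nxt in flowchart[node]:        # True branch, then False branch
            walk(nxt, visited + [node])
    walk(start, [])
    return paths


def dtn(path_a, path_b):
    """Sect. 4.1: number of Tests exclusive to one of the two paths."""
    return len(path_a ^ path_b)


def confusion_matrix(paths):
    """Sect. 4.2: lower-triangular CM keyed (EXIT i, EXIT j) with i < j, keeping
    the minimum DTN over all path combinations (annotations 1 and 2)."""
    return {(a, b): min(dtn(pa, pb) for pa in paths[a] for pb in paths[b])
            for a, b in combinations(sorted(paths), 2)}


def most_confusable(cm):
    """Annotation 3: pairs with DTN = 0 are the most confusability-leading."""
    return sorted(pair for pair, d in cm.items() if d == 0)


def split_test(flowchart, test, parts):
    """Sect. 4.3 remedy: replace `test` by a chain of sub-tests; any sub-test
    True keeps the original True exit, all False keeps the False exit."""
    true_target, false_target = flowchart[test]
    new = {}
    for name, (t, f) in flowchart.items():
        if name != test:   # redirect edges that pointed at the split Test
            new[name] = (parts[0] if t == test else t,
                         parts[0] if f == test else f)
    for i, part in enumerate(parts):
        nxt = parts[i + 1] if i + 1 < len(parts) else false_target
        new[part] = (true_target, nxt)
    return new


if __name__ == "__main__":
    cm = confusion_matrix(enumerate_paths(FLOWCHART))
    for pair, d in cm.items():
        print(f"DTN{pair} = {d}")
    print("most confusable:", most_confusable(cm))
    print("diagnosis:", diagnose({"pressure": 20.0, "level": 55.0, "temperature": 250.0, "flow": 3.0}))
    refined = enumerate_paths(split_test(FLOWCHART, "Test D", ["Test D1", "Test D2"]))
    print("after split: DTN(EXIT 2, EXIT 3) =",
          confusion_matrix(refined)[("EXIT 2", "EXIT 3")],
          "paths to EXIT 2:", len(refined["EXIT 2"]))
```

With the constructed readings the walk is Test A, Test B, Test D to EXIT 2, the same path the paper uses as its example; after splitting Test D the pair (EXIT 2, EXIT 3) keeps DTN = 0 while the number of paths into EXIT 2 doubles, which is the effect Sect. 4.3 describes.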
5 Conclusion
Adopting CBP at modern NPPs is an increasing trend. Constrained by the qualification of the computer system, the CBP might be less reliable if a lower-qualification platform is used, which normally faces a challenge from regulatory requirements. However, using ergonomic and human reliability theory, and by introducing the tool of the CM, designers can construct the CM based on the hypothetical procedure, and then evaluate the degree of confusability of the paired procedures. The substantiation of the CBPS might help to pinpoint the weak points of the CBPS, and help to invoke a suitable process to find remedies for the weaknesses, so that recommendations for iterative procedure design and implementation can be proposed.
References
1. O’Hara, J.M., et al.: NUREG/CR-6634, Computer-Based Procedure Systems: Technical Basis and Human Factors Review Guidance. U.S. NRC, p. xiii (Jan 2000)
2. O’Hara, J.M.: BNL*. NUREG-0700, Human-System Interface Design Review Guidelines. U.S. NRC, p. 8–5 (July 2020)
3. O’Hara, J.M., et al.: NUREG/CR-6634, Computer-Based Procedure Systems: Technical Basis and Human Factors Review Guidance. U.S. NRC, p. 1 (Jan 2000)
4. O’Hara, J.M.: BNL*. NUREG-0700, Human-System Interface Design Review Guidelines. U.S. NRC, p. 8–1 (July 2020)
5. IEEE: IEEE std 1023, Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities. IEEE (2004)
6. Wixted, J.T.: The forgotten history of signal detection theory. Journal of Experimental Psychology: Learning, Memory, and Cognition 46(2), 201–233 (Feb 2020)
7. http://www2.cs.uregina.ca/~dbd/cs831/notes/confusion_matrix/confusion_matrix.html
8. Confusion matrix - GIS Wiki | The GIS Encyclopedia
Rotor Passing Through Critical Speed with Assistance of Electromagnetic Damper
Xiang-Yu Jia1, Yang Xu1(B), Yu-Jie Bai2, and Kai Zhang1
1 Department of Engineering Physics, Tsinghua University, Beijing 100084, China
[email protected]
2 Science and Technology on Particle Transport and Separation Laboratory, Tianjin 300180, China
Abstract. Active electromagnetic damping technology has plenty of advantages, such as convenient parameter setting, fast response speed, suppression of vibration in a wide frequency domain, and so on. In this paper, an electromagnetic damper with a PID controller is designed and assembled. The function of shock absorption and the effect on the rotor passing through the critical speed are studied respectively under different combinations of damper parameters. The response behavior of the damper under static conditions is obtained experimentally through a data acquisition board after applying a displacement impact to the damper mandrel. Then, the damper is installed in the rotor test system, which is set to accelerate to the first-order bending critical speed, at which the vibration response of the rotor is investigated. Results show that the form and effect of the damper attenuating the displacement disturbance, and whether the system passes through the critical speed smoothly or not, are all governed by the setting of the damper parameters. Under specific parameter combinations, the effect of the electromagnetic damper on passing the critical speed has been shown to be better than that of the oil film damper. Moreover, a controller with additional zero and pole pairs connected in series is proved to be able to further optimize the response behavior of the rotor-damper system in the low frequency region. Through the experiment, the effectiveness of the design function of the electromagnetic damper is proved, which provides a reference for the selection of the working parameters and a research basis for further optimization of the damper.
Keywords: Electromagnetic damper · PID controller · Bending critical speed · Vibration response
1 Introduction
Active magnetic bearings (AMB) have the characteristics of no mechanical wear, low energy consumption, no lubrication required, suitability for vacuum and high-speed working conditions, and so on [1]. They have been widely used in high-speed rotating machinery, such as the Helium Turbo-compressor and Circulator for the High Temperature Gas-cooled Reactor (HTGR) [2]. Compared with conventional sliding bearings or rolling bearings, AMBs installed at both ends of the rotor can not only provide stable and reliable support, but also use controllable electromagnetic force to output variable dynamic parameters such as stiffness and damping, playing a role in ensuring the stable operation of the system [3–5].
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 301–315, 2022. https://doi.org/10.1007/978-981-19-1181-1_30
Several results have been achieved so far in the research of AMB-assisted methods for rotors passing the critical speed. H. Habermann et al. proposed that an AMB with a PID controller is able to provide a suitable damping coefficient and phase lead to reduce the amplitude of the rotor near the critical speed, and that an AMB with a rotating coordinate servo loop could realize Free Force Control, making the rotor rotate around its mass axis to overcome imbalance [6–8]. H. Fujiwara et al. proved through experiments that an AMB with an additional phase buffer filter or notch filter is able to overcome the higher-order-mode instability of the system under analog or digital control [9]. S. Lei et al. added a notch filter to a flywheel system in FEM calculations and experiments, which successfully suppressed the interference caused by Sensor Runout and imbalance [10]. Huidong Gu et al. verified the effectiveness of the phase compensation method based on LQG in assisting a heavy-duty flexible rotor to pass the second-order bending frequency [11]. Kai Zhang et al. added a second-order Butterworth filter in series to the PD controller, increasing the gain of the controller near the flexibility critical frequency [12]. Active electromagnetic damping technology takes full advantage of the variable output stiffness and damping of the AMB. It has great development potential and broad application prospects in the vibration reduction and noise suppression of the equipment mentioned above for the HTGR. Based on the original structure design and working mode of the squeeze film damper (SFD), an electromagnet is used to replace the damping oil to output a variable electromagnetic force to the damping mandrel connected to the rotor [13].
Compared with traditional oil film dampers, electromagnetic dampers have the advantages of high sensitivity, convenient parameter control, elimination of lubricating oil pollution, reduction of sealing devices, and a wider frequency domain for suppressing vibration [14]. In this paper, experiments based on the electromagnetic damper assistance method for attenuating displacement disturbance and for the rotor passing through the critical speed are carried out, which verify the effectiveness of the damper.
2 Rotor-Damper Experiment System
The original oil film damper for the rotor passing through critical speed experiment system is illustrated in Fig. 1. The damping mandrel is immersed in damping oil of specific viscosity and inserted into the housing socket through the needle shaft at the lower end. The rotor is inserted into the mandrel through a ball joint bearing with specific stiffness at the lower end. In fact, the mandrel does not rotate synchronously with the rotor, but moves in a type of conical swing driven by its precession, which drives the damping oil to move together with it. The moving damping oil applies a restoring force and a damping force to the mandrel and controls its vibration, and then the rotor’s. The rapid development of AMB provides inspiration to improve this kind of damper. The electromagnetic damper working in conical whirling form is based on the modified design of Fig. 1, where the damping oil is replaced by an electromagnet, as shown in Fig. 2. An additional displacement sensor that obtains the vibration signal of the damping mandrel is installed.
Rotor Passing Through Critical Speed
303
Fig. 1. Schematic diagram of oil film damper
Fig. 2. Schematic diagram of electromagnetic damper
The schematic diagram of the component experiment system for the damper is shown in Fig. 3. During the experiment, the electromagnetic damper is placed steadily on the plane of the working platform. After an impact displacement $\delta_{dis}(s)$ is applied to the damping mandrel, the sensor provides the signal collector in the FPGA module with a voltage signal $u_{sen}(s) = k_{sen}\delta_{dis}(s)$, where $k_{sen}$ is the gain coefficient of the sensor, ignoring delay and dynamic characteristics. Then the arithmetic unit calculates and outputs the voltage $u_{amp}(s) = -G_{PID}(s)u_{sen}(s)$ to the power amplifier under the PID control strategy. The transfer function $G_{PID}(s)$ in this process is given in Eq. (1), in which the PID parameters $k_p$, $k_i$ and $k_d$ are set by the control program written from the PC to the FPGA.

$$G_{PID}(s) = k_p + k_i\frac{1}{s} + k_d s \qquad (1)$$
The amplifier outputs a current $i_{amp} = k_{amp}u_{amp}(s)$ after it receives $u_{amp}$, driving the electromagnet to output an electromagnetic force $f_{mag}$ to the mandrel. As shown in Eq. (2), $k_{amp}$ is the gain coefficient of the amplifier, and $k_\delta$ and $k_I$ are the force-displacement and force-current coefficients respectively. The terms proportional to $\delta_{dis}$ and to its derivative $s\delta_{dis}$ correspond to the restoring force and the damping force, which are related to the parameters $k_p$ and $k_d$ respectively.

Fig. 3. Schematic diagram of component experiment system.

$$f_{mag}(s) = -k_\delta\delta_{dis}(s) + k_I i_{amp}(s) = -k_I k_{amp} k_{sen}\left(\frac{k_\delta}{k_I k_{amp} k_{sen}} + k_p + k_i\frac{1}{s} + k_d s\right)\delta_{dis}(s) \qquad (2)$$

Fig. 4. Path of signal flow
The path of signal flow is shown in Fig. 4. What's more, signals including $\delta_{dis}$ and $i_{amp}$ are input to the LabVIEW system on the PC through the data acquisition board for data storage and visualization. In the rotor passing through critical speed experiment system, two more eddy current sensors are installed in the protective housing to measure the displacements $\delta_x$ and $\delta_y$ of the upper end of the rotor in the two orthogonal directions x and y during precession. The system with the electromagnetic damper assembly installed is shown in Fig. 5.
Fig. 5. Schematic diagram of rotor passing-criticality experiment system.
3 Component Experiment of Electromagnetic Damper
3.1 Motion Behavior of the Damper Mandrel
The stable operating condition of the electromagnetic damper refers to the condition in which the damper is able to realize its function under the specific PID parameters. In other words, the damper is able to attenuate the disturbed displacement of the damping mandrel under the given PID parameter combination and keep the amplitude within the allowable design range. The mandrel moving in the conical whirling form under stable conditions has two degrees of freedom. According to vibration theory, it is reasonable to simplify the description of the mandrel motion by decoupling the two-degree-of-freedom vibration model into two single-degree-of-freedom models [15]. Therefore, there are two possible motion forms in each direction of mandrel motion: the amplitude of the mandrel decays in a periodic form or in a logarithmic form, corresponding to a small or a large damping coefficient respectively.
Fig. 6. Motion form of mandrel under stable condition
The results of the component experiment show that the motion behavior of the mandrel conforms to the above analysis for the stable operating condition of the damper. In the experiment, after the mandrel receives a displacement disturbance, it usually moves rapidly in the direction opposite to the disturbance displacement and reaches the maximum displacement of the attenuation process. Then the amplitude attenuation of the mandrel motion is approximately of a periodic form or a logarithmic form. As shown in Fig. 6, for most cases of $k_p = 0.10$, the subsequent motion is a periodic motion with amplitude attenuation after the amplitude of the mandrel reaches its maximum value; for the condition $k_p = 0.10$, $k_i = 0.5$ and $k_d = 1.5$ and for all stable operating conditions with $k_p = 0.25$ and $k_p = 0.50$, the motion of the mandrel takes the logarithmic decay form. In addition, the motion of the mandrel showed three types of instability in the component experiment, as shown in Fig. 7:
(1) When $k_p = 0.50$, $k_i = 1.2$ and $k_d = 0.5$, the mandrel cannot be stabilized at the equilibrium position. A form of vortex with a frequency of about 150 Hz appears;
(2) When $k_p = 0.10$, $k_i = 1.2$ and $k_d = 0.0$, the mandrel and the housing rub against each other over half the circumference with a frequency of about 31.8 Hz;
(3) When $k_p = 0.05$, the mandrel keeps colliding within an area of about 1/4 of the housing with a frequency of about 6 Hz.
Fig. 7. Mandrel’s unstable trajectory
3.2 Indexes of Damping Performance with PID Parameters
The following analyzes the influence of the PID parameters on the indexes of damping performance of the damper. Through a set of component experiments, the displacement data of the mandrel at several time points under different PID parameter combinations were collected. When the free vibration of the mandrel is a periodic amplitude-attenuation motion, the peak displacement values in a complete attenuation process and the corresponding times are recorded: $(x_1, T_1), (x_2, T_2), (x_3, T_3), \ldots, (x_i, T_i), (x_{i+1}, T_{i+1})$. The logarithmic reduction coefficient is defined by Eq. (3), where $n$ is the damping coefficient and $T_d = (t_{i+1} - t_1)/i$ is the average decay period.

$$\delta = \frac{1}{i}\ln\frac{x_1}{x_{i+1}} = n\frac{t_{i+1} - t_1}{i} = nT_d \qquad (3)$$

When the amplitude attenuation of the mandrel is in the logarithmic form, $i+1$ data points $(x_1, T_1), (x_2, T_2), (x_3, T_3), \ldots, (x_i, T_i), (x_{i+1}, T_{i+1})$ are recorded. The logarithmic coefficient is expressed as Eq. (4), where $s$ is the reduction factor related to the damping coefficient and $\Delta t = t_{j+1} - t_j = \text{const}$, $j = 1, 2, 3, \ldots, i$.

$$\delta = \frac{1}{i}\ln\frac{x_1}{x_{i+1}} = s\frac{t_{i+1} - t_1}{i} = s\Delta t \qquad (4)$$

The variation of the logarithmic attenuation coefficient $\delta$ with $k_d$ ($k_i = 1.2$) and with $k_i$ ($k_d = 1.5$) under the given $k_p$ is shown in Fig. 8 and Fig. 9 respectively. It can be concluded from the figures that under stable conditions, $\delta$ decreases with increasing $k_p$ when $k_i$ and $k_d$ are fixed. Combined with the influence of $k_p$ on the motion form, better vibration damping performance would be obtained by designing the mandrel amplitude to be attenuated in a periodic form. When $k_p = 0.10$, $\delta$ shows an increasing tendency with increasing $k_d$ and fluctuates with increasing $k_i$. In other words, with a larger $k_d$ and an intermediate $k_i$, a larger $\delta$ and a better amplitude attenuation effect can be obtained when $k_p = 0.10$. When $k_p$ takes 0.25 and 0.5, not only the form of motion but also the tendency of $\delta$ changes. In these cases, a larger $\delta$ can be obtained with an intermediate $k_d$ and a larger $k_i$.
Fig. 8. $\delta$ varies with $k_d$ ($k_i = 1.2$)
Fig. 9. $\delta$ varies with $k_i$ ($k_d = 1.5$)
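As an added worked example (not code from the paper), the following Python computes the logarithmic attenuation coefficient of Eqs. (3) and (4) from a recorded mandrel displacement series, and classifies the record as periodic or logarithmic decay as in Fig. 6. The two records, their decay constants and the 10,000 Hz sampling rate used for the constructed signals are assumptions made here for illustration, not measured data.

```python
import math

FS = 10000.0  # sampling rate assumed for the constructed records (the paper's board samples at 10,000 Hz)


def find_positive_peaks(x, t):
    """Successive positive peaks (x_k, t_k) of a sampled displacement record,
    i.e. the points recorded in a periodic amplitude-attenuation process."""
    peaks = []
    for k in range(1, len(x) - 1):
        if x[k] > 0 and x[k] >= x[k - 1] and x[k] > x[k + 1]:
            peaks.append((x[k], t[k]))
    return peaks


def log_decrement_periodic(peaks):
    """Eq. (3): delta = (1/i) ln(x_1 / x_{i+1}) = n * T_d for i+1 recorded peaks.
    Returns (delta, T_d, n) with n the damping coefficient."""
    if len(peaks) < 2:
        raise ValueError("at least two peaks are needed")
    i = len(peaks) - 1
    x1, t1 = peaks[0]
    xi1, ti1 = peaks[-1]
    delta = math.log(x1 / xi1) / i
    T_d = (ti1 - t1) / i              # average decay period
    return delta, T_d, delta / T_d


def log_decrement_logarithmic(x, t):
    """Eq. (4): for i+1 equally spaced samples of a monotonically decaying record,
    delta = (1/i) ln(x_1 / x_{i+1}) = s * dt.  Returns (delta, dt, s)."""
    if len(x) < 2:
        raise ValueError("at least two samples are needed")
    i = len(x) - 1
    dt = (t[-1] - t[0]) / i           # constant sampling interval
    delta = math.log(x[0] / x[-1]) / i
    return delta, dt, delta / dt


def classify_motion(x):
    """A periodic decay crosses zero repeatedly; a logarithmic decay does not."""
    crossings = sum(1 for a, b in zip(x, x[1:]) if a * b < 0)
    return "periodic" if crossings >= 2 else "logarithmic"


def constructed_periodic_record(n=5.0, f=20.0, seconds=0.5):
    """Constructed sample: x(t) = exp(-n t) cos(2 pi f t), a small-damping case."""
    t = [k / FS for k in range(int(seconds * FS))]
    x = [math.exp(-n * tk) * math.cos(2 * math.pi * f * tk) for tk in t]
    return x, t


def constructed_logarithmic_record(s=8.0, dt=0.01, count=21):
    """Constructed sample: x_j = exp(-s t_j) read every dt seconds, a large-damping case."""
    t = [j * dt for j in range(count)]
    x = [math.exp(-s * tj) for tj in t]
    return x, t


def demo():
    """Recover n and s from the two constructed records."""
    xp, tp = constructed_periodic_record()
    delta_p, T_d, n = log_decrement_periodic(find_positive_peaks(xp, tp))
    xl, tl = constructed_logarithmic_record()
    delta_l, dt, s = log_decrement_logarithmic(xl, tl)
    return {"periodic": (classify_motion(xp), delta_p, T_d, n),
            "logarithmic": (classify_motion(xl), delta_l, dt, s)}


if __name__ == "__main__":
    for form, values in demo().items():
        print(form, values)
```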
4 Rotor Passing Through Critical Speed Experiment
4.1 Passing Through Critical Speed Behavior of Rotor
For the system in Fig. 5, the oil film damper assembly is installed first and a speed-up experiment is conducted. The sampling rate of the data acquisition board for the vibration signal from the eddy current sensor is 10,000 Hz. During data processing, an FFT is performed on the 10,000 data points collected in every 1 s. The waterfall chart of the FFT curves of the vibration signal over time is shown in Fig. 10 (due to the excessive number of lines, only the curve for every 5 s is retained in the figure). As shown in Fig. 10, the upward trend of the speed can be seen intuitively. When the speed increases to about 63.5 Hz, that is, near the first-order bending frequency of the rotor, the imbalance excitation force effectively excites the vibration. The amplitude rises rapidly in a narrow frequency band near this frequency. When the amplitude in the frequency domain rises to its maximum value $A_{cri}$ at a certain moment, the speed is considered to have reached the critical frequency, that is, the frequency $f_{cri}$ corresponding to $A_{cri}$. The FFT curve on which the point $(f_{cri}, A_{cri})$ is located is shown in Fig. 11. After the rotor passes this frequency smoothly, the amplitude in the frequency domain decreases gradually. It can also be seen from Fig. 10 that, in addition to the speed and its multiples, the FFT curve also includes the peak corresponding to the first-order frequency of the system at about 3.6 Hz.
Fig. 10. Waterfall chart of the FFT curve
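The waterfall-chart procedure of Section 4.1, as an added Python example that is not the paper's code: one FFT per 1 s window, the dominant line followed from window to window, and $(f_{cri}, A_{cri})$ taken as the window with the largest amplitude. The run-up signal is constructed here with a single-degree-of-freedom resonance at 63.5 Hz, the sampling rate is scaled down to 1024 Hz (1024 points per 1 s window) so that a pure-Python radix-2 FFT applies (the paper's board samples at 10,000 Hz), and bins below an assumed $f_{min}$ of 10 Hz are skipped so that the low-frequency system mode is not mistaken for the speed line.

```python
import cmath
import math


def fft(x):
    """Iterative radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 0 or n & (n - 1):
        raise ValueError("FFT length must be a power of two")
    a = [complex(v) for v in x]
    j = 0
    for i in range(1, n):                  # bit-reversal permutation
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j ^= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:                     # butterfly stages
        w_len = cmath.exp(-2j * math.pi / length)
        half = length // 2
        for start in range(0, n, length):
            w = 1.0 + 0j
            for k in range(half):
                u = a[start + k]
                v = a[start + k + half] * w
                a[start + k] = u + v
                a[start + k + half] = u - v
                w *= w_len
        length *= 2
    return a


def single_sided_spectrum(samples, fs):
    """Bin frequencies and single-sided amplitudes: a cosine of amplitude A
    that falls exactly on a bin reads back as amplitude A."""
    n = len(samples)
    spec = fft(samples)
    freqs = [k * fs / n for k in range(n // 2)]
    amps = [2.0 * abs(spec[k]) / n for k in range(n // 2)]
    return freqs, amps


def track_critical(windows, fs, f_min=10.0):
    """One FFT per 1 s window; pick the dominant line at or above f_min and
    return ([(window, f_peak, A_peak), ...], f_cri, A_cri), where the critical
    point is the window whose dominant line has the largest amplitude."""
    rows = []
    for w, seg in enumerate(windows):
        freqs, amps = single_sided_spectrum(seg, fs)
        k0 = next(k for k, f in enumerate(freqs) if f >= f_min)
        k = max(range(k0, len(amps)), key=amps.__getitem__)
        rows.append((w, freqs[k], amps[k]))
    _, f_cri, a_cri = max(rows, key=lambda r: r[2])
    return rows, f_cri, a_cri


def constructed_runup(fs=1024, seconds=20, f_res=63.5, zeta=0.05):
    """Constructed speed-up (assumption): the speed rises 2 Hz per window from
    40 Hz, held constant inside each 1 s window, with the amplitude given by a
    resonance at f_res; a 4 Hz tone stands in for the ~3.6 Hz system mode."""
    windows = []
    for w in range(seconds):
        f_rot = 40.0 + 2.0 * w
        r = f_rot / f_res
        amp = 1.0 / math.sqrt((1 - r * r) ** 2 + (2 * zeta * r) ** 2)
        seg = [amp * math.cos(2 * math.pi * f_rot * k / fs)
               + 0.5 * math.cos(2 * math.pi * 4.0 * k / fs)
               for k in range(fs)]
        windows.append(seg)
    return windows


if __name__ == "__main__":
    rows, f_cri, a_cri = track_critical(constructed_runup(), 1024)
    for w, f, a in rows:
        print(f"t = {w:2d} s   speed line {f:5.1f} Hz   amplitude {a:6.3f}")
    print(f"critical point: f_cri = {f_cri:.1f} Hz, A_cri = {a_cri:.3f}")
```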
The oil film damper was then replaced with the electromagnetic damper. Different PID parameter combinations were set and the speed-up experiments were repeated. The results show that the PID parameter setting has a direct influence on whether the damper can successfully assist the rotor to pass the first-order bending frequency smoothly. For the successful cases, the critical frequency $f_{cri}$ and the corresponding maximum amplitude $A_{cri}$ are listed in Table 1. When $k_p = 0.10$ and $k_d = 5.0$ are set separately, the FFT curves at $f_{cri}$ are shown in Fig. 12 and Fig. 13 respectively. The following conclusions can be obtained:

Fig. 11. FFT curve when speed reaches $f_{cri}$

Table 1. Comparison of auxiliary effect on rotor passing-criticality

  k_p    k_i    k_d    f_cri / Hz    A_cri / m
  0.10   1.2    1.5    69.8          24.2
  0.10   1.2    2.0    68.6          26.2
  0.10   1.2    5.0    64.4          7.4
  0.25   1.2    5.0    69.7          21
  0.50   1.2    5.0    70.2          22
(1) For the parameter combinations shown in the charts, the electromagnetic damper achieves a better auxiliary effect on passing-criticality than the oil film damper. That is, the electromagnetic damper reduces the amplitude $A_{cri}$ when the rotor reaches $f_{cri}$ more effectively, especially when $k_p = 0.10$ and $k_d = 5.0$.
(2) When $k_p = 0.10$, a larger $k_d$ effectively reduces $A_{cri}$. However, when $k_d = 5.0$, the $A_{cri}$ values for $k_p = 0.25$ and $k_p = 0.50$ are not much different. Combined with the conclusions obtained from the component experiment, the smaller the $k_p$, the better the damping and the auxiliary effect. Moreover, a larger $k_d$ shows a more obvious effect when $k_p = 0.10$.
(3) The electromagnetic damper has increased the critical frequency $f_{cri}$. A larger $k_p$ and a smaller $k_d$ bring a larger $f_{cri}$.
Fig. 12. FFT curve when speed reaches f cri (k p = 0.10)
Fig. 13. FFT curve when speed reaches f cri (k d = 5.0)
4.2 Control Algorithm Improvement
Under PID parameter settings such as $k_p = 0.10$, $k_i = 1.2$ and $k_d = 1.0$, the damper cannot effectively suppress the rotor's vibration near $f_{cri}$. In these cases, the rotor may collide with the housing due to the excessive vibration amplitude, which is mainly composed of components in the low-frequency region between the first-order frequency of the system and the first-order bending frequency of the rotor. Because of that, the kinetic energy of the rotor is converted into internal energy by the friction force, resulting in a rapid speed decrease. Then the speed rises again under the action of the motor. This phenomenon occurs repeatedly near $f_{cri}$, so the rotor is not able to pass the critical frequency smoothly. In order to reduce the amplitude of the system and the resonance of the rotor in the low-frequency region, an additional unit based on a second-order control cell is connected in series with the PID controller, which introduces an extra pair of zeros and poles [16]. The transfer function of this unit is described by Eq. (5).

$$G(s) = \frac{T_1^2 s^2 + 2\zeta_1 T_1 s + 1}{T_2^2 s^2 + 2\zeta_2 T_2 s + 1} \qquad (5)$$

Figure 14 shows the Bode diagram of this unit when $T_1 = (2 \times 12)^{-1}$, $\zeta_1 = 0.6$, $T_2 = (2 \times 12)^{-1}$ and $\zeta_2 = 0.45$. It is obvious that this control unit provides phase lead in the low-frequency region and introduces an additional damping force to the rotor, especially when the rotating speed is about 13 Hz. The new path of signal flow after the modification is shown in Fig. 15.
Fig. 14. Bode diagram of G(s)
Fig. 15. Path of signal flow
The introduction of this control unit effectively reduces the amplitude of the rotor in low speed range. For example, when setting k p = 0.10, k i = 1.2 and k d = 1.0 again, the FFT curve when the rotating speed reaches f cri is shown in Fig. 16.
Fig. 16. FFT curve when speed reaches f cri with G(s) (k p = 0.10, k i = 1.2 and k d = 1.0)
5 Conclusion
This paper conducted a component experiment and a rotor passing through critical speed experiment with the assistance of an active electromagnetic damper. The conclusions are as follows:
(1) The results show the forms and effect of the damper attenuating the displacement disturbance. Also, whether the system passes through the critical speed smoothly or not is essentially restricted by the damper parameter setting.
(2) Under specific parameter combinations, the assisting effect of the electromagnetic damper on the rotor passing through critical speed is better than that of the oil film damper. It is proved that a smaller $k_p$ and a larger $k_d$ are better for reducing the amplitude of the rotor near the critical frequency.
(3) A control cell based on a second-order unit connected in series with the PID controller has been proved to further optimize the response behavior of the rotor-damper system in the low-frequency region.
Through the experiments, the effectiveness of the electromagnetic damper is verified, which provides a reference for the selection of the working parameters and a research basis for further optimization of the damper.
Acknowledgement. This project is supported by the National Key Research and Development Project (No. 2018YFB2000100) and the National Natural Science Foundation (No. 51775292).
References
1. Schweitzer, G., Maslen, E.: Magnetic Bearings: Theory, Design, and Application to Rotating Machinery. Springer, Berlin (2009)
2. Jie, W., Hong, W., Gang, Z., Xiaoyong, Y., Ping, Y., Xinhe, Q.: Helium turbo-compressor and circulator for a high temperature gas-cooled reactor. Journal of Tsinghua University (Sci & Tech) 61(04), 350–360 (2021)
3. Ming, Q., Long, C., Yingchun, L.: Bearing Tribology: Principles and Applications. Springer, Berlin (2016)
4. Eugenio, B.: Semi-active and active magnetic stabilization of supercritical rotor dynamics by contra-rotating damping. Mechatronics 24(5), 500–510 (2014)
5. Shaolin, R., Yefa, H.: Active vibration control of the flexible high-speed rotor with magnetic bearings via phase compensation to pass critical speed. Journal of Low Frequency Noise, Vibration and Active Control 38(2), 633–646 (2019)
6. Habermann, H., Brunet, M.: The active magnetic bearing enables optimum damping of flexible rotor. ASME 1984 International Gas Turbine Conference and Exhibit. American Society of Mechanical Engineers Digital Collection (1984)
7. Habermann, H., Brunet, M.: The active magnetic bearing enables optimum control of machine vibrations. ASME 1985 International Gas Turbine Conference and Exhibit. American Society of Mechanical Engineers Digital Collection (1985)
8. Dekui, Z., Wei, J., Hongbin, Z.: Unbalance vibration control methods for active magnetic bearings system. Journal of Tsinghua University (Sci & Tech) 40(010), 28–31 (2000)
9. Fujiwara, H., Ito, M., Takahashi, N.: Modal control of flexible rotors supported by active magnetic bearings. Trans. Japan Soc. Mech. Eng. 70(698), 2797–2804 (2004)
10. Shuliang, L., Alan, P.: Control of flexible rotor systems with active magnetic bearings. J. Sound Vib. 314(1–2), 19–38 (2008)
11. Huidong, G., Lei, Z., Lei, S.: Controller design for a flexible rotor supported by active magnetic bearing passing the critical rotational speed. Journal of Tsinghua University (Sci & Tech) 45(06), 821–823 (2005)
12. Kai, Z., Xingjian, D., Xiaozhang, Z.: Controller design of a supercritical high speed motor system suspended by active magnet bearings. Journal of Tsinghua University (Sci & Tech) 50(11), 1785–1788 (2010)
13. Zhenlin, W.: Numerical and Experimental Study on Damping Characteristics of Squeeze Film Damper for Turboshaft Engine. Harbin Institute of Technology (2013)
14. Burrows, R., Sahinkaya, N., Clements, S.: Active vibration control of flexible rotors: an experimental and theoretical study. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences 422(1862), 123–146 (1989)
15. Weaver, W., Timoshenko, S., Young, H.: Vibration Problems in Engineering. John Wiley & Sons, New York (1990)
16. Golnaraghi, F., Kuo, B.: Automatic Control Systems. John Wiley & Sons, New York (2010)
Design of Digital Control Platform for Magnetic Bearings Based on Multi-core Architecture
Jun-Shui Wang, Yang Xu, and Kai Zhang(B)
The Department of Engineering Physics, Tsinghua University, Beijing 100084, China
Abstract. The magnetic bearing digital control platform is the core of a magnetic bearing system. In order to solve the problems of an analog magnetic bearing control platform, whose parameter adjustment is inconvenient and whose hardware structure is not easy to change, or of a single-DSP control platform, whose hardware resources are limited and software resources are scarce, a magnetic bearing digital control platform based on the AM5728 with a multi-core architecture was designed. Firstly, the overall architecture of the magnetic bearing digital control platform is given to clarify the division of tasks and the requirements of each component. Secondly, the core devices, such as the data analysis core, AD/DA and FPGA, are selected according to these demands. Finally, based on the SOM-TL5728 core board, the FPGA hardware logic development process, the DSP-side program development and porting, and the IPC heterogeneous multi-core development process are discussed. The dual-DSP-core development case shows that the designed multi-core digital platform fully meets the requirements of a magnetic bearing digital control platform and has outstanding advantages in computing performance, system stability and interface scalability. What's more, the designed digital control platform based on the multi-core architecture can realize its powerful performance potential through software migration and resource allocation.
Keywords: Magnetic bearing · Digital control platform · Multi-core · AM5728
1 Introduction
Active magnetic bearings, which have a series of advantages such as low energy consumption, clean and pollution-free operation, and long life, are widely used in high-speed rotating machines such as flywheels, pumps and compressors. Compared with passive magnetic bearings, the main advantage of active magnetic bearings is the ability to achieve real-time monitoring and control of rotor vibration through a closed-loop feedback loop of electrical signals [1–3]. The magnetic bearing digital control platform is the core hardware of vibration control for active magnetic bearings. With the development of high-speed rotating machinery technology, the functions of the digital control platform for magnetic bearings are facing higher challenges. On the one hand, the control platform needs to run more complex control algorithms and achieve higher-speed data communication to meet the increasingly high control accuracy and stability requirements of the magnetic bearing; on the other hand, it needs to add various digital interfaces and a digital signal processing system to achieve the transmission and monitoring of rotor speed, rotor displacement, coil current and other signals. The traditional analog controller can meet the basic requirements of the magnetic bearing system to some extent. However, its parameters are not easy to adjust and its hardware structure is not easy to change, which makes it difficult to achieve complex control [4]. Digital control has the characteristics of high hardware integration and good control performance, but some single-DSP control platforms have limited hardware resources and scarce software resources [5, 6]. In this paper, based on the powerful AM5728 SoC heterogeneous multi-core processor developed by TI, a more powerful and scalable magnetic bearing digital control platform was designed and developed. With the help of the SOM-TL5728 core board, the device selection and hardware design of the magnetic bearing control platform were completed to meet the operation requirements of the digital control platform. After the platform hardware selection, the FPGA digital logic development process and the RTOS development process of the AM5728 dual-core DSP side are given; based on the IPC joint development component, the joint development method of the magnetic bearing control platform is given. The development potential of the designed magnetic bearing digital control platform is fully verified by running the control algorithm and FFT algorithm cases separately on the two DSP cores.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 316–326, 2022. https://doi.org/10.1007/978-981-19-1181-1_31
2 Architecture of Magnetic Bearing Digital Control Platform
A simplified general magnetic bearing system with all necessary components is shown in Fig. 1. The magnetic bearing digital control platform architecture is complex due to the many tasks involved, such as multiple sensor signal sampling, filtering, signal modulation and shaping, control algorithms, and op-amp control signal output.
Fig. 1. Components of active magnetic bearing system
The magnetic bearing digital control platform based on a multi-core architecture designed in this paper is shown in Fig. 2. When the rotor is running, a series of sensors installed in the magnetic bearing system monitor the rotor motion information. The rotational speed sensor transmits the rotational speed signal to the FPGA. The signals from the displacement sensor are oversampled, digitally filtered and shaped by the FPGA. Compared to some digital control platforms without an FPGA, this platform's FPGA module takes over the ADC, DAC, speed signal, signal synchronization, shaping and filtering modules, which greatly simplifies the tasks of the DSP so that it can focus on digital control signal processing, and helps to improve the stability and control performance of the system. The multi-core architecture of the digital control platform can achieve a significant increase in overall performance by reasonably allocating memory and computational resources, for example by running some real-time tasks in parallel or assigning some non-real-time tasks to cores other than the core running the real-time control algorithm. This on the one hand reduces the occupation of computational resources on the control algorithm core, and on the other hand can increase the signal processing frequency so as to improve the real-time performance. The platform built in this paper takes the example of a dual-core DSP with one core running the control algorithm and the other core running the FFT algorithm.
Fig. 2. Multi-core architecture of magnetic bearing digital control platform (block diagram; blocks shown: displacement sensor, speed sensor, ADC, FPGA, DAC, power amplifier, SOM-TL5728 connected to the FPGA via GPMC, DAQ cards and PC connected via JTAG/Ethernet/RS232; signals shown: displacement signal, speed signal, current signal, synchronization signal)
The FPGA communicates with the SOM-TL5728 core board through the GPMC interface. The FPGA sends the sorted operation information to the DSP cores, and the two DSP cores run the control algorithm and the FFT spectrum analysis algorithm respectively to analyse the rotor's running information. The DSP1 core runs the higher-order control algorithm and outputs the processed amplifier control voltage signal to the FPGA to complete the control of the magnetic bearing rotor motion and realize the high-speed and stable running of the rotor. The DSP2 core runs the FFT algorithm to further analyze the rotor speed, vibration and other operating information, and the obtained time- and frequency-domain data are transmitted to DSP1 for control application and to the ARM for storage through the IPC component; the ARM can even further send the operating information to the PC. The FFT analysis can, on the one hand, provide in-depth analysis of the rotor vibration characteristics and, on the other hand, be used as a backup for speed measurement to prevent loss of the speed sensor signal and improve the system's anti-interference performance.
3 Hardware Construction of Digital Control Platform
In order to accelerate the design, the digital control platform is built from a core board and a base board. The magnetic bearing digital control platform consists of sensor signal processing circuits, AD/DA, FPGA, the signal processing system and other parts. The signal processing system, FPGA and AD/DA are the core components to focus on in the selection of components. The AD component needs to have high accuracy and meet the high-speed sampling requirements of the sensor signals. The FPGA needs to have sufficient logic resources to meet the task requirements while having sufficient I/O for signal transmission. The signal processing system needs to be powerful enough to meet the demand for computing and memory resources of the control algorithms and FFT analysis. Meanwhile, it needs to be scalable enough to adapt to the demands of future digital control platforms.
3.1 SOM-TL5728
To meet the computing needs of the magnetic bearing digital control platform, the Tronlong SOM-TL5728 core board is used as the signal processing core. It is a heterogeneous multi-core SoC industrial-grade core board designed around the TI Sitara AM5728 processor, which combines a dual-core ARM Cortex-A15 with a floating-point dual-core DSP C66x. Its hardware block diagram is shown below (Fig. 3).
Fig. 3. Hardware block diagram of Tronlong SOM-TL5728 (block diagram; blocks shown: TI AM5728 with 2×ARM Cortex-A15 and 2×DSP C66x, 2×DDR3, ECC DDR3, eMMC, SPI FLASH, PMIC, CDCM61002, oscillators at 22.5792 MHz, 25 MHz and 20 MHz, DC 5V3A input, user and power LEDs, and several 80-pin B2B connectors, one of them high-speed)
For the digital control platform, the performance parameters are evaluated from two main aspects. In terms of computing resources: the AM5728 has a dual-core ARM Cortex-A15 running at up to 1.5 GHz, and two C66x floating-point very-long-instruction-word digital signal processors performing 32 16 × 16-bit fixed-point multiplications per cycle while remaining fully compatible with C67x and C64x target code. The AM5728's rich multi-core computing resources enable a significant increase in platform performance through rational allocation of resources. In terms of memory resources: 256 Mbit SPI NOR FLASH, 1 GByte DDR3 + 256 MByte ECC DDR3 or 2 GByte DDR3 + 512 MByte ECC DDR3, and 2.5 MByte On-Chip Memory are onboard, fully meeting the control platform's computing and data storage requirements. What's more, the core board is rich in peripheral interfaces, integrating Gigabit LAN, PCIe, GPMC, USB 2.0, USB 3.0, UART, QSPI, SATA, I2C, DCAN and industrial control buses, as well as rich scalability for secondary development with FPGA integration (Table 1).

Table 1. Resources of Tronlong SOM-TL5728.

  Device   Detail resources
  CPU      TI Sitara AM5728: 2× ARM Cortex-A15, 1.5 GHz; 2× DSP C66x, 750 MHz, floating-point operations; 2× IPU (Image Processing Unit) with 2 ARM Cortex-M4 cores per IPU subsystem, 4 ARM Cortex-M4 cores in total
  ROM      4/8 GByte eMMC; 256 Mbit SPI NOR FLASH; 32 Kbit ATAES132A encryption chip
  RAM      1 GByte DDR3 + 256 MByte ECC DDR3 or 2 GByte DDR3 + 512 MByte ECC DDR3; 2.5 MByte On-Chip Memory
3.2 FPGA
The Cyclone IV E series FPGA, developed by Altera (later acquired by Intel), model EP4CE55F23C8, is selected for the base board, and its typical performance parameters are shown in Table 2. This FPGA has sufficient input and output ports and a large number of internal logic elements to meet the resource requirements for interfacing with the SOM-TL5728, multiple ADC chips, DACs and related expansion modules.
Table 2. FPGA (EP4CE55F23C8) of control platform.

  Main parameters             Property values
  Number of logic elements    55856
  Number of inputs/outputs    324 I/O
  Max. operating frequency    200 MHz
  Total memory                2340k bit
  Phase-locked loops          4
  18 × 18 multipliers         154
3.3 AD/DA and Other Devices
The AD7357 is a dual-channel 14-bit simultaneous-sampling successive-approximation ADC with a maximum sampling rate of 4.2 MSPS per channel. With this sampling rate, low power consumption of 36 mW at full-power operation, a high-precision on-chip reference voltage of 2.048 V at 6 ppm/°C and a fully differential input range of 0 to 2.048 V, the AD7357 is well suited to industrial-grade fast data acquisition systems. To generate the ten-channel power amplifier control signal for a five-degree-of-freedom magnetic bearing, three AD5644 DACs, with post-stage filtering, biasing and differential conversion circuits, are selected to build the digital-to-analog conversion channels. With a full-scale output range of 5 V and a typical output voltage settling time of 3.5 µs, the AD5644 can meet the response requirements of magnetic bearing systems. The other functional modules included are:
- Power supply module (15 V, +5 V, 1.2 V, 2.5 V, 3.3 V required by the various devices on board).
- SOM-TL5728 debugging and communication modules (JTAG, boot mode selector switch, reset, indicator, RS232, GPMC, 100 Mbps network port, expansion IO).
- FPGA debugging and communication module (JTAG, AS, configuration chip, reset, indicator, synchronization, RS232, GPMC, expansion IO).
- Clock circuit (25 MHz active crystal on board).
- Speed module (two-way speed pulse signal isolated input, shaping).
- Relay module (two relays for system control).
4 Control Platform Software Development
The hardware architecture of the magnetic bearing digital control platform requires software development to realize its functions. Compared with a single-DSP digital control platform, which only needs to download and debug the program through the JTAG interface with an emulator, the development process of the multi-core digital control platform is more complicated. It generally includes the FPGA development process, the DSP-side (RTOS) development process, and the ARM-side (Linux) development process.
4.1 FPGA Digital Logic Development Process
Intel's Quartus® Prime development software for its Cyclone IV E series FPGAs is powerful and can perform a range of functions including design entry, synthesis, optimization, verification and simulation. The development flow of the FPGAs covered in this paper consists of the following steps [7]:
1. Design input: hardware logic description using Verilog HDL, pin assignment and constraints with Tcl scripts;
2. Functional simulation: complete the functional simulation of the modules with ModelSim-Altera and verify the logic model;
3. Synthesis: compile the design into cells supported by the target device, and obtain the post-synthesis netlist after compilation and optimization;
4. Placement and routing: place and route the synthesized cells onto the target device;
5. Timing constraints: complete the clock, input/output port and other timing constraints with the TimeQuest Timing Analyzer;
6. Hardware simulation: complete hardware simulation and debugging with the Signal Tap Logic Analyzer;
7. Programming: burn the compiled FPGA program into the EPCS16 serial configuration device on the board.
Fig. 4. Task division of FPGA (block diagram; blocks shown: AM5728 connected via GPMC, ADC × 4, Filter × 6, DAC × 3, SPEED × 2, RS232, LED/KEY/RELAY/SYNC)
In this paper the FPGA is mainly responsible for input and output control of the related signals and for communication with the AM5728. As shown in Fig. 4, the FPGA's logical framework includes four ADC drivers, six filter and oversampling modules, a GPMC communication module, three DAC drivers, two speed-signal processing modules, a serial communication module, and the LED, key, relay and synchronization modules. The arrows in Fig. 4 show the direction of the signals.
Design of Digital Control Platform for Magnetic Bearings
323
4.2 DSP Core with RTOS Development Process For joint development on the AM5728 the DSP side runs an RTOS, so the Linux version of the RTOS Processor SDK must be installed for DSP-side RTOS development. DSP1 runs the control algorithm and DSP2 runs the FFT algorithm. The FFT program performs the FFT analysis of the signal and stores and outputs the processed time-domain and frequency-domain data; the control program covers displacement/speed signal sampling, the higher-order control algorithm and amplifier control signal output. The development process is as follows.
1. Install CCS 7.4.0 and add the corresponding Linux-version RTOS development kit components to build the RTOS development environment.
2. Select the processor, architecture, XDC tool version, components and platform to build the RTOS project.
3. Write the DSP control algorithm and the FFT analysis program respectively, select the corresponding drivers for compilation, and complete the program porting.
4. Load and run the RTOS project image with an emulator or via U-Boot.
4.3 IPC Multi-core Joint Development Process The AM5728 is a heterogeneous multi-core SoC: in the usual configuration the ARM side runs Linux and the DSP/IPU (Cortex-M4) side runs the RTOS (SYS/BIOS), although the ARM, DSP and IPU sides can each run the RTOS independently. Joint development of the ARM, DSP and IPU sides through the IPC component (ARM running Linux, DSP/IPU running the RTOS) is Linux based, and the Linux version of the RTOS Processor SDK must be installed. Through the IPC component the cores of the SoC communicate with each other and with other devices.
In joint development the ARM is the Host side (master core) and the DSP/IPU is the Slave side (remote core): the Host runs Linux and communicates with the Slave running the RTOS. Fig. 5 shows the flow of inter-core communication based on the MessageQ component. 1) After the Slave side starts, it creates a MessageQ message queue and waits for messages from the Host side; when it receives a MessageQ message from the Host, it returns the message to the Host. 2) After the Host side starts, it opens the MessageQ queue created by the Slave side, sends messages to the queue and waits for the Slave's reply. At the end of the program the Host sends the APP_CMD_SHUTDOWN command, the MessageQ queue is closed and the program ends (Fig. 5).
[Fig. 5 residue. ARM (Host) side: IPC_start, IPC_attach, MessageQ_open, MessageQ_put, MessageQ_get, MessageQ_close, IPC_stop, End. DSP (Slave) side: BIOS_start, IPC_attach, MessageQ_create, MessageQ_get, message parsing and processing, MessageQ_put, MessageQ_delete, Server_exit, End. Phases: IPC initialization, MessageQ transmission, close IPC.]
Fig. 5. IPC multi-core joint development flow
In operation of the magnetic bearing digital control platform, after the DSP and ARM programs are started, each DSP first initializes and then waits for the control cycle interrupt (10 kHz). When the interrupt fires, the two DSPs each run their own program. DSP1 checks whether the parameter update flag is set. If it is not set, there is no request to update parameters and DSP1 runs the control algorithm directly; if it is set, the parameters to be updated are already in shared memory, so DSP1 reads the new parameters from shared memory, clears the update flag, sets the update completion flag, and then runs the control algorithm. The control algorithm includes displacement/speed signal sampling, the higher-order control algorithm and amplifier control signal output.
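The flag handshake described above, written out as an added example that is not the paper's code: a simulated double-flag parameter handoff between the ARM host and DSP1 in portable C. The shared block layout, the flag and function names and the parameter bounds are all assumptions of this example. Two details matter in practice and are built in: the host writes the whole parameter block before raising the request flag, so DSP1 never consumes a half-written block, and DSP1 bounds-checks every value before applying it, so a wrong or tampered parameter arriving through the host's communication interfaces cannot push the bearing controller outside its designed envelope. On the real AM5728 the block would live in a shared region with a cache write-back and memory barrier before the flag write; here volatile accesses stand in for that.

```c
/* Added example, not the paper's code: simulated ARM -> DSP1 parameter
 * handoff with request/completion flags. Layout, names and bounds are
 * hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define N_PARAMS 4

/* Shared block: staged parameters plus the two handshake flags. */
typedef struct {
    volatile uint32_t update_request;   /* host -> DSP1: new parameters staged */
    volatile uint32_t update_done;      /* DSP1 -> host: parameters consumed   */
    volatile float    staged[N_PARAMS]; /* written by host, read by DSP1       */
    volatile uint32_t seq;              /* bumped by host on each request      */
} shared_block_t;

/* Range the controller accepts (hypothetical limits for the example). A
 * host-side bug or a tampered value must not take the gains outside it. */
static const float PARAM_MIN[N_PARAMS] = {0.0f, 0.0f, 0.0f, 0.0f};
static const float PARAM_MAX[N_PARAMS] = {100.0f, 100.0f, 10.0f, 1.0f};

static shared_block_t shm;                                  /* stands in for shared memory */
static float active[N_PARAMS] = {1.0f, 0.5f, 0.1f, 0.01f};  /* DSP1's live parameters      */
static unsigned rejected_updates = 0;

/* Host side: stage the full block first, raise the request flag last, so
 * DSP1 can never observe a partially written block. Returns false if the
 * previous request has not been consumed yet. */
bool host_request_update(const float *params)
{
    if (shm.update_request)                 /* DSP1 has not taken the last one */
        return false;
    shm.update_done = 0;
    for (int i = 0; i < N_PARAMS; i++)
        shm.staged[i] = params[i];
    shm.seq++;
    /* real build: cache write-back + memory barrier here */
    shm.update_request = 1;
    return true;
}

/* DSP1 side, called from the 10 kHz control interrupt. Copies the staged
 * block out, validates it, clears the request flag, sets completion, then
 * runs the control algorithm. Returns true if new parameters were applied. */
bool dsp1_control_cycle(void)
{
    bool applied = false;
    if (shm.update_request) {
        float candidate[N_PARAMS];
        bool ok = true;
        for (int i = 0; i < N_PARAMS; i++) {
            candidate[i] = shm.staged[i];
            if (!(candidate[i] >= PARAM_MIN[i] && candidate[i] <= PARAM_MAX[i]))
                ok = false;                 /* also rejects NaN */
        }
        if (ok) {
            memcpy(active, candidate, sizeof active);
            applied = true;
        } else {
            rejected_updates++;             /* keep running on the old gains */
        }
        shm.update_request = 0;             /* reset the update flag     */
        shm.update_done = 1;                /* signal completion to host */
    }
    /* control algorithm would run here using `active` */
    return applied;
}

/* Host side: poll for completion of the last request. */
bool host_update_complete(void) { return shm.update_done != 0; }

float dsp1_param(int i) { return (i >= 0 && i < N_PARAMS) ? active[i] : 0.0f; }
unsigned dsp1_rejected(void) { return rejected_updates; }
```

dsp1_control_cycle() is the body the 10 kHz interrupt would call; the host polls host_update_complete() after each request and must not stage another block until the flag has been consumed.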
A message queue is created on the DSP2 side to pass the information, and two buffers are set up on the ARM side for data storage. After the displacement data are stored in shared memory 1, the ARM side sends a message to DSP2. On receiving the message, DSP2 reads the data from shared memory 1, performs the FFT amplitude calculation, stores the result in shared memory 2 and sends a message back to the ARM (Fig. 6).
Fig. 6. The dual DSP core development case
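One block serving both the MessageQ exchange of Fig. 5 and the dual-DSP FFT case of Fig. 6, added here as an example and not taken from the paper: the ARM writes a block of displacement samples into shared memory 1 and messages DSP2; DSP2 computes the single-sided amplitude spectrum into shared memory 2 and messages back; the ARM then reads out the dominant bin. The TI IPC calls (MessageQ_create/open/put/get) are replaced by a hypothetical one-slot mailbox, the shared memories are plain arrays, the command codes are invented for the example, and the FFT, sine and square-root routines are textbook implementations standing in for DSPLIB and libm. The slave drops any command it does not recognise instead of acting on it.

```c
/* Added example, not the paper's code: ARM -> DSP2 -> ARM FFT handoff
 * simulated in portable C. Mailbox, command codes and helpers are
 * hypothetical stand-ins for MessageQ, DSPLIB and libm. */
#include <stdbool.h>
#include <stdint.h>

#define N 64                          /* samples per block, power of two */
#define APP_CMD_FFT      1u           /* hypothetical command codes      */
#define APP_CMD_FFT_DONE 2u
static const double PI = 3.14159265358979323846;

static double shm1[N];                /* shared memory 1: displacement samples */
static double shm2[N / 2];            /* shared memory 2: amplitude spectrum   */

typedef struct { bool pending; uint32_t cmd; } mailbox_t;   /* stands in for a MessageQ queue */
static mailbox_t to_dsp2, to_arm;
static void mbox_put(mailbox_t *m, uint32_t c) { m->cmd = c; m->pending = true; }
static bool mbox_get(mailbox_t *m, uint32_t *c)
{ if (!m->pending) return false; *c = m->cmd; m->pending = false; return true; }

static double sin_t(double x)         /* Taylor sine with range reduction (no libm) */
{
    while (x > PI) x -= 2 * PI;
    while (x < -PI) x += 2 * PI;
    double term = x, sum = x, x2 = x * x;
    for (int k = 1; k <= 8; k++) { term *= -x2 / ((2 * k) * (2 * k + 1)); sum += term; }
    return sum;
}
static double cos_t(double x) { return sin_t(x + PI / 2); }
static double sqrt_t(double v)        /* Newton iteration */
{ if (v <= 0) return 0; double r = v > 1 ? v : 1; for (int i = 0; i < 60; i++) r = 0.5 * (r + v / r); return r; }

/* In-place iterative radix-2 FFT on n complex points (n a power of two). */
static void fft(double *re, double *im, int n)
{
    for (int i = 1, j = 0; i < n; i++) {          /* bit-reversal permutation */
        int bit = n >> 1;
        for (; j & bit; bit >>= 1) j ^= bit;
        j ^= bit;
        if (i < j) { double t = re[i]; re[i] = re[j]; re[j] = t;
                     t = im[i]; im[i] = im[j]; im[j] = t; }
    }
    for (int len = 2; len <= n; len <<= 1) {
        double wr = cos_t(-2 * PI / len), wi = sin_t(-2 * PI / len);
        for (int i = 0; i < n; i += len) {
            double cr = 1, ci = 0;
            for (int k = 0; k < len / 2; k++) {
                int a = i + k, b = a + len / 2;
                double tr = re[b] * cr - im[b] * ci, ti = re[b] * ci + im[b] * cr;
                re[b] = re[a] - tr; im[b] = im[a] - ti; re[a] += tr; im[a] += ti;
                double ncr = cr * wr - ci * wi; ci = cr * wi + ci * wr; cr = ncr;
            }
        }
    }
}

/* ARM side: store one block in shared memory 1 and message DSP2.
 * Returns false if DSP2 has not picked up the previous block. */
bool arm_submit_block(const double *samples)
{
    if (to_dsp2.pending) return false;
    for (int i = 0; i < N; i++) shm1[i] = samples[i];
    mbox_put(&to_dsp2, APP_CMD_FFT);
    return true;
}

/* DSP2 side: on an FFT command, read shm1, write the single-sided amplitude
 * spectrum to shm2 and message the ARM. Unknown commands are dropped. */
bool dsp2_service(void)
{
    uint32_t cmd;
    if (!mbox_get(&to_dsp2, &cmd) || cmd != APP_CMD_FFT) return false;
    double re[N], im[N];
    for (int i = 0; i < N; i++) { re[i] = shm1[i]; im[i] = 0; }
    fft(re, im, N);
    for (int k = 0; k < N / 2; k++) {
        double mag = sqrt_t(re[k] * re[k] + im[k] * im[k]) / N;
        shm2[k] = (k == 0) ? mag : 2 * mag;       /* fold in negative frequencies */
    }
    mbox_put(&to_arm, APP_CMD_FFT_DONE);
    return true;
}

/* ARM side: on DSP2's reply, return the strongest non-DC bin, else -1. */
int arm_collect_peak_bin(void)
{
    uint32_t cmd;
    if (!mbox_get(&to_arm, &cmd) || cmd != APP_CMD_FFT_DONE) return -1;
    int best = 1;
    for (int k = 2; k < N / 2; k++) if (shm2[k] > shm2[best]) best = k;
    return best;
}
double arm_spectrum_bin(int k) { return (k >= 0 && k < N / 2) ? shm2[k] : -1; }

/* Constructed input for the example: an amplitude-3 sine at bin 5. */
void make_test_block(double *out)
{
    for (int n = 0; n < N; n++) out[n] = 3 * sin_t(2 * PI * 5 * n / N);
}
```

Submitting a block while the previous message is still pending is refused rather than overwriting shared memory 1 underneath DSP2, which is the same discipline as the parameter flags: the producer only writes when the consumer has signalled that it is done.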
The IPC joint development component lets the computing power of the AM5728's dual DSPs and the real-time performance of RTLinux on the ARM side be exploited together. Taking the two cores running the control algorithm and the FFT algorithm separately as an example, the designed digital control platform can run more complex, higher-order algorithms while updating parameters online in a timely manner, through reasonable allocation of computing resources and communication between the dual DSP cores, which improves the stability, reliability and interference immunity of the system. It also shows that a digital control platform based on a multi-core architecture can realize its performance potential through software migration and resource allocation.
5 Conclusion In this paper a digital control platform for magnetic bearings with a multi-core architecture is designed, and the digital processing system, FPGA, ADC and other key devices of the control platform are selected to meet its operating requirements. Based on the SOM-TL5728 core board, the FPGA hardware logic development process, the DSP-side program development and porting, and the IPC heterogeneous multi-core development process are given. The case of running the control algorithm and the FFT algorithm on the two DSP cores respectively shows that the designed multi-core digital platform fully meets the requirements of a magnetic bearing digital control platform. Moreover, it has outstanding advantages in computing performance, system stability and interface scalability, and its performance potential can be exploited further through secondary development such as software porting and resource allocation. Acknowledgement. This project is supported by the National Key Research and Development Project (No. 2018YFB2000100) and the National Natural Science Foundation (No. 51775292).
References
1. Schweitzer, G., Maslen, E.H. (eds.): Magnetic Bearings: Theory, Design, and Application to Rotating Machinery. Springer, Berlin Heidelberg, pp. 1–26 (2009)
2. Bai, C.J., Song, F.Z., Shao, H.Y.: The development and application of magnetic bearings. J. Jinan Univ. (Natural Science Edition) 4, 325–331 (2007)
3. Dai, X.J., Tang, C.L., Zhang, K.: Progress of advanced power systems using flywheel energy storage. Chinese Journal of Power Sources 33(11), 1026–1028 (2009)
4. Zhu, H.Q., Xu, L.X.: Design and implementation of a digital controller for active magnetic bearings based on DSP. Appl. Elec. Technol. 27(7), 30–32 (2001)
5. Wu, G.Q., Zhang, G., Zhang, J.S., et al.: Research on an active magnetic bearing electric spindle control system based on DSP. J. Elec. Machi. Ctrl. 10(2), 118–120 (2006)
6. Zhang, K., et al.: A new generation of magnetic bearing controller experimental platform based on PC and RTLinux. Appl. Elec. Technol. 29(4), 38–41 (2003)
7. Xue, L.X.: Research on magnetic bearing measurement and control system. Tsinghua University, pp. 47–55 (2018)
Research on the Critical Concerns of Software V&V for NPP I&C System Important to Safety Sheng-Chao Wang1,2(B) , Xin Du1,2 , Heng Li1,2 , and Zhou Xiao1,2 1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China
Nuclear Power Engineering Company Ltd., Shenzhen 518172, China [email protected] 2 I&C Department, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China
Abstract. Compared with the second generation of nuclear power plant (NPP), the third generation of NPP puts forward higher requirements in terms of safety and reliability, and the corresponding regulatory requirements are also more stringent. Therefore, the reliability of the safety digital instrumentation and control (I&C) systems and the software for implementing safety functions of NPPs have been highly valued. Software verification and validation (V&V) technology is an effective means to verify the safety software quality of NPPs, and has been widely recognized in the field of nuclear power. According to the related regulations and standards of software V&V for I&C systems important to safety of NPPs, the safety software V&V plan outline is analyzed. Combined with the consensus of main implementing authorities of software V&V in nuclear power field and the concerns of regulatory authorities, the implementation depth and key points of each activity in the work outline of safety software V&V for NPPs are expounded respectively. Finally, it summarizes the regulations and standards that the safety software V&V must follow, the core points in the implementation process, and the role of V&V measurement, in order to provide a reference for the specific implementation of the software V&V for I&C systems important to safety in NPPs. Keywords: NPP · I&C · Software V&V · Regulations and standards
1 Introduction As China's third-generation nuclear power projects enter the stage of mass construction, third-generation nuclear power plants (NPPs) impose higher requirements on safety and reliability than second-generation NPPs, and the corresponding regulatory requirements are also stricter. Therefore, the reliability of the safety digital instrumentation and control (I&C) system and of the software implementing the safety functions of NPPs has received close attention. Although some regulations, guidelines and standards related to software V&V have been issued in the nuclear power field with reference to IEC, IAEA and other international standards, these regulations, guidelines and standards only state the requirements for software V&V in the nuclear power field; how to follow the relevant standards and how to implement software V&V are not covered by mandatory, standardized requirements. The formation of a software V&V implementation specification for the safety digital I&C systems of NPPs is therefore an urgent problem for safety software V&V in the nuclear power field. For this reason, the regulatory authorities for China's NPP safety digital I&C systems convened representative organizations, including those engaged in software V&V in the industry, and reached a consensus on how to implement software V&V in the nuclear power field. This study reviews the requirements of the relevant regulations, guidelines and standards for the software V&V of I&C systems important to safety in NPPs and, following the content of the V&V plan outline, sets out the execution depth of each activity in the outline and the key points that regulators pay attention to.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 327–335, 2022. https://doi.org/10.1007/978-981-19-1181-1_32
2 Software V&V Related Requirements 2.1 Regulations and Standards and Their References NPP safety I&C system software performs safety functions and shall meet the requirements of relevant regulations and standards of nuclear safety according to regulatory requirements (see Fig. 1).
[Fig. 1 residue: the diagram lists, for China, HAF 102-2016, HAF 003-1991, HAD 102/16-2004, GB/T 15474-2010, NB/T 20026-2014, NB/T 60880-2006 and NB/T 20448-2017; and, for other countries and international organisations, IAEA SSR-2/1, IAEA SSR-39, US NRC 10 CFR 50 App. B, IEC 61226, IEC 61513, IEC 60880 and IEEE 1012.]
Fig. 1. Software V&V related regulations and standards for safety I&C system of NPP.
Based on the regulations and relevant guidelines for the design of systems important to safety in NPP, and combined with the functional classification and general requirements of I&C systems, this diagram decomposes the related requirements of software V&V.
Research on the Critical Concerns of Software V&V
329
2.2 Regulatory and Guideline Requirements The concept and definition of quality assurance for NPPs originated in the United States, which also issued the world's first nuclear power quality assurance regulation in 1970. On this basis the IAEA and other nuclear energy countries subsequently issued their own quality assurance regulations, and China's "Quality Assurance for Safety in Nuclear Power Plants" (HAF 003) was issued against this background [1]. HAF 003 states the basic requirements that must be met in establishing and implementing the quality assurance programme of NPPs and other civil nuclear facilities and their related organizations in China [2], and is an important means of ensuring the safety of NPPs and other civil nuclear facilities. HAF 003 is supported by the ten guidelines of the HAD 003 series. These guidelines are guidance documents: different methods and schemes may be used to establish the quality assurance programme, provided they are shown to achieve the same level of safety [3]. HAF 102 defines the requirements that must be met in the design of safety-critical structures, systems and components in NPPs [4], as well as for codes and organizational processes. Clause 6.4.4 of HAF 102 addresses computer-based systems used in systems important to safety: since an I&C system important to safety depends on the reliability of its computer-based system, the computer software must be developed and verified to defined standards, with an appropriate quality assurance programme applied throughout the software life cycle. In addition, a variety of complementary, integrated methods must be adopted at each stage of the development process, and the system design produced by these methods must be validated against the system requirements.
The purpose of the HAD 102/16 guideline is to provide guidance for gathering and documenting the evidence of safety justification at all stages of the software life cycle of computer-based systems important to safety in NPPs [5], so as to adequately demonstrate the safety and reliability of such systems. Chapter 10 of HAD 102/16 gives general rules, recommendations and documentation requirements for verification and analysis, and Chapter 12 gives the corresponding rules, recommendations and documentation requirements for computer-based systems, applicable to the verification and analysis of new software. Because information on the development process of existing or commercial software is difficult to obtain, Appendix I gives specific guidance and recommended practice for applying such software to safety functions. 2.3 Standard Requirements GB/T 15474 stipulates the method of classifying the I&C functions important to safety of NPPs and the systems [6], equipment and components that implement them, and determines the technical and quality assurance requirements of each category in terms of function, reliability, performance and other aspects. It specifically includes classification principles and methods, descriptions and classification criteria for category A/B/C functions, classification procedures and the various technical and quality requirements, which guide the software V&V criticality analysis task and determine the depth and breadth of software V&V.
NB/T 20026 stipulates the general requirements for I&C systems important to safety of NPPs [7]; it applies to the I&C systems important to safety of new NPPs and can serve as a reference for upgrading or modifying those of existing NPPs. Section 6.5 of NB/T 20026 sets out the qualification requirements and process for I&C systems important to safety, including the qualification requirements for system software and application software, and the informative Appendix B gives the principles of function classification and system classification. Under the specified environmental conditions and limitations, the I&C system must continue to meet the design criteria and performance requirements of the safety-important functions. NB/T 20054 stipulates the software requirements for computer-based systems performing category A functions in I&C systems important to safety of NPPs [8]. It is aimed at obtaining highly reliable software and covers each stage of the process of producing and documenting the software. The requirements related to software V&V include software quality assurance planning, configuration management, software safety and security, software verification and validation (V&V) and the qualification of pre-developed software, and the informative Appendix F describes software verification and testing activities and methods. NB/T 20448 defines the V&V process applied to the whole life cycle of systems, software and hardware [9] and applies to the V&V of I&C systems in NPPs; it can be used to perform particular life-cycle processes and the related V&V processes according to the actual situation of a project. Chapter 9 of this standard gives the specific software V&V activities and the minimum set of V&V tasks each activity should perform, Chapter 12 gives an example V&V plan outline, and the informative appendices introduce the risk-based integrity level scheme, the definition of independent V&V, reusable software V&V, and hazard, security and risk analysis.
3 Software V&V Plan Outline Based on the consensus reached by the major stakeholders in software V&V for I&C systems important to safety of NPPs in China, the regulatory authorities gave the following opinion: safety software V&V must comply with the relevant software V&V requirements of HAF 003, HAF 102 and HAD 102/16. The implementation may refer to either NB/T 20054 or NB/T 20448, but the contents of the two should not be mixed. The regulator prefers that the software V&V executor work according to the example V&V plan outline in NB/T 20448, which gives more detailed guidance on how to proceed. Therefore, following the framework of the example V&V plan outline in NB/T 20448 and combining the experience feedback and good practice of safety software V&V in NPPs, the contents and key points of each part of the outline are explained below. 3.1 Purpose The purpose, goals and scope of the V&V should be stated in the V&V plan outline; in actual execution the V&V organization must also give the version and identification of the V&V object, and for software implemented in programmable logic devices the chip identification must be given. The main role of the purpose section is to describe the scope of the V&V work, which is also the basis on which regulators identify the boundary of the V&V work and the scope of later supervision. Software, as a V&V object, is often delivered as part of a system component, so the V&V organization needs to distinguish the hardware and software boundaries and identify in the technical specifications the software and interfaces that implement safety functions, which helps avoid risk in later testing and acceptance. 3.2 Referenced Documents The V&V plan outline shall identify the basis, reference and supporting documents for the V&V work. Reference documents commonly go wrong at the boundary between the development documents and the V&V reference documents; for example, the V&V work is performed according to NB/T 20054, which is also often the reference standard for the software development. The scope of each reference document must therefore be clearly defined in the V&V plan outline. 3.3 Definitions The terms, abbreviations and symbols used should be defined in the V&V plan outline. Their definitions must be professional and used consistently in the outline and in the documents published subsequently; otherwise they easily confuse document users and regulatory authorities. 3.4 V&V Overview The V&V overview covers organization, master schedule, software integrity level scheme, resources summary, responsibilities, and tools, techniques and methods. The organizational structure shall satisfy the requirements of technical, managerial and financial independence; the definition and forms of independence are introduced in Appendix B of NB/T 20448.
The V&V organization should establish a unified, formal interface channel with the development organization, mainly for delivery of the software under test and timely handling of anomalies. The interface description should also explain the relationship between the V&V process and the software development, quality assurance, configuration management and other related processes; this is often presented as a diagram, and a sample organizational diagram is given in Appendix E of NB/T 20448. The master schedule shall be determined according to the development organization's progress, with tasks subdivided according to the milestones in the service contract and agreed by the development organization, so that the development and V&V organizations cooperate better in the subsequent iterations.
The software integrity level scheme generally assigns specific safety levels through software function classification or criticality analysis in order to match the appropriate V&V activities and tasks. Safety software performs category A functions, so the V&V work performs the activities and tasks matching software integrity level 4 of NB/T 20448, or the requirements for software with category A functions in NB/T 20054. The resources summary should show and analyze whether the V&V organization's resources meet the needs of the V&V work in terms of personnel, machines, materials, methods and environment, so that master schedule tasks are not left uncompleted for lack of resources late in the V&V work. In particular, the impact of turnover of key V&V personnel over the project cycle should be analyzed; this is often overlooked. Responsibilities identify the personnel involved in the V&V work and the tasks they undertake, with attention to whether the personnel are qualified for those tasks; this is a concern of regulators because the qualifications and abilities of personnel directly affect the effectiveness of V&V. The description of tools, techniques and methods shall specify which tools, techniques and methods are used for which V&V activities and tasks; they should differ from those used by the developer so that they verify software quality and provide sufficient confidence. Safe and reliable tools are a necessary condition for effective V&V activities and objective evaluation of software quality. V&V tools shall be quality assessed or suitability assessed as needed, to ensure that the tools are sufficiently safe and credible and do not introduce errors that adversely affect the safety and quality of the software parts and the final product.
If a mature commercial tool is used, its applicability and scope need to be demonstrated, and the effectiveness of a self-developed V&V tool needs to be verified. 3.5 V&V Processes The V&V processes in NB/T 20448 can be summarized in four parts: (1) common V&V processes, activities and tasks; (2) system V&V processes, activities and tasks; (3) software V&V processes, activities and tasks; and (4) hardware V&V processes, activities and tasks. Software V&V involves the first and third parts. The common V&V process, activities and tasks consist primarily of configuration management V&V, whose main activity is a configuration management assessment to verify that the configuration management process is complete and appropriate. The software V&V processes, activities and tasks (see Fig. 2) are the core of the V&V plan outline and should correspond to the phases of the software development life cycle. The verification between the user requirements and the system requirements specification, and the validation between the system validation tests and the system requirements specification, shown in Fig. 2 are generally not included in the software V&V work scope. However, under the higher safety requirements of third-generation NPPs, the front-end V&V work related to the design of the system requirements specification has attracted great attention and has become a V&V task that must be performed. The latest approach is to verify dynamically that the system requirements specification is satisfied through system process modeling. The remaining activities and tasks of the software V&V process can be performed in accordance with Chapter 9 and Table 10 of NB/T 20448, which cover the V&V tasks corresponding to each V&V activity and the execution criteria, required inputs and outputs of each task. Safety software V&V matches V&V activities and tasks according to software integrity level 4.
Fig. 2. Software V&V process of I&C system important to safety of NPPs [10]
3.6 V&V Reporting Requirements The V&V reports for safety software include V&V process records, task reports, anomaly reports, activity summary reports, the V&V final report, test documents, etc. The reports should objectively record and summarize the V&V process and results, and the traceability and consistency between reports should be shown through a reasonable reporting structure. The requirements for V&V reports can be found in Sect. 11.1 of NB/T 20448, and the specific content can be compiled according to the actual situation of the project. 3.7 V&V Administrative Requirements V&V administrative requirements mainly include anomaly resolution and reporting, the task iteration policy, the deviation policy, control procedures, and standards, practices and conventions. Anomaly resolution and reporting should include the anomaly reporting criteria, the department responsible for resolution and the criticality level of anomalies.
The task iteration policy mainly determines the scope of the V&V tasks to be iterated, and analyzes the impact of the changes, when an input changes or the task process changes. The deviation policy covers the strategy to be adopted when the implementation deviates from the contents formulated in the V&V plan outline, and stipulates the department or personnel that must approve that strategy. Control procedures mainly include quality assurance, configuration management, data management, process control and other activities. Standards, practices and conventions determine what the V&V administrative tasks should follow. 3.8 V&V Test Documentation Requirements The V&V activities and tasks include the tests to be performed by the V&V team, so the corresponding test plans, test designs, test cases, test procedures and test results need to be prepared according to the requirements of Sect. 11.3 of NB/T 20448.
4 Conclusions The software V&V of I&C systems important to safety for NPPs must comply with the software V&V requirements of HAF 003, HAF 102 and HAD 102/16. The specific implementation may refer to either NB/T 20054 or NB/T 20448, but the two should not be mixed. China's regulatory authorities prefer that V&V organizations work according to the example V&V plan outline in NB/T 20448, as that standard gives more detailed implementation guidance. The core of V&V is the software V&V process, activities and tasks; most of the other contents of the V&V outline concern management and documentation. However, to provide comprehensive, high-confidence evidence that the software implementation meets the functional requirements, V&V should be carried out in strict accordance with the relevant regulations and standards and the concerns of the regulatory authorities. Appendix D of NB/T 20448 gives methods of V&V measurement, including measures for evaluating anomaly density, V&V effectiveness and V&V efficiency, which provide feedback for continuous improvement of the V&V process and for evaluating the development process and software products. V&V measurements are necessary for evaluating software product quality, but their role is often overlooked.
References
1. Huang, C., Wang, X., Duan, H., Tian, F.: Discussion on some issues in the revision of HAF 003. Nucl. Saf. 12(2), 13–16 (2016)
2. HAF 003 - Quality Assurance for Safety in Nuclear Power Plants. National Nuclear Safety Administration of China (1991)
3. Yuan, M., Luo, X.: Comparison research on the quality assurance systems of HAF 003 and the ASME code. Nucl. Saf. 18(3), 19–24 (2019)
4. HAF 102 - Safety Regulations for Nuclear Power Plant Design. National Nuclear Safety Administration of China (2016)
5. HAD 102/16 - Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems. National Nuclear Safety Administration of China (2004)
6. GB/T 15474 - Nuclear power plants - Instrumentation and control systems important to safety - Classification of instrumentation and control functions. Standardization Administration of China (2010)
7. NB/T 20026 - Nuclear power plants - Instrumentation and control important to safety - General requirements for systems. National Energy Administration of China (2014)
8. NB/T 20054 - Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions. National Energy Administration of China (2011)
9. NB/T 20448 - IEEE Standard for System, Software, and Hardware Verification and Validation. National Energy Administration of China (2017)
10. IAEA Technical Reports Series No. 384 - Verification and Validation of Software Related to Nuclear Power Plant Instrumentation and Control. International Atomic Energy Agency, Vienna (1999)
Discussion About Software Testing Document of Nuclear Mi Zhang1 , Hai-Bin Zhang2 , Guang-Zhi Sun3 , Liang Li1(B) , Wei-Jie Huang1 , Dan Liu3 , Ju-Zhi Wang3 , and Hai-Feng Liu3 1 Nuclear and Radiation Safety Center, MEE, Beijing 100082, China
[email protected]
2 China Techenergy Co., Ltd., Beijing 100085, China 3 Wuhan Second Ship Design and Research Institute, Wuhan 430064, China
Abstract. By studying IEEE 829-2008, the standard for software test documentation of digital computers used in safety systems of nuclear power plants, the classification of testing levels (phases), the definition of testing tasks and the requirements for software testing documents of digital computers used in the safety systems of nuclear power plants are identified. Keywords: Testing documents · Software · Digital computer · Safety systems · Nuclear
1 Introduction Software test documents for digital computers in the safety-grade systems of nuclear power plants shall comply with the relevant national and international regulations and standards for nuclear power plant safety grades. On that basis, equipment manufacturers shall establish the classification of test levels (phases), the definition of test tasks, and the requirements for planning and compiling the software test documents of digital computers used in the safety-level systems of nuclear power plants.
2 Structure of the Standard System for Software Test Documents At present, the standard systems followed by the international nuclear industry for the software testing process and activities of digital computers in nuclear power plant safety-level systems mainly comprise the American IEEE series and the IEC series. After analysing the applicability of many nuclear safety standards, the structure of the standard system for software testing of digital computers in nuclear power plant safety-level systems is concluded to be as shown in Fig. 1. The regulations and guidance issued by the National Nuclear Safety Administration require that every quality assurance programme provide that any activity affecting the quality of a nuclear power plant, including activities during plant operation, be completed, verified and analysed in accordance with the written procedures, rules or drawings applicable to that activity, and be documented. The Standard Review Plan NUREG-0800 of the U.S. Nuclear Regulatory Commission (NRC) invokes Regulatory Guide 1.171, and R.G. 1.171 [1] identifies IEEE 829 as the standard for the software test documentation of digital computers in nuclear power plant safety-level systems [2]. Therefore, IEEE 829 is studied in this paper.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 336–349, 2022. https://doi.org/10.1007/978-981-19-1181-1_33
3 Versions of IEEE 829 IEEE 829 exists in a 1998 and a 2008 version. The changes from the 1998 version to the 2008 version are as follows:
• Consistent with IEEE/EIA Std 12207.0-1996, the focus moves from the documents to the process, while the planning document information is retained;
• The concept of integrity levels is added, to help organisations identify the minimum set of test tasks recommended for their work and the test documentation to be selected together with those tasks;
• The minimum recommended tasks for the example integrity level scheme are identified in the document;
• Activities for selecting the appropriate documents and their content are added;
• A master (overall) test plan is added to record the actual management of the whole test execution effort;
• A level interim test status report, published during test execution, is added [3];
• A master test report is added for the case where several level test reports need to be merged; the master test report summarises the test tasks identified in the master test plan.
Fig. 1. Standard structure of software test documents for digital computers in nuclear power plant safety-level systems (layers from top to bottom):
HAF 102, HAF 003 / nuclear safety regulations
HAD 102/16, HAD 003 / nuclear safety guides
IEEE 603, IEEE 7-4.3.2, R.G. 1.152 / standards for safety-level digital instrumentation and control systems
IEEE 1074, R.G. 1.173, BTP-14, IEC 12207 / software life-cycle standards and guidance
IEEE 1008, R.G. 1.171, IEEE 829 / software testing standards and guidance
Software testing activities
4 The Use of IEEE 829 IEEE 829 can be adopted in two ways, fully or partially. The following first describes the full and the partial method, then explains the concepts involved, and gives examples of the software life-cycle processes and their minimum tasks [4]. 4.1 Full Use of IEEE 829 The method for full use of IEEE 829-2008 is shown in Fig. 2.
Fig. 2. Method for full use of IEEE 829-2008:
1) Select an integrity level scheme;
2) Identify the desired integrity level for the software or system to be tested (e.g. level 1 to 4);
3) Select the test tasks identified as needed for that integrity level; each test task identifies its associated documentation;
4) Inventory the test documentation identified as needed by the selected test tasks;
5) Select the contents of each test document.
Because IEEE 829-2008 places more emphasis on the concept of process, the full approach addresses the whole software life cycle. First an integrity level scheme is chosen and the integrity level of the software or system is determined; then the test tasks and the associated test documents are determined according to that integrity level; finally the contents of each test document are determined. 4.2 Partial Use of IEEE 829 The method for partial use of a section of IEEE 829-2008 is shown in Fig. 3.
Fig. 3. Method for partial use of IEEE 829-2008: test plan → test design → test cases/procedures and execution → test result report
4.3 Example of an Integrity Level Scheme Integrity level schemes are generally defined according to the consequences of a software or system failure and the potential for mitigating them [5]. An example of an integrity level scheme is shown in Table 1.
Table 1. Integrity level scheme based on the severity of consequences
Level 4: The software element must execute correctly or catastrophic consequences (loss of life, loss of the system, economic or social loss) will occur. The consequences cannot be mitigated.
Level 3: The software element must execute correctly or the intended use of the system or software (its mission) will not be achieved, with serious consequences (long-term damage, major system degradation, economic or social impact). Partial or complete mitigation of the consequences is possible.
Level 2: The software element must execute correctly or the intended function will not be achieved, with minor consequences. Complete mitigation of the consequences is possible.
Level 1: The software element must execute correctly or the intended function will not be achieved, with negligible consequences. Mitigation of the consequences is not needed.
4.4 Requirements of Each Integrity Level Examples of the test documents required at each integrity level are shown in Table 2. The table also implies how much test activity is to be performed in practice. The test documents for each level (phase) generally include test plans, test designs, test cases, test procedures and test results (exception reports, interim test status reports, test reports and so on) [6].
Table 2. Examples of test document requirements for each integrity level (each "level" document is produced for each test level: component, component integration, system, acceptance)
Integrity level 4: master (overall) test plan; level test plan; level test design; level test case; level test procedure; level test log; exception report; level interim test status report; level test report; master (overall) test report.
Integrity level 3: master (overall) test plan; level test plan; level test design; level test case; level test procedure; level test log; exception report; level interim test status report; level test report; master (overall) test report.
Integrity level 2: level test plan; level test design; level test case; level test procedure; level test log; exception report; level interim test status report; level test report.
Integrity level 1: level test plan; level test design; level test case; level test procedure; level test log; exception report; level test report.
Description: the test levels (phases) are listed in the table. Test levels (phases) generally include component testing (also called unit testing [7] or module testing), component integration testing, system testing and acceptance testing. IEEE 829 states that acceptance testing is similar to the qualification testing and validation testing of IEEE/EIA Std 12207.0-1996 [8]. The more serious the consequences of a software or system failure, the higher the integrity level, the more test activities and test tasks are required in the test phases, and the more test documents are required. Equipment manufacturers define the test levels (phases) and their specific content according to IEEE 829-2008.
5 Testing Activities and Tasks The test activities and tasks across the software life cycle are shown in Fig. 4. Following the software life-cycle process description of IEEE/EIA Std 12207.0-1996, all test activities over the whole software life cycle are listed in the figure, and the tasks of each activity are described below.
Fig. 4. Testing activities and tasks during software engineering (process: activity; the tasks of each activity are explained in the text)
Management: test management
Acquisition: acquisition support
Supply: test planning
Development: concept; requirements; design; implementation; test; installation/checkout
Operation: operational test
Maintenance: maintenance test
(1) Test management
a) Generate the master (overall) test plan
b) Perform the management review of the test effort
c) Support the management and technical reviews
d) Organise and support the process interfaces
e) Identify opportunities for process improvement during testing, including lessons learned
(2) Acquisition support
a) Scope the test effort (preliminary)
b) Plan the interfaces between testing and supporting activities (preliminary)
c) Acquire the system requirements
d) Establish contract guidelines for the owner's testing
(3) Test planning
a) Plan the interfaces between testing and supporting activities (continued)
b) Scope the test effort (continued)
c) Identify the test traceability matrix
d) Identify the integrity levels
(4) Concept
a) Review the concept documentation, in which the user requirements are captured for the tester
b) Review the documents required for the system
c) Generate the test traceability matrix (preliminary)
d) Identify the integrity levels
(5) Requirements
a) Generate the acceptance test plan
b) Generate the system test plan
c) Review the software requirements and the interface testing
d) Identify the integrity levels (updated)
e) Generate the test traceability matrix (updated)
f) Identify risks (test)
g) Identify security issues (test)
(6) Design
a) Generate the acceptance test design
b) Generate the system test design
c) Generate the component integration test plan
d) Generate the component integration test design
e) Generate the component test plan
f) Generate the component test design
g) Identify the integrity levels (updated)
h) Generate the test traceability matrix (updated)
i) Identify risks (test)
j) Identify security issues (test)
(7) Implementation
a) Generate the acceptance test cases
b) Generate the acceptance test procedures
c) Generate the system test cases
d) Generate the system test procedures
e) Generate the component integration test cases
f) Generate the component integration test procedures
g) Generate the component test cases
h) Generate the component test procedures
i) Perform component testing
j) Evaluate the component test results
k) Prepare the component test report
l) Generate the test traceability matrix (updated)
m) Perform the test readiness review
n) Identify the integrity levels (updated)
o) Identify risks (test)
p) Identify security issues (test)
(8) Test
a) Perform component integration testing
b) Evaluate the component integration test results
c) Prepare the component integration test report
d) Perform system testing
e) Evaluate the system test results
f) Prepare the system test report
g) Perform acceptance testing
h) Evaluate the acceptance test results
i) Prepare the acceptance test report
j) Identify risks
k) Identify security issues
(9) Installation/checkout
a) Support the configuration audit (physical and functional)
b) Perform the installation checkout
c) Evaluate the installation checkout
d) Prepare the installation checkout report
e) Prepare the master (overall) test report (if required)
f) Identify risks (test)
g) Identify security issues (test)
(10) Operational test
a) Evaluate the operating procedures
b) Perform operational testing
c) Evaluate the operational test results
d) Prepare the operational test report
e) Identify risks (test)
f) Identify security issues (test)
(11) Maintenance test
a) Revise all affected test documents
b) Perform the anomaly (exception) assessment
c) Iterate the test tasks
6 Relationship of Test Documents 6.1 Relationship of Level (Phase) Test Documents The relationship of the level (phase) test documents is shown in Fig. 5.
Fig. 5. Relationship of the level (phase) test documents
6.2 Overall Relationship of Test Documents The overall relationship of the test documents is shown in Fig. 6. Description: as an example, only acceptance testing is shown in detail in the upper part of the figure. In the figure, the level test plan comprises the acceptance test plan, the system test plan, the component integration test plan and the component test plan; the level test design, level test cases, level test procedures, level interim test status reports, level test logs and level exception reports likewise each comprise one document per test level.
Fig. 6. Overall relationship of test documents. The figure shows the overall (master) test plan feeding the four level test plans (acceptance test plan, system test plan, component integration test plan, component test plan); for the acceptance level, the chain acceptance test design → acceptance test case → acceptance test procedure → test execution; test execution producing the level test log, the interim test status report and the exception report; the level test reports (acceptance, system, component integration, component); and these feeding the overall (master) test report.
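As an added illustration (not part of the original paper and not from IEEE 829 itself), the following Python script encodes the document tailoring of Table 2 (Sect. 4.4) and the derivation chain of Fig. 6 (Sect. 6.2) as an audit a V&V reviewer could run over the document register of a delivery: it lists which documents are missing for a given integrity level and which delivered documents lack the document they are derived from. The document kinds and the per-level tailoring are the paper's; the prerequisite mapping is an assumption read off the figure, and the sample delivered register is constructed here.

```python
"""Added example: audit of an IEEE 829-2008 style test document set (not from the paper)."""
from typing import Dict, Iterable, List, Set, Tuple

TEST_LEVELS: Tuple[str, ...] = ("component", "component integration", "system", "acceptance")

# Level (phase) document kinds required at each integrity level, after Table 2.
_COMMON = ["test plan", "test design", "test case", "test procedure",
           "test log", "exception report", "test report"]
LEVEL_DOCS: Dict[int, List[str]] = {
    4: _COMMON + ["interim test status report"],
    3: _COMMON + ["interim test status report"],
    2: _COMMON + ["interim test status report"],
    1: list(_COMMON),
}
# Master (overall) documents appear only at integrity levels 3 and 4 in Table 2.
MASTER_DOCS: Dict[int, List[str]] = {
    4: ["master test plan", "master test report"],
    3: ["master test plan", "master test report"],
    2: [],
    1: [],
}
# Derivation chain read from Fig. 6 (an assumption of this audit): each level
# document presupposes the document it is derived from at the same test level.
PREREQ: Dict[str, str] = {
    "test design": "test plan",
    "test case": "test design",
    "test procedure": "test case",
    "test log": "test procedure",
    "exception report": "test log",
    "interim test status report": "test log",
    "test report": "test log",
}


def doc_id(test_level: str, kind: str) -> str:
    return f"{test_level} {kind}"


def required_documents(integrity_level: int,
                       test_levels: Iterable[str] = TEST_LEVELS) -> Set[str]:
    """Inventory of the documents Table 2 calls for at the given integrity level."""
    if integrity_level not in LEVEL_DOCS:
        raise ValueError("integrity level must be 1..4")
    required = {doc_id(lvl, kind)
                for lvl in tuple(test_levels) for kind in LEVEL_DOCS[integrity_level]}
    required.update(MASTER_DOCS[integrity_level])
    return required


def audit(integrity_level: int, delivered: Iterable[str],
          test_levels: Iterable[str] = TEST_LEVELS) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Return (missing documents, broken derivation links) for a delivered register."""
    delivered_set = set(delivered)
    levels = tuple(test_levels)
    missing = required_documents(integrity_level, levels) - delivered_set
    broken: List[Tuple[str, str]] = []
    for lvl in levels:
        for kind, parent in PREREQ.items():
            if doc_id(lvl, kind) in delivered_set and doc_id(lvl, parent) not in delivered_set:
                broken.append((doc_id(lvl, kind), doc_id(lvl, parent)))
    # The master test report summarises every level test report (Fig. 6).
    if "master test report" in delivered_set:
        for lvl in levels:
            if doc_id(lvl, "test report") not in delivered_set:
                broken.append(("master test report", doc_id(lvl, "test report")))
    return missing, broken


def run_example() -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Constructed register: an integrity level 3 delivery in which the system
    test log was never filed, although the reports derived from it were."""
    delivered = required_documents(3) - {"system test log"}
    return audit(3, delivered)


if __name__ == "__main__":
    missing_docs, broken_links = run_example()
    print("missing:", sorted(missing_docs))
    for child, parent in broken_links:
        print(f"{child!r} delivered but its source {parent!r} is absent")
```

The audit reports the missing log once and, separately, every document that claims to be derived from it, which is the finding a reviewer needs: a test report without a log behind it is not evidence of execution.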
7 Conclusion Based on the study of IEEE 829-2008, the following conclusions can be drawn. The test levels (phases) of software testing for digital computers in nuclear power plant safety-level systems shall generally comprise four levels: component testing, component integration testing, system testing and acceptance testing. The integrity level scheme of IEEE 829-2008 can be applied directly to the software testing of digital computers in nuclear power plant safety-level systems, specifying the test tasks and document requirements for each integrity level.
References
1. U.S. Nuclear Regulatory Commission: NUREG-0800, Chapter 7, Appendix 7-A, Branch Technical Position HICB-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems. Washington DC (2007)
2. U.S. Nuclear Regulatory Commission: Regulatory Guide 1.171-1997, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Washington DC (1997)
3. IEEE Std 829-2008, IEEE Standard for Software and System Test Documentation. The Institute of Electrical and Electronics Engineers, Inc., New York (2008)
4. IEEE Std 1074-1997, IEEE Standard for Developing Software Life Cycle Processes. The Institute of Electrical and Electronics Engineers, Inc., New York (1997)
5. IEEE Std 1012-2004, IEEE Standard for Software Verification and Validation. The Institute of Electrical and Electronics Engineers, Inc., New York (2004)
6. IEC 60880:2006, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions. International Electrotechnical Commission, Switzerland (2006)
7. IEEE Std 1008-1987, IEEE Standard for Software Unit Testing. The Institute of Electrical and Electronics Engineers, Inc., New York (1987)
8. IEEE/EIA Std 12207.0-1996, Information technology - Software life cycle processes. New York (1996)
Calculate Reliability by Fault Tree Method to Optimize the Periodical Test Cycle of Protection System
Ning Qiao and Jin-Bing Liu(B)
I&C Department, Nuclear and Radiation Safety Center, Beijing, China
[email protected]
Abstract. Reliability-centered maintenance (RCM) is a maintenance strategy that optimizes the maintenance program on the basis of reliability analysis. This article focuses on the periodic test of the protection system. Based on the structure of a nuclear power plant's protection system and on the plant's actual operating data, the reliability of the protection system is calculated by fault tree analysis. From the reliability index of the protection system and the availability requirements of the plant, the maximum interval of the periodic test of the protection system logic and response time is calculated, providing a basis for the maintenance activities of the plant. Keywords: Fault tree analysis · Protection system · Reliability · Periodic test
1 Preface As the operating hours of nuclear power plants increase, the importance of arranging maintenance activities rationally is increasingly recognized: it both keeps the risk of the plant at an acceptable level and avoids the adverse effects that maintenance itself can cause. Reliability-centered maintenance (RCM) is a maintenance analysis method developed in the late 1970s. It determines specific maintenance strategies according to the impact of each failure mode on the whole system and its failure characteristics. RCM has been applied at nuclear power plants such as Daya Bay in China. Based on the structure of the TW nuclear power plant's protection system and on the plant's actual operating data, this paper calculates the reliability of the protection system by fault tree analysis, providing a basis for the plant's maintenance activities.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 350–359, 2022. https://doi.org/10.1007/978-981-19-1181-1_34
2 Reliability-Centered Maintenance RCM is a systematic method for analyzing system functions and their failure modes and for deriving maintenance tasks by priority. By analyzing the effects and consequences of equipment failure modes, RCM finds the maintenance strategy corresponding to each failure mode [1]. With reference to GJB/Z 1391-2006, a typical RCM analysis comprises three parts: 1) according to the failure condition of the target system, determine the equipment and the failure scope to be studied; 2) perform FMEA and FTA on the system and reach definite conclusions on the system's functional failure modes and their consequences; 3) for every failure mode of the equipment, propose suitable maintenance decisions and determine the corresponding results and technical features [5]. The digital protection system is an important part of ensuring the safety of nuclear power plants: it prevents the reactor's operating conditions from exceeding the expected safety limits, or mitigates the consequences if they are exceeded. This paper focuses on the failure of the protection system in which the actuation signal that opens the reactor trip breakers cannot be generated under accident conditions. Section 3 uses fault tree analysis (FTA) to build a fault tree with reactor scram failure as the top event, based on the signal flow chart of the protection system, with the actual failure rate data of the hardware components as input. The fault tree is then analyzed quantitatively and the failure probability of reactor scram is obtained. According to the overall reliability and availability requirements of the protection system, Sect. 4 derives the maximum interval of periodic testing to guide the plant's maintenance activities.
3 Reliability Calculation of the Protection System Using Fault Tree Analysis 3.1 Introduction to Fault Tree Analysis FTA is a technique that takes an undesired system-level event as the target, analyzes the direct causes of failure at every level of the system, and finally identifies the causes (or combinations of causes) of the top event and evaluates its probability. This paper takes reactor scram failure as the top event and uses FTA to evaluate the failure probability of the protection system [2].
Fig. 1. Fault tree analysis flow chart
Figure 1 shows a typical FTA process. First, the scope of analysis is determined according to the structure and function of the protection system. Then, according to the hardware composition of the protection system, including its PCB communication and power supply scheme, the signal flow graph of the protection system is drawn. From the signal flow graph, together with the failure modes and fault handling mechanisms of the boards, the fault tree is built. Entering the operating data of the boards into the tree, the probability that the protection system fails to act and the minimal cut sets are obtained [3]. 3.2 Overall Structure of the Protection System The main function of the protection system is to perform safety functions when an accident occurs: to trigger a reactor scram and to start the Engineered Safety Features Actuation System. The system usually consists of four redundant channels, each satisfying the requirements of independence and isolation. Each channel is composed of several modules, including signal acquisition, signal processing and signal output modules. The structure of the digital protection system is shown in Fig. 2. When the reactor operating parameters approach the limits of the safe operating range, the reactor protection system automatically prevents operation in the unsafe range by shutting down the reactor. The signals from the safety-level process instrumentation and nuclear instrumentation are collected and computed by the protection system and compared with the setpoints, and the scram signal is then generated.
Fig. 2. Structure diagram of the digital protection system
Reactor trip variables (process variables, neutron fluence rate, etc.) are measured by two to four redundant instrumentation channels; the corresponding acquisition and logic processing channels (protection groups) collect and compute the measured signals, compare them with the setpoints and generate a "partial trip" signal for logic voting. The partial trip signal is then sent to the other three protection groups, so that each protection group holds as many partial trip signals as there are measurement channels. Each protection group then votes on and logically processes these partial trip signals, and when the required logic combination is satisfied, a reactor trip signal is sent to open the reactor trip breakers [4]. 3.3 Fault Tree Analysis The fault tree is built from the top down. The first task of fault tree modeling is to determine the top event; here the top event is failure of the protection function of the protection system. 3.3.1 Determining Basic Events According to the Failure Modes of the Protection System Fault tree analysis finds the direct causes of an event layer by layer. According to the failure criterion, the direct causes of the top event are connected to it as intermediate events through logic gates (OR gate, AND gate, etc.), and each intermediate event is decomposed further downwards. This is repeated until the events can no longer, or need no longer, be decomposed; the events at the bottom of the fault tree are the basic events. Top events, intermediate events and basic events should be strictly defined before the analysis begins.
The protection system consists of four redundant channels whose outputs are combined by 2-out-of-4 voting logic to produce the actuation signal. If three or more channels fail to act at the same time, the protection system fails to actuate. Each channel consists of several modules, such as input, processing and output modules. From the signal flow graph of the protection system it can be analyzed how the fault state of each module determines the state of the channel, i.e. the logical relationship between the modules. The modules are built from different types of PCB; for each PCB, its faults, whether they can be diagnosed, and the fault handling mechanism must be considered. For modules with self-diagnosis, such as processors, there are two kinds of fault: detectable and undetectable. A detectable fault is detected immediately and the faulty component is repaired; mathematically, its contribution is treated as time-independent. An undetectable fault can only be found by a periodic test. According to the authors' survey of several nuclear power plants and their design organizations, undetectable faults usually amount to 1 % to 10 % of the detectable faults; an average of 5 % is taken in this paper, i.e. undetectable faults are taken as 5 % of all faults. In engineering practice, for modules with very short self-diagnosis cycles, such as network adapters or communication modules, undetectable faults are not considered. From the protection system structure of Sect. 3.2 and the basic events defined in this section, the fault tree is built (Fig. 3).
Fig. 3. Fault tree (the triangles are transfer gates)
3.3.2 Consideration of Common Cause Failure Common cause failure (CCF) is the simultaneous failure of two or more components of a system due to a shared failure mechanism, and it is the main cause of redundant system failure. In engineering practice, components of the same type performing the same function behave similarly, so CCF among them is more likely, and they should be assigned to one common cause group. The protection system uses diverse reactor trip parameters: channels 1 and 3 use variables from one measurement scheme and channels 2 and 4 use variables from another. Channels 1 and 3 therefore form one common cause group and channels 2 and 4 form another. CCF parameters require a large amount of statistical data, and nuclear power plants in China have not yet accumulated enough reliable operating data; in particular, data management for digital I&C systems is lacking. This paper therefore uses the common cause parameters given in Section 3.1 of NUREG 5497-2015, which counts 116 CCFs among 3224 independent random failures of digital I&C systems from 1997 to 2015, including the bypass, control and overriding types (Table 1).
Table 1. Common cause parameters (beta, gamma and delta of the multiple Greek letter model)
Number of components in the common cause group: 2 | 3 | 4
Beta: 3.05 × 10^-2 | 2.93 × 10^-2 | 2.07 × 10^-2
Gamma: - | 4.06 × 10^-2 | 5.28 × 10^-1
Delta: - | - | 3.84 × 10^-1
3.3.3 Consideration of Software Reliability The industrial computers used in nuclear power plant I&C systems now run operating systems such as Linux and Windows, and the platforms and applications of safety-level I&C systems are also developed on these systems. Because software has failure mechanisms quite different from those of hardware, evaluating its reliability is very difficult. At present there is no international standard for the quantitative analysis and calculation of I&C software reliability. The industry has proposed many quantitative software reliability evaluation methods, but there is no consensus yet on whether they apply to the software of nuclear power plant safety-level I&C systems. Various countries have issued regulations and standards that set overall reliability targets for the I&C system; for example, HAF 102 "Nuclear Power Plant Design Safety Regulations" requires that "appropriate and reliable control systems must be provided to keep the relevant process variables within the specified operating range", but systematic and standardized reliability evaluation methods are still lacking [7]. In engineering practice, according to the technical specification of its safety-level I&C platform, Siemens takes the software failure rate of a single protection channel as a whole to be 1.0 × 10^-6, based on its domestic and overseas operating experience with safety-level and non-safety-level I&C platforms. This article uses 1.0 × 10^-5 to be on the safe side.
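The following Python example is added here; it is not the paper's model or its RiskSpectrum fault tree. It quantifies the basic-event structure described in Sects. 3.3.1 to 3.3.3: four channels voted 2-out-of-4 (the top event occurs when three or more channels fail to act), a 95 %/5 % split between detectable faults (repaired after detection) and undetectable faults (found only by the periodic test), a per-channel software failure probability of 1.0 × 10^-5, and beta-factor CCF with beta = 3.05 × 10^-2 from Table 1 for the two-channel common cause groups {1, 3} and {2, 4}. The top event probability is obtained by exact enumeration of all basic-event states (no rare-event approximation) and cross-checked against a hand-derived closed form, and the minimal cut sets are listed. The channel failure rate, repair time and test interval used at the bottom are assumed illustrative values, not the TW plant's data.

```python
"""Added example: 2-out-of-4 protection logic with beta-factor CCF (not the paper's model)."""
import itertools
from typing import FrozenSet, List, Sequence, Tuple

# Diverse-measurement groups from Sect. 3.3.2: channels 1&3 and 2&4 (0-based here).
CCF_GROUPS: Tuple[Tuple[int, int], ...] = ((0, 2), (1, 3))
BETA_2 = 3.05e-2  # Table 1: beta for a common cause group of two components


def channel_unavailability(lam_total: float, test_interval_h: float, repair_h: float,
                           undetectable_fraction: float = 0.05,
                           software_q: float = 1e-5) -> float:
    """Unavailability of one channel.
    Detectable faults (95 %) are found by self-diagnosis and repaired: lam_d * MTTR.
    Undetectable faults (5 %, Sect. 3.3.1) are found only by the periodic test, so
    their average unavailability over the interval is lam_u * T / 2.
    software_q is the per-channel software failure probability of Sect. 3.3.3.
    repair_h (MTTR) is an assumed value."""
    lam_u = undetectable_fraction * lam_total
    lam_d = lam_total - lam_u
    return lam_d * repair_h + lam_u * test_interval_h / 2.0 + software_q


def _basic_events(groups=CCF_GROUPS) -> List[Tuple[str, Tuple[int, ...]]]:
    """Basic events: one independent failure per channel, one CCF event per group."""
    return [("ind", (i,)) for i in range(4)] + [("ccf", g) for g in groups]


def _failed_channels(occurred: Sequence[bool], events) -> FrozenSet[int]:
    failed = set()
    for (_kind, targets), on in zip(events, occurred):
        if on:
            failed.update(targets)
    return frozenset(failed)


def top_event_probability(q_channel: float, beta: float = BETA_2,
                          groups=CCF_GROUPS) -> float:
    """P(three or more of four channels fail to act): the 2oo4 logic cannot actuate.
    Exact enumeration over all basic-event states (no rare-event approximation)."""
    events = _basic_events(groups)
    q_ind, q_ccf = (1.0 - beta) * q_channel, beta * q_channel
    probs = [q_ind] * 4 + [q_ccf] * len(groups)
    total = 0.0
    for state in itertools.product((False, True), repeat=len(events)):
        if len(_failed_channels(state, events)) >= 3:
            p = 1.0
            for on, pe in zip(state, probs):
                p *= pe if on else 1.0 - pe
            total += p
    return total


def top_event_closed_form(q_channel: float, beta: float = BETA_2) -> float:
    """Same quantity derived by hand for cross-checking.  Per diverse group:
    p2 = P(both channels failed), p1 = P(exactly one failed); top event = P(2,2)+P(2,1)+P(1,2)."""
    q_ind, q_ccf = (1.0 - beta) * q_channel, beta * q_channel
    p2 = q_ccf + (1.0 - q_ccf) * q_ind ** 2
    p1 = (1.0 - q_ccf) * 2.0 * q_ind * (1.0 - q_ind)
    return p2 ** 2 + 2.0 * p2 * p1


def minimal_cut_sets(groups=CCF_GROUPS) -> List[FrozenSet[str]]:
    """Minimal combinations of basic events that defeat the 2oo4 logic."""
    events = _basic_events(groups)
    names = [f"ind{t[0] + 1}" if k == "ind" else "ccf" + "".join(str(c + 1) for c in t)
             for k, t in events]
    cut_sets = []
    for state in itertools.product((False, True), repeat=len(events)):
        if len(_failed_channels(state, events)) >= 3:
            cut_sets.append(frozenset(n for n, on in zip(names, state) if on))
    return [cs for cs in cut_sets if not any(other < cs for other in cut_sets)]


if __name__ == "__main__":
    # Assumed illustrative inputs: 1e-5 /h per channel, monthly test, 8 h repair.
    q = channel_unavailability(lam_total=1e-5, test_interval_h=720.0, repair_h=8.0)
    print(f"channel unavailability      {q:.3e}")
    print(f"2oo4 failure-to-act (exact) {top_event_probability(q):.3e}")
    print(f"2oo4 failure-to-act (closed){top_event_closed_form(q):.3e}")
    for cs in minimal_cut_sets():
        print(" cut set:", sorted(cs))
```

With the page's beta, the dominant cut sets are a CCF event in one diverse group plus a single independent failure in the other; the three-independent-failure cut sets contribute orders of magnitude less, which is why the diversity split between channels 1/3 and 2/4 matters more to the result than the independent board failure rates.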
3.4 Reliability Calculation of Fault Tree Analysis 3.4.1 Data Processing In the existing RCM analysis of nuclear power plants, the data used is provided by international general databases or obtained from conservative assumptions. Using these data to analyze the safety-related components of nuclear power plants, the results will have great limitations. Due to the different environments in which equipment is installed, commissioned, and operated, the actual data of the power plant may be inconsistent with the data from standard databases. In this paper, the actual operating data of nuclear power plants are used, which can better reflect the actual situation of power plants than the general data. The value and distribution of the component failure rate should be given according to the input requirements of the FTA. However, the TW nuclear power plant only provides the number of PCB failures and the operating time, so the data needs to be processed. Besides, for fault-free components during operation, an estimate of the failure rate is required. The nuclear power plant studied in this paper has operated multiple fuel cycles and has passed the early failure period of the components. It can be considered that the failures of the safety-level I&C system components are randomly and uniformly distributed. Therefore, the failure distribution of components is exponentially distributed, and the failure rate is constant. The failure rate per unit time (per hour) is equal to the number of failures divided by the operating time. For the fault-free components during operation (for example, they act only during tests), assume the probability of failure remains unchanged throughout the test. For components that act on demand, assume there are n independent tests, each test has only two results, success, and failure. 
If there is no failure in n consecutive actions, the failure rate and confidence interval of the component can be estimated according to the method in Section 8.7.1 of GB/T 9225–1999 “General Principles of Reliability Analysis of Nuclear Power Plant Safety System” [9]:

$n = \frac{\ln \alpha}{\ln(1 - P_0)}$ (1)

Where n is the number of tests, P0 is the failure rate, and α is the confidence interval. When there is no failure in n consecutive actions at a confidence level of 100(1–α)%, the upper confidence limit of the failure probability P is less than or equal to P0; equivalently, the lower confidence limit of the reliability is greater than or equal to 1 − P0. Transforming formula (1) gives:

$P_0 = 1 - \alpha^{1/n}$ (2)
According to this formula, the failure rate P0 can be estimated when n tests are successful at the required confidence interval α.
3.4.2 Calculation Results
This paper uses Risk Spectrum, developed in Sweden and widely used in the nuclear power industry for FTA, to analyze and calculate the reliability.
Calculate Reliability by Fault Tree Method to Optimize
Using the fault records provided by the TW nuclear power plant, following the method in Sect. 3.4.1 and entering the data into the fault tree presented in Sect. 3.3.1, the overall failure rate λ = 3.703 × 10–9 is calculated, which meets the requirement of GB/T 4083 (failure rate of 1 × 10–04) [8].
4 Optimize the Periodic Test Cycle of the Protection System
4.1 Method of Determining the Periodic Test Cycle
The maintenance activities of nuclear power plants are divided into three categories: preventive maintenance, corrective maintenance, and periodic tests. A periodic test checks and monitors, at a fixed cycle, safety-related equipment or systems that have a significant impact on the nuclear power plant, to confirm that they can still perform their expected functions. Nuclear power plants regularly inspect the functions of such equipment to detect the availability of components that are normally on standby. The reliability of the I&C system calculated by FTA can be used to determine the periodic test cycle of the nuclear power plant’s protection system. Before further discussion, the following assumptions are made:
1) Compared with the unavailability caused by equipment failure, the unavailability caused by equipment failure during the periodic test itself can be ignored;
2) The product of the equipment failure rate during standby and the periodic test cycle is far less than 1;
3) The unavailability of equipment caused by human error during the periodic test is not taken into consideration.
In the third section of this paper, it is explained that the failure distribution of the components of the protection system is exponential and the failure rate is constant. According to GB/T 9225–1999, for components whose failure density function is exponentially distributed, the average unavailability can be expressed as:

$Q = \frac{1}{T}\int_0^T \left(1 - e^{-\lambda t}\right)\,dt$ (3)

Where T represents the periodic test cycle, and λ is the failure rate of the equipment.

$Q = \frac{\int_0^T \left(1 - e^{-\lambda t}\right)\,dt}{T}$ (4)

When λT
“0”
Time | Event
2019-11-29 14:24:29 728.1 | Channel F “1” -> “0”
2019-11-29 14:24:40 503.1 | Channel A “0” -> “1”
2019-11-29 14:24:29 504.1 | Channel D “0” -> “1”
2019-11-29 14:24:29 505.1 | Channel B “0” -> “1”
2019-11-29 14:24:29 506.1 | Channel E “0” -> “1”
2019-11-29 14:24:29 507.1 | Channel C “0” -> “1”
2019-11-29 14:24:29 508.1 | Channel F “0” -> “1”
Z.-X. Dong
6 Conclusion
The time synchronization design and implementation method described in this paper has been applied in the digital control system SH_N. After long-term operation and multiple rounds of testing, this time synchronization design has an accuracy of better than 50 ms for digital events and better than 1 ms for SOE events, which meets the time-accuracy requirements of nuclear power station DCS. The entire system needs only one input interface for time synchronization, and no additional time synchronization equipment is required when the scale of the SOE application is expanded, which improves the ease of use of the system. The I/O server, main control module and communication module that undertake the main time synchronization function in the system are all redundant, and the time source between stations is also redundant, which effectively improves the reliability of the system.
Design of Self-diagnosis for Diversity Actuation System Based on FPGA in ACPR1000 Nuclear Power Plant
Ji-Kun Wang(B), Zhi-Hui Zhang, Gui-Lian Shi, Chang-Yu Mo, Gang Li, and Bin Wu
China Techenergy Co. Ltd., Beijing 100094, China
[email protected]
Abstract. Self-diagnosis for the diversity actuation system (KDS) is essential for the safe operation of nuclear power plants (NPPs). With the development of FPGA technology, more and more KDSs in NPPs are realized with FPGA technology. This paper provides a self-diagnosis solution for a KDS based on FPGA, which includes fault detection, fault handling, diagnosis information monitoring and alarm indication. After testing and verification in ACPR1000 NPPs, this solution has proved to effectively improve the maintainability of the KDS; it can be widely used in other types of NPPs and has broad application prospects. Keywords: Diversity actuation system · FPGA · Self-diagnosis
1 Background
According to IEC 61513 [1], faults and errors should be fully detected, and sufficient and correct fault diagnosis information should be provided. Therefore, the self-diagnostic function is very important for the I&C system in NPPs. The design of the self-diagnostic function directly affects the maintainability of the KDS and can effectively improve the safety of NPPs [2–5]. The FitRel platform is an FPGA-based product developed by China Techenergy Co. Ltd., and has been formally applied in ACPR1000 NPP [6]. However, there is no precedent or experience to follow for a KDS based on FPGA technology, so it is urgent to design a set of self-diagnostic solutions suitable for FPGA technology. Based on practical experience in FitRel product development and on maintainability design theory, this paper proposes a self-diagnostic solution suitable for the KDS in NPPs.
2 Methodology of Self-diagnosis
The system self-diagnosis function is based on the basic principles of self-diagnosis design, which comprise 3 steps.
Step 1: Completing the classification of the fault, and determining the severity of its impact on the function of the control station where the faulty device is located.
Step 2: Determining the fault diagnosis method based on the severity of the fault.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 563–571, 2022. https://doi.org/10.1007/978-981-19-1181-1_54
J.-K. Wang et al.
Fig. 1. Methodology of self-diagnosis diagram (Fault classification → Fault diagnosis design → Fault handling and indication)
Step 3: Fault indication for the operation and maintenance personnel (Fig. 1). For the FPGA-based platform, there are many fault modes that need to be defined, and the fault diagnosis design and indication have to follow certain principles.
Fig. 2. Self-diagnosis diagram of KDS
Design of Self-diagnosis for Diversity Actuation System
3 Self-diagnosis Design
Through the failure mode and effects analysis (FMEA) of the KDS system [7], the diagnostic measures, handling measures and alarm indication mechanisms for the failure modes are designed based on the failure mode effects. In particular, because the FPGA is very complex and self-diagnosis for the FPGA is not easy to analyze and design, this paper treats FPGA failure as a special part; the self-diagnosis diagram is shown in Fig. 2.
3.1 Fault Classification
Fault classification classifies faults according to their severity, and the fault level is the basis for the fault alarm indication. In this document, the severity of a fault is judged by the severity of the impact of the fault mode on the function of the control station where the faulty device is located. The failure modes are shown in Table 1.

Table 1. List of failure modes
No. | Failure mode | Involved equipment
1 | AI module channel circuit failure | AI module
2 | AI module communication failure | AI module
3 | AI module FPGA failure | AI module
4 | DI module channel circuit failure | DI module
5 | DI module communication failure | DI module
6 | DI module FPGA failure | DI module
7 | AO module channel circuit failure | AO module
8 | AO module communication failure | AO module
9 | AO module FPGA failure | AO module
10 | DO module channel circuit failure | DO module
11 | DO module communication failure | DO module
12 | DO module FPGA failure | DO module
13 | KDS Level2 equipment failure | KDS Level2 equipment
14 | OPS task process failure | OPS station
15 | NCU module communication with MPU failure | MPU module, NCU module
16 | NCU module FPGA failure | MPU module
17 | NCU communication failure with other NCU module | NCU module
18 | MPU module FPGA failure | MPU module
19 | The power supply bus in the cabinet loses power | Power supply bus of the cabinet
20 | 24V power supply module failure | 24V power supply module
21 | The cabinet temperature exceeds the upper limit | Device in the cabinet
22 | Fan status is abnormal | Power supply module, Device in the cabinet
3.2 Fault Diagnosis Design
In order to cover the faults of the KDS system to the greatest extent, the fault diagnosis design principles are as follows: 1) The overall design follows IEC 60671 [8]: self-diagnosis shall cover all diagnosable faults; 2) In order to prevent spurious actuation of the system, fault handling shall lead to a fail-safe state, and the fault information shall be indicated in detail. The self-diagnosis of the KDS system includes two parts, the self-diagnosis function of the FitRel platform and the self-diagnosis of the engineering application. The self-diagnostic function of the FitRel platform refers to the inherent fault diagnosis measures of the FitRel product; the application self-diagnostic measures are designed according to the specific engineering application. Platform self-diagnosis measures are shown in Table 2. For FPGA failure, this paper involves 7 self-diagnosis measures so that every diagnosable failure mode can be detected and handled. Application self-diagnostic measures are shown in Table 3.

Table 2. Platform self-diagnosis measures
Classification | Failure mode | Self-diagnosis measures | Fault handling and indication
FPGA failure in MPU\NCU\IO modules | FPGA failure | Digital power diagnosis | Fault indication
 | | Clock diagnosis | FPGA reset, Fault indication
 | | State machine self-diagnosis | FPGA reset for five times, then Lock-down, Fault indication
 | | Watchdog | FPGA reset, Fault indication
 | | Module in-position diagnosis | Fault indication
 | | Interface diagnosis | FPGA reset, Fault indication
 | | EEPROM CRC check | FPGA reset for five times, then Lock-down, Fault indication
Other failures in MPU\NCU\IO modules | Data communication failure | Data frame serial number detection; Communication cycle detection; Source address and destination address detection; CRC check | Output AS-IS, Fault indication
 | Analog signal drift failure; Fixed failure of analog acquisition signal | AI dynamic self-check | Fault indication
 | Analog acquisition signal over-range fault | AI over-range self-checking | Fault indication
 | Digital acquisition signal is always a fixed value | DI redundant hardware acquisition and comparison | Fault indication
 | Analog output signal drift failure; No output for analog output signal | AO output end sampling and readback | Fault indication
 | Digital output signal fixed failure | DO channel readback | Fault indication
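The data-communication checks of Table 2 (data frame serial number detection, communication cycle detection, source and destination address detection, CRC check, with "output AS-IS" on failure) and the "FPGA reset for five times, then Lock-down" handling rule, as an added Python simulation written for this edit; it is not the FitRel platform's code, which runs in FPGA logic. The frame layout (1-byte source, destination, sequence number and length, then payload and a CRC-16/CCITT), the addresses, the 10 ms cycle with 2 ms tolerance and the sample frame sequence are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

CRC16_POLY = 0x1021  # CRC-16/CCITT polynomial; the platform's real CRC is not on the page


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE over `data` (assumed frame check sequence)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC16_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(src: int, dst: int, seq: int, payload: bytes) -> bytes:
    """Assumed layout: src(1) dst(1) seq(1) len(1) payload crc16(2, big-endian)."""
    body = bytes([src & 0xFF, dst & 0xFF, seq & 0xFF, len(payload)]) + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


@dataclass
class LinkMonitor:
    """Receiver-side checks of Table 2 for one communication link."""
    my_addr: int
    peer_addr: int
    period_ms: float                 # expected communication cycle
    tolerance_ms: float              # accepted jitter around the cycle
    expected_seq: Optional[int] = None
    last_rx_ms: Optional[float] = None
    last_good_payload: bytes = b""
    faults: list = field(default_factory=list)   # fault indication log

    def receive(self, frame: bytes, now_ms: float) -> bytes:
        """Return the payload handed to the application: the new one if every check
        passes, otherwise the last good one ("output AS-IS" in Table 2)."""
        fault = self._check(frame, now_ms)
        self.last_rx_ms = now_ms
        if fault is None:
            self.last_good_payload = frame[4:-2]
            self.expected_seq = (frame[2] + 1) & 0xFF
        else:
            self.faults.append(fault)
            if fault in ("sequence", "cycle"):   # CRC was valid: resynchronise the counter
                self.expected_seq = (frame[2] + 1) & 0xFF
        return self.last_good_payload

    def _check(self, frame: bytes, now_ms: float) -> Optional[str]:
        if len(frame) < 6 or len(frame) != 6 + frame[3]:
            return "length"
        if crc16_ccitt(frame[:-2]) != int.from_bytes(frame[-2:], "big"):
            return "crc"                                   # CRC check
        src, dst, seq = frame[0], frame[1], frame[2]
        if src != self.peer_addr or dst != self.my_addr:
            return "address"                               # source/destination address detection
        if self.expected_seq is not None and seq != self.expected_seq:
            return "sequence"                              # data frame serial number detection
        if self.last_rx_ms is not None and \
                abs((now_ms - self.last_rx_ms) - self.period_ms) > self.tolerance_ms:
            return "cycle"                                 # communication cycle detection
        return None


@dataclass
class ResetPolicy:
    """'FPGA reset for five times, then Lock-down' (Table 2), modelled as a counter."""
    max_resets: int = 5
    resets: int = 0
    locked: bool = False

    def on_fault(self) -> str:
        if not self.locked and self.resets < self.max_resets:
            self.resets += 1
            return "reset"
        self.locked = True
        return "lock-down"


def demo():
    """Constructed traffic: two good frames, a corrupted one, a skipped sequence
    number, a late frame and a frame from the wrong source."""
    mon = LinkMonitor(my_addr=0x02, peer_addr=0x01, period_ms=10.0, tolerance_ms=2.0)
    bad = bytearray(build_frame(0x01, 0x02, 2, b"\x12"))
    bad[4] ^= 0x01                                    # flip one payload bit: CRC must catch it
    traffic = [
        (0.0, build_frame(0x01, 0x02, 0, b"\x10")),
        (10.0, build_frame(0x01, 0x02, 1, b"\x11")),
        (20.0, bytes(bad)),
        (30.0, build_frame(0x01, 0x02, 3, b"\x13")),   # seq 2 was expected
        (40.0, build_frame(0x01, 0x02, 4, b"\x14")),
        (55.0, build_frame(0x01, 0x02, 5, b"\x15")),   # 15 ms gap, outside 10 ± 2 ms
        (65.0, build_frame(0x03, 0x02, 6, b"\x16")),   # wrong source address
        (75.0, build_frame(0x01, 0x02, 6, b"\x17")),
    ]
    delivered = [mon.receive(f, t) for t, f in traffic]
    return mon.faults, delivered
```

Each faulty frame is logged for indication while the application keeps receiving the last validated payload, which is the "output AS-IS" behaviour of the table; the reset counter shows why a handling rule needs a bound, since an FPGA that kept resetting on a persistent fault would never reach a stable fail-safe state.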
Application self-diagnostic measures: Application self-diagnostic measures are aimed at failure modes related to the application, and supplement the platform self-diagnostic measures. The application self-diagnostic measures of the KDS system in ACPR1000 NPP are as follows.

Table 3. Application self-diagnostic measures
Classification | Failure mode | Self-diagnosis measures | Fault handling and indication
Commercial Outsourcing Device failures | The cabinet temperature exceeds the upper limit | Temperature sensor | Fault indication
 | Fan status is abnormal | Fan monitoring | Fault indication
 | The cabinet door status is abnormal | Travel switch check | Fault indication
 | 24 V power supply module failure | Power supply voltage monitoring | Fault indication
KDS Level2 equipment | Level2 equipment failure | Level2 equipment self-diagnosis | Fault indication
Algorithm failures | Power failure | Monitoring of power supply bus in the cabinet | Fault indication
 | Redundant channel deviation | Real-time comparison of the deviation of the collected value, calculated value and output value of the redundant channel | Fault indication
3.3 Fault Indication
Principles of alarm indication: 1) Indicate fault information on the human-machine interface; 2) The failure information displayed must be consistent across the different human-machine interfaces. After a fault is diagnosed, each cabinet of the KDS system gives an alarm indication in the following three ways: Main control room alarm indication: alerts the operator and maintenance personnel of a KDS failure immediately; Local display alarm indication: the fault diagnosis information is transmitted to the LOC-VDU through the network to indicate the faulty equipment;
Local cabinet indication: the fault information is processed by turning off the cabinet lamp and the other module lamps, which helps maintenance personnel locate the faulty cabinet (Fig. 3).

Fig. 3. Fault indication flow diagram (labels: Self-diagnostic information of Cabinet 1 to Cabinet 5, each with its Cabinet Lamp; Note: Communication / Hardwire; SERVER; MCR Alarm; LOC-VDU Alarm)
4 Test
The test results for the KDS in Yangjiang 5&6 NPP and on the engineering prototype are shown in Table 4. All failure modes of the KDS can be detected and indicated, and on an FPGA failure the output of the failed module can be set to fail-safe. There was no spurious trip in the KDS (Table 4).

Table 4. Test results
Fault classification | Requirement | Result
AI module channel circuit failure | Warning in real time | √
AI module communication failure | Warning in real time, fail-safe | √
AI module FPGA failure | Warning in real time, fail-safe | √
DI module channel circuit failure | Warning in real time | √
DI module communication failure | Warning in real time, fail-safe | √
DI module FPGA failure | Warning in real time, fail-safe | √
AO module channel circuit failure | Warning in real time | √
AO module communication failure | Warning in real time, fail-safe | √
AO module FPGA failure | Warning in real time, fail-safe | √
DO module channel circuit failure | Warning in real time | √
DO module communication failure | Warning in real time, fail-safe | √
DO module FPGA failure | Warning in real time, fail-safe | √
The cabinet temperature exceeds the upper limit | Warning in real time | √
Fan status is abnormal | Warning in real time | √
KDS Level2 equipment failure | Warning in real time | √
OPS task process failure | Warning in real time | √
NCU module communication with MPU failure | Warning in real time, fail-safe | √
NCU module FPGA failure | Warning in real time, fail-safe | √
NCU communication failure with other NCU module | Warning in real time, fail-safe | √
MPU module FPGA failure | Warning in real time, fail-safe | √
The power supply bus in the cabinet loses power | Warning in real time | √
24 V power supply module failure | Warning in real time | √
5 Conclusion
This paper presents a self-diagnostic solution for the KDS in ACPR1000 NPP. The self-diagnostic solution draws on the best practical experience in the field of safety I&C. At present, the self-diagnostic solution has been applied in the Yangjiang 5&6 and Hongyanhe 5&6 projects, and has undergone testing and verification, including R&D testing, in-plant testing and the owner’s factory commissioning. The results show that the solution can cover all diagnosable faults of the FitRel platform based on FPGA technology, can indicate the diagnosis information in real time, and can provide sufficient information for the daily maintenance of nuclear power plants. After adaptive adjustment, it can meet the requirements of AP1000 and EPR reactor-type NPPs, and has broad application prospects.
References
1. IEC: IEC 61513 Nuclear power plants - Instrumentation and control important to safety - General requirements for systems. IEC, Geneva (2011)
2. NUREG/CR-7006: Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems. NRC (2010)
3. Naser, J.: Guidelines on the Use of Field Programmable Gate Arrays (FPGAs) in Nuclear Power Plant I&C Systems. TR-1019181, EPRI, pp. 41–59 (2009)
4. Ranta, J.: The current state of FPGA technology in the nuclear domain. VTT (2012)
5. Bobrek, M., Bouldin, D., Holcomb, D.: Survey of field programmable gate array design guides and experience relevant to nuclear power plant applications, pp. 5–9. ORNL (2007)
6. Shi, G., Wang, J.: The design of diverse actuation system device in ACPR1000 PWR nuclear power plant. Nucl. Saf. 15(1), 61–65 (2016)
7. IEC: IEC 60880 Nuclear power plants - Instrumentation and control important to safety - Software aspects for computer-based systems performing category A functions. IEC, Geneva (2006)
8. IEC: IEC 60671 Nuclear power plants - Instrumentation and control important to safety - Surveillance testing. IEC, Geneva (2007)
Periodic Test Design of EDG Digitization Protection System in Nuclear Power Plant
Qing-Ming Wang(B), Chun-Ming Liu, and Chao Gao
China Techenergy Co., Ltd., Beijing 100094, China
[email protected]
Abstract. Referring to the different types of periodic test of the whole Emergency Diesel Generator system, considering the features of the digitalized protection system used in the Emergency Diesel Generator of a nuclear power plant, and on the basis of reliability analysis, this paper first describes the periodic test of the protection system, then introduces the design requirements of the Emergency Diesel Generator protection system, and finally works out a design scheme. This scheme provides a technical reference for the subsequent periodic test scheme design in the digital modernization of Emergency Diesel Generator protection systems. Keywords: Emergency diesel generator · Protection system · Periodic test · Digitalized transformation
1 Overview
As an important back-up power supply, the Emergency Diesel Generator (EDG) of a nuclear power plant supplies the medium- and low-voltage nuclear auxiliary equipment required for safe reactor shutdown, so as to prevent damage to important equipment on loss of the external AC power supply and to ensure the safety of personnel and the environment. The EDG protection system, regarded as the nerve center, directly affects the overall reliability of the EDG. At present, the protection systems of emergency diesel generator units in CPR1000 nuclear power plants are mostly analog systems supplied by foreign vendors at an early stage and built with analog components. In operation they are characterized by setpoint drift, a high failure rate and poor self-diagnosis ability, and their spare parts are not being replaced, so the reliability of the EDG is seriously affected. With the widespread application of advanced digital technology, great changes have taken place in I&C systems, and digital I&C systems are gradually being applied in the control of EDGs in nuclear power plants. Unlike the hardware structure of a traditional analog system, a digital system is a combination of software and hardware with higher integration, better maintainability and high expandability. The digital I&C system differs from the traditional analog system in application technology, development methods, failure modes, status monitoring, reliability analysis and periodic test scheme.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 572–579, 2022. https://doi.org/10.1007/978-981-19-1181-1_55
Periodic Test Design of EDG Digitization Protection System
The purpose of this paper is to systematically analyze the relevant regulations and standards for the periodic test of a digital protection system. Also, referring to the current overall EDG periodic test strategy and analyzing the design requirements, it discusses the design process, compares and optimizes the strategy, and finally refines a complete periodic test scheme for the EDG I&C system.
2 The Overall Periodic Test Strategy of EDG
According to the requirements of the relevant regulations and standards at home and abroad, periodic tests are needed in order to verify the performance indexes of the EDG and ensure the reliability and availability of the system. According to statistics, the in-service EDG units of nuclear power plants only perform the overall periodic test of the EDG itself, and do not perform a special periodic test for the EDG protection system based on analog technology. The EDG periodic tests of the CPR1000 nuclear power plants in China include a low-power test and a full-power test [6]. The low-power test is conducted by cutting off the external normal power supply and switching to the internal power supply, to verify that the starting sequence, voltage and frequency regulation of the diesel generator unit perform their functions correctly. The test interval is generally once every two months. The full-power test is conducted by connecting the diesel generator unit to the auxiliary power grid outside the plant through the power supply bus, to verify the ability of the diesel generator unit to provide rated power to the special emergency safety actuators. The test interval is generally once per refueling cycle. Because of the particularity of nuclear power plants, a fast start of the EDG is required, and its test can be divided into a slow-start test and a fast-start test. The slow-start test verifies the ability of the EDG to start normally from the standby condition and verifies that the voltage and frequency meet the design requirements. The fast-start test proves that the EDG starts from the standby condition and verifies that the voltage and frequency limits are reached within the acceptable time.
Through practice, optimization demonstration and safety analysis in the nuclear power industry at home and abroad, and finally with regulatory permission, the slow-start test interval of the domestic CPR1000 nuclear power plant EDG has been determined as once a month, and the fast-start test interval as once every six months. The above tests are the periodic tests of the whole EDG; the special periodic tests of the EDG protection system are not mentioned, but in principle they can be covered or simplified to a certain extent by them. At present, in the nuclear power industry, there is no clear and unified discussion on the periodic test scheme after the modernization of the EDG protection system with a digital I&C system, and the concept is relatively vague, so some system failure modes may be missed by the tests.
Q.-M. Wang et al.
3 Requirements for Periodic Test of EDG Protection System
As an important part of the overall instrumentation and control system of the EDG, the protection system mainly performs the EDG safety protection function and belongs to the important safety system equipment. Therefore, the EDG protection system needs to meet the requirements of the regulations and standards at home and abroad related to the periodic test of nuclear power plant safety systems. IEEE 603 stipulates that safety system equipment should have the capability for test and calibration while retaining the capability to perform the safety function [1]. IEEE 338 and GB/T 5204 stipulate that the periodic testing and monitoring of a safety system serve to realize the expected system availability [2, 3]; IEC 60671 requires that the safety system should be able to ensure the functional capability of the I&C system and the corresponding control path through monitoring tests [4]. HAF 102 stipulates that the design must allow all links of the system, from the sensor to the final actuator, to be tested during operation [5]. Therefore, the periodic test process of the EDG protection system must not affect the system safety function, and must also cover all aspects of signal input, processing and output. As a safety-classified digital I&C system with independent intellectual property rights, the FirmSys platform of CTEC has been successfully applied in the field of EDG I&C. Therefore, it is necessary to determine the periodic test strategy of the EDG protection system by reasonably combining it with the overall periodic test of the EDG, which is conducive to ensuring the effectiveness of the system protection function and reducing the risk of the system failing to operate on demand.
4 Periodic Test Design
The periodic test scheme of the EDG protection system is closely related to the platform self-diagnosis design and the system configuration. In this paper, through analysis of the system reliability, system configuration, system function, signal flow direction and the requirements of regulations and standards at home and abroad, a periodic test strategy is determined, and the periodic test scheme of the protection system is simplified on the basis of the overall periodic test of the EDG.
4.1 System Reliability Analysis
Reliability is defined as the probability that an item or system completes the required function in a given state and within a given time interval [7]. It is necessary to analyze the reliability of the FirmSys system, which is based on digital technology, when it is applied to the EDG protection system. On the basis of the platform products, the reliability analysis needs to cover all component failure modes, system states, failure effects, compensation measures, self-diagnostic monitoring methods and periodic tests according to the system configuration and functions, so as to determine whether every single failure can be detected during normal operation of the system and whether a single failure will prevent the protection action of the system. The flow chart of the reliability analysis is shown in Fig. 1. The I&C system based on digital technology usually adopts a combination of self-diagnosis and periodic tests to cover all system failure modes, so as to ensure
Fig. 1. The flow chart of the reliability analysis (boxes: Start; Analyze System Configuration & Function; Determine the Analysis Range; Define Failure Mode; Failure Mode and Effect Analysis; Modeling and Analysis; Generate Reliable Analysis and Data Report; The End)
the overall reliability of the system. According to IEC 60671, self-diagnosis and monitoring can replace the periodic test [4]. The diagnosable failure modes of the system need to be analyzed and identified. For the non-diagnosable residual failure modes, either it has been proved that they have no impact on the safety function, or they are covered by the periodic test. To sum up, the failure modes of the EDG protection system that can be detected by self-diagnosis are detected that way, and the failure modes that cannot be detected by self-diagnosis need to be detected by the periodic test.
4.2 Analyze the Signal Flow
The main function of the EDG protection system is to receive the field sensor signals or the remote/local operation commands and to output protection command signals to the EDG unit through logic operation; the system is equipped with operation buttons and switches for local manual control of diesel engine starting and other equipment; the system also needs to send the relevant alarms and operating parameters to the display unit. Combining the products of the FirmSys system platform with the typical functions of the EDG protection system, the signal flow direction is shown in Fig. 2.
Fig. 2. Signal flow of EDG protection system (blocks: S; Isolation & Distribution; Signal Acquisition; Processing; Communication; Other System; Signal Output; M)
4.3 Determine the Test Strategy
HAF 102 stipulates that the system design must allow testing of all links from the sensor to the final actuator [5]. Therefore, the scope of the periodic test should cover all equipment performing the safety-classified protection function, including sensors, logic processing and actuators; the overlapping test method can be used to ensure that this equipment is completely covered [8]. Combining the signal flow diagram above with the system reliability analysis, the platform self-diagnosis and the non-diagnosable failure modes, and adopting a conservative design principle, the system is designed with three overlapping test segments, T1, T2 and T3. In addition, in order to meet the requirement on the fast emergency start-up time of the EDG, the system needs a special response time test. The T1 test mainly verifies whether the acquisition channel drifts. The specific test methods are cross check and channel verification. The cross check verifies whether a single channel drifts compared with the redundant channel; the channel verification addresses the very low probability event that all channels drift, and identifies whether there is a deviation beyond the expected value by injecting a standard signal source into a single input channel. By analyzing the logic of the EDG protection system, there is no analog data acquisition with redundant protection channels, so cross check is not needed. The existing periodic tests of the EDG cannot cover channel verification. Therefore, the T1 part only needs to perform channel verification, and the test method is as follows. According to the product reliability analysis data, the cycle of channel verification is generally one refueling cycle, which is 18 months.
Fig. 3. Segments of EDG protection system periodic test (labels: S; T1; Response Time Test; Isolation & Distribution; Signal Acquisition; T2; Processing; Communication; Other System; Signal Output; T3; M)
The schematic diagram of T1 analog channel verification is as follows.
Fig. 4. Schematic diagram of channel verification test
577
578
Q.-M. Wang et al.
During the test, the standard signal source injects data through the test terminal, the data is read by the channel verification test table, and the deviation comparison is completed automatically. The deviation is computed as E = (V_measured − V_expected) / R_range × 100%, where R_range is the engineering range of the signal. The allowable error band is (−σ, +σ), with σ fixed at 0.25% of the signal engineering range: if |E| ≤ σ the test result is Good, and if |E| > σ the test result is Not Good.
The T2 test covers the protection logic inside the digital processor. It uses the maintenance test tool to inject test data into the processor, reads back the logic calculation results, and compares them with the expected values to verify the correctness of the logic. According to the conclusion of the system and platform product reliability analysis, CPU self-diagnosis can cover all failure modes that affect safety functions. Furthermore, the digital processor of the protection system has strong diagnostic functions, and the diagnostic program runs automatically and covers hardware components such as the processor, memory and watchdog. Because all functions share the same CPU and memory, a failure of a single function or part of the logic in isolation does not occur inside the system. However, following experience and conservative practice in the nuclear power industry, the T2 test is usually carried out by selecting typical logic or by periodically restarting the processor. Owing to the particularity of the EDG itself, the overall periodic test of the EDG is generally performed monthly and exercises the protection logic of the processor, so the T2 test does not need to be performed separately.
The T3 test verifies the correctness of the system output to the field device (or the input of the field device) and of the third-party interface. Because the overall periodic test of the EDG is generally performed monthly and covers the actual equipment action and the protection signals related to the third-party interface, and the operator can monitor the changes of the interface signals through the alarm status, the T3 test does not need to be performed separately either.
The response time test verifies the response time of the EDG protection system. Because the EDG fast-start test verifies the overall response time, it already covers the response time of the EDG protection system, so the response time test does not need to be performed separately.
In addition, because the EDG protection system uses a number of switches, buttons and indicator lights, the system needs a lamp test and a switch test to determine the availability of this equipment. A dedicated lamp test button and lamp test logic should be designed for the lamp test. It is suggested that the switch test be carried out during the periodic test of the whole EDG unit. Switches not covered by the periodic test of the whole EDG should be operated separately, with the corresponding action output locked at the same time.
4.4 Test Notes
The design of the periodic test function should not affect the safety function of the system. During the periodic test, if the function of the tested object is affected, methods such as bypass or locking shall be adopted to prevent the field equipment from being triggered by mistake, and an indication shall be provided in the control room to inform the operator.
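The T1 channel verification rule of Sect. 4.3, carried out in code as an added example (it is not part of the paper or of any plant test tool): the deviation E and the ±σ band are exactly as the text defines them, while the 0–10 MPa channel range, the injection points and the readings are constructed sample data. The cross check against redundant channels, which the text describes but does not need for the EDG, is included as well; comparing each channel with the median of the group is a choice made for this example.

```python
"""Added example (not from the paper): T1 analog channel verification.

Deviation rule quoted in the text:
    E = (V_measured - V_expected) / R_range * 100 %
Allowable band (-sigma, +sigma) with sigma = 0.25 % of the engineering range.
All channel ranges, injection points and readings below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List, Tuple

SIGMA_PERCENT = 0.25   # allowable error, % of engineering range (value from the text)


@dataclass(frozen=True)
class ChannelRange:
    low: float    # engineering value at 0 % of range
    high: float   # engineering value at 100 % of range

    @property
    def span(self) -> float:
        return self.high - self.low


def deviation_percent(v_measured: float, v_expected: float, rng: ChannelRange) -> float:
    """E in percent of the engineering range, as defined in the text."""
    return (v_measured - v_expected) / rng.span * 100.0


def verify_channel(readings: Iterable[Tuple[float, float]], rng: ChannelRange,
                   sigma: float = SIGMA_PERCENT) -> Tuple[bool, List[Tuple[float, float, float, bool]]]:
    """Channel verification over all standard-source injection points.

    readings: (expected, measured) engineering values for each injection point.
    Returns (channel_good, rows), each row being (expected, measured, E, point_good).
    The worst point decides: a single Not Good point fails the channel, because the
    test looks for drift and averaging would hide a drift at one end of the range.
    """
    rows = []
    for expected, measured in readings:
        e = deviation_percent(measured, expected, rng)
        rows.append((expected, measured, e, abs(e) <= sigma))
    return all(row[3] for row in rows), rows


def cross_check(channel_values: List[float], rng: ChannelRange,
                sigma: float = SIGMA_PERCENT) -> List[Tuple[float, float, bool]]:
    """Cross check between redundant channels measuring the same process variable.

    Each channel is compared with the median of the group, which is robust against
    one drifting channel; returns (value, E against median, channel_good) per channel.
    """
    reference = median(channel_values)
    result = []
    for value in channel_values:
        e = deviation_percent(value, reference, rng)
        result.append((value, e, abs(e) <= sigma))
    return result


if __name__ == "__main__":
    # Constructed sample: hypothetical 0-10 MPa channel, five injection points.
    rng = ChannelRange(0.0, 10.0)
    good, rows = verify_channel([(0.0, 0.01), (2.5, 2.51), (5.0, 5.02),
                                 (7.5, 7.52), (10.0, 9.99)], rng)
    print("channel verification:", "Good" if good else "Not Good")
    for expected, measured, e, ok in rows:
        print(f"  expected {expected:5.2f}  measured {measured:5.2f}  E={e:+.3f}%  "
              f"{'Good' if ok else 'Not Good'}")
    # A 0.03 MPa error is 0.3 % of range: outside the +/-0.25 % band.
    print("drifted point accepted:", verify_channel([(5.0, 5.03)], rng)[0])
    # Four redundant channels, one drifting high.
    for value, e, ok in cross_check([5.00, 5.01, 5.00, 5.40], rng):
        print(f"  channel {value:5.2f}  E={e:+.3f}%  {'Good' if ok else 'DRIFT'}")
```

Note that σ is expressed in percent of range, not of reading, so the same absolute tolerance (0.025 MPa on a 10 MPa range) applies at 0% and at 100% of range; a tolerance relative to the reading would be far too loose near the low end.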
5 Conclusion
This paper first analyzes the characteristics of the overall periodic test of the emergency diesel generator unit in current nuclear power plants. Then, based on the reliability analysis of the FirmSys platform and making full use of the advantages of digital technology, it classifies the periodic tests. Finally, through analysis and comparison, a periodic test strategy for the digital protection system suited to the emergency diesel generator is proposed and discussed. The purpose is to determine a rigorous and reliable periodic test scheme that can be widely applied in practice, and to provide a technical reference for determining the periodic test scheme of the emergency diesel generator protection system after its subsequent digital modernization. The periodic test scheme of the EDG protection system fully considers the frequency and coverage of the overall periodic test of the EDG unit, which not only reduces the workload of the test personnel but also effectively avoids design omissions and ensures the effectiveness of the EDG protection function.
References
1. IEEE 603-2009: IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (2009)
2. IEEE 338-2006: IEEE Standard Criteria for Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems (2006)
3. GB/T 5204-2008: Periodic test and monitoring of safety system in nuclear power plant (2008)
4. IEC 60671-2007: Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing (2007)
5. HAF 102-2004: Design safety regulations for nuclear power plants (2004)
6. Li, J.-B., Zhou, Z.: Discussion on periodic test start-up mode of emergency diesel generator set in nuclear power plant. Nucl. Sci. Eng. 37, 639 (2017)
7. Ren, L.-H., Lang, A.-G., Li, S.-X., Wu, C.-X.: Analysis and calculation of reliability and availability for instrument and control system in nuclear power plant. Autom. Instrum. 36(11), 130 (2015)
8. Sun, H.-T., Wang, Q.-M., Wang, Z.-J., Lu, C.: Design and implementation of ESFAS periodic test for CPR1000 nuclear power plant. Nucl. Sci. Eng. 37, 366 (2017)
The Design of Safety DCS Platform Based on FPGA Yuan Zhang(B) , Wu Sun, Ming-Xiao Wei, and Xiao-Li Huai China Nuclear Control System Engineering Co., Ltd., Beijing 100176, China [email protected]
Abstract. The safety DCS, known as the “neural center” of a nuclear power plant, is one of its most important parts and directly affects the safe, reliable and stable operation of the plant. According to the safety system standards and the requirements of the reference nuclear power plant, this paper describes the design of a safety digital control system (DCS) platform based on field programmable gate array (FPGA) technology. The design follows a life cycle model and uses a multi-bus cooperative architecture, a redundant FPGA design, co-processor information display technology, safety communication technology, self-diagnosis technology, engineering work station tools and equipment qualification, which together ensure FPGA logic, hardware and software quality and reliability suitable for critical applications. Type testing and independent engineering review have shown that the safety DCS platform designed by this method can meet the requirements of general engineering application in nuclear power plants. Keywords: Safety DCS · DCS platform · FPGA technology
1 Introduction
The safety DCS, known as the “neural center” of a nuclear power plant, is one of its most important parts and directly affects the safe, reliable and stable operation of the plant. China has lagged behind other countries in the safety DCS area. The main reasons are that safety DCS generally have very high safety requirements, harsh application environments, difficult R&D techniques and high capital investment. In addition, the existing safety DCS of nuclear power plants have long relied on imports, which results in dependence on imported equipment. Due to its technical characteristics, the safety DCS is largely driven by the development of the electronics and computer industry. In recent years, FPGA technology has been more and more widely used in the I&C field of nuclear power plants around the world, especially for safety DCS. Compared with microprocessor-based DCS, FPGAs are significantly simpler than microprocessors and link only the functions needed for a given application, so the complexity of the resulting application system can be significantly lower than that of a microprocessor-based system. Also, FPGAs have burned-in programmed logic that reacts to incoming information and do not rely on continuously running application software to process incoming information.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 580–589, 2022. https://doi.org/10.1007/978-981-19-1181-1_56
In recent years, with the guidance of state policy, the safety DCS has been gradually developed. And the FPGA based safety DCS provides a solution for nuclear power plants with cost advantages and long-term support. This paper describes the design of safety DCS platform based on FPGA technology. The information provided in this paper covers the following topics to fully understand the development method: design requirements for safety DCS, development lifecycle, platform composition, multi-bus cooperative processing architecture, redundant FPGA design, co-processing information display, safety communication, self-diagnosis, engineering work station tools and equipment qualification.
2 Design Requirements for Safety DCS
Clause 5.2 of IEC 62566 states: “the development lifecycle of HPD that may be undertaken in parallel with the development of other components (software or hardware) of the system, but coming together at the integration and validation phases of the system life-cycle. The approach proposed to development is based on the traditional “V cycle” model as this approach has been reflected in other Standards and is also recommended in IAEA NS-G 1.3.” [1]. According to the “Reactor RPS Requirement Specification” of the reference power plant, the safety DCS shall meet the following functional requirements:
• Input/output function
• Data communication function
• Logic processing function
• Self-diagnosis function
• Display and operation function
Also, according to the safety system criteria of IEEE 603 and IEEE 7-4.3.2, the design of the safety DCS shall meet the following design criteria, except for the engineering application parts:
• Single-failure criterion [2]
• Independence
• Information display
• Reliability
• Repair
• Equipment qualification
3 Development Lifecycle
The development lifecycle is the vehicle by which the development process is controlled, and its adoption should also produce the evidence necessary to justify the correct operation of safety systems. According to the requirements of IEC 62566, a V-model development lifecycle is used for developing the safety DCS platform, which includes platform requirement, platform design, module requirement, module design, module implementation, module integration, module validation, platform integration and platform validation. The development process of the safety DCS platform strictly follows the activities defined by the lifecycle shown in Fig. 1.
Fig. 1. Lifecycle for developing safety DCS platform (V model with the activities 1 platform requirement, 2 platform design, 3 module requirement, 4 module design, 5 module implementation, 6 module integration, 7 module validation, 8 platform integration, 9 platform validation; legend: lifecycle activity, verification activity, validation activity, process line)
A traceability matrix is established from platform requirement phase, which adopts IBM Rational DOORS as the requirement management tool to track the realization of requirement, design and implementation, in order to assure that the requirement and design of each phase can be traced to upstream requirements, and that each requirement is distributed and implemented effectively.
4 Platform Design
4.1 Platform Composition
In order to meet the functional requirements, the safety DCS platform is designed as a series of modules and structure components.
• Maintenance module: provides the platform configuration and maintenance interface.
• Controller module: the key processing module of the platform, which receives data from I/O modules or communication modules, performs logic processing and then outputs the results. The module supports a hot-standby redundant configuration operating as master or slave.
• Display module: used to display operating status information and output control commands; it receives communication data from the communication modules and operation commands from the touch screen.
• I/O modules: including analog input module, analog output module, discrete input module and discrete output module.
• Communication module: including point-to-point (PTP) communication module, multi-node communication module and gateway communication module.
• Power module: used to monitor and display the power supply of the chassis; each chassis is configured with two redundant power modules.
• Structure components: including chassis and cabinet. The chassis is an industry-standard 19” chassis that can be mounted in the platform cabinets. The number of modules in each chassis depends on the specific safety application and on the types of modules installed. Multiple chassis can be connected together through a motherboard connector if more modules are needed for the application.
The platform software is divided into two categories according to IEC 60880. System software is the part of the software of an I&C system designed for a specific computer or equipment family to facilitate the development, operation and modification of these items and associated programs. The software tool set supports the whole software life cycle, i.e. specification, design including verification and validation, system operation, and modifications in case of later changes of the input requirements [3].
• System software: microprocessor-based embedded software in the display process module.
• Software tools: engineering work station tools software.
4.2 Multi-bus Cooperative Processing Architecture
The safety DCS platform includes a number of modules, each performing different but very specific safety-critical functions. All the modules have been defined in Sect. 4.1.
Figure 2 is an illustration of a generic safety DCS platform architecture showing the relationship between Maintenance module, Controller module, I/O modules and communication modules. Typically, the Controller modules are redundantly configured as master and slave to increase the system availability and prevent single controller failure.
Fig. 2. Typical safety DCS platform architecture (one chassis: Controller A and Controller B, Maintenance module, PTP communication modules, multi-node communication modules, POWER A and POWER B, AI/AO/DI/DO modules, connected by the communication bus, I/O bus and maintenance bus through the motherboard connector)
There are four internal communication buses in the chassis, which are implemented as independent and separate buses to ensure independence between modules. 4.3 Redundant FPGA Design All FPGA based safety DCS platform modules have been designed similarly. Figure 3 shows a generic standard module layout.
Fig. 3. Common design of redundant FPGA (typical module layout: front panel with LED indicators and user interface; power supply with DC/DC converters, hot swap, power supervisor and distribution for POWER A and POWER B; Process FPGA circuit and Diagnosis FPGA circuit with logic circuit and NVM; internal bus drivers for C-BUS, R-BUS, M-BUS and L-BUS Tx/Rx; rack/slot ID detect circuit; P1 public connector and P2 channel signal connector; channel/graphic process/communication protocol process circuit)
The layout of the typical module circuit board consists of the following major circuit groups:
• Power supply: includes the hot-swap and under-voltage/over-voltage detection circuits.
• Logic circuit: includes the FPGA devices and the local oscillators.
• Non-volatile memory (NVM): includes the NVM device used for storing configuration information.
• Internal bus drivers: includes the physical hardware drivers used for communication between modules.
• Front panel and LED: includes the front panel LED indicators and the associated mechanical parts.
• Motherboard connectors: two connectors (P1 and P2) are designed. The P1 connector is used for the internal bus connection. The P2 connector is used for the channel circuit connection through the rear transition modules, which connect to the field signal terminal blocks.
The reuse of components and circuits is a key aspect of the efficiency of the safety DCS platform design. It not only improves long-term reliability and maintainability, but also gives the modules a common look and feel.
4.4 Co-processing Information Display
In order to meet the design criterion of information display, the Display module is designed as the interface module of the platform. The Display module consists of an FPGA logic circuit and a microprocessor circuit that performs the graphical display functions. The FPGA logic circuit is described in Sect. 4.3. The microprocessor circuit uses a microprocessor with graphics processing and storage expansion, performing data processing, memory management, data exchange and UI display functions. Embedded software is designed for the microprocessor circuit. The software is divided by function into a driver layer and a task layer; the driver layer provides the hardware drivers, and the task layer can only access the hardware through the interface provided by the driver layer. The task layer runs independently with a fixed cycle, and interrupts are not used: one task runs to completion before the next task begins.
4.5 Safety Communication
The safety communication consists of four types of communication, all designed to use fiber-optic cable as the transmission medium. The main features of each type are:
• Point-to-point communication is used for intra-divisional or inter-divisional communication with highly real-time data exchange.
• Multi-node communication is used for inter-divisional communication with large-capacity data transmission.
• Maintenance communication is the inter-platform communication used for monitoring real-time platform information, modifying the platform module configuration, and application periodic tests and calibration.
• Gateway communication is used for communication between the safety DCS platform and non-safety systems.
All the communication types use the following mechanisms to ensure communication reliability and independence:
• State-based communication is used, with no communication handshaking or interrupts that could disrupt safety function processing.
• Communication is transmitted periodically with a predefined and fixed period, regardless of whether the data has changed. Once the configuration is fixed, the period does not change.
• The communication channels are predefined and statically allocated in the particular safety application design.
• Messages are transmitted with a predetermined fixed length, and the composition of each message is also fixed.
• Optical fiber is used as the communication medium to ensure electrical isolation.
• Dual-port RAM and a communications controller perform the buffering function, providing an interface that prevents a non-safety computer from inhibiting or delaying the safety function [4].
4.6 Self-diagnosis
In order to improve the reliability of the system, and in accordance with IEC 61508 and IEC 60671, which require “enabling safety functions to be testable when the EUC is operational” [5] and state that “surveillance testing may be performed by the execution of functional tests or by self-supervision within the I&C systems important to safety” [6], the diagnostic design of the safety DCS platform uses the following principles. Self-diagnosis does not reduce the system safety performance (processing cycle, processing capacity, response time) or the safety function, and real-time monitoring is performed in each FPGA process cycle. The platform is equipped with three types of self-diagnosis features: a hardware-based detection process, an FPGA logic-based detection process, and a combination of the two. When an error is detected, an alarm is generated. When the error is severe, the controller enters failure mode.
• Hardware-based detection process: self-diagnosis is implemented by dedicated diagnostic circuits on the module. This feature covers the watchdog timer, parity errors, timeouts, etc.
• FPGA logic-based detection process: self-diagnosis is implemented in the FPGA. This feature covers the FPGA health check, ROM error check, RAM error check, etc.
• FPGA logic/hardware combination: circuits that support self-diagnosis are added to the module, and self-diagnosis is performed using FPGA logic-based read/write operations. This feature covers the discrete input check, the discrete/analog output read-back check, etc.
The module is monitored by the above self-diagnosis processes every FPGA process cycle. The individual error items can be identified by the LEDs on the
front panel of each module or by the engineering work station tools via the maintenance communication.
4.7 Engineering Work Station Tools
In order to meet the design criterion of repair, the Engineering Work Station tools are designed for accessing a specific application system in operation. The tools provide plant personnel access to advanced features of the safety DCS system such as system diagnostics, post-accident analysis, monitoring of real-time operation, initiating various run-time tests, and performing test, calibration and maintenance operations.
Fig. 4. Engineering work station tools (engineering work station connected to the Maintenance module, whose key switch selects the working mode)
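The communication rules of Sect. 4.5, the timeout and output read-back checks of Sect. 4.6 and the key-switch gating of the maintenance channel shown in Fig. 4, combined in one added example that is not the NicSys platform's code: a receiver for one statically allocated channel that accepts only frames of the predefined length and composition, drops corrupted or repeated frames without touching the last accepted state, and a per-cycle diagnosis that raises an alarm on a stale channel and enters failure mode on a read-back mismatch. The frame layout (channel id, sequence, 8-byte state, CRC-32), the three-cycle stale threshold, the mode check and every frame in the script are assumptions constructed for the example.

```python
"""Added example (not the NicSys platform's code). One process cycle of a
hypothetical safety module: deterministic state-frame reception (Sect. 4.5),
timeout and output read-back self-diagnosis (Sect. 4.6) and key-switch gating
of the maintenance channel (Sect. 4.7). Frame layout, CRC, the stale threshold
and all frames below are assumptions constructed for the example."""
import struct
import zlib
from typing import Dict, List, Optional

FRAME_LEN = 16      # assumed: 2 B channel id, 2 B sequence, 8 B state payload, 4 B CRC-32
STALE_CYCLES = 3    # assumed: no fresh valid frame for 3 process cycles -> timeout alarm
HEADER = struct.Struct(">HH8s")


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_frame(channel_id: int, seq: int, payload: bytes) -> bytes:
    """Sender side: fixed composition and length; sent every period whether or not
    the state changed (state-based, no handshake, no interrupt on the receiver)."""
    if len(payload) != 8:
        raise ValueError("state payload must be exactly 8 bytes")
    body = HEADER.pack(channel_id, seq & 0xFFFF, payload)
    return body + struct.pack(">I", crc32(body))


class StateChannel:
    """Receiver for one statically allocated channel. A malformed or repeated frame
    is dropped and the last accepted state is kept, so a faulty or non-safety sender
    can neither move the receiver's state nor block its processing cycle."""

    def __init__(self, channel_id: int, maintenance: bool = False):
        self.channel_id = channel_id
        self.maintenance = maintenance          # maintenance channel: gated by key switch
        self.last_seq: Optional[int] = None
        self.state: Optional[bytes] = None
        self.cycles_since_fresh = 0
        self.rejects: List[str] = []            # reject reasons, shown on the LED / EWS

    def receive(self, frame: Optional[bytes], key_in_maintenance: bool = False) -> bool:
        """Validate this cycle's frame; True only if it carried fresh, valid state."""
        self.cycles_since_fresh += 1
        if frame is None:
            return False
        if self.maintenance and not key_in_maintenance:
            self.rejects.append("mode")         # key switch not in maintenance mode
            return False
        if len(frame) != FRAME_LEN:
            self.rejects.append("length")
            return False
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if crc32(body) != crc:
            self.rejects.append("crc")
            return False
        cid, seq, payload = HEADER.unpack(body)
        if cid != self.channel_id:
            self.rejects.append("channel")
            return False
        if seq == self.last_seq:
            self.rejects.append("stale")        # sender is repeating an old frame
            return False
        self.last_seq, self.state = seq, payload
        self.cycles_since_fresh = 0
        return True


class ModuleDiagnostics:
    """Per-cycle self-diagnosis: every error raises an alarm; severe errors put the
    controller into failure mode."""

    def __init__(self):
        self.alarms: List[str] = []
        self.failure_mode = False

    def raise_alarm(self, item: str, severe: bool) -> None:
        self.alarms.append(item)
        if severe:
            self.failure_mode = True

    def check_timeout(self, ch: StateChannel) -> None:
        if ch.cycles_since_fresh >= STALE_CYCLES:
            self.raise_alarm(f"timeout:ch{ch.channel_id}", severe=False)

    def check_readback(self, commanded: Dict[str, int], readback: Dict[str, int]) -> None:
        """Output read-back check: the value read back from the output stage must equal
        what the logic commanded; a mismatch means the output hardware is not acting."""
        for name, value in commanded.items():
            if readback.get(name) != value:
                self.raise_alarm(f"readback:{name}", severe=True)


def process_cycle(ch: StateChannel, diag: ModuleDiagnostics, frame: Optional[bytes],
                  commanded: Dict[str, int], readback: Dict[str, int],
                  key_in_maintenance: bool = False) -> Optional[bytes]:
    """One process cycle: communication first, then diagnostics; returns the state to act on."""
    ch.receive(frame, key_in_maintenance)
    diag.check_timeout(ch)
    diag.check_readback(commanded, readback)
    return ch.state


if __name__ == "__main__":
    ch, diag = StateChannel(7), ModuleDiagnostics()
    good = build_frame(7, 1, b"TRIP=0  ")
    print("state:", process_cycle(ch, diag, good, {"DO1": 0}, {"DO1": 0}))
    corrupt = bytearray(good)
    corrupt[5] ^= 0x01                          # one flipped payload bit
    print("state:", process_cycle(ch, diag, bytes(corrupt), {"DO1": 0}, {"DO1": 0}), ch.rejects)
    for _ in range(STALE_CYCLES):
        process_cycle(ch, diag, None, {"DO1": 0}, {"DO1": 0})
    print("alarms after silence:", diag.alarms)
    print("maintenance frame with key off:",
          StateChannel(9, maintenance=True).receive(build_frame(9, 1, b"CFG=1   ")))
```

The receiver never waits for a frame and never replies, so a silent or misbehaving peer costs it nothing but a timeout alarm; the sequence check is there to tell a stalled sender from a live one, not to order frames, since with state-based transmission the newest valid frame is always the one to act on.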
The Engineering Work Station tools can be a permanently attached device, or a removable laptop that temporarily connects to the system (Fig. 4). The tools can only communicate with the safety DCS platform when the working mode key switch on the Maintenance module has been turned to maintenance mode.
4.8 Equipment Qualification
The equipment qualification process is generally based on the applicable laws, regulations and general standards. In the United States, IEEE 323 is the general standard for the qualification of nuclear power plant Class 1E electrical equipment. In Europe, IEC 60780 is mainly used as the general standard for Class 1E qualification. In addition, France follows RCC-E volume B for qualification; RCC-E volume B also recognizes the relevant requirements of IEC 60780 and states that specific qualification programmes shall be drawn up in accordance with the requirements of paragraph 5.3 of IEC 60780 [7]. Germany uses the KTA 3503 standard for type testing, which also requires that system-level qualification meet the requirements of IEC 60780. China has converted IEC 60780 into GB/T 12727, the standard for qualification of electrical equipment. The equipment qualification activities of the safety DCS platform follow GB/T 12727, with IEEE 323 and RCC-E volume B as references. The qualification process is divided into four stages; the test sequence for the equipment is as follows:
• Benchmark test: equipment compliance inspection, benchmark functional performance test, and caution test.
• EMC test: electromagnetic interference tests, conducted (CE, CS) and radiated (RE, RS).
• Environmental test: testing and/or evaluation of equipment performance over time (including thermal aging, mechanical aging and aging tests, etc.).
• Seismic test: tests under the conditions of the accident and after the accident.
5 Design Verification and Application
NicSys®8000N is a safety DCS platform based on this design. The first version of the platform product has been released and passed the Independent Engineering Review of Instrumentation and Control Systems (IERICS) organized by the IAEA in September 2016. The design and development of the platform comply with the requirements of Specific Safety Guide SSG-39 [8]. All four kinds of equipment qualification tests were conducted during 2017. The test data support the ability of the NicSys®8000N to operate during and after the corresponding events. The acceptance criteria for these tests include no loss of safety function, no spurious actuation, performance within the required accuracy and timing, and maintenance of structural integrity (i.e., no broken or loose parts) during and following testing. The Nuclear Instrumentation System (RNI) of the Karachi K-2/K-3 project in Pakistan is the first application of NicSys®8000N; the supply has been completed.
6 Conclusion
The development of the safety DCS platform based on FPGA technology rests on the standards and on long-term engineering application experience. In accordance with the design criteria of the safety system standards and the actual application requirements of the reference nuclear power plant, this paper summarizes the general requirements of the safety DCS platform. The design makes full use of the advantages of FPGA technology, uses a multi-bus cooperative processing architecture to improve bus performance, and uses a microprocessor as the co-processor of the FPGA to improve the efficiency of safety information display. The deterministic communication technology ensures the real-time behaviour, security and correctness of the safety communication. The self-diagnosis technology provides a basis for the stable operation of the system, and the engineering work station tools provide design, development and verification support for the entire life cycle of the system. According to the requirements of the equipment qualification standards, this paper summarizes the safety DCS qualification method, and the NicSys®8000N platform has completed equipment qualification based on this method. The platform has passed the IAEA review and has been applied in actual engineering projects; it remains necessary to verify its correctness and reliability in long-term operation in the future.
References
1. IEC 62566: Nuclear power plants – Instrumentation and control important to safety – Development of HDL-programmed integrated circuits for systems performing category A functions. IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland (2012)
2. IEEE 603: Criteria for Safety Systems for Nuclear Power Generating Stations. IEEE, 3 Park Avenue, New York, NY 10016-5997, USA (2009)
3. IEC 60880: Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions. International Electrotechnical Commission, 3, rue de Varembé, PO Box 131, CH-1211 Geneva 20, Switzerland (2006)
4. IEEE 7-4.3.2: Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. IEEE, 3 Park Avenue, New York, NY 10016-5997, USA (2010)
5. IEC 61508-3: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements. IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland (2010)
6. IEC 60671: Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing. IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland (2007)
7. RCC-E: Design and Construction Rules for Electrical Equipment of Nuclear Islands. AFCEN, Tour Areva, 92084 Paris la Défense Cedex (2012)
8. International Atomic Energy Agency: IAEA Review of the NICSYS®8000N Safety Class I&C Platform Designed by CNCS. IAEA Department of Nuclear Energy, Division of Nuclear Power (2016)
Research on Common Cause Fault Evaluation Model of RTS Based on β-factor Method Ying-Jie Lin(B) , Jian-Ming Yang, Ren-Yuan Wang, and Yan-Xiong Yang China Techenergy Co., Ltd., Beijing 100094, China [email protected]
Abstract. With the extended application of multi-redundant instrumentation and control systems in nuclear power plants, common cause failure has become an important failure mode that cannot be neglected. To solve the problem of how to correctly evaluate common cause failure in a system, this paper provides a β-factor maximum likelihood estimation (MLE) based on hypotheses drawn from practical engineering application. A common cause fault evaluation model based on the β-factor method is derived for the Reactor Trip System (RTS), combined with reliability block diagrams (RBD), and is calculated and analyzed with actual project data. Effective measures to reduce common cause failure are given through the analysis, which can provide a reference for the reliability analysis of nuclear power DCS and bring engineering experience to the related field. Keywords: Reliability model · CCF · β-factor method
1 Introduction
Since the beginning of the 21st century, the digital Distributed Control System (DCS) has gradually replaced traditional analog systems; in order to improve the stability and reliability of the DCS, multiple-redundancy structures and self-diagnosis functions are widely used in practical engineering [5]. However, the reliability of redundant devices is greatly reduced by the existence of common cause failures [1]. From previous Probabilistic Safety Assessment (PSA) reports of commercial nuclear power plants, it is not difficult to find that common cause failure is the main cause of the unavailability of redundant systems in nuclear power plants. The American PWR risk assessment report WASH-1400 mentions that the failure rate calculated with consideration of common cause failures is two orders of magnitude larger than that calculated independently without it. In addition, among the high-level requirements for system analysis in ASME RA-S-2002, system analysis shall reasonably and comprehensively consider common cause failures and inter-system and intra-system correlations. Besides setting up diverse systems to prevent common cause failure, how to carry out the quantitative analysis of common cause failure is particularly important. Therefore, the common cause fault analysis of redundant equipment is an important problem to be solved in practical engineering [6].
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 590–599, 2022. https://doi.org/10.1007/978-981-19-1181-1_57
2 Common Cause Failure and Analysis Model
Common cause failure (CCF) refers to the failure of two or more components caused by a common cause at the same time or within a relatively short time interval [7]. These causes include failures of system units due to their own condition, such as aging, fatigue, wear and corrosion of components, and accidental factors in the external environment, such as earthquake, lightning strike, collision, fire, etc. [8]. The occurrence of these highly destructive contingent factors leads to the simultaneous failure of some or all units in the system. The existence of common cause failures negates the advantages of redundant systems. At present, with the advancement of research, analysts have proposed many models and methods, including single-parameter models such as the α-factor method and the β-factor method, and more complex multi-parameter models: the binomial failure rate model (BFR), the basic parameter model (BP) and the multiple Greek letter model (MGL). Both the complex multi-parameter models and the simple single-parameter models face the same problem, namely the setting of parameters. In the above calculation models of common cause failure, many parameters can only be obtained from expert experience or semi-empirical formulas; without a universally recognized method of confirming the parameters, the calculated results of common cause failure are doubtful. Compared with the multi-parameter models, the single-parameter β-factor model has the advantages of simple parameters and intuitive expression, and this paper therefore focuses on the derivation of the β factor and the evaluation model of common cause failure.
3 Brief Introduction of RTS
The total probability formula is an important theoretical basis of probability theory. With it, the probability of a complex event can be transformed into the sum of the probabilities of simple events under different conditions. In practical problems, to obtain the probability of a complex event, it is usually decomposed into the conditional probability of the event under each condition and the probabilities of occurrence of those conditioning events [10] (Fig. 1).
Fig. 1. 2 out of 4 trip logic system architecture
592
Y.-J. Lin et al.
4 Derivation of β Factor
4.1 Model Assumptions
To keep the model concise and reasonable and to avoid unnecessary double counting, the system considered is assumed to consist of M identical components, and the following assumptions are adopted:
1) In the absence of common cause failure, the lifetime of each component in the system follows an exponential distribution, and the lifetimes are independent of each other.
2) The event that N components of the system fail simultaneously from the same cause is denoted A; the common cause shocks (B, C and D) are independent of each other and also independent of the independent failures.
3) The system is repairable and can diagnose faults; misoperation faults are found immediately and repaired.
4.2 MLE of β Factor
The single-parameter model represented by the β factor and the multi-parameter models, including the Multiple Greek Letter model (MGL) and the Binomial Failure Rate model (BFR), are all derived from the general Poisson model. Under the assumptions of the previous section, the parameter estimate of the β factor model is obtained as follows. Let the total operating time of the whole system be T, let $M_N$ be the number of events within T in which N components fail simultaneously, and let $\lambda_N$ be the rate of simultaneous failure of N components. Then $M_N$ follows a Poisson distribution with parameter $\lambda_N T$:
$$M_N \sim \pi(\lambda_N T), \quad N = 1, 2, \dots \tag{1}$$
Under the general Poisson model, the maximum likelihood estimate of the β factor is
$$\beta = \frac{\sum_{j=2}^{M} j\,n_j}{\sum_{j=1}^{M} j\,n_j} \tag{2}$$
where $n_j$ is the observed number of events in which exactly j of the M components failed together (the count written $M_N$ above, for N = j).
For a self-diagnosable system, let $M_n$ be the number of detected events within T in which n components fail simultaneously, and $\lambda_n$ the rate of detected simultaneous failure of n components; then $M_n$ follows a Poisson distribution with parameter $\lambda_n T$:
$$M_n \sim \pi(\lambda_n T), \quad n = 1, 2, \dots \tag{3}$$
Let $\beta_D$ be the β factor of the detectable failures. Under the general Poisson model its maximum likelihood estimate is
$$\beta_D = \frac{\sum_{j=2}^{M} j\,n_j}{\sum_{j=1}^{M} j\,n_j} \tag{4}$$
with the $n_j$ now counting only detected events in which j components failed together.
5 Derivation of Analysis Model of Common Cause Failure
To quantitatively calculate the rate of common cause failures, a premise must first be acknowledged: the total failure rate can be divided into failures caused by common causes and independent failures, as shown in Fig. 2 [11].
Fig. 2. System failure top-level fault tree
In probabilistic safety assessment calculations based on the β factor method of the previous section, simply classifying the failure modes as diagnosable and undiagnosable faults gives a large error in the mean repair time of the repairable system, and the result deviates from reality. Undiagnosable faults are therefore further classified into rejection (failure to actuate on demand) and misoperation (spurious actuation). It is also assumed that an undiagnosed fault is either a rejection or a misoperation, and that these are independent, mutually exclusive events. The common cause failure rate of the whole can then be expressed as
$$\lambda_D\,\beta_D + \lambda_U\,\beta \tag{5}$$
where $\lambda_D$ is the detectable failure rate and $\lambda_U$ the undetectable failure rate.
5.1 Construction of Single Channel Failure Model
To study the quantitative calculation of common cause failure in redundant voting structures, the corresponding assumptions and derivation must first be made for the single channel failure model. This structure consists of only one channel, and a failure of any mode renders its function unavailable.
Fig. 3. Single channel failure model
According to Fig. 3, the failure model of this channel can be regarded as composed of two parts, the detectable failures and the undetectable failures. The undetectable failure rate can be further subdivided into the rejection rate $\lambda_{UR}$ and the misoperation rate $\lambda_{UM}$. For convenience of calculation, $t_{CE}$ denotes the equivalent mean downtime of a channel, MTTR the mean time to restoration, and $T_1$ the detection time interval. The total failure rate is the sum of the two parts:
$$\lambda = \lambda_D + \lambda_U \tag{6}$$
The equivalent mean downtime of the channel, $t_{CE}$, is the sum of the equivalent mean downtimes of the two parts, $t_{CE}^{D}$ for detectable failures and $t_{CE}^{U}$ for undetectable failures, each weighted by the contribution of that part to the failure probability of the channel. It is composed of the products of the corresponding downtime and probability of the diagnosable fault, the misoperation and the rejection, as follows [4]:
$$t_{CE} = t_{CE}^{D} + t_{CE}^{U} \tag{7}$$
$$t_{CE} = \frac{\lambda_D}{\lambda}\,MTTR + \frac{\lambda_{UR}}{\lambda}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{UM}}{\lambda}\,\frac{MTTR}{2} \tag{8}$$
The mean failure probability is used to evaluate the reliability of the entire system. For a single channel,
$$PFD = 1 - e^{-\lambda t_{CE}} \tag{9}$$
Because $\lambda t_{CE} \ll 1$, the overall average failure probability $PFD_G$ is
$$PFD_G = \left(\lambda_D + \frac{\lambda_{UR} + \lambda_{UM}}{2}\right) t_{CE} \tag{10}$$
5.2 Derivation of Two-Out-of-Three Failure Model
Extending the single channel failure model above to the most commonly used 2oo3 logic, the voting architecture can be set as shown in Fig. 4:
Fig. 4. 2 out of 3 failure model
Here the equivalent mean downtime $t_{CE}$ of a single channel is the same as above:
$$t_{CE} = \frac{\lambda_D}{\lambda}\,MTTR + \frac{\lambda_{UR}}{\lambda}\left(\frac{T_1}{2} + MTTR\right) + \frac{\lambda_{UM}}{\lambda}\,\frac{MTTR}{2} \tag{11}$$
For the equivalent mean downtime of the whole voting group of three channels, the rejection downtimes of the channels carry different time coefficients: if two of the three channels reject within the test interval, the voting group fails. To obtain the coefficient, a random-number expression is set up with $a_i, b_i \in [0, 1]$ $(i = 1, 2, \dots, n)$:
$$A_{GE} = \lim_{n \to \infty} \frac{1}{n} \sum_{i=1}^{n} \min\{a_i, b_i\} \tag{12}$$
If the $a_i$, $b_i$ are independent uniform random numbers on [0, 1], this limit is the expected minimum of two uniform variables, 1/3.
The equivalent mean downtime of the whole voting group is then the sum of its detectable, rejection and misoperation parts:
$$t_{GE} = t_{GE}^{D} + t_{GE}^{UR} + t_{GE}^{UM} \tag{13}$$
$$t_{GE} = \frac{\lambda_D}{\lambda}\,MTTR + \frac{\lambda_{UR}}{\lambda}\left(A_{GE}\,T_1 + MTTR\right) + \frac{\lambda_{UM}}{\lambda}\,\frac{MTTR}{2} \tag{14}$$
For the whole 2oo3 group, the failure probability divides into failure caused by common cause failure and failure caused by non-common cause (independent) failure. The independent part is the failure of the whole voting logic caused by an independent failure of one channel superimposed on an independent failure of another of the three channels, where $A_3^2 = 3 \times 2 = 6$ is the number of ordered channel pairs:
$$A_3^2 \left[(1-\beta_D)\lambda_D + (1-\beta)\frac{\lambda_{UR}+\lambda_{UM}}{2}\right]^2 t_{CE}\, t_{GE} \tag{15}$$
Adding the common cause part, the overall mean failure probability $PFD_G$ is
$$PFD_G = 6\left[(1-\beta_D)\lambda_D + (1-\beta)\frac{\lambda_{UR}+\lambda_{UM}}{2}\right]^2 t_{CE}\, t_{GE} + \beta_D\,\lambda_D\,MTTR + \beta\left[\lambda_{UR}\left(A_{GE}\,T_1 + MTTR\right) + \lambda_{UM}\,\frac{MTTR}{2}\right] \tag{16}$$
5.3 Derivation of Common Cause Failure of RTS
2oo4 (two out of four) logic is the main logic type of the RTS in the reactor protection system, as shown in Fig. 5:
Fig. 5. 2 out of 4 failure mode
The structure consists of four parallel channels, and the output depends on the voting result of at least two of them. It is assumed that fault diagnosis changes the output state, so that a channel outputs a fail-safe value when a diagnosable fault occurs. The failure modes of the voting are then as follows: at least three channels have diagnosable faults, at least three channels reject, or at least two channels misoperate. The mean downtime of a single channel is the same as above, and a random-number expression can again be set up with $a_i, b_i, c_i \in [0, 1]$ $(i = 1, 2, \dots, n)$ for the downtime coefficient of the whole group:
$$A_{GE} = \lim_{n \to \infty} \frac{1}{n} \sum_{i=1}^{n} \min\{a_i, b_i, c_i\} \tag{17}$$
(for independent uniform random numbers this is the expected minimum of three, 1/4). The overall mean failure probability $PFD_G$ is
$$PFD_G = A_4^3 \left[(1-\beta_D)\lambda_D + (1-\beta)\frac{\lambda_{UR}+\lambda_{UM}}{2}\right]^3 t_{CE}\, t_{GE} + \beta_D\,\lambda_D\,MTTR + \beta\left[\lambda_{UR}\left(A_{GE}\,T_1 + MTTR\right) + \lambda_{UM}\,\frac{MTTR}{2}\right] \tag{18}$$
6 Case Analysis
Table 1. Single channel failure data
Main indicator                                     Value
Diagnosable (detectable) failure rate λ_D          1.5825E-06
Misoperation rate λ_UM                             8.62601E-08
Rejection rate λ_UR                                8.62601E-08
According to the 2oo4 formula derived above, with $A_4^3 = 4 \times 3 \times 2 = 24$, the overall average failure probability $PFD_G$ is (Table 1):
$$PFD_G = 24\left[(1-\beta_D)\lambda_D + (1-\beta)\frac{\lambda_{UR}+\lambda_{UM}}{2}\right]^3 t_{CE}\, t_{GE} + \beta_D\,\lambda_D\,MTTR + \beta\left[\lambda_{UR}\left(A_{GE}\,T_1 + MTTR\right) + \lambda_{UM}\,\frac{MTTR}{2}\right] \tag{19}$$
After calculation, the overall hardware failure probability of the RTS including common cause failures is
$$PFD_G = 1.10907\mathrm{E}{-05} \tag{20}$$
The application to the practical engineering project above shows that the common cause failure model is simple to apply and easy to generalize. For different nuclear power DCS projects, the overall hardware failure probability can be obtained by sorting the relevant failure data according to the corresponding redundant channels.
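The β factor estimate of Section 4 and the downtime and failure probability formulas of Section 5 can be checked numerically. The Python script below is an added worked example, not code from the paper: it computes β and β_D from a constructed event record with Eqs. (2) and (4), estimates the coefficient A_GE of Eqs. (12) and (17) by Monte Carlo and compares it with the analytic value 1/(k+1), and evaluates t_CE, t_GE and the 2oo3 result PFD_G of Eq. (16) with the Table 1 channel data. The values of MTTR, T1, β and β_D used in Eq. (20) are not stated in the text above, so the ones in the script are assumptions and the printed PFD_G is not the paper's 1.10907E-05.

```python
"""Beta-factor CCF model: MLE of beta (Eqs. 2, 4), channel and group
downtimes (Eqs. 8, 14), the A_GE coefficient (Eqs. 12, 17) and the 2oo3
average failure probability (Eq. 16).

Added worked example; not code from the paper. Rates are per hour and
MTTR/T1 in hours (assumed units; the paper states none)."""
import random
from collections import Counter


def beta_mle(event_sizes, detected=None):
    """beta = sum_{j>=2} j*n_j / sum_{j>=1} j*n_j (Eq. 2).

    event_sizes: one entry per observed failure event, giving how many of
    the M components failed together in that event. If `detected` (one
    bool per event) is given, only detected events are counted, which
    gives beta_D of Eq. (4)."""
    if detected is not None:
        event_sizes = [k for k, d in zip(event_sizes, detected) if d]
    n = Counter(event_sizes)  # n_j = number of events with exactly j failures
    total = sum(j * nj for j, nj in n.items())
    common = sum(j * nj for j, nj in n.items() if j >= 2)
    return common / total if total else 0.0


def channel_stop_time(lam_d, lam_ur, lam_um, mttr, t1):
    """Equivalent mean downtime of one channel, Eq. (8): detected faults
    wait MTTR, undetected rejections T1/2 + MTTR, undetected
    misoperations MTTR/2, each weighted by its share of lambda."""
    lam = lam_d + lam_ur + lam_um  # Eq. (6) with lambda_U = lambda_UR + lambda_UM
    return (lam_d / lam * mttr
            + lam_ur / lam * (t1 / 2 + mttr)
            + lam_um / lam * (mttr / 2))


def group_stop_time(lam_d, lam_ur, lam_um, mttr, t1, age):
    """Equivalent mean downtime of the voting group, Eq. (14): as Eq. (8)
    but with T1/2 replaced by A_GE * T1 in the rejection term."""
    lam = lam_d + lam_ur + lam_um
    return (lam_d / lam * mttr
            + lam_ur / lam * (age * t1 + mttr)
            + lam_um / lam * (mttr / 2))


def age_coefficient(k, samples=200_000, seed=1):
    """Monte Carlo value of A_GE = lim (1/n) sum min{a_i, ...} with k
    independent U(0,1) draws per term (k=2 in Eq. 12, k=3 in Eq. 17).
    The exact expectation of the minimum of k uniforms is 1/(k+1)."""
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(samples):
        acc += min(rng.random() for _ in range(k))
    return acc / samples


def pfd_2oo3(lam_d, lam_ur, lam_um, mttr, t1, beta, beta_d, age=1 / 3):
    """Average failure probability of a 2oo3 group, Eq. (16):
    A_3^2 = 6 ordered channel pairs of independent failures, plus the
    beta-factor common cause term."""
    t_ce = channel_stop_time(lam_d, lam_ur, lam_um, mttr, t1)
    t_ge = group_stop_time(lam_d, lam_ur, lam_um, mttr, t1, age)
    indep_rate = (1 - beta_d) * lam_d + (1 - beta) * (lam_ur + lam_um) / 2
    independent = 6 * indep_rate ** 2 * t_ce * t_ge
    ccf = beta_d * lam_d * mttr + beta * (lam_ur * (age * t1 + mttr)
                                          + lam_um * mttr / 2)
    return independent + ccf


if __name__ == "__main__":
    # Channel data from Table 1 of the paper
    LAM_D, LAM_UR, LAM_UM = 1.5825e-06, 8.62601e-08, 8.62601e-08
    MTTR, T1 = 8.0, 8760.0  # assumed: 8 h restoration, yearly test interval
    # Constructed event record: 12 single failures, two doubles, one triple
    events = [1] * 12 + [2, 2, 3]
    detected = [True] * 12 + [True, False, True]
    beta, beta_d = beta_mle(events), beta_mle(events, detected)
    print(f"beta = {beta:.4f}, beta_D = {beta_d:.4f}")
    print(f"A_GE(2) ~ {age_coefficient(2):.4f}, A_GE(3) ~ {age_coefficient(3):.4f}")
    print(f"t_CE = {channel_stop_time(LAM_D, LAM_UR, LAM_UM, MTTR, T1):.2f} h")
    print(f"PFD_G(2oo3) = {pfd_2oo3(LAM_D, LAM_UR, LAM_UM, MTTR, T1, beta, beta_d):.3e}")
```

With the constructed record, β = 7/19 and β_D = 5/17, because the undetected double failure drops out of the detected count. Setting β = β_D = 0 reduces Eq. (16) to the independent term alone, and any positive β raises PFD_G, which is the sensitivity the conclusion of the paper refers to.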
7 Conclusion
In this paper a common cause failure evaluation model based on the β factor method is presented for the safety-level Reactor Trip System. First, under the general assumptions and the general Poisson model, the maximum likelihood estimate of the β factor is given. Using the reliability block diagram (RBD) analysis method, an analysis model of the RTS is established. From the reliability block diagram the corresponding mathematical model is derived, and the rejection rate and misoperation rate of multi-channel redundant systems are introduced into the evaluation. Finally, the feasibility of the method and model is verified by evaluating the model with actual project data [2, 3]. Compared with the widely used Markov model, the reliability block diagram has the advantages of being easy to understand [5], simple to model and easy to maintain, and it does not suffer the combinatorial explosion of the Markov model, so it is more suitable for practice [9]. According to the calculation results, the smaller the β factor, the smaller the impact of common cause failure. To control common cause failure effectively, in addition to avoiding the 2oo3/3oo4/4oo5 logic architectures, appropriate derating of components and equipment at the design stage and a high diagnostic coverage of the system should be pursued.
References
1. Shengkui, Z., Tingdi, Z., et al.: The System Reliability Design and Analysis Tutorial. Beihang University Press, Beijing (2001)
2. Hu, H., Zhai, S., Sun, H.: Study on reliability model of launch vehicle GNC system based on total probability formula. Aerospace Control (2014)
3. Ma, X., Zhang, L.: The generalization of total probability formula and its application in insurance. Studies in College Mathematics (2010)
4. Yang, Z.: Probability Theory. Science Press, Beijing (2004)
5. Jiang, G., Li, F., Mo, C., Ma, G.: The research and development of self-diagnostic function for NPP I&C system. Nucl. Sci. Eng. 39(01), 146–154 (2019)
6. Fang, Y., Zeng, X., Wang, G.: Common cause failure analysis of automatic train control system. J. Shanghai Jiaotong Univ. 49(7), 1052–1057 (2015)
7. Vaurio, J.K.: Uncertainties and quantification of common cause failure rates and probabilities for system analyses. Reliab. Eng. Syst. Saf. 90(2–3), 186–195 (2005)
8. Lin, J., Yan, Z., Gong, S., Zhou, J.: The application of GO-FLOW methodology in common cause analysis. Ind. Saf. Dust Control 30(2), 11–13 (2014)
9. Li, C., Chen, X., Yi, X., Tao, J.: Analysis of k-out-of-n: G systems subject to common cause failures based on Markov process. Syst. Eng. Electron. 31(11), 2789–2792 (2009)
10. Zhang, Q., Ma, Q., Han, W., Hu, Q.: The reliability analysis of nuclear power plant safety DCS with common cause failure. Progr. Report China Nucl. Sci. Technol. 5, 92–98 (2017)
11. International Electrotechnical Commission: IEC 61508-6, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3. Geneva (2010)
Research on Testability Analysis Technology of Nuclear Safety Level DCS System Based on Dependence Model Gui-Lian Shi1,2(B) , Xiao-Jin Huang2 , and Hu-Jun Jia1 1 China Techenergy Co., Ltd., Beijing 100094, China
[email protected] 2 Institute of Nuclear and New Energy Technology, Tsinghua University, Beijing 100084, China
Abstract. This paper introduces testability theory to implement a testability analysis and improvement method for nuclear safety DCS systems based on the dependence model, applied to existing product designs in the nuclear power plant DCS field. By establishing a dependence model, testability prediction and an improved design plan of the DCS product can be achieved. The diagnostic ability of the DCS system is thereby improved, and several maintenance difficulties, such as the difficulty and low efficiency of locating faults, can be solved, so that a failure of internal parts of the system can be detected and located in time and rapid, economical maintenance achieved. The method has been verified on a nuclear safety DCS system, and the results show that it is simple, describes the testability of the system clearly, and effectively improves the diagnosis and isolation ability of the system.
Keywords: Nuclear safety DCS · Testability · Dependence model
1 Introduction
The nuclear safety level DCS is the nerve center of the nuclear power plant: it controls the operation of the whole plant and the processes under all kinds of operating conditions, and plays an important role in ensuring the safe, reliable, stable and economic operation of the plant. Nuclear power plants place the most stringent requirements on DCS reliability, availability and quick repair after failure. With the development of technology and the increasing complexity of equipment, the probability of system failure increases greatly. For complex electronic equipment, fault detection and isolation account for more than half of the maintenance time, so maintenance of the nuclear power plant DCS has gradually become an important problem. In the early stage of DCS design, reliability of the system received most of the attention; in recent years, with the increasing demand for maintenance, the focus has gradually turned to maintenance-related design. Testability research has gradually become a hot research direction in many fields, especially electronic systems and equipment. Testability refers to a
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 600–613, 2022. https://doi.org/10.1007/978-981-19-1181-1_58
Research on Testability Analysis Technology
601
design feature by which the state of a product (working, not working or degraded performance) can be determined in a timely and accurate way and its internal failures isolated. The ultimate goal of testability is to improve the quality and reliability of products, reduce their life cycle cost and pursue high quality. At present, although there is much research on testability technology, its applications are mainly concentrated in military fields such as weapons, aerospace and aviation [1]; other applications are rarely reported. There are five difficulties in the current operation and maintenance of the nuclear safety DCS: faults are hard to locate after a failure, resources are wasted, location is slow, location demands high skill, and location has a large impact on the running system, so that location is mainly completed by technical experts and the efficiency is not high. In addition, testability design has not been systematically introduced into the development and application of nuclear safety level I&C products, which results in low fault detection and fault isolation rates. The research focus of this paper is to introduce testability theory and methods to the existing product designs in the nuclear safety DCS field, so as to improve the design of DCS products and increase the diagnostic ability of the DCS system. This ensures that a failure of internal parts of the system can be detected and located in time, achieving rapid and economical maintenance.
2 General Technical Scheme
The standard process of testability design and evaluation consists of the following four steps. Step 1: Determine the testability requirements based on usage and maintenance requirements and the preliminary diagnostic plan. Step 2: Perform testability allocation and testability design. Step 3: Perform testability prediction, testability verification, and production and use evaluation. Step 4: Make improvements based on the evaluation results [2].
At present there are two main methods of system testability analysis and evaluation: the engineering weighting method based on experience, and model-based analysis. The model-based method models the design information of the system and then analyzes and processes it, and so obtains more accurate testability data than manual weighted calculation. As a modeling and analysis method for testability, the dependence model based on graph theory is characterized by high modeling efficiency and accuracy, which makes it widely used in testability and diagnostic design, systems engineering, reliability and maintainability [1, 3]. In this paper, combined with the characteristics of the existing nuclear safety level DCS, the general technical scheme of testability analysis based on the dependence model is developed as follows:
1. Testability modeling based on diagnostic design: collect the design information of the diagnostic parameters and establish the testability model;
2. Testability prediction based on the dependence model: analyze the testability model for its identification, diagnosis and isolation ability, then use the testability prediction table to analyze the quantitative indicators and evaluate the testability;
3. Improved comprehensive testability design scheme.
602
G.-L. Shi et al.
3 Testability Modeling Based on Diagnostic Design
Testability modeling based on diagnostic design is based on FMECA, combined with fault-related information, and is conducted at the system level, control station level, module group level and LRU level (see Fig. 1). Testability modeling consists of two parts: sorting of diagnosis points and diagnosis information, and dependence modeling analysis [2]. For the system, control stations, module groups and LRUs with testability design requirements, the existing diagnostic points and diagnostic information should be combed to obtain the testability design information of the products, which supports testability modeling, detailed design and testability prediction.
Fig. 1. Hierarchical division of nuclear safety DCS system (System > Control Station 1 ... Control Station N > Module Group 1 ... Module Group M > LRU1 ... LRUi)
This work is based on the system-level and LRU-level FMEA reports, the product diagnosis design document, the system self-diagnosis design specification and so on, and outputs the product fault modes, system fault modes, and product and system diagnosis point (test point) information. The combing results are filled into the corresponding table and the necessary conclusions given. Combing the diagnosis points and diagnosis information covers three aspects (see Fig. 2). First, the functional failure modes of the analyzed product are determined from the product/system composition and the FMECA results. Once the failure modes are determined, the diagnostic points (test points) are combed. On the basis of the test points, the diagnostic methods (test methods) used, including BIT, external ATE and manual test, are combed.
Fig. 2. Main contents of combing diagnostic points and diagnostic information: combing the failure modes of product functions; combing the diagnostic points (test points); combing the test methods used
Examples of diagnosis points and diagnosis information are listed in Table 1.
Table 1. Examples of diagnosis points and diagnosis information (template)
Columns: System/component | Functional unit | Failure mode | Failure rate | Test points/diagnostic points | Test method (BIT / ATE / manual) | Minimum diagnostic granularity
Rows: System (1, 2, ...); Control station 1 (1, 2, ...); Module group 1 (1, 2, ...); LRU1 (1, 2, ...); ... (one row per combined failure mode)
Based on the fault modes and diagnosis information, dependence modeling analysis is carried out. The dependence model is a method of designing fault detection and isolation based on dependence reasoning and on the process by which faults are discovered [4]. It expresses the relationship between units (or unit faults) and the test logic, and comprises a graphical model and a mathematical model.
Dependence modeling analysis first establishes the dependence graphical model [5]. After a reasonable division of the features and structure of the tested product, the dependence graphical model is built on the functional block diagram to show clearly the direction of the functional information flow and the mutual connections. The position and number of the test points are marked so as to indicate the dependence relationship between each component and each test point, as shown in Fig. 3. Note: boxes represent the failure modes of each functional unit, circles represent test points, and arrows indicate the direction of functional information flow.
Fig. 3. Dependence graphical model
Secondly, the dependence mathematical model, namely the D matrix (1), is established from the dependence graphical model [6]:
$$D_{m \times n} = \begin{bmatrix} d_{11} & \cdots & d_{1n} \\ \vdots & \ddots & \vdots \\ d_{m1} & \cdots & d_{mn} \end{bmatrix} \tag{1}$$
Row i records the response of the fault $F_i$ of that component at every test point, i.e. the dependence of each $T_j$ on $F_i$; column j records which component faults can be observed at test point $T_j$, i.e. the dependence of $T_j$ on each $F_i$. When $T_j$ can observe fault $F_i$ (that is, $T_j$ is related to $F_i$), $d_{ij} = 1$; when $T_j$ cannot observe $F_i$ ($T_j$ is not related to $F_i$), $d_{ij} = 0$.
4 Testability Prediction Based on Dependence Model
4.1 Qualitative Analysis
After the D-matrix model of the tested unit is established, the test points for fault detection and fault isolation can be selected and the testability of the unit analyzed qualitatively [7]. The analysis steps are as follows.
STEP 1: Identify redundant test points from the D-matrix. Comparing the columns of the D-matrix, if $T_k = T_l$ with $k \neq l$, the corresponding test points $T_k$ and $T_l$ are mutually redundant. All redundant test points are identified in the same way.
STEP 2: Simplify the D-matrix (1). Of each set of redundant test points, keep only the one that is easiest to implement and cheapest to test, and remove the columns of the unselected test points from the D-matrix.
STEP 3: Qualitative analysis of detection ability: calculate the ambiguity and determine the fuzzy groups. Comparing the rows of the D-matrix, if $F_x = F_y$ with $x \neq y$, the corresponding fault categories (or replaceable components) are indistinguishable and are treated as one fault-isolation fuzzy group. When two rows are identical the ambiguity is 2, and the corresponding $F_x$ and $F_y$ form the fuzzy group. Calculate the maximum ambiguity and the corresponding fuzzy group.
STEP 4: Simplify the D-matrix (2). Merging identical rows into one row gives a simplified D-matrix and the fuzzy groups for fault isolation.
STEP 5: Qualitative analysis of isolation ability. The test points for detection and fault isolation are determined by the split-half method.
STEP 6: Qualitative evaluation of the testability model: whether the current design has multiple redundant test points, the maximum ambiguity, and the fault detection and isolation ability of the system.
4.2 Quantitative Analysis
Based on the combing results of the testability design, the key testability indicators are predicted:
• Fault detection rate
• Fault isolation rate
• Fault detection time
• Fault isolation time
Testability prediction mainly includes system testability prediction, LRU testability prediction, SRU testability prediction, and prediction of other parameters [8]. The main steps are as follows:
(1) Analysis of object hierarchy and composition. Combined with the function of the object, the structure and composition of the system are analyzed.
(2) Obtain failure mode and failure rate data and BIT prediction results. The failure mode and failure rate data of each functional block are the basis of testability analysis and prediction; they can be obtained from FMECA and reliability prediction data.
(3) Obtain FMECA data and reliability prediction data, so as to list all failure modes and establish the failure effects, the failure rate of each functional unit or component, and the frequency ratio of each failure mode.
(4) Fill in the testability analysis and prediction work sheet. From the previous analysis, identify whether each failure mode can be detected by external tests, which failure modes are detected, whether a detected failure mode can be isolated, and to how many replaceable units it can be isolated, and enter the data into the work sheet.
(5) Use the testability prediction table to analyze the quantitative indicators: calculate the fault detection rate and the fault isolation rate. The testability prediction table has the layout of Table 2.
Table 2. Testability prediction table
Project (serial number, name of the LRU: 1 U1; 2 U2; 3 ...) | Component: failure rate λ_SR | Failure rate: fault mode FM, frequency ratio α, failure rate λ_FM | Isolation of λ_IL: 1 LRU, 2 LRU, 4 LRU | Note
Summary rows: Total failure rate; Estimated fault isolation rate
The columns are filled as follows.
• Project: the name of the analyzed system and its subordinate system.
• Component: the failure rate λ_SR of the analyzed functional unit within the system.
• Failure rate: the failure mode FM, its frequency ratio α and its failure rate λ_FM = α λ_SR.
• Isolation of λ_IL: the failure rate that can be isolated to 1, 2, 3 or 4 components.
• Note: remarks on each state.
• Total failure rate: the sums of the respective failure rate columns.
• Fault detection rate: γ_FD = λ_D / λ, where λ_D is the total failure rate of the detectable failure modes and λ the total failure rate.
• Fault isolation rate: γ_FI = λ_IL / λ_D.
5 Improvement of Testability Comprehensive Scheme
Based on the needs of fault location in maintenance, a comprehensive diagnosis improvement scheme for the nuclear safety level DCS is developed. Improvement schemes and preliminary designs are proposed both for the internal diagnosis of the DCS and for the external operation and maintenance support system in the various application scenarios. A redesign method is adopted to improve the comprehensive design scheme according to the difference between the demand and the current situation. The improvement measures are mainly the following three (see Table 3).
Table 3. Improvement measures of testability comprehensive scheme
Measure 1: Improve testability point design
  Level: inside the DCS device
  Advantage: the most accurate solution to the problem of large fuzzy groups in fault location; improves the diagnosis rate and isolation rate
  Insufficiency: device modification is difficult and may affect the reliability of the original device
  Applicable scenario: product design and engineering design that can be upgraded and modified
Measure 2: Improve test detection and data acquisition methods
  Level: inside the DCS device; DCS external operation and maintenance support system
  Advantage: 1. reduces the manual test time and the impact on security; 2. improves the speed of diagnosis and location
  Insufficiency: involves equipment modification, online detection and data transmission, affecting the operation (load and security) of the original equipment, and requires the development of a dedicated security network
  Applicable scenario: product design and engineering design that can be upgraded and modified
Measure 3: Improve the fault location and analysis method
  Level: DCS external operation and maintenance support system
  Advantage: does not affect the DCS, and significantly improves the location and analysis of complex faults
  Insufficiency: the fault diagnosis rate and isolation rate cannot be improved
  Applicable scenario: all scenarios, but requires online data transmission
6 Application Practice
The testability analysis technology for the nuclear safety level DCS based on the dependence model is illustrated with the example of the harmony system, the first independent nuclear safety level I&C platform in China.
(1) Dependence modeling
The dependence modeling analysis of I/O module groups is taken as an example. Assume that an AI module group is configured with only one conditioning board and one AI board, and establish the dependence model (see Fig. 4).
Fig. 4. Dependence graphical model of AI module group
The D-matrix model is shown in Table 4.
Table 4. D-matrix model of AI module group (d_ij = 1 where test point T_j observes failure mode F_i). The test point identifiers in the source, all prefixed T1-2-, are in column order: 1(1)-B1, 1(2)-B2, 2(1)-M1, 2(1)-M1, 2(1)-M1, 2(1)-M1, 2(1z)-M3, 2(2)-M2, 2(2)-M1, 2(2)-M1, 2(2)-M2, 2(2)-M3, 2(2)-M4, 2(2)-M5, and four further points ending in A1, 1-A1, 2-A1 and 3-A1 whose middle segment is not legible. Units with two rows (-1, -2) have the two fault modes listed for that unit in Table 5, in the same order.

FM     Unit                      T1  T2  T3  T4  T5  T6  T7  T8  T9  T10 T11 T12 T13 T14 T15 T16 T17 T18
F1     The sensor                1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F2     Cable 1                   1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F3     Terminal 1                1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F4     Cable 2                   1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F5-1   Conditioning chassis      1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F5-2   Conditioning chassis      1   1   1   1   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F6     Conditioning board        1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F7     Cable 3                   1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F8     Terminal 2                1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F9     Semi-prefabricated cable  1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F10    AI switch board card      1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F11-1  IO chassis                1   1   0   0   0   0   0   0   0   0   0   0   0   0   1   0   1   0
F11-2  IO chassis                1   1   0   0   1   1   0   1   1   1   1   1   1   1   1   0   1   0
F12-1  AI card                   1   1   0   0   0   0   0   0   0   0   1   1   0   0   1   1   0   0
F12-2  AI card                   1   1   0   0   0   0   0   0   0   0   1   1   0   0   1   0   1   0
F13    CSS board 1               1   1   0   0   0   0   1   1   1   0   0   0   1   0   1   0   0   1
F14    CSS conversion board 1    1   1   0   0   0   0   0   1   1   0   0   0   1   0   1   0   0   1
F15    Line 1                    1   1   0   0   0   0   0   1   1   0   0   0   1   0   1   0   0   1
(2) Testability prediction
The combing results of the testability of the current diagnostic design are:
a. For the fault diagnosis and isolation of I/O module groups, the current design has multiple redundant test points;
b. Non-intelligent in-house products and third-party products in the I/O module group form a large fuzzy group (maximum 11), so faults cannot be located effectively without supplementary design;
c. For the I/O module group, the system-level diagnosis (KIC warning alarm) has complete detection ability but no isolation ability;
d. For the 6 simplified devices/fuzzy groups, 5 test points are required to achieve isolation by the classical split-half method, most of them ATE and manual, so locating efficiency is relatively low;
e. The estimated fault isolation rates are 59.39% (1 LRU), 71.90% (2 LRU) and 71.90% (4 LRU) (see Table 5).
Table 5. Testability prediction of AI module group
(Isolation of λIL: the λFM of each fault mode is entered under the lowest LRU level at which it can be isolated; the totals are cumulative.)

Serial no. | Name of the LRU                         | Failure rate λSR | Fault mode FM                                    | Frequency ratio α | Failure rate λFM | λIL 1LRU | λIL 2LRU | λIL 4LRU | Note
-----------|-----------------------------------------|------------------|--------------------------------------------------|-------------------|------------------|----------|----------|----------|-----
1          | The sensor                              | 100              | Data from the sensor to the DCS is abnormal      | 1                 | 100              | –        | –        | –        |
2          | Cable 1                                 | 100              | Cable 1 is faulty                                | 1                 | 100              | –        | –        | –        |
3          | Terminal 1                              | 100              | Terminal 1 fault                                 | 1                 | 100              | –        | –        | –        |
4          | Cable 2                                 | 100              | Cable 2 is faulty                                | 1                 | 100              | –        | –        | –        |
5          | Regulate the case (conditioning chassis)| 100              | The chassis hardware is faulty                   | 0.4               | 40               | –        | –        | –        |
           |                                         |                  | The chassis is powered off                       | 0.6               | 60               | 60       | –        | –        |
6          | Regulate the board (conditioning board) | 249.5            | The hardware of the conditioning board is faulty | 1                 | 249.5            | –        | –        | –        |
7          | Cable 3                                 | 100              | Cable 3 fault                                    | 1                 | 100              | –        | –        | –        |
8          | Terminal 2                              | 100              | Terminal 2 fault                                 | 1                 | 100              | –        | –        | –        |
9          | Semi-prefabricated cable                | 100              | The semi-prefabricated cable is faulty           | 1                 | 100              | –        | –        | –        |
10         | AI switch board card                    | 500              | The AI conversion board hardware is faulty       | 1                 | 500              | –        | –        | –        |
11         | IO chassis                              | 100              | The chassis hardware is faulty                   | 0.4               | 40               | –        | –        | –        |
           |                                         |                  | The chassis is powered off                       | 0.6               | 60               | 60       | –        | –        |
12         | AI card                                 | 1052.3           | AI card device fault (non-collection channel)    | 0.7               | 757.7            | 757.7    | –        | –        |
           |                                         |                  | The AI card collection channel is faulty         | 0.3               | 294.6            | 294.6    | –        | –        |
13         | CSS board 1                             | 2061.0           | The hardware of CSS board 1 is faulty            | 1.0               | 2061.0           | 2061.0   | –        | –        |
14         | CSS conversion board 1                  | 581.2            | The hardware of CSS conversion board 1 is faulty | 1.0               | 581.2            | –        | 581.2    | –        |
15         | Line 1                                  | 100.0            | Network cable 1 fault                            | 1.0               | 100.0            | –        | 100.0    | –        |
Total failure rate             |               | 5444.0           |                                                  |                   |                  | 3233.3   | 3914.5   | 3914.5   |
Estimated fault isolation rate |               |                  |                                                  |                   |                  | 59.4%    | 71.9%    | 71.9%    |
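The prediction in Table 5 follows mechanically from the dependency matrix: fault modes with identical rows share a test signature, so they fall into one fuzzy group, and a fault mode is isolable to N LRUs only when its fuzzy group spans at most N distinct LRUs. The following is an added worked example, not code from the paper: it takes the matrix rows as printed above and the λFM column of Table 5, derives the fuzzy groups, and computes the fault isolation rate at the 1LRU, 2LRU and 4LRU levels. The mapping of the 40/60 split of LRUs 5 and 11 and of the 757.7/294.6 split of LRU 12 onto the -1/-2 rows in order of appearance is an assumption of this example.

```python
"""Testability prediction from a fault-mode/test dependency matrix.

Added worked example; this is not code from the paper.  Fault modes whose
rows in the dependency matrix are identical have the same test signature,
so no test can tell them apart: they form a fuzzy (ambiguity) group.  A
fault mode is isolable to N LRUs when its fuzzy group spans at most N
distinct LRUs, and the fault isolation rate (FIR) at level N is the
failure-rate-weighted share of the fault modes isolable at that level.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (fault mode, LRU serial number, failure rate lambda_FM, 18-column test
# signature).  Signatures are the dependency matrix rows as printed; failure
# rates are the lambda_FM column of Table 5.  Assumption of this example: the
# 40/60 split of LRUs 5 and 11 and the 757.7/294.6 split of LRU 12 are mapped
# onto the -1/-2 rows in the order in which they appear.
FaultMode = Tuple[str, int, float, str]
SHARED = "110000000000001010"   # signature common to the non-intelligent items
FAULT_MODES: List[FaultMode] = [
    ("F1",    1,  100.0, SHARED),
    ("F2",    2,  100.0, SHARED),
    ("F3",    3,  100.0, SHARED),
    ("F4",    4,  100.0, SHARED),
    ("F5-1",  5,   40.0, SHARED),
    ("F5-2",  5,   60.0, "111100000000001010"),
    ("F6",    6,  249.5, SHARED),
    ("F7",    7,  100.0, SHARED),
    ("F8",    8,  100.0, SHARED),
    ("F9",    9,  100.0, SHARED),
    ("F10",  10,  500.0, SHARED),
    ("F11-1", 11,  40.0, SHARED),
    ("F11-2", 11,  60.0, "110011011111111010"),
    ("F12-1", 12, 757.7, "110000000011001100"),
    ("F12-2", 12, 294.6, "110000000011001010"),
    ("F13",  13, 2061.0, "110000111000101001"),
    ("F14",  14,  581.2, "110000011000101001"),
    ("F15",  15,  100.0, "110000011000101001"),
]


def fuzzy_groups(fault_modes: List[FaultMode]) -> List[List[FaultMode]]:
    """Partition fault modes into groups with identical test signatures."""
    groups: Dict[str, List[FaultMode]] = defaultdict(list)
    for fm in fault_modes:
        groups[fm[3]].append(fm)
    return list(groups.values())


def isolation_level(fault_modes: List[FaultMode]) -> Dict[str, int]:
    """Number of distinct LRUs each fault mode can be narrowed down to."""
    level: Dict[str, int] = {}
    for group in fuzzy_groups(fault_modes):
        n_lru = len({lru for _, lru, _, _ in group})
        for name, _, _, _ in group:
            level[name] = n_lru
    return level


def fault_isolation_rate(fault_modes: List[FaultMode], n_lru: int) -> Tuple[float, float, float]:
    """Return (isolated lambda, total lambda, FIR) at the given LRU level."""
    level = isolation_level(fault_modes)
    total = sum(rate for _, _, rate, _ in fault_modes)
    isolated = sum(rate for name, _, rate, _ in fault_modes if level[name] <= n_lru)
    return isolated, total, isolated / total


def largest_fuzzy_group(fault_modes: List[FaultMode]) -> int:
    """Size of the biggest ambiguity group (the paper reports a maximum of 11)."""
    return max(len(g) for g in fuzzy_groups(fault_modes))


if __name__ == "__main__":
    print("largest fuzzy group:", largest_fuzzy_group(FAULT_MODES))
    for n in (1, 2, 4):
        iso, tot, fir = fault_isolation_rate(FAULT_MODES, n)
        print(f"{n}LRU: isolated {iso:.1f} of {tot:.1f} -> FIR {fir:.2%}")
```

The eleven items sharing the common signature form the fuzzy group of size 11 named in item b above, and because that group spans eleven LRUs it contributes nothing even at 4LRU, which is why the 2LRU and 4LRU rates coincide.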
(3) Testability improvement. Taking the AI board of the I/O module group as an example, the typical solution to achieve the expected improvement of the testability design is as follows:
• Diagnostic point improvement (new):
1) Conditioning board: key faults such as disconnection and short circuit of the input signals entering the conditioning board, and equipment faults of the conditioning board itself, can be diagnosed;
2) Field sensor to DCS input end: faults on the sensor input side can be detected;
3) AI adapter card: key faults such as disconnection and short circuit of the input signals entering the AI adapter card can be diagnosed.
• Improvement of the diagnosis scheme:
1) The new diagnostic points use BIT (built-in test) mode, so they can be collected and transmitted online periodically;
2) The monitoring of the AI board's system variable information (by EAST) is changed to BIT mode, so it can be collected and transmitted online periodically;
3) The remote analysis system (iSMP) is deployed on site to collect the above information online and perform automatic expert diagnosis, giving fault isolation conclusions.
Table 6. Testability improvement of AI module group
(Isolation of λIL: the λFM of each fault mode is entered under the lowest LRU level at which it can be isolated; the totals are cumulative.)

Serial no. | Name of the LRU                         | Failure rate λSR | Fault mode FM                                    | Frequency ratio α | Failure rate λFM | λIL 1LRU   | λIL 2LRU | λIL 4LRU   | Note
-----------|-----------------------------------------|------------------|--------------------------------------------------|-------------------|------------------|------------|----------|------------|-----
1          | The sensor                              | 100              | Data from the sensor to the DCS is abnormal      | 1                 | 100              | see note a | –        | see note a |
2          | Cable 1                                 | 100              | Cable 1 is faulty                                | 1                 | 100              | see note a | –        | see note a |
3          | Terminal 1                              | 100              | Terminal 1 fault                                 | 1                 | 100              | see note a | –        | see note a |
4          | Cable 2                                 | 100              | Cable 2 is faulty                                | 1                 | 100              | see note a | –        | see note a |
5          | Regulate the case (conditioning chassis)| 100              | The chassis hardware is faulty                   | 0.4               | 40               | –          | –        | 40         |
           |                                         |                  | The chassis is powered off                       | 0.6               | 60               | 60         | –        | –          |
6          | Regulate the board (conditioning board) | 249.5            | The hardware of the conditioning board is faulty | 1                 | 249.5            | 249.5      | –        | –          |
7          | Cable 3                                 | 100              | Cable 3 fault                                    | 1                 | 100              | –          | –        | 100        |
8          | Terminal 2                              | 100              | Terminal 2 fault                                 | 1                 | 100              | –          | –        | 100        |
9          | Semi-prefabricated cable                | 100              | The semi-prefabricated cable is faulty           | 1                 | 100              | –          | –        | 100        |
10         | AI switch board card                    | 500              | The AI conversion board hardware is faulty       | 1                 | 500              | –          | –        | 500        |
11         | IO chassis                              | 100              | The chassis hardware is faulty                   | 0.4               | 40               | 40         | –        | –          |
           |                                         |                  | The chassis is powered off                       | 0.6               | 60               | 60         | –        | –          |
12         | AI card                                 | 1052.3           | AI card device fault (non-collection channel)    | 0.72              | 757.656          | 757.656    | –        | –          |
           |                                         |                  | The AI card collection channel is faulty         | 0.28              | 294.644          | 294.644    | –        | –          |
13         | CSS board 1                             | 2061.0           | The hardware of CSS board 1 is faulty            | 1                 | 2061             | 2061       | –        | –          |
14         | CSS conversion board 1                  | 581.2            | The hardware of CSS conversion board 1 is faulty | 1                 | 581.2            | –          | 581.2    | –          |
15         | Line 1                                  | 100.0            | Network cable 1 fault                            | 1                 | 100              | –          | 100      | –          |
Total failure rate             |               | 5444.0           |                                                  |                   |                  | 3622.8     | 4304     | 5444       |
Estimated fault isolation rate |               |                  |                                                  |                   |                  | 66.55%     | 79.06%   | 100%       |

Note a: of the four fault modes in rows 1–4 (λFM = 100 each), one is isolable at 1LRU and the other three at 4LRU; the extracted table does not preserve which row carries the 1LRU entry.

For the improved scheme, the key testability indicators are predicted again; the estimated fault isolation rates are 66.55% (1LRU), 79.06% (2LRU) and 100% (4LRU), respectively (see Table 6). It can be seen that the method is feasible and effective.
7 Conclusion
In this paper, a dependence model is established for a nuclear safety-level DCS. The model uses a directed graph to describe the causal dependence between modules and tests. Considering the failure modes of the system modules, their probabilities and the available tools, a fault diagnosis design prediction and improvement method for nuclear safety-level DCS systems based on the dependence model is implemented. The modeling method and the diagnosis method are verified in the test of a nuclear safety-level DCS system. The results show that the modeling method is simple and can clearly describe the testability of the system.
On Key Technical Issues of Protection System Design
Lan Zhang1, Tao Bai1(B), Zhe-Ming Liu2, and Qun-Feng Wang3
1 China United Heavy Duty Gas Turbine Technology Co., Ltd., Shanghai, China
[email protected]
2 Product Information Committee of China Instrument and Control Society Beijing, Beijing, China
3 China Guangdong Nuclear Engineering Co., Ltd., Shenzhen, China
Abstract. The protection system design is one of the key issues for a nuclear power station as well as for the heavy-duty gas turbine; owing to the complexity of heavy-duty gas turbine design and manufacturing, it needs to be solved urgently in the process of its independent development. Taking the heavy-duty gas turbine and the steam turbine as examples, the differences in working mechanism and process characteristics are analyzed first in this note. Based on a qualitative and quantitative analysis of the operating safety and reliability requirements, the protection function items and their detailed requirements for the protection platform are developed. Moreover, the characteristics of the existing typical protection implementation schemes are summarized. Finally, some considerations and suggestions are proposed for the design of the protection system.
Keywords: Protection function · Protection platform · Operating safety · Reliability
1 Introduction
The global climate situation is becoming increasingly serious, and both nuclear power and natural gas are important clean energy sources. The gas turbine in particular is flexible clean-energy equipment for safe, reliable, peak-adjustable, sustainable and stable power generation, because of its flexible and frequent start-up and its rapid response to power grid demand. However, due to the complexity of design and manufacturing, the protection system is one of the key issues that needs to be solved urgently in independent development, for nuclear as well as for gas turbine power stations. In particular, it is worth evaluating the suitability of the control and protection strategies for the platform. For example, some hold the opinion that the steam turbine protection platform ETS can be used directly for the protection system of the heavy-duty gas turbine. Aiming at this issue, the differences in working mechanism and process characteristics between the heavy-duty gas turbine and the steam turbine generator are analyzed first. On the basis of a qualitative and quantitative analysis of the safety and reliability requirements of the heavy-duty gas turbine, the protection function items and their detailed requirements for the protection platform are developed. Moreover, the characteristics of the existing typical protection implementation schemes are analyzed and summarized. Finally, some considerations and suggestions are proposed for the design of the protection system.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 614–624, 2022. https://doi.org/10.1007/978-981-19-1181-1_59
2 Analysis of the Operation Characteristics
2.1 The Operation Characteristics of Heavy-Duty Gas Turbine
The structural schematic diagram of the heavy-duty gas turbine and the block diagram of its thermal cycle principle are shown in Fig. 1. It works on the Brayton thermal cycle, which is composed of isentropic compression, isobaric heating, isentropic expansion and isobaric heat removal. During operation of the gas turbine, the compressor draws in air from the external atmosphere and compresses it stage by stage in the axial flow compressor. The compressed air is sent to the combustion chamber, where it is mixed and burned with the injected fuel to generate high-temperature, high-pressure gas; this gas then enters the turbine and expands to do work, driving the turbine, which rotates the compressor and the external load rotor together at high speed [3].
Fig. 1. Schematic diagram of heavy gas turbine structure and block diagram of thermal cycle principle
2.2 The Operation Characteristics of Steam Turbine
The steam turbine power plant works on the Rankine thermal cycle with water steam as the working medium, which is composed of isentropic compression, isobaric heating, isentropic expansion and an isobaric condensation process. Among these, the work done by the steam turbine is the isentropic expansion process, which converts the thermal potential energy of the steam into mechanical energy, and then into electrical energy.
Table 1. Comparison of heavy-duty gas turbine and steam turbine

Parameters                                   | Steam turbine                         | Heavy-duty gas turbine
---------------------------------------------|---------------------------------------|--------------------------------------------------------------
Thermodynamic process                        | Expansion process of the Rankine cycle | Brayton cycle: compression (endothermic rise), expansion (enthalpy drop)
Rotational speed (rpm)                       | 3000                                  | 3000
Working medium                               | Water steam                           | Natural gas
Inlet temperature of working medium (°C)     | ≥500 (HP main steam inlet temperature) | ≥1300 (turbine inlet)
Exhaust temperature (°C)                     | About 30                              | ≥580
Exhaust flow (kg/s)                          | >100                                  | >700
Working medium pressure (MPa)                | HP main steam pressure: 14.66         | Compressor outlet pressure
Working medium exhaust pressure (kPa)        | About 4                               | About 100
The comparison of the heavy-duty gas turbine and the steam turbine on key parameters is given in Table 1, based on typical class F gas turbines [1]. It can be seen from Table 1 that, compared with the steam turbine, the heavy-duty gas turbine works under more critical conditions: higher working-fluid temperature, larger exhaust flow and more drastic changes in its dynamic processes. The mixture of natural gas and high-pressure air burns violently in the combustor, and the high-temperature gas is pushed directly into the turbine to do work, which leads to strong nonlinearity and strong coupling among the compressor, combustion chamber and turbine. Moreover, the requirements on temperature resistance, pressure bearing and resistance to fatigue aging of key equipment and components are more critical. On the other hand, in order to improve the efficiency and power of the heavy-duty gas turbine unit, its body structure is continuously improved and more adjustable parts are added and used, which makes the control and protection measures more complex and larger in scale. As a result, the requirements on control and protection for high stability, high reliability, safe operation after an accident, rapid response and high precision are becoming more and more critical.
3 Analysis of Protection Function Requirements Based on equipment operation characteristics, the protection function requirements of the main equipment of heavy-duty gas turbine and steam turbine are analyzed.
3.1 Qualitative Analysis
3.1.1 Protection Requirements Analysis of Heavy-Duty Gas Turbine
For the protection requirements of the gas turbine, the following factors should be considered [6, 7].
1. Compressor. A multistage axial flow design is generally adopted for the compressor to raise the air pressure and meet the combustion conditions. In the range below the rated speed, the first several stages of the compressor carry a very high aerodynamic load, which causes the airflow to separate at the back of the moving blades and the flow rate to decline. In this condition the compressor loses its ability to raise pressure, surges and becomes unstable: the gas flow direction changes periodically, the outlet pressure fluctuates periodically, the unit vibrates violently, and impulsive noise is produced together with the pressure fluctuation. The alternating bending stress damages the compressor blades. Anti-surge is therefore an important protection requirement for the compressor.
2. Combustor. The high-pressure air discharged from the compressor is mixed with fuel in the combustor and burned, converting the chemical energy of the fuel into heat. The stability of the combustion process can be affected by many factors, such as the fuel-to-air ratio, the airflow velocity field, gas turbulence, harshness of combustion, the load of the gas turbine, combustion chamber cooling and so on. These can easily lead to flameout, detonation, pulsation, over-acceleration by burning, or even gas turbine vibration. In particular, in the case of ignition failure or flameout during operation, if natural gas continues to enter the combustion chamber, it will accumulate in the combustion chamber and turbine and cause an explosion or burn the turbine. At the same time, long-term operation at high temperature will cause cracks, damage and other faults of the combustion chamber, transition pieces and other components. Therefore, fuel protection that stops further fuel injection in the case of flameout or ignition failure is necessary during operation. In addition, protection of the combustion equipment itself, such as pulsation and vibration protection, is necessary.
3. Turbine. The high-temperature, high-pressure gas from combustion rushes directly into the turbine and does work through expansion; the energy of the gas is converted into mechanical work in the turbine. The turbine inlet temperature directly determines the power and efficiency of the gas turbine; at the working point it is usually above 1300 °C for an F-class gas turbine. At such high temperature, if the temperature fluctuation range is too large, it easily leads to fatigue aging of the hot-end parts, reduced life of the turbine blades and even blade breakage, which seriously endangers the safety of the unit. Therefore, preventing over-temperature and avoiding cooling failure is the primary protection item of the turbine.
4. Structural integrity. Ensuring structural integrity and avoiding malignant events caused by collision of stationary and rotating parts are the key considerations in protection design, such as vibration protection, bearing temperature protection, axial displacement protection, key direction protection, expansion difference protection, etc.
5. Overspeed protection. The gas turbine is a machine running at high speed, and its rotating parts bear a huge centrifugal force. As the rotational speed increases, the centrifugal force increases rapidly, with the square of the speed. Once the speed exceeds the strength limit, blade fracture, rubbing between rotating and stationary parts, and even shaft breakage and other serious accidents will occur. In the design of closely matched rotating parts such as blades and impellers, the allowable speed is usually considered within 20% above the rated speed, and the rotor strength is generally designed for 115%–120% of the rated speed. In addition, after the fuel is cut off, the fuel remaining in the gas turbine continues to burn, generating heat and doing work, so the gas turbine continues to accelerate. Therefore, the influence of this remaining work must be taken into account in the gas turbine overspeed protection. It is required that the operating time of all equipment contained in the entire trip loop, from the moment the speed is detected to reach the trip value to the moment the fuel is cut off, be less than 1 s.
6. Auxiliary systems. The auxiliary systems provide the operating environment and conditions for the gas turbine. Auxiliary system protection includes lube oil system protection, fuel system protection, air inlet system protection, shell system protection, fire protection, hazardous gas monitoring protection and so on.
3.1.2 Protection Requirements Analysis of Steam Turbine
For the protection requirements of the steam turbine, the following factors should be considered:
1. Overspeed protection. As for overspeed protection, the steam turbine and the gas turbine have similar requirements. However, because of its relatively low operating temperature and pressure, the consequences of an accident are relatively minor. The speed goes down immediately once the main steam valve and intake valve cut off the steam intake on overspeed protection.
2. Condenser. Low vacuum in the condenser (high exhaust pressure) causes the exhaust temperature to rise, which in turn raises the temperature of the low-pressure cylinder, low-pressure rotor blades and condenser, and leads to turbine vibration, rubbing between rotating and stationary parts, final-stage blade fracture, metal deformation, condenser tube leakage and other consequences. Therefore, low vacuum protection is necessary for turbine protection.
3. Structural integrity. The protection requirements for structural integrity are similar to those for gas turbines.
3.1.3 Comparison of Protection Requirements Between Gas Turbine and Steam Turbine
According to the above analysis, as high-speed rotating machinery, heavy-duty gas turbines and steam turbines have similar protection requirements in terms of overspeed and structural integrity protection, including:
1. Overspeed protection
2. Over-vibration protection
3. High bearing temperature protection
4. Axial displacement protection
5. Lubricating oil/control oil protection
6. Expansion differential protection
However, due to the higher working temperature, higher pressure, larger exhaust flow, more rapid dynamic processes and more drastic process changes of the heavy-duty gas turbine, its equipment parts suffer greater harm from high temperature, high pressure, violent vibration and fatigue aging. The fatigue life of the hot-end components is therefore greatly affected by emergency tripping, which requires that the impact of the process safety time be fully evaluated and that more gentle protection measures be taken before tripping. In addition, the protection requirements should consider the effect of the remaining fuel continuing to burn and do work after the fuel cut-off, which places more stringent and complex requirements on the operating time of the equipment contained in the entire trip loop. Combining the above protection function requirements of the gas turbine's main and auxiliary equipment, the number of protection items and the performance requirements of the heavy-duty gas turbine are much higher than those of existing steam turbine protection.
3.2 Quantitative Analysis
The risk-based functional safety analysis method is adopted to analyze the protection functions quantitatively. Accordingly, further details of the protection function requirements, the design and implementation scheme, and the requirements for the platform are proposed. This is a general rule for nuclear power stations as well as for gas turbine equipment. According to the defined graded hazards and risks, the protection capability and the failure risk of the existing protective layers for the potential hazards in operation are obtained by the layer of protection analysis method. The analysis covers personal injury, environmental damage, equipment damage and power generation outage; severity is then defined based on the classification and consequences of each event and its frequency. On this basis, the likelihood of risk occurrence is calculated and the risk is defined and classified.
The evaluation of the protection capability and failure risk of the existing protection layer is the basis for formulating protection measures. If the analysis and calculation results reach an acceptable risk level, it indicates that the existing protective function measures are reasonable and feasible. If the risk level is not acceptable, it indicates that the protective measures are insufficient and need to be improved or redesigned.
As for the gas turbine, appropriate protection measures are evaluated and selected for each dangerous situation to avoid damage to the gas turbine by thermal shock as far as possible. There are more than 50 protection items for a typical heavy-duty gas turbine, such as:
1) Overspeed protection;
2) Turbine-related protection: over-temperature protection, cooling failure protection, etc.;
3) Combustion-related protection items: flameout protection, combustion pulsation protection, etc.;
4) Compressor-related protection items: anti-surge protection, IGV/VGV position abnormal protection, etc.;
5) Overall structure protection: high bearing temperature protection, high vibration protection, etc.;
6) Other auxiliary system protection, such as lube oil system, fuel module and shell system protection.
The graded protection measures to be taken include: alarm, protective load reduction shutdown/trip, normal load gradient protection shutdown, trip, lockout, trip of the high-voltage circuit breaker, trip of the generator circuit breaker, etc.
4 Requirements of Protection Platform
4.1 Requirements of Protection Platform
1. The protection platform can be selected according to the analysis of the protection functions. For example, for the gas turbine it should be capable of processing various input signals such as digital signals, analog signals (including thermal resistance and thermocouple), pulse signals and other types of input. Signals from the protection cabinets can directly drive and control motors, intermediate relays or contactors.
2. The response time also needs to be evaluated according to the process protection function. For the gas turbine, the most critical process safety time is less than 1 s, which means the response time of the protection platform (terminal to terminal) should preferably be less than 150 ms. Detailed performance requirements of the protection platform for the gas turbine are shown in Table 2.
4.2 The Limitation Analysis of ETS Protection Platform
In general, the ability of the protection platform needs to match the process protection function requirements. The gas turbine protection function has a larger system scale and higher requirements on reliability and rapidity than steam turbine protection, so the platform for the gas turbine must have a larger system scale and higher reliability and rapidity. This limits the direct use of the ETS platform for gas turbine protection. ETS platforms, typically used for steam turbine protection, usually provide the following system capabilities:
Table 2. Protecting platform performance

Items                         | Platform performance
------------------------------|------------------------------------------------------------------------------------------------------------
System response time          | Terminal-to-terminal response time ≤ 150 ms (this response time does not include instrument detection and actuator action time)
System accuracy               | Analog module accuracy 1% (full range); pulse quantity (rotational speed) accuracy: 0.5 rpm / 3 krpm
Time synchronization precision | All clocks in the system are unified, and the time synchronization precision is not less than 1 ms
SOE resolution and accuracy   | SOE resolution ≤ 1 ms
System capacity               | The system capacity is greater than 250 IO points. The number of DO output points should be kept above 60 to cope with the output of multiple protection measures and the demand for mutual monitoring. It should be able to handle 3000 basic functional modules in a single processor in a single channel, provide SOE recording and transmission, and be capable of transmitting 2000 points of alarm and process variable data to the control system through the network
Reliability                   | Gas turbine control and protection system availability shall be at least 99.9%; mean time to repair (MTTR) ≤ 5 h
Safety & Security             | Meets the IEC 61508 SIL level and has the functions of fail-safe, information security, self-diagnosis, periodic testing, and keeping equipment in its present mode after the power supply is restored
1) The typical protection items handled by the ETS protection platform generally number fewer than 10, such as overspeed protection, shaft vibration protection, axial displacement protection, expansion difference protection, bearing oil temperature protection and generator main protection linkage protection.
2) The platform can process about 100 digital signal points. The voting logic function for digital signals can be processed, but analog signals and analog logic processing functions are not supported.
3) The configuration is relatively fixed and not convenient to modify on site.
4) A redundant configuration of two independent processors ensures that the protection function of the system is neither lost nor delayed, and redundant power distribution prevents loss of power supply. Loss of power supply is a recoverable fault of the system: once the system is powered again, it automatically resumes normal operation without any operator intervention.
5) The system has a self-check function with channel state indication and alarm outputs for system faults. The corresponding safety command signal is output when the system fails.
6) Online test function. During an online test, the shutdown and trip protection functions can still act correctly.
Based on the above analysis, the limitations of the ETS platform are as follows:
1) Compared with the 10 protection items of the ETS protection requirement, typical gas turbine protection functions are much larger in scale, as more than 50 protection items with complex logic need to be considered. The ability to deal with analog signals and complex analog logic is required, which exceeds the platform's ability and needs to be improved.
2) Protection implementations for different gas turbines differ slightly, and for a first design the protection function requirements cannot be completely fixed at the design stage, which requires that the protection logic be easy to modify and debug. The service capability of the current ETS platform configuration tool needs to be improved.
Based on this, the ETS platform cannot be used directly in the gas turbine protection system. More detailed study is necessary to implement the heavy-duty gas turbine protection functions.
5 Typical Protection System Scheme and Characteristics Analysis
Combining the functional requirements of gas turbine protection with the basic requirements of the protection platform, the current international mainstream protection schemes and their implementations are analyzed as follows.
5.1 Siemens Protection System Architecture
In the early stage of the Siemens F-class gas turbine control system there was no dedicated protection cabinet. The tripping protection function was realized in a redundant and diversified way in hardware, together with the FM458 controller and the T3000 computer controller, by which not only the SIL-level safety functional requirements are met but also the risk of common cause failure caused by software failure is effectively avoided [2]. Now, a dedicated protection cabinet meeting the SIL-level requirements is used to implement all protection functions [8].
5.2 Mitsubishi's Protection System Architecture
The gas turbine protection cabinet is composed of the TPS1, TPS2 and TPS3 sub-systems, which receive three separate power supplies. The three protection signals from the site are sent to the three sub-systems respectively; each sub-system outputs a digital signal after its own two-out-of-three logic calculation, which is sent into the relay circuit, where the related trip protection functions are combined, so that the protection functions are redundant [5].
5.3 GE Protection System Architecture
The MARK system, as part of the supporting system of GE gas turbines, has been designed and updated following the customized design of the gas turbine from the beginning. For example, the hardware architecture is typically triple redundant with a high degree of integration of software logic and hardware, and a special overspeed protection controller is designed for the fast response requirement of overspeed [4]. In addition to the triple-redundant main controller with protection and trip functions, the dedicated protection module also has a triple-redundant structure to achieve the overspeed protection function. The local signals are input to the input terminal board and calculated by the controller, which then outputs three tripping signals to drive three blocking electromagnetic coils. The dedicated speed protection module, which acts as the redundant protection module, receives the other three speed inputs and, after 2/3 voting, outputs the trip signal to the electromagnetic coils to disable the three cut-off electromagnetic coils from the other end of their power supply [1].
From the analysis of the international mainstream protection platforms, it can be seen that the gas turbine protection function has a large scale, complex protection logic, rapid response and high safety and reliability requirements. The early protection function was realized by the control cabinet together with dedicated devices meeting SIL requirements. With the development of platform technology, platforms have been developed which not only meet the SIL certification for protection but also meet the application requirements of high safety and reliability, supporting a larger scale of complex protective functions, flexible logic configuration and a more friendly man-machine interface, which simplifies the design, implementation and commissioning test of the gas turbine protection system. This is beneficial to the whole-life-cycle maintenance of the gas turbine protection system.
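The two-out-of-three voting described for the Mitsubishi and GE schemes in Sect. 5, and the trip-loop timing requirement of Sect. 4.1 (process safety time under 1 s, platform response under 150 ms), can be made concrete in a few lines. The following is an added illustration, not code from the paper or from any vendor's platform. It assumes three independent channels that each evaluate the same overspeed criterion on their own measurement, treats a channel with an invalid measurement as voting for trip (fail-safe), and models the output as de-energize-to-trip. The rated speed of 3000 rpm comes from Table 1; the 110 % overspeed setpoint and the timing figures in the demonstration are assumed values.

```python
"""Two-out-of-three (2oo3) trip voting with a trip-loop time budget check.

Added illustration; not code from the paper or from any vendor platform.
Assumptions: three independent protection channels (the TPS1..TPS3
sub-systems in the Mitsubishi scheme, or the three speed inputs of the GE
speed module) each evaluate the same overspeed criterion on their own
measurement; a channel whose measurement is invalid votes for trip
(fail-safe); the trip output is de-energize-to-trip, so the coil is energized
only while no trip is demanded.  Rated speed 3000 rpm is from Table 1; the
110 % overspeed setpoint is an assumed value, not one given in the paper.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

RATED_SPEED_RPM = 3000.0
OVERSPEED_TRIP_RPM = 1.10 * RATED_SPEED_RPM        # assumed setpoint
PROCESS_SAFETY_TIME_S = 1.0        # paper: speed detection to fuel cut-off < 1 s
PLATFORM_RESPONSE_LIMIT_S = 0.150  # paper / Table 2: terminal to terminal <= 150 ms


@dataclass(frozen=True)
class Channel:
    """One protection channel with its own speed measurement."""
    name: str
    speed_rpm: Optional[float]     # None models a failed / invalid channel

    def demands_trip(self) -> bool:
        if self.speed_rpm is None:
            return True            # fail-safe: an invalid channel votes to trip
        return self.speed_rpm >= OVERSPEED_TRIP_RPM


def vote_2oo3(demands: Sequence[bool]) -> bool:
    """True when at least two of the three channels demand a trip."""
    if len(demands) != 3:
        raise ValueError("2oo3 voting needs exactly three channel votes")
    return sum(1 for d in demands if d) >= 2


def trip_coil_energized(channels: Sequence[Channel]) -> bool:
    """De-energize-to-trip: the coil stays energized only while 2oo3 says no trip."""
    return not vote_2oo3([c.demands_trip() for c in channels])


def trip_loop_meets_budget(detection_s: float, platform_s: float,
                           relay_s: float, fuel_valve_s: float) -> bool:
    """Check the whole trip loop (sensor -> logic -> relay -> fuel cut-off)
    against the process safety time, and the platform's own share against
    its 150 ms limit.  All inputs are seconds."""
    loop = detection_s + platform_s + relay_s + fuel_valve_s
    return platform_s <= PLATFORM_RESPONSE_LIMIT_S and loop < PROCESS_SAFETY_TIME_S


if __name__ == "__main__":
    # Constructed sample readings (rpm); these are not measurements from the paper.
    healthy = [Channel("TPS1", 3000.0), Channel("TPS2", 3005.0), Channel("TPS3", 2998.0)]
    one_bad_sensor = [Channel("TPS1", 3600.0), Channel("TPS2", 3005.0), Channel("TPS3", 2998.0)]
    overspeed = [Channel("TPS1", 3320.0), Channel("TPS2", 3315.0), Channel("TPS3", None)]
    for label, chans in (("healthy", healthy), ("one bad sensor", one_bad_sensor),
                         ("overspeed + failed channel", overspeed)):
        print(f"{label}: coil energized = {trip_coil_energized(chans)}")
    # Assumed timing budget (s): detection, platform logic, relay, fuel valve.
    print("trip loop within budget:", trip_loop_meets_budget(0.05, 0.12, 0.03, 0.40))
```

The single high reading in the second case does not trip the unit, which is the point of 2oo3 voting against spurious trips, while a genuine overspeed seen by two healthy channels trips it even with the third channel failed.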
6 Considerations and Suggestion of Independent Protection Scheme Based on the above analyze, the protection platform need to be capable for the requirement of protection function. The following considerations and suggestions are given for independent design and development of protection system. Development of a platform with simple architecture and high system efficiency that meets the requirements of reliability and rapidity requirements of standard gas turbine should be considered from the very beginning time. During the design for the protection system, the protection function should be formulated from both forward and reverse design.
L. Zhang et al.
1. Reverse design includes sorting out the typical protection items and their characteristics. It is necessary to find the process system requirements for each protection item and to clearly know how.
2. Forward design is mainly carried out according to the functional safety design process. Probability and risk level are calculated through qualitative and quantitative analysis of risk events, so as to define the protection measure requirements, including the definition of the functional safety integrity level and the equipment damage level. Given the current technical capability, the definition of key data still needs to be verified by test. Since tripping has a great impact on the life of hot-end components, the effect of process safety time should be fully evaluated and more moderate protection measures should be taken before an emergency trip.
In conclusion, the protection system design is not only a systemic design oriented to functional safety requirements, but also a matching design based on the instrument protection platform. Studying these two aspects and mastering the protection requirements of the equipment are the basis of engine protection design, and would provide a more reliable, simpler and more efficient protection scheme.
References
1. Zhang, S.: Gas turbine generator control system. China Electric Power Press (2013)
2. Beijing Energy Investment Group Co., Ltd., Siemens Power Station Automation Co., Ltd.: Analysis of Siemens Gas Turbine control system. China Electric Power Press (2016)
3. Gas Turbine and Gas-steam Combined Cycle, pp. 96–135. China Electric Power Press, Beijing (2007)
4. Zhu, C.-J., Chuang, X.-H.: Analysis of the protection system function of MARK VI control system of GE gas turbine. Northeast Electric Power Technology, 1004-7913 04-0038-04 (2006)
5. Shenzhen Energy Yueliangwan Power Plant: Training of M701F gas turbine/steam turbine combined cycle power plant of China Mechanical and Electrical Association. Chongqing University Press, ISBN 978-7-5624-787-1 (2014)
6. Chang, Y., Chen, W., Li, W., et al.: Analysis of protection system based on STG_4000F. Industrial Technology 2016, 1761–5799 10-0052-02 (2016)
7. Zheng, Y.: Research on SGT-4000F gas turbine protection control system. Mechanical Management Development 2020, 1003-773X 11-0060-03 (2020)
8. Siemens: Siemens HL-Class: The next generation of Siemens advanced air-cooled gas turbines. siemens.com/gas turbines (2018)
Development and Application of Self-diagnosis and Analysis Function of FirmSys
Gui-Lian Shi1,2(B), Jing-Wei Wang1, Zhi-Hui Zhang1, Min-Ling Zhang1, and Le Li1
1 China Techenergy Co., Ltd., Beijing 100094, China
[email protected]
2 Institute of Nuclear and New Energy Technology, Tsinghua University, Beijing 100084, China
Abstract. The digital control system of a nuclear power plant is mainly used in the plant's protection system. The reliability and safety of the protection system directly affect the safe and stable operation of the plant. Self-diagnosis technology is a key means of improving the system fault handling mechanism: a complete self-diagnosis design can find all kinds of faults in the system in real time and comprehensively. Self-diagnosis refers to the technology by which the system detects and processes faults or failure events itself through a built-in diagnosis function. Its goal is to detect failure events as early as possible, support maintenance recovery or fail-safe treatment, reduce the time the system operates in a dangerous or degraded mode, and improve the reliability and safety of the system. The system self-diagnosis and analysis function can effectively reduce human errors and shorten the period and frequency of periodic tests, so the function is strongly required by system users. However, there is no public literature on this issue in the field of nuclear safety digital I&C in China, owing to the wide range of products, the complexity of implementation and the difficulty of evaluating the impact on the safety functions involved. FirmSys is the first nuclear safety digital control and protection system platform developed and applied in China. Based on the requirement analysis of the fault self-diagnosis and analysis function of FirmSys, and referring to the requirements of the IEC 60800 and IEC 61508 standards, a design scheme, ‘online self-diagnosis and offline analysis of fault log’, is proposed in this paper. Furthermore, the factors affecting the realization of the function are stated from the perspective of safety analysis, followed by targeted safety design. For the products that achieve this function, verification, validation and identification are implemented.
The FirmSys platform, which realizes the function of fault self-diagnosis and analysis, has been successfully applied in Units 5&6 of YangJiang NPP, Units 5&6 of HongYanHe NPP, Units 5&6 of TianWan NPP and Units 3&4 of FangChengGang NPP.
Keywords: FirmSys · Self-diagnosis · Reactor protection system · Nuclear safety level
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022. Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 625–649, 2022. https://doi.org/10.1007/978-981-19-1181-1_60
1 Introduction
As the ‘central nervous system’ of a nuclear power plant, the reliability of its digital I&C system is directly related to the overall safety and economy of the plant, and it is an important index of system design. At the design level of the safety level I&C system, standards and regulations put forward a variety of design measures to ensure reliability, such as single fault, independence, software verification and validation, reliability analysis and evaluation, etc. The safety level I&C system is based on the digital I&C system (hereinafter referred to as DCS) platform products of an I&C equipment manufacturer. Obviously, the reliability of the DCS platform equipment is also the basic factor in the reliability of the whole I&C system. Self-diagnosis is an effective and important method of improving the reliability of DCS equipment. At present, the mature safety DCS products in the industry have fully considered the selection of components: generally, high reliability commercial components are used, and even some military components. However, at the current technical level, random failure cannot be avoided, and the safety level DCS system is complex; for example, the main control board is composed of thousands of components, and its structure is relatively complex [7]. According to reliability analysis theory, the superposition effect of component failure rates is obvious: even if components with high reliability are used, it is difficult to ensure the overall safety of the system without other measures. Therefore, improving the system fault handling mechanism is an indispensable key means of improving the safety of the safety level DCS. Self-diagnosis technology is a key link in improving the system fault handling mechanism, and a complete self-diagnosis design can find various faults in the system in a timely and comprehensive manner.
Based on the system self-diagnosis information, further measures such as alarm and fault handling can be taken, mainly including:
1) Timely alarm of system faults;
2) The system can use the self-diagnosis information to deal with faults, such as logical degradation, active/standby switching, fail-safe output, etc.;
3) System self-diagnosis can indicate and locate system faults, helping maintenance personnel to quickly troubleshoot and restore normal operation, thereby greatly shortening the system MTTR and improving maintainability;
4) A complete self-diagnosis design can prolong the periodic test cycle of the safety level protection system, greatly simplify the periodic test design, reduce the risk introduced by testing and reduce maintenance cost.
On this basis, the construction, operation and maintenance personnel of the power station put forward further requirements for the maintainability of the DCS: in case of system equipment failure during commissioning and operation, maintenance personnel can locate the IO warning, alarm and failure faults of a control station through the I&C alarm list on the NC-DCS side, but the detailed faults of the control station can only be found and located by connecting maintenance tools. This restricts the efficiency of on-site problem solving and of R&D troubleshooting and fault location; in particular, it is extremely difficult to locate intermittent (flash) faults. According to the operating regulations of the power station and other relevant requirements, if equipment is unavailable, the fault must be located and solved within the specified time. In short, the self-diagnosis function makes a considerable contribution to the safety and economy of the power station [8].
Foreign nuclear DCS products such as Common-Q (USA), TRICON (USA), Meltec-N (Japan) and TXS (France) have realized self-diagnosis functions for the main control, network and IO: for example, the TXS function processing module performs self-diagnosis of RAM, EPROM and the watchdog, and the Common-Q function processing module checks the consistency of data between redundant SRAMs, tests the CPU instruction set and tests the watchdog. Comprehensive analysis shows two deficiencies in the fault self-diagnosis of foreign mainstream nuclear DCS systems:
1) The self-diagnosis coverage is low (for example, the diagnosis coverage of the Meltec-N platform is less than 90%), and online reading of self-diagnosis information and offline fault analysis functions are lacking;
2) As for the offline fault analysis function, the Meltec-N platform has realized it, and the public literature has discussed the use of the ‘online self-diagnosis and offline analysis’ function, but this key design technology has not been studied.
The difficulties of this key technology are summarized as follows: 1) the fault identification method; 2) realizing high diagnostic coverage while meeting the overall requirements of IEC 61508; 3) meeting the specific performance index requirements of nuclear power plants; 4) meeting the safety requirements of nuclear safety level DCS. FirmSys is the first nuclear safety level digital control and protection system platform developed and applied in China. This paper discusses and studies the technical scheme of fault self-diagnosis and analysis of FirmSys.
2 Self-diagnosis and Functional Requirements Analysis
By analyzing the application scenarios, standards and regulatory requirements for online and offline installation of DCS in nuclear power plants, the key requirements of the fault self-diagnosis and analysis function are identified as follows.
2.1 Fault Identification
Fault identification is the basis of self-diagnosis technology. Table 1 gives the fault distribution of large complex electronic systems over the life cycle (from the research results of the UK HSE).
Table 1. Fault distribution table of large complex electronic system in its life cycle
Life cycle | Percentage
System definition | 44%
Design and implementation | 15%
Installation and commissioning | 6%
Operation and maintenance | 15%
Modification | 20%
The system definition and design implementation stages in the table are commonly referred to as the R&D stage. The faults introduced in the R&D stage account for 60% of the whole life cycle, which shows that the R&D stage is the main stage for introducing system faults and random hardware faults. Therefore, necessary fault identification measures taken in the R&D stage can effectively control system faults and random hardware faults during system operation. When selecting fault identification technology, the R&D team of FirmSys systematically investigated the current mainstream fault analysis and identification technologies and selected FMEA and FTA for fault identification. FMEA is carried out in two steps. The first is system FMEA, which defines the key faults and diagnosis principles. Next is board-level FMEA, which further subdivides the key faults on the basis of the system FMEA and identifies the key faults at board level.
2.2 Fault Handling Requirements
After a fault is identified, if there are no complete fault treatment measures for subsequent handling, the fault will eventually lead to disastrous consequences. Therefore, a complete self-diagnosis technology should not only have strong fault identification ability, but also a perfect fault handling mechanism. The main fault handling measures include fail-safe behaviour and fault alarm.
2.3 Self-diagnosis Measures and Coverage Requirements
At present, nuclear safety regulations and standards require digital I&C systems to have a self-diagnosis function, including the core standard IEC 61508 in the field of functional safety. The completeness of self-diagnosis technology is the key to improving the safety integrity level (SIL) [3]. The effectiveness of diagnostic measures is usually measured by the diagnostic coverage (DC). DC directly determines the system's detected dangerous failure rate λ_DD and undetected dangerous failure rate λ_DU, and these two failure rates are directly related to the system failure probability, misoperation rate and SIL (the SIL is determined by the system dangerous failure measure: PFD, the probability of dangerous failure on demand, or PFH, the probability of dangerous failure per hour). An example formula is as follows:
$$\mathrm{PFD}_G = 2\big((1-\beta_D)\lambda_{DD} + (1-\beta_D)\lambda_{DU}\big)^2 t_{CE}\, t_{GE} + \beta_D \lambda_{DD}\,\mathrm{MTTR} + \beta\,\lambda_{DU}\left(\frac{T_1}{2} + \mathrm{MRT}\right) \qquad (1)$$
To sum up, as a nuclear safety level control and protection system platform, the self-diagnosis design goal of FirmSys is to optimize the system self-diagnosis design on the basis of meeting the system reliability indexes (failure probability, misoperation rate, MTTR, etc.), comprehensively considering system complexity and other factors, so that the overall DC of the system exceeds 90% and meets the requirements of IEC 61508 for SIL 3 [2].
2.4 Self-diagnosis Online Recording Requirements
The main control station (MCS), security display control station (SCID) and gateway station (GWS) set up dedicated storage areas in RAM. Generated system self-diagnosis log records are successively added to the dedicated storage area, with a maximum of 512 records. When the storage area is full, new records overwrite the earliest records in turn. After the maintenance tool connected to the MCS, SCID or GWS reports the data in the system status log area to the engineer station, the maintenance tool stores the system status log records on the local hard disk for offline query and analysis.
2.5 Requirements for Maintenance (Reading, Analysis) Tools
2.5.1 Reading
1) When the MCS runs in maintenance mode, connect the maintenance tool and upload the system status log records interactively. At least two system status log records shall be uploaded in each operation cycle, to avoid data confusion caused by the MCS generating new fault logs that overwrite the original logs during the upload.
2) When the SCID operates in normal operation mode, put the SCID into bypass mode, connect the maintenance tool and turn on the log upload function with the switch button or operation mode button on the display screen; the SCID sends the system status log records to the maintenance tool by broadcast; after reporting, restore the SCID to normal operation mode and turn off the log upload function.
3) When the GWS runs in normal mode, connect the maintenance tool and upload the system status log records interactively.
4) When the MCS, SCID or GWS is in failure mode, connect the maintenance tool directly to read the system status log records.
2.5.2 Parsing and Displaying
After reading the system status log records (hereinafter referred to as the fault log) from the MCS, SCID and GWS, the maintenance tool parses the fault log records according to the definition of the status area and the engineering equipment configuration information, and displays them in list form, including but not limited to: station number, chassis number, slot number and board type; fault code and detailed text description; time and duration of fault occurrence and elimination.
2.6 Performance Index Requirements
Throughout the self-diagnosis process, the control station performs its functions normally. Therefore, while performing self-diagnosis, generating the self-diagnosis log and sending self-diagnosis information, the relevant performance indexes of the control station must still meet their requirements so that the station's functions operate normally. Generally, during self-diagnosis the relevant performance indicators of the control station are consistent with those during normal operation. These indicators include CPU load, storage area margin, network load, etc. In addition, considering the operating conditions and relevant operating steps of the nuclear power plant, there are the following two performance requirements:
1) According to IEC 61508, the self-diagnosis cycle shall be less than 1 h, that is, the interval from fault occurrence to fault discovery shall be less than 1 h [2];
2) The maintenance tool shall analyze the fault generation time and fault elimination time in the self-diagnosis fault log offline, with milliseconds as the minimum unit of time.
2.7 Safety Requirements
Comply with the relevant requirements of nuclear-level I&C standards and regulations, including the general requirements and the general safety-oriented requirements for self-diagnosis and abnormal fault handling, specifically [4]:
1) Fault shielding. Each functional unit operates asynchronously and independently, and its own operating state is not affected by the others. When a functional unit fails, the other functional units are not affected and do not lose their operating ability.
2) Fail safe. In case of failure, the functional unit shall perform the safety function, sometimes referred to as guided safety. This safety function depends on the particular functional unit, and the goal is to bring the controlled object to a safe state. For example, for the shutdown protection system, when the output unit fails, the signal related to the shutdown action is output. In these processes, processing involving data quality bits usually does not output valid data, that is, the quality bits of these data are set invalid.
3) Fault record. Fault information shall be recorded after the failure of a functional unit for accident location and fault inspection.
4) Fault output. After a fault occurs, the functional unit shall output fault information as far as possible, even though some faults may not be output (for example, error information cannot be reported through the network after a network interruption). Output directly where possible; if direct output is not possible, transmit the information to a unit that can output directly for centralized output.
Personnel operations are involved in reading and parsing the fault log, so human factor risk shall be analyzed and addressed in the scheme design. The process of reading and parsing the fault log also involves interaction between the control station and tools. Generally, the safety level and quality level of the tools are lower than those of the control station, and the impact of the tools on the control station shall be considered [6].
3 Conceptual Design
3.1 Overall Design Scheme of ‘Online Self-diagnosis, Offline Analysis’ Technology
The status information of all FirmSys smart cards is collected into the system status area of the MCS, SCID and GWS respectively. The fault log information of a specific product can be determined from the system status area data, combined with the status information definition and the engineering equipment configuration (Fig. 1).
Fig. 1. Schematic diagram of fault log reporting scheme (engineer station, SCID, MCS and GWS connected over the maintenance network; fault log reported to the engineer station)
The MPU, SCID and GWS are responsible for comparing the data in the system status area over two adjacent operation cycles. If there is any change, the effective data in the system status area are recorded in the log recording area. The process by which the MPU, SCID and GWS record system status area differences is shown in Fig. 2:
Fig. 2. Processing flow of software fault log of L1 (cycle start; other processing; comparison of the previous-cycle and current-cycle system status area data; difference record storage; system status logging into the system status log storage area; log report to PC; other processing; cycle end)
3.2 Realization of Each Step
The following describes each sub-step and gives its processing flow, with particular attention to the safety requirements.
3.2.1 S1: Each Functional Unit Performs Periodic Self-diagnosis
Self-diagnosis function design: the diagnosis measures run periodically and cover equipment such as signal acquisition, signal processing, data communication and signal output. Once an abnormality is detected, the fault is reported through the data quality bit or the equipment status information as the basis for subsequent alarm indication. Specifically:
1) Design of self-diagnosis measures for the processing unit [2]:
Table 2. Self-diagnosis design of processing unit
No | Diagnostic object | Diagnostic measures | Remarks
1–5 | CPU self-diagnosis design | Power supply and clock monitoring: monitoring the voltage/current peak value of the CPU power supply, and smoothing or cutting off the supply in time under abnormal conditions, protects the CPU device from damage. Temperature monitoring: excessive operating temperature is an important cause of CPU damage, and high temperature may also cause abnormal bus communication; therefore the operating temperature of the CPU is monitored continuously. Operation function monitoring: the software executes a series of commonly used arithmetic operations and judges whether the arithmetic unit is normal by comparing the actual results with the expected results. On-chip storage function monitoring: the performance trend of the control station's software and hardware is pre-judged by statistical methods from cache hit flags, page faults and other information. Software execution sequence monitoring: the software is divided into multiple tasks by function, and a global flag is set when each software task is executed; after the main control unit completes a cycle, it judges from the flags whether the execution sequence of the software tasks meets expectations | The processing unit includes the real-time processing units of the MCS, SCID and GWS stations
6 | ROM self-diagnosis design | At initialization, calculate the CRC value of the ROM area and save it in a fixed area [5]; periodically calculate the CRC value of the ROM area segment by segment and compare it with the previously saved value |
7 | RAM self-diagnosis design | Verify using the March C algorithm. The basic idea of March C: repeatedly read and write 0/1 at each address so that the test code between adjacent bytes appears at least once in each of the four cases 00, 01, 10 and 11, and perform the operations both with incrementing and with decrementing addresses, so as to check for read/write sequence failures between high and low addresses |
8 | Watchdog self-diagnosis design | When the embedded software feeds the dog normally, it flips the WTD_FED signal, and the CPLD passes this signal directly to the watchdog chip. When the watchdog chip sees this flip, it sets the WDO signal high, indicating that the dog is fed normally. If the embedded software fails to perform the dog feeding operation, WTD_FED does not flip, the watchdog chip does not detect the flip within a certain period (such as 200 ms) and sets WDO low. When the CPLD detects that WDO is low, the dog feeding is considered to have failed, which triggers an embedded software reset and entry into the fault state |
9 | Program sequence monitoring design | Program sequence monitoring is a method of detecting whether the programs of an embedded system are executed in the expected order. It supplements the watchdog self-diagnosis: on top of the watchdog, it further monitors the execution order of the program and the time consumed by each section of it; when a section is not executed in the expected order or within the expected time, an error is reported and the fault processing mode is entered |
10 | Timer self-diagnosis design | The timer of the nuclear safety level DCS system implements its cycle control, and its function is diagnosed every cycle: read the current system time t0, delay for a fixed time, read the system time t1, and judge whether the difference is within the expected diagnosis range, which tells whether the timer functions normally |
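As an added example (not FirmSys code), the following Python runs the classic March C- element sequence, which the RAM row of Table 2 describes, over a simulated memory with constructed stuck-at and inversion-coupling faults; it shows why both the ascending and the descending passes are needed. The bit-level memory model and the fault types are assumptions of this example, whereas the paper describes the test at byte level.

```python
class SimRam:
    """Bit-addressable memory model with optional injected faults (constructed for the example).
    stuck_at: {addr: value} cells that always read back the given value.
    coupling: {aggressor: victim} writing 1 to the aggressor inverts the victim cell."""

    def __init__(self, size, stuck_at=None, coupling=None):
        self.cells = [0] * size
        self.stuck_at = stuck_at or {}
        self.coupling = coupling or {}

    def write(self, addr, value):
        if addr in self.stuck_at:
            value = self.stuck_at[addr]
        self.cells[addr] = value
        victim = self.coupling.get(addr)
        if victim is not None and value == 1:
            self.cells[victim] ^= 1          # inversion coupling fault

    def read(self, addr):
        return self.stuck_at.get(addr, self.cells[addr])


def march_c_minus(mem, size):
    """Run the six March C- elements over addresses 0..size-1 and return the sorted
    list of addresses at which a read did not return the expected value."""
    up, down = range(size), range(size - 1, -1, -1)
    elements = [
        (up,   [("w", 0)]),               # (w0)      any order
        (up,   [("r", 0), ("w", 1)]),     # (r0,w1)   ascending
        (up,   [("r", 1), ("w", 0)]),     # (r1,w0)   ascending
        (down, [("r", 0), ("w", 1)]),     # (r0,w1)   descending
        (down, [("r", 1), ("w", 0)]),     # (r1,w0)   descending
        (up,   [("r", 0)]),               # (r0)      any order
    ]
    faulty = set()
    for order, ops in elements:
        for addr in order:
            for op, val in ops:
                if op == "w":
                    mem.write(addr, val)
                elif mem.read(addr) != val:
                    faulty.add(addr)
    return sorted(faulty)
```

A victim cell at a lower address than its aggressor is only caught because the ascending pass rewrites the victim after the aggressor has already disturbed it; the descending pass covers the opposite ordering.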
2) Design of communication diagnosis measures: Diagnose 8 kinds of network errors in IEC 61784-3-2007, specifically: corruption, unintended repetition, incorrect sequence, loss, unacceptable delay, insertion, masquerade and addressing [1, 5] (Table 3).
Table 3. Control coverage of protocol safety measures on transmission errors
Communication errors (rows): Corruption; Unintended repetition; Incorrect sequence; Loss; Unacceptable delay; Insertion; Masquerade; Addressing
Safety measures (columns): Sequence number; Time stamp; Time expectation; Connection authorization (NA); Feedback message (NA); Data integrity assurance; Redundancy with cross checking; Different data integrity assurance systems
(The √ marks indicating which measure covers which error are not recoverable from the extracted table.)
3) Design of I/O diagnostic measures:
I/O refers to the input and output units, in detail the digital input, digital output, analog input and analog output units. In addition to meeting the self-diagnosis requirements of functional units (see Table 2), the following self-diagnosis requirements need to be realized. The diagnosis measures are shown in Table 4.
Table 4. I/O unit diagnostic measures
No | Diagnostic object | Diagnostic measures | Remarks
11 | Channel power self-diagnosis | During periodic operation, measure the channel power supply regularly every week; read the pin status collected for the channel power supply, where a low level indicates normal; if the level read in two consecutive cycles is high, the channel power supply is considered faulty |
12 | Channel self-diagnosis | Mutually exclusive sampling of the two-way optocoupler outputs; if the two outputs are continuously equal, the self-test fails | Only for DI
 | | Channel readback: dynamically monitor the output value and the readback value; if they are not equal, a self-test fault is raised | Only for DO
 | | AD channel self-test: the MCU commands the analog switch to switch the input to the self-test voltage terminal, so that the value collected by the back-end ADC is the self-test signal; the MCU compares the voltage read by the ADC with the code value written to the DAC to judge whether the ADC works normally, completing the AD channel self-test | Only for AI
 | | The MCU judges whether the D/A and the whole output channel work normally by comparing the read-back data with the code value written to the D/A, and judges whether the board output signal is normal by reading the voltage-to-current conversion unit | Only for AO
3.2.2 S2: Self-diagnosis Information Collection
1. MCS:
1) IO unit diagnosis information collection: transmitted to the IO communication board (SCU for short) through the network protocol;
2) Communication unit diagnostic information collection: sent to the MCS processing unit (MPU) through the backplane protocol of each type of communication unit.
Figure 3 is the schematic diagram of MCS self-diagnosis information collection.
Fig. 3. Schematic diagram of MCS station self-diagnosis information collection (MCS: MPU, point-to-point communication unit, SCU, point-to-multipoint communication unit; IO diagnostic information from the DI, DO, AI and AO units)
2. SCID: the corresponding ring network node unit transfers it to the SCID through the network.
3. GWS: the corresponding ring network node unit transmits it to the GWS through the network.
3.2.3 S3: Troubleshooting
According to the general principles of fault handling in Sect. 2.7, faults are divided into two levels, serious and warning. See Table 5 for the detailed handling:
Table 5. Self-diagnosis and abnormal fault handling of FirmSys
Diagnostic object | Tolerance times | Fault level | Fault handling
CPU | 1 | Serious | The board enters the fail-safe state (shutdown), records the log and reports the failure cause through the dot matrix
RAM | 1 | Serious | As for CPU
ROM | 1 | Serious | As for CPU
Timer | 1 | Serious | As for CPU
Watchdog | 1 | Serious | As for CPU
Program monitoring | 1 | Serious | As for CPU
Network | 3 | Warning | The board operates normally, reports the diagnostic information, and sets the corresponding transmission data quality bit to invalid
IO channel | 3 | Warning | The board operates normally, reports the diagnostic information, and sets the corresponding transmission data quality bit to invalid
Power supply | 2 | Serious | The board enters the fail-safe state (shutdown), and the indicator shows the error state
3.2.4 S4: Generate Fault Log
The diagnostic information of each functional board of the control station comprises the ‘main process board (MPU) diagnostic information area’ and the ‘I/O board diagnostic information area’. The fault information of the control station can be determined from the data content of the diagnostic information area. The system status area records the status information and board diagnosis information in bits; different bits, or combinations of several bits, represent the status of the system or equipment. A bit value of 0 indicates normal, and non-zero indicates the corresponding alarm/fault. Taking the MCS diagnostic information as an example, see Table 6:
Table 6. MPU board diagnosis information structure table
Bit | Name | Length | Description
31:24 | Reserved | 8 bits |
23:22 | Redundant function status | 2 bits | 00b: normal; 11b: redundant function failure
21 | Cycle run timeout | 1 bit | 0: normal; 1: time out
20 | Timer status | 1 bit | 0: normal; 1: timer failure
19 | Watchdog status | 1 bit | 0: normal; 1: watchdog failure
18 | ROM | 1 bit | 0: normal; 1: ROM failure
17 | RAM | 1 bit | 0: normal; 1: RAM failure
16 | CPU | 1 bit | 0: normal; 1: CPU failure
15:4 | Reserved | 12 bits |
3:0 | Status of slave MPU | 4 bits | 0000b: normal; 0001b: the master MPU diagnoses that the slave MPU does not exist
Therefore, by judging whether the corresponding bit in the system status area is ‘0’, one can judge whether the corresponding equipment has an alarm/abnormality, and a fault log record can be generated when an alarm or abnormality occurs on a device. The MCS, SCID and GWS compare the system status of the current cycle with that of the previous cycle and generate the system status log from the difference. The format is as follows:
CurLC (4B) | CurTicks (4B) | ID (2B) | LC (2B) | Ticks (4B) | Length (4B) | MCS diagnosis information (128B) | I/O diagnosis information (960B) | Reserved (172B)
Description:
Name | Length (B) | Description
CurLC | 4 | The number of times the current ticks value has been reset to zero. Starting from 0, each time the tick value is reset to zero, the value is increased by 1
CurTicks | 4 | MPU current cycle running tick value
ID | 2 | Record serial number, starting from 1 and increasing in steps of 1
LC | 2 | The number of times ticks has been reset to zero, starting from 0. Every time ticks is reset to zero, the value is increased by 1
Ticks | 4 | MPU cycle running tick value when this record is generated
Length | 4 | The total length of this record, including the ID and ticks fields
Diagnostic area data | 1088 | MCS diagnosis information area and I/O unit diagnosis area data
Reserved | 172 |
The generation rules of the system status log are as follows:
1) If the system status area of the previous cycle is inconsistent with that of the current cycle, then:
2) Extract the data from the diagnosis information area of the main control board and the diagnosis area of the I/O board;
3) Calculate the ID, length and LC of the record, add the periodic tick value, and generate a system status log.
The above scheme effectively compresses the storage space of the fault log, reduces data copying, and minimizes the impact of this function on the CPU load rate; by recording the ticks and LC of each fault log, the recording time of the fault log is accurate to the millisecond level, meeting the performance and accuracy requirements.
3.2.5 S5: Fault Log Storage
MCS, SCID and GWS set up dedicated storage areas in RAM. After system status log records are generated, they are copied to the dedicated storage area in turn, up to a maximum of 512 records. When the storage area is full, new records overwrite the earliest records in turn. After the maintenance tools connected to MCS, SCID and GWS report the data in the system status log area to the engineer station, the maintenance tools store the system status log records on the local hard disk for offline query.
3.2.6 S6: Send Fault Log
The maintenance tool of the engineer station issues the command to read the fault log. In order to minimize the impact on the CPU load rate, the lower computer (MCS, SCID, and GWS) sends it cyclically and in multiple packets. See the following process for details (Fig. 4).
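As an added example (not code from the paper or from FirmSys/FEDIS), the following Python decodes an MPU status word according to Table 6 and applies the three log-generation rules and the 512-record storage limit to the record layout described above; the byte order, the position of the Table 6 word inside the MCS area, and the all-normal state before the first cycle are assumptions.

```python
"""Decode the MPU diagnosis status word (Table 6) and generate system-status
log records in the format of Sect. 3.2.4 with the 512-record storage rule of
Sect. 3.2.5. Added example, not code from the paper or from FirmSys/FEDIS."""
import struct
from collections import deque
from typing import Deque, Dict, List, Optional

MCS_AREA_LEN = 128       # 'MCS diagnosis information' area, bytes
IO_AREA_LEN = 960        # 'I/O diagnosis information' area, bytes
RESERVED_LEN = 172
MAX_RECORDS = 512        # the RAM storage area holds at most 512 records
# Header fields: CurLC(4) CurTicks(4) ID(2) LC(2) Ticks(4) Length(4).
# Little-endian byte order is an assumption; the paper does not state it.
HEADER_FMT = "<IIHHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)                             # 20
RECORD_LEN = HEADER_LEN + MCS_AREA_LEN + IO_AREA_LEN + RESERVED_LEN  # 1280

# Table 6: single-bit alarm flags of the 32-bit MPU status word (0 = normal).
MPU_FAULT_BITS = {
    21: "Cycle run timeout",
    20: "Timer failure",
    19: "Watchdog failure",
    18: "ROM failure",
    17: "RAM failure",
    16: "CPU failure",
}


def decode_mpu_status(word: int) -> List[str]:
    """Return the alarms encoded in an MPU status word; an empty list means normal."""
    faults = []
    if (word >> 22) & 0b11 == 0b11:        # bits 23:22, 11b = redundancy failed
        faults.append("Redundant function failure")
    for bit, name in MPU_FAULT_BITS.items():
        if (word >> bit) & 1:
            faults.append(name)
    if word & 0b1111 == 0b0001:            # bits 3:0, 0001b = slave MPU absent
        faults.append("Slave MPU does not exist")
    return faults


def make_mcs_area(mpu_word: int) -> bytes:
    """Constructed 128-byte MCS area with the MPU status word first (the word's
    position inside the area is an assumption, not stated in the paper)."""
    return struct.pack("<I", mpu_word) + bytes(MCS_AREA_LEN - 4)


class SystemStatusLogger:
    """Applies the paper's three generation rules each cycle: compare the status
    area with the previous cycle, copy both diagnosis areas on a change, then
    stamp ID, length, LC and ticks. Records go to a 512-entry ring buffer."""

    def __init__(self, ticks_wrap: int = 1 << 32):
        self.ticks = 0          # MPU cycle counter, reset to zero on wrap
        self.lc = 0             # how many times ticks has been reset to zero
        self.next_id = 1        # record serial number starts at 1, step 1
        self.records: Deque[bytes] = deque(maxlen=MAX_RECORDS)  # full: oldest dropped
        # Assumption: the status before the first cycle is all-normal, so a
        # fault already present at start-up is logged in the first cycle.
        self.prev_status = bytes(MCS_AREA_LEN + IO_AREA_LEN)
        self._wrap = ticks_wrap

    def cycle(self, mcs_area: bytes, io_area: bytes) -> Optional[bytes]:
        """Run one controller cycle; return the new record if the status changed."""
        if len(mcs_area) != MCS_AREA_LEN or len(io_area) != IO_AREA_LEN:
            raise ValueError("diagnosis areas must be exactly 128 and 960 bytes")
        status = mcs_area + io_area
        record = None
        if status != self.prev_status:      # rule 1: differs from previous cycle
            record = self._build_record(status)
            self.records.append(record)
        self.prev_status = status
        self.ticks += 1
        if self.ticks >= self._wrap:
            self.ticks, self.lc = 0, self.lc + 1
        return record

    def _build_record(self, status: bytes) -> bytes:
        # Rules 2-3: both diagnosis areas are already in `status`; stamp the
        # header. At generation time CurLC/CurTicks equal LC/Ticks. Length is
        # taken as the whole record length (the paper's wording leaves this open).
        header = struct.pack(HEADER_FMT, self.lc, self.ticks, self.next_id,
                             self.lc, self.ticks, RECORD_LEN)
        self.next_id = self.next_id % 0xFFFF + 1   # 2-byte field: 65535 wraps to 1
        return header + status + bytes(RESERVED_LEN)


def parse_record(record: bytes) -> Dict[str, object]:
    """Engineer-station side: split one record and decode its MPU status word."""
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN}-byte record, got {len(record)}")
    cur_lc, cur_ticks, rid, lc, ticks, length = struct.unpack_from(HEADER_FMT, record)
    mcs = record[HEADER_LEN:HEADER_LEN + MCS_AREA_LEN]
    io_area = record[HEADER_LEN + MCS_AREA_LEN:HEADER_LEN + MCS_AREA_LEN + IO_AREA_LEN]
    mpu_word = struct.unpack_from("<I", mcs)[0]
    return {"cur_lc": cur_lc, "cur_ticks": cur_ticks, "id": rid, "lc": lc,
            "ticks": ticks, "length": length, "io_area": io_area,
            "mpu_faults": decode_mpu_status(mpu_word)}
```

Feeding the same status twice produces no second record, which is what keeps the log small: only transitions are stored, and the ID gap between consecutive records tells an analyst how many were overwritten once the 512-record area wrapped.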
Fig. 4. Schematic diagram of fault log sending process
3.3 Software Tool Related Design
3.3.1 Overall Introduction
FirmSys equipment status diagnosis software: the full English name is FirmSys equipment diagnosis software (hereinafter referred to as FEDIS). FEDIS implements the functions of reading, analyzing and displaying the fault log of each control station of the FirmSys system. FEDIS provides two ways to query the system fault log: one is to read and display the current system fault log online, and the other is to view the historical system fault log. FEDIS includes the following sub-functions: login authentication, online reading of the fault log, querying the historical fault log, parsing the fault log, storing the fault log, exporting the fault log, printing the fault log, querying the user log, printing the user log, software authorization, time correction and other functions. Software authorization belongs to the framework; the other functional modules are shown in Fig. 5.
Fig. 5. FEDIS function module (figure: FEDIS framework with a project management module [login, load project], a fault log management module [read fault log, parse fault log, correct fault log, save fault log, query historical fault log, show/export/print fault log] and a user log management module [record user log, show user log, export user log])
3.3.2 Reading Function
1. The flow chart of FEDIS reading MCS and GWS is as follows (Fig. 6):
Fig. 6. Schematic diagram of fault log sending process with MCS&GWS
1) The engineer station FEDIS first issues the connection request command.
2) The main control station MCS or gateway station GWS replies to the connection request.
3) FEDIS sends the fault log request command.
4) MCS or GWS replies to the fault log request command and then starts sending the fault log content.
5) FEDIS receives the fault log and, after receiving and saving it, sends the data receiving completion instruction; the fault log reading completion command then ends the fault log reading process.
2. The flow chart of FEDIS reading SCID is as follows (Fig. 7):
1) When SCID operates in the normal operation mode, the log upload function is enabled through the switch button or operation mode button on the display screen. SCID sends the system status log record to the maintenance tool by broadcasting. After sending the fault log, turn off the log upload function.
Fig. 7. Schematic diagram of fault log sending process with SCID
2) The user receives a complete fault log on the maintenance network through FEDIS, and saves the received fault log after reading it.
3.3.3 Parsing Function
The fault log parsing process is divided into the following four steps:
1) Read fault log: the FEDIS software reads the fault log of MCS\GWS\GCS.
2) Cyclic analysis of fault logs: arrange the read fault logs in order, and analyze them one by one against the fault log model.
3) Delete duplicate fault logs: sort the fault logs parsed in the previous step, delete the duplicates, and then store the fault logs in the database.
4) Display fault log: display the fault logs processed in the previous step on the software interface (Fig. 8).
Fig. 8. Flow chart of fault log parsing function
3.3.4 Storage Function
The fault log data is saved in the database file under the primary directory of the project file. The data file name is the same as the project name, e.g. 'project name.MDB', and the database table structure is shown in Fig. 9.
Fig. 9. Fault log storage structure
3.3.5 Display Function
The display interface of FEDIS is as follows (Fig. 10):
Fig. 10. FEDIS fault log analysis display
The meaning of the FEDIS display fields is as follows (Table 7):
Table 7. FEDIS display meaning description
Index | Column Name | Note
16 | Serial | Index
17 | Fault Code | The code of the fault
18 | Fault Content | The description of the fault
19 | Cabinet No | The number of the cabinet in which the fault is located
20 | Cabinet Name | The name of the cabinet in which the fault is located
21 | Chassis | The number of the chassis in which the fault is located
22 | Slot | The slot number of the card in which the fault is located
23 | Port | The port number of the network card in which the fault is located
24 | Occurred Time | Time of failure
25 | OccurredTick | The tick value of the MCS\GWS\GCS when the fault occurred
26 | Recovery Time | The time of fault recovery. If the fault has not recovered, it is marked with '-'
27 | Recovery Tick | The tick value of the MCS\GWS\GCS at fault recovery. If the fault has not recovered, it is marked with '-'
28 | Duration | The number of cycles of fault duration, which refers to the cycle count of the station
29 | Legend | Remark information
4 Scheme Implementation and Application
According to the scheme proposed in Chapter 3, design realization, software verification and validation, change identification and so on were carried out according to the development process for safety-grade products. At present, FirmSys supporting self-diagnosis and analysis technology has been widely used in 8 large-scale nuclear power units, such as Unit 5&6 of YangJiang NPP, Unit 5&6 of HongYanHe NPP, Unit 5&6 of TianWan NPP and Unit 3&4 of FangChengGang NPP. The scheme meets the relevant requirements of nuclear safety standards. The system self-diagnosis coverage rate is as high as 93.5%, and the core function board self-diagnosis coverage rate is 98.5%. The periodic test interval is extended to 72 months/time, significantly longer than the 18 months/time of Meltec-N. The scheme significantly improves the maintainability of the system and the efficiency and accuracy with which operation and maintenance personnel locate, handle and analyze flash faults; it reduces the number of equipment isolations at DCS modification sites, shortens the construction period of major modifications, reduces human-factor risk, provides assurance for the safe and stable operation of the unit, meets the needs of the site well, has been highly praised by the owners, and is highly innovative.
5 Conclusion
This paper systematically analyzes the background and expected problems of the self-diagnosis and off-line analysis function of a digital nuclear safety-level controller, and further carries out a detailed requirements analysis of self-diagnosis and off-line analysis. For a nuclear safety-level controller, the self-diagnosis measures must be considered in combination with various factors and the IEC 61508 specification, and the functions of self-diagnosis, recording, summarizing, storing and sending fault logs must be performed without affecting the performance of the controller. This paper puts forward a complete fault log processing scheme of 'on-line diagnosis and off-line analysis'. The scheme includes ten steps. The scheme meets the relevant requirements of nuclear safety standards. The system self-diagnosis coverage is as high as 93.5%, the core function board self-diagnosis coverage is 98.5%, and the scheme has passed the German TÜV SIL3 certification. This scheme has been implemented on the FirmSys platform, the first digital control and protection system in China, and has been used in many nuclear power projects. The application experience shows that the function, performance, safety and reliability of the scheme meet the requirements of nuclear safety regulations and nuclear power plant applications. At the same time, it makes it convenient for nuclear power plant maintenance personnel to quickly troubleshoot system faults and shortens the system MTTR; on the other hand, improving the maintainability of the system also prolongs the periodic test interval of the safety-level protection system, greatly simplifies the periodic test design, reduces the risk introduced by testing, and reduces maintenance cost. FirmSys, which supports self-diagnosis and off-line analysis technology, greatly improves the self-diagnosis performance and operational reliability of the safety DCS; at the same time, it significantly improves the efficiency and accuracy of operation and maintenance personnel in locating, handling and analyzing flash faults, reduces the number of equipment isolations at DCS modification sites, shortens the construction period of major modifications, reduces human-factor risks, and provides assurance for the safe and stable operation of the unit. The project has brought huge social benefits. The results of the project have been applied to Unit 5&6 of YangJiang NPP, Unit 5&6 of HongYanHe NPP, Unit 5&6 of TianWan NPP and Unit 3&4 of FangChengGang NPP, providing high-value experience feedback for subsequent multi-base projects. Looking forward, as FirmSys is put into use in more and more nuclear power units and operating time accumulates, the self-diagnosis data will become more and more abundant. Once big data has formed, combined with intelligent technology, the next step is to study the predictive maintenance of FirmSys on the basis of big data, so as to fundamentally improve the intelligence level of FirmSys and ensure that it continues to maintain its technological lead.
References
1. IEC 61784-3: Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definitions (2007)
2. IEC 61508-2: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (2010)
3. IEC 61508-3: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements (2010)
4. IEC 60880: Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions (2006)
5. Koopman, P.: Cyclic Redundancy Code (CRC) Polynomial Selection For Embedded Networks (2004)
6. National Nuclear Safety Administration: HAF103 Regulations on operation safety of nuclear power plants. National Nuclear Safety Administration (2004)
7. Wang, J., Luo, Z., Xue, P.: Analysis of factors affecting DCS reliability. East China Elec. Power (004), 109–111 (2008). (in Chinese)
8. Ying, Y., Lv, X., Zhou, A.: Discussion on DCS reliability of nuclear power plant. Autom. Expo 26(2), 79–81 (2009). (in Chinese)
Study for Human Reliability Analysis on Emergency Feedwater Injection Under Severe Accident in Nuclear Power Plant
Zhi-Hui Xu, De-Song Su, Zhao-Peng Liu, and Hua-Qing Peng
State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, China
Abstract. The reliability of the operator's response process in a severe accident has an important impact on the overall reliability of large release frequency mitigation. Severe accidents involve a complex diagnostic process that requires weighing the pros and cons carefully before making final decisions. Such decisions are likely to have negative effects: while preventing the progression of the accident in some respects, they may also aggravate others, intentionally or unintentionally. At the same time, severe accidents also involve a more complex plant emergency organization, technical support organization and accident evolution mechanism than design basis accidents. However, due to the lack of a clear and suitable severe accident procedure, studies of the operator's response process and its reliability are relatively insufficient; they are unable to effectively find the weak links in operators, procedures, organizations and other influencing factors, and targeted improvements of human reliability in SA situations are therefore very difficult. The purpose of this paper is to study the reliability of the operator actions required to establish Emergency Feedwater (EFW) injection following reactor core damage, a typical severe accident condition of a nuclear power plant. EFW injection is described by task analysis and subjected to qualitative and quantitative assessment of the safety-significant potential errors and associated Performance Shaping Factors, based on the SPAR-H method. A Human Error Probability of 6.11E-01 (Pwd) is derived; the result shows that there is little margin for error recovery due to the short timescales in which the response is required from the operators and technical support teams. The main recommendations are to provide more training for operators and technical support teams to ensure the crew has adequate situational awareness before diagnoses or decision-making are required. The SAMGs should provide clear guidance and instructions for regular, periodic checking of key plant parameters critical to mitigating a severe accident. A wide range and narrow range value comparison of the steam generator level needs to be provided to support timely diagnosis. Consideration should be given to designing the SAMG initial response such that EFW injection is always diagnosed and performed by the MCR crew following SADV failure, with the Technical Support Team (TST) providing support if operational. This ensures that the task can be progressed quickly following SADV failure, removes the need for handover, and allows the TST to obtain situational awareness. The task analysis and reliability assessment help to improve human factors suitability, provide guidance for optimizing the operator's response process, and effectively improve the reliability of engineering design under a severe accident scenario.
Keywords: Severe accident · EFW injection · Human reliability analysis · Performance shaping factors · Severe accident management guideline · Plant emergency organization · Technical support team
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022. Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 650–665, 2022. https://doi.org/10.1007/978-981-19-1181-1_61
1 Introduction
After the Fukushima nuclear accident, the reliability of important human actions in the context of a Severe Accident (SA) has attracted widespread attention. However, due to factors such as the incompletely understood development mechanism of severe accidents, the complex organizational structure involved, and the lack of clear rules and guidelines for human actions, studies of the operator's response process and its reliability are relatively insufficient. Relevant research work is unable to effectively find the weak links in operators, procedures, organizations and other influencing factors, and targeted improvements of human reliability in SA situations are therefore very difficult [1–3]. This paper carries out a reliability assessment of EFW injection, a typical important human action that is required in an SA when the severe accident dedicated valves (SADVs) cannot be opened successfully, so that the high primary loop pressure may lead to a steam generator tube rupture (SGTR) event. Based on the existing engineering design, its reliability is evaluated qualitatively and quantitatively, and detailed substantiation is provided by analysing whether the required operator actions are achievable or not in order to mitigate further adverse consequences, i.e. degradation of the fuel. This paper is divided into four parts. The first part introduces the severe accident and the EFW injection accident sequence, and identifies the important human actions involved. The second part gives the qualitative analysis of the reliability of the operator in the response process of the accident. The third part gives the quantitative analysis results. The final part summarizes and discusses the analysis results of this assessment.
2 Accident Scenarios Analysis
2.1 Severe Accident Introduction
Severe accidents can be defined as events that are beyond the Design Basis Conditions (DBCs). The additional protection and mitigation measures that are part of the design against severe accidents are termed Design Extension Conditions (DEC). DEC events are assessed by two different methodologies:
• DEC-A: These sequences involve failures beyond the design basis analyses; however, as with DBC events, the protection measures are designed to prevent core damage.
• DEC-B: These sequences involve failures where core degradation or damage has occurred, and protection measures are designed to provide a substantial reduction in radiological release by maintaining containment integrity.
652
Z.-H. Xu et al.
The generic features of severe accident progression are mainly dominated by physical processes relating to fuel degradation, and therefore the overall strategy to mitigate a severe accident is defined as "to maintain as many barriers between the core and environment as possible, for as long as possible". This strategy can be largely achieved by maintaining the integrity of the reactor pressure vessel and containment. Following any accident, if the core outlet temperature increases to above 650 °C, then severe accident management conditions are entered. Upon entry into severe accident conditions, operators in the main control room (MCR) are required to implement the procedurally led initial response outlined in the Severe Accident Management Guidelines (SAMGs) to open the SADVs to reduce primary loop pressure. The initial response is performed before emergency technical and decision teams would be required to support the MCR crew.
2.2 EFW Injection Scenarios Analysis and Bounding
Following a severe accident, the SAMG initial response will result in the operations team opening the SADVs to reduce primary loop pressure. In the event where the SADVs have failed to open as part of the initial response (most likely due to mechanical failure), operators must ensure that Steam Generators (SGs) are supplied with feedwater to remove heat from the high pressure primary loop and prevent the occurrence of an SGTR event. Therefore, EFW injection would be required as a mitigation strategy to remove heat from the primary loop and minimise the likelihood of an SGTR. An extract from the L2 PSA Event Tree is presented in Fig. 1: the first event 'IE' shows a plant damage state with high primary loop pressure as an initiating event. The second event 'CI' shows containment isolation. The third event 'DEP' represents primary depressurisation using the SADVs, and the final event 'SG_FW' represents SG feedwater.
Fig. 1. L2 Event tree extract from L2 PSA (figure: event tree with columns IE, CI, DEP, SG_FW and Conseq.; consequences Controlled/Uncontrolled; legend distinguishes equipment failure events from operator actions)
The EFW is the preferred means to inject water into the SGs to remove residual heat from the primary loop following a severe accident. The EFW consists of three identical trains corresponding to each SG, each with a dedicated feedwater storage tank. Common headers exist on the suction and discharge lines, which are normally isolated. The dedicated tanks can support of water demand. Each train of the EFW is located in an individual safeguard building. See Fig. 2 for a diagrammatic overview of the EFW injection system.
Fig. 2. Diagram of the EFW system
Manual EFW start is performed for the following DEC-B events:
• Anticipated Transient without Trip (ATWT).
• Station Blackout (SBO).
ATWT events involve the failure of the reactor trip system whenever it is called on during a nuclear power plant transient. An ATWT leading to a severe accident places a requirement for EFW to be started within 30 min following an SG low level alert, if the SADVs have failed to open. SBO events occur following a loss of offsite power and the failure of the backup/emergency diesel generators. For SBO events, if the recovery of the external power source of the NPP is successful, then it is possible to restore EFW injection. If the recovery of the external power source fails, then the L2 PSA claims that EFW injection is not available. A severe accident following an SBO event allows up to 60 min to achieve this objective. This assessment therefore considers the bounding scenario to be ATWT, based on the most onerous timescale for task completion.
2.3 Human Response Process Analysis
In the assessed scenario, once the SADV failure is confirmed and a further cue of the low SG level limit being initiated is provided, operators would subsequently be required to check whether the TST is operational and can act as the lead for diagnosing the correct response. It is reasonable to assume that the TST crew are functional and assembled before entry into severe accident conditions, on the basis that severe accidents would be anticipated as the core outlet temperature increases and the controlled state cannot be achieved. If the TST are operational, the plant emergency organization will grant approval for the TST to take over as the primary decision-making body, and they will be responsible for performing the severe accident diagnoses, with instructions relayed by the TST crew to the MCR crew to control the plant. It is noted that in the event that the TST are not functional following SADV failure, the MCR crew are directed by the SAMG initial response to inject water into the SGs without TST input, therefore ensuring that completion of this action is not dependent upon the TST being assembled. Achievement of EFW injection requires operators to determine a viable EFW injection and discharge route with sufficient water supplies, and to start injection from the MCR within 30 min from the low SG level limit being initiated. The assessment defines tasks as follows:
• Diagnosis Tasks (DT) – performed by the TST crew, with support and error recovery opportunities provided by the MCR crew.
• Action Tasks (AT) – performed by the TST crew (giving instructions) and MCR (execution and error recovery).
The success criterion for this human action is summarised as: operators start EFW injection within 30 min from the low SG level limit being initiated following an ATWT event leading to a severe accident.
3 Tasks Analysis
3.1 Tasks Overview
Figure 3 presents the guidelines used for the severe accident scenario, including the actions that are expected to be undertaken prior to the requirement for EFW injection.
Fig. 3. Tasks overview (figure: Initiating event: Severe Accident [any EOP] → Core outlet T > 650 °C → State Permanent Monitoring via Plant Emergency Director if TSC are functional → SAMG (Initial Response): MCR crew open SADVs; if TSC not functional: SAMG (SA diagnosis): MCR crew start EFW; Alarm: Low SG level limit → EFW injection → Start EFW (skill-based task) by MCR crew; SAMG (SA diagnosis) with Technical Support Centre: MCR crew start EFW)
The task steps necessary to complete EFW injection are described by the HTA in Fig. 4.
0 Start EFW injection following a Severe Accident
  Plan 0: TST: Do 1 continuously. Once 2 is completed, do 3 and 4, in order. MCR: Do 2, as required.
  1 Perform SAMG periodic checks
  2 Detect severe accident conditions
    Plan 2 (MCR): Do 2.1 and 2.2, as required
    2.1 Detect SG level low
    2.2 Detect failure of SADVs to open
  3 Determine the required response
    Plan 3: MCR: Do 3.1. TST: When 3.1 is complete, do 3.2
    3.1 Confirm alarm with TST
    3.2 Determine requirement for EFW injection
  4 Implement the required response
    Plan 4: TST: Do 4.1 and 4.2 in order. Do 4.5 after MCR crew start EFW injection. MCR: Do 4.3 once injection strategy is communicated, then do 4.4.
    4.1 Devise injection strategy
      Plan 4.1 (TST): Do all, in order.
      4.1.1 Check SG pressure for EFW injection
        Plan 4.1.1 (TST): Do 4.1.1.1. Do 4.1.1.2 if SG pressure is above EFW injection pressure
        4.1.1.1 Determine SG pressure
        4.1.1.2 Select SG depressurisation strategy
          Plan 4.1.1.2 (TST): Do 4.1.1.2.1. If steam dump valves are not available, do 4.1.1.2.2.
          4.1.1.2.1 Select 'Open steam dump valves' strategy
          4.1.1.2.2 Select 'Open condenser dump valves' strategy
      4.1.2 Select SGs for injection
      4.1.3 Select EFW injection route
        Plan 4.1.3 (TST): Do all, in order.
        4.1.3.1 Select water source
        4.1.3.2 Select discharge route
        4.1.3.3 Identify safe injection limits
    4.2 Communicate strategy to MCR crew
    4.3 Verify SAMG strategy
    4.4 Inject EFW into SGs
      Plan 4.4 (MCR): Do all, in order.
      4.4.1 Perform EFW system checks
      4.4.2 Start EFW
        Plan 4.4.2 (MCR): Do 4.1 and 4.2, in order. Do 4.3 continually until SA is mitigated.
        4.4.2.1 Open EFW valves
        4.4.2.2 Activate EFW pump(s)
        4.4.2.3 Control and monitor flow rate
    4.5 Confirm EFW strategy has succeeded
Fig. 4. Task steps described by HTA
The safety-significant task steps associated with EFW injection are therefore identified and grouped as follows:
DT: Determine the required strategy for EFW injection:
• Perform SAMG periodic checks.
• Detect the SG level low limit alert.
• Detect SADV failure to open.
• Determine requirement for EFW injection.
• Devise EFW injection strategy.
• Communicate strategy to MCR crew.
AT: Implement the EFW injection strategy that has been selected, depending on the specific injection strategy:
• Depressurisation of SGs below EFW injection pressure.
• Reconfiguration of EFW trains with EFW tanks and selected SGs via interconnector valves.
• Configuration of discharge routes (VDA/VVP/GCT), as required.
• Opening valves and starting the EFW pumps from the Hardwired Control Panel (HCP).
3.2 Diagnosis Task
Once the requirement for EFW injection has been determined, the TST are required to liaise with the operations team to devise an appropriate strategy for injection using the EFW, based on the available plant. The strategy is then communicated to the operations team for implementation. The initial cues for operator response are provided by confirmation that the SADVs have failed to open and that the low SG level alert is present. The low SG level alert may occur before the initial task to open the SADVs.
3.3 Action Task
The action task for EFW injection is performed by the operations team once the strategy for EFW injection has been devised and communicated by the TST. The operations team are required to follow the strategy, configure the EFW system for injection, and control/monitor the flow rate to minimise the possibility of water hammer in the secondary loop. The cues for this action task are provided by the TST, who will outline the various tasks required to configure water tanks, injection and discharge routes for the EFW, as well as the safe injection limits. The TST crew may be consulted during this task for advice and support but cannot control the plant, as the TST working place is configured in monitoring mode only. EFW will be configured as a knowledge-based task, without procedures. Success of this action will lead to success of EFW injection.
4 Performance Shaping Factors Analysis
4.1 Cues and Human-Machine Interface (HMI)
There are two key cues for detecting the requirement for the diagnosis task:
• SG low level limit alert on the KIC and TST working place.
• Operations team recognising that the SADVs have failed to open.
The precise timing of these cues is variable; however, the most onerous scenario is defined as the SG low level alert occurring before an attempt has been made to open the SADVs as part of the initial response. It is considered that multiple alarms would be present in the MCR following a severe accident, which could lead to a masking effect; however, key indications, including low SG level, are provided on the KIC via a banner that is permanently displayed at the top of each screen. It is noted that the current design does not intend for low SG level to be associated with an alarm, as this low level is frequently reached as part of normal operation of the plant. It is recommended that the SAMGs support regular checking of key parameters including SG level in order to support anticipation of EFW injection. In addition, a further recommendation is the provision of a wide range and narrow range level value comparison of the SG to support timely diagnosis. The cues to recognise that the SADVs have failed to open should be straightforward, as the SAMGs instruct the operations team to open the SADVs as part of the initial response, and will subsequently instruct operators to establish EFW injection if primary loop pressure remains high. The SAMGs provide the necessary instructions for the TST to determine the required response and begin to devise a strategy for EFW injection. The TST would be required to collect a wide range of information using the TST working place and from consulting with the operations team in the MCR. The series of key cues and feedback to devise the strategy consists of:
• SG pressure.
• SG status (i.e. working, malfunctioning, damaged).
• SG level.
• EFW injection pressure.
• Steam dump valve and/or condenser dump valve position.
• EFW tank volume.
• EFW pump status and flowrate.
• EFW loop valve positions and mode (AUTO/MANUAL).
• Primary loop temperature.
• Core outlet temperature.
• Atmospheric Steam Dump/Main Steam/Turbine Bypass valve positions.
• Containment pressure (if injecting into faulty SGs, or to detect SGTR).
Operators would use this information, in conjunction with the SAMGs, to identify the SG injection limit and for how long a continuous water supply is required. Implementing EFW is performed without procedures, noting that the precise actions required depend on the strategy selected and that instructions would be developed when devising the strategy. Both the MCR and the TST are equipped with telephones to relay instructions, and to contact the on-site emergency control center as needed.
4.2 Time Required
The assessed scenario considers that up to 30 min are available to establish EFW injection once the low SG level limit (T0) has been reached, in order to mitigate the accident and prevent further radiological release. Conservatively, the assessed scenario assumes that T0 occurs before the SADVs have been opened as part of the SAMG initial response. Therefore, the time at which operators are made aware of the need for a response (T1) and the time at which operators will respond (T2) occur after the SADVs have failed to open, and the time between T1/T2 and completion of AT (T3) is less than 30 min. The TLA assumes an expected task duration of 15 min to determine the ASG injection strategy and an expected task duration of 6 min to implement ASG injection, on the basis of operating experience. To support the derivation of PSFs, this paper allocates up to 17.5 min for completion of DT and up to 7.5 min for completion of AT. Therefore, the task is demonstrated to be achievable, with a small time margin available, for the most onerous severe accident using conservative task duration data. It is noted that the duration of SG depressurisation is identified as not critical to whether this task can be achieved within 30 min (Fig. 6).
658
Z.-H. Xu et al.
[Fig. 5 residue: timeline for the TST crew and Operations Team. Steps: 1 Perform SAMG Periodic Checks; 2.1 Detect SG Level Low Alert; 2.2 Check SADV Failure to Open; 3.1 Confirm alert and SADV failure with TST; 3.2 Determine Requirement for EFW Injection; 4.1.1.1 Determine SG Pressure; 4.1.1.2 Select SG Depressurisation Strategy; 4.1.2 Select SGs for Injection; 4.1.3 Select EFW Injection Route and Safe Limits; 4.2 Communicate Strategy to MCR Crew; 4.4 Check and Start EFW Injection. Markers: SG Level Low Limit, SADV Failure, EFW Injection Required; SPAR-H assessments DT and AT shown on a 0–30 min axis.]
Fig. 5. Timeline analysis

[Fig. 6 residue: DT "Determine the required strategy for EFW Injection" and AT "Check and Start EFW Injection" placed between the SG Level Low Limit, SADV Failure and EFW Injection Required markers on a 0–30 min axis.]
Fig. 6. Time allocation plan for PSFs
4.3 Procedure

A dedicated procedure is not available to operators for this task; however, instructions will already have been developed to support it. The operations team and TST possess copies of all SAMGs and will liaise to communicate information and determine the required response. The purpose and structure of the SAMGs are aimed at limiting the release of fission products and maintaining containment integrity. The management guideline will identify key parameters to be monitored and will prioritise mitigation strategies according to these parameters. Due to the significant number of steps required to configure the route, it is recommended that procedures or written aids be considered to enable efficient and reliable configuration of the EFW by removing the need for knowledge-based tasks.

4.4 Workplace and Environment

The EFW injection task is conducted in the MCR and the TST working place. During a severe accident, appropriate MCR and TST working environmental conditions can support reliable operation. If the normal and standby lighting systems have failed following the severe accident (e.g. during an SBO), the MCR safety lighting system will provide the necessary illumination for the MCR. The TST safety lighting system is supplied by the common uninterruptable power supply that provides the MCR safety lighting. The design of the MCR and the TST working place, and their supporting systems, are suitably resilient against the effects of a severe accident and ensure the environment remains sufficiently benign to support reliable operation.
4.5 Familiarity

Responding to a severe accident is an extremely rare event, experience of which will be limited to that provided by training. It is considered that training on severe accident conditions is likely to be infrequent and would provide limited familiarity with the conditions and stressors that would be present during an actual event.

4.6 Cognitive Workload

For DT, the operations team are required to respond to a single alert and determine failure of the SADVs, which is a straightforward task. Guidance is provided in the SAMG to help operators prioritise the severe accident mitigation strategy. To determine the strategy for injection, the TST crew are required to gather information from the TST working place and the operations team according to the SAMG instructions, and process the information to determine the necessary response. The use of SAMG flowcharts and calculation aids will support TST decision making and selection of the appropriate strategy. The most cognitively demanding task relates to the calculation of the SG injection limit, which depends on the EFW flow rate, the level in each SG and the EFW water stocks. Failure to determine an acceptable injection limit could result in water hammer effects, leading to an SGTR in one or more SG tubes. DT is therefore judged moderately complex based on task analysis; however, it is considered that operators are sufficiently supported by guidance, HMI and the operations team to complete the task [4]. For AT, procedures are unavailable to support operation; however, the required tasks for injection will have been devised by the operations team and TST crew, and the checking sheet can be used to support the task.
Actions are undertaken from the plant computer information and control system or the hardwired control panel and are familiar to operators, who would have experience using, or training on, the EFW system, but would need to identify the necessary controls to configure and start the system as a knowledge-based task. The operations team are expected to verify the injection strategy suggested by the TST, but this consists of limited checks on the selected strategy to confirm that the plant is operable and the most suitable SG is selected. The provision of a strategy supports the achievability of AT; however, the lack of a dedicated procedure or written aid would make this task complex. During a severe accident, multiple teams are required to co-ordinate as part of the overall response. The on-site emergency control organization may also be contacted to report diagnoses and confirm implementation of actions. Operators may be required to conduct several operations simultaneously, so that cognitive workload would be high for certain activities. It is recommended that frequent and dedicated communication channels be provided between the TST, MCR and on-site emergency control organization to diagnose and implement mitigation strategies affecting the plant.

4.7 Situational Awareness

A good level of operator situational awareness depends on suitably qualified and experienced individuals operating in accordance with well-designed procedures and HMIs, with clear communication channels and work processes in place to support quick and precise transmission and retrieval of critical information between the operations team, the TST and the on-site emergency control organization. The key cues and necessary feedback are provided for the operator, and the SAMG periodic checks exist to maintain operator situational awareness by regularly checking key plant parameters. Calculation aids are also provided to help plan strategies and anticipate the need for a response on the plant. However, in the present phase, restricted to the information that can be collected, this performance shaping factor cannot be analysed in detail [5].

4.8 Errors and Recovery

The key potential errors associated with the MCR operator’s task of devising the EFW injection strategy are:
• Failure to detect the SG low level limit alert or failure of SADVs.
• Operators fail to identify the requirement for ASG injection.
• Failure to select a water source that can provide sufficient continuous water injection.
• Failure to configure the correct injection/discharge routes.
• Failure to start EFW pumps.
• Failure to calculate/correctly calculate safe ASG injection limits.
• Failure to control EFW injection rate to SGs.
• Strategy not correctly communicated to Operations Team.
A failure to correctly prioritise SGs for injection may result in EFW injection to malfunctioning or damaged SGs when working SGs are available. This would not directly lead to scenario failure but may lead to a containment pressure increase or ingress into the primary loop, and therefore a requirement for further mitigating actions to minimise radiological release. The error relating to safe EFW injection limits is considered the most likely to occur in a scenario with time pressures and extreme stress. The error is irrecoverable, and the consequences are significant. Therefore, it is recommended that the SAMGs provide clear warnings relating to the importance of adhering to safe injection limits, and that the TST calculations are fully verified by the operations team prior to implementation. Errors of commission, such as failure to select the correct mitigation strategy, are minimised by the state-oriented procedures. The presence of two separate teams using shared information sources and copies of the SAMGs provides credible error recovery opportunities for this diagnosis task. An opportunity for the operations team to verify the strategy exists once the strategy is devised and being communicated. Conservatively, no credit is taken for recovery to support task completion within 30 min in the quantitative assessment [6].
5 Quantitative Assessment

5.1 PSF Values

According to the qualitative analysis, the PSFs for determining and implementing the requirement for EFW injection are derived in accordance with Part 1.A of the SPAR-H worksheet (evaluate each PSF for diagnosis). Table 1 presents the PSFs for diagnosis and actions.

Table 1. PSFs for operator response process

PSF for diagnosis     Multiplier    PSF for action        Multiplier
Available time        10            Available time        10
Stress                5             Stress                5
Complexity            2             Complexity            2
Experience/Training   1             Experience/Training   1
Procedures            1             Procedures            1
HMI                   1             HMI                   1
Fitness for duty      1             Fitness for duty      1
Work processes        1             Work processes        1
5.2 HEP Calculation

SPAR-H has two basic HEPs: 0.01 for diagnosis and 0.001 for actions. These can be modified in accordance with Part 1.B of the SPAR-H worksheet by multiplying the nominal HEP by the PSF factors given in Table 1. The human error probability is P = Pd + Pa, where Pd refers to the diagnosis error probability and Pa refers to the action error probability. Pd and Pa are calculated according to the following equations respectively [7–9].

$$P_d = 0.01 \times \prod_{i=1}^{8} PSF_i \qquad (1)$$

$$P_a = 0.001 \times \prod_{i=1}^{8} PSF_i \qquad (2)$$

An adjustment factor (Part 1.C of the SPAR-H worksheet) is required for this assessment because 3 negative PSF influences are identified. Therefore, the human error probabilities derived in Table 2/Table 3 do not represent the final HEP. The adjustment formula is as follows:

$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1} \qquad (3)$$
Table 2. HEP summary for diagnosis task

Task Ref   Description                                          Nominal HEP   PSFs: Available Time   Stress   Complexity   Overall HEP
DT1        Determine the SAMG requirement for EFW injection     1.0E−2        × 10                   × 5      × 2          = 1.0

Adjusted HEP = (0.01 × 100)/[(0.01 × 99) + 1] = 5.0E−01.

Table 3. HEP summary for action task

Task Ref   Description                                          Nominal HEP   PSFs: Available Time   Stress   Complexity   Overall HEP
AT1        Implement the EFW injection strategy                 0.001         × 10                   × 5      × 2          = 1.0E−01

Using the adjustment factor for 3 or more PSFs, the final adjusted HEP is calculated as: Adjusted HEP = (0.001 × 100)/[(0.001 × 99) + 1] = 9.1E−02.
5.3 Dependency

This human action is required following a failure of the MCR crew to open the SADVs to reduce primary loop pressure as part of implementing the SAMG initial response section; therefore the potential for dependency exists. It is considered overly conservative to assume that the TST cannot function to support EFW injection, on the basis that severe accidents would be anticipated as core outlet temperature increases and the controlled state cannot be achieved. Dependency is assessed and presented in Fig. 5 based on the following considerations [10]:
• Opening the SADVs is performed by the operations team; however, when the TST is functional it would provide support and act as the primary decision maker for this task, therefore the ‘crew’ has significantly changed.
• Insufficient time is considered to exist between opening the SADVs and starting EFW injection, i.e. the implementation actions are undertaken consecutively.
• The task location is considered to differ due to the introduction of the TST for EFW injection.
• Additional cues are provided, as opening of the SADVs is required once core outlet temperature reaches 650 °C. Determining the need for EFW injection is also indicated by an alert for SG level low, which is a key parameter that operators will be required to periodically check following a severe accident scenario (Fig. 7).
[Fig. 7 residue: dependency decision tree with branches Crew (same or different), Time (close in time or not close in time), Location (same or different) and Cues (additional or no additional); the path followed is Different crew, Close in time, Different location, ending in Moderate and Low dependency leaves.]
Fig. 7. Dependency analysis
The dependency of this task on failures made prior to core damage (i.e. the Level 1 PSA) is not considered to be a credible consideration, as the transition from an EOP-oriented process to severe accident management is judged to be a decoupling mechanism.

5.4 Overall Judgement and HEP

Table 4 calculates the task failure probability without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability and the Action Failure Probability. The task failure probability with Formal Dependence (Pwd) is also shown.

Table 4. Task failure probabilities

Task                                              Diagnosis HEP     Action HEP         Pw/od        Pwd
Start EFW Injection following a Severe Accident   DT1: 5.0E−01   +  AT1: 9.1E−02   =  5.91E−01     6.11E−01
6 Discussion

A Human Error Probability of 6.11E−01 (Pwd) is derived. The result shows that there is little margin for error recovery due to the short timescales in which the response is required from the operators and technical support teams. Reliable task completion is significantly impacted by the following factors:
• The short amount of time available to respond and the extremely limited margin to recover from errors. Significant errors are not recoverable to support task completion within 30 min.
• The requirement to undertake a lengthy and complex process to determine the EFW injection strategy, and then implement it.
• The requirement for different tasks to be completed by two separate teams, communicating by phone.
• Performing the above during a severe accident, where conditions are extremely stressful and the consequences of errors/task failures are high.
• Undertaking implementation of the EFW injection strategy as a knowledge-based task.
The main recommendations are to provide procedures and written aids, and more training for operators and technical support teams, to ensure the crew has adequate situational awareness by removing the need for knowledge-based tasks before diagnoses or actions are required. The SAMGs should provide clear guidance, instructions, warnings and limits for regular, periodic checking of key plant parameters critical to mitigating a severe accident. A wide-range and narrow-range value comparison of the SG level needs to be provided to support timely diagnosis. A redesign of the SAMG initial response needs to be considered such that EFW injection is always diagnosed and performed by the MCR crew following SADV failure. Dedicated communication channels need to be provided between the TST, MCR and on-site emergency control organization. This ensures that the task can be progressed quickly following SADV failure, removes the need for handover and allows the TST to obtain situational awareness.
7 Conclusions

Usually, the operator is passively adapted to the characteristics of the design product, which often relies on the knowledge and memory of the operators to understand important information about the plant configuration; this does not improve operator reliability and may cause unnecessary human error. The qualitative assessment demonstrates that the operator’s task of injecting EFW following the most onerous severe accident (ATWT leading to core damage) is achievable within the time available, although with a high HEP value. However, there is little margin within the scenario timescale for the recovery of significant errors to support timely completion of EFW injection, and this has a negative effect on operator and technical support team reliability. It should also be noted that the conclusions of the assessment are highly sensitive to the assumed task step durations that have been applied to support PSF evaluation. Furthermore, the required task is feasible based on the validation of recommendations relating to the cues, procedures, organisation and operator during the severe accident scenario. This paper, based on a relatively rough task analysis and SPAR-H PSF value process, carries out a conservative assessment; further detailed analysis and optimisation of the SPAR-H PSF value criteria can help to carry out a more accurate evaluation and find more useful recommendations.
References

1. US Nuclear Regulatory Commission: Human-system interface design review guidelines. NUREG-0700, Rev 3 (2020)
2. U.S. Nuclear Regulatory Commission: Human Factors Engineering Program Review Model. NUREG-0711, Rev 3 (2012)
3. Chang, Y.H.J., Mosleh, A.: Cognitive modeling and dynamic probabilistic simulation of operating crew response to complex system accidents – Part 2 IDAC performance influencing factors model. Reliab. Eng. Syst. Saf. 92, 1014–1040 (2007)
4. Moray, N.: Mental Workload: Its Theory and Measurement. Springer Science & Business Media, Boston (2013). https://doi.org/10.1007/978-1-4757-0884-4
5. Taylor, R.M.: Situational awareness rating technique (SART): The development of a tool for aircrew systems design. In: Situational Awareness. Routledge, London, pp. 111–128 (2017)
6. Jang, I., Jung, W., Seong, P.H.: Human error and the associated recovery probabilities for soft control being used in the advanced MCRs of NPPs. Ann. Nucl. Energy 87(2), 290–298 (2016)
7. Gertman, D., Blackman, H., Marble, J., Byers, J., Smith, C.: The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883. Idaho National Laboratory, USNRC, Washington D.C. (2004)
8. Jang, I., Kim, A.R., Jung, W., Seong, P.H.: A framework of human reliability analysis method considering soft control in digital main control rooms. In: Proceedings of 16th International Conference on Human Interface and the Management of Information: Information and Knowledge Design and Evaluation, Heraklion, Crete, Greece (2014)
9. Xu, Z., Zhang, J., Zhang, X.: Study for reliability analysis of operator response process under IBLOCA accident in nuclear power plant. In: International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection for Nuclear Power Plant. Springer, Singapore, pp. 599–609 (2020)
10. Swain, A.D.: Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772. USNRC, Washington D.C. (1987)
Evaluation Method for Heavy-Duty Gas Turbine Overspeed Analysis Wen-Jie Wu1 , Hua-Zhang2 , and He-Ming Bao1(B) 1 China United Gas Turbine Technology Co., Ltd., Beijing, China
[email protected] 2 Shanghai DianJi University, Shanghai, China
Abstract. During operation, failure of the governor to respond to speed changes, or any abnormal behavior, should be taken seriously as they could be indications of a governor problem, or possible sticking of valves, which could, under a sudden loss of load, lead to overspeed. The gas turbine will be heavily damaged if the overspeed is not well handled. In this article, the traditional steady engineering method is evaluated and a new transient rotational speed analysis method is developed for overspeed protection control and fuel system design. This method has practical application in GT overspeed evaluation, fuel piping system design, gas control valve selection and grid synchronization evaluation for GT from full load to part load, etc.

Keywords: Heavy-duty gas turbine · Overspeed analysis · Control and protection system
1 Introduction

Since its invention by the BBC company in 1939, the gas turbine has been widely used in power generation, pipeline power, ship power, locomotive power and other fields after more than 60 years of development. It is an important piece of high-end technology equipment integrating many technologies, and plays an important role in national defense, energy, transportation and other industrial sectors [1]. When a gas turbine is running at part or full load, the turbine speed is governed by the frequency of the grid, and the fuel delivered to the turbine is the amount required to maintain the generator load and overcome turbine/generator aerodynamic and parasitic drag. In the event of a load rejection, the grid no longer controls the turbine speed, the generator load decreases significantly, and the fuel flow required to maintain constant speed is significantly less than that at full or part load. Since there is a finite volume of piping downstream of the gas control valves, the fuel that has already exited the valves will enter the combustor and generate more energy in the turbine than is required to maintain speed. Consequently the turbine will accelerate until the excess fuel is consumed by the combustor. Additionally, there is a short response time for the control system to position the control valves to the no-load flow level, which also affects the amount of excess fuel delivered to the turbine. Piping volume limits downstream of the gas valves must therefore be defined to ensure turbine speed does not exceed the trip limits specified in the control system. “Upon sudden loss of the maximum guaranteed load….the speed governing system…shall be capable of controlling overspeed of the turbine to a value that is less than the specified tripping speed of the Emergency governor.” [2]. The magnitude of the speed increase is controlled by the residual energy in the system, i.e. the amount of fuel that is available and how it flames out. The overspeed is also controlled by the inertia that is accelerated by the residual energy [3].

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 666–677, 2022. https://doi.org/10.1007/978-981-19-1181-1_62
2 Overspeed Analysis of Heavy Duty Gas Turbine

Overspeed analysis can be used for two different purposes. It can be used to define the peak overspeed following load rejection for a given turbine/fuel system with a known gas fuel piping volume. It can also be used to define the maximum allowable fuel system piping volume (downstream of the gas valves) for a given system based on a maximum allowable overspeed limit. Along with post-load-rejection overspeed, the analysis can be used to define peak emergency overspeed (peak speed following a control-induced turbine trip with one or more gas valve failures) by including the piping volume between the stop valve and the gas valves. The emergency overspeed analysis used can be traced back to ASME PTC 20.2, which breaks the response into four sections using the block energy method: rotational energy, system delay energy, (emergency) valve closure energy and entrapped energy [4]. The kinetic energy of the rotor system at emergency overspeed N_e is [4]

$$E_e = E_t + E_1 + E_2 + E_3 \quad [\mathrm{kW\,s}]$$

$$N_e = \sqrt{\frac{4.33 \times 10^{6}\, E_e}{WR^2}} \quad [\mathrm{rpm}]$$

Applying this “block energy” method to the gas turbine, the calculation defines peak speed as a function of initial speed, piping volume, fuel properties, turbine/generator inertia and fuel system pressures. A term is added to the calculation to account for the response time of the control system. The Block of Energy method calculates the excess fuel sent to the combustor based on the initial (pre-load-rejection) and final (no-load) gas piping pressures. In order for the pressure to decrease from the initial level to the final level, fuel must exit the piping and enter the combustor. The remaining terms in the analysis define the ability of the combustor/turbine to turn this fuel into rotational energy. This can be expressed by the following equation:

$$N_e = \sqrt{\frac{E_g}{k\,I_j} + N_i^2} + f_{control} \times N_i \quad [\mathrm{rpm}]$$

The first term of the equation (under the radical) accounts for the acceleration caused by the fuel that has already exited the gas valves after the control system responds to the load rejection and closes the valves to the FSNL flow level. The second term accounts for the time required for the control system to detect and respond to the load rejection, which can usually be obtained from field tests. The above analysis method is based on the steady state, which does not exactly represent the overspeed process. A new Transient Rotational Speed method is developed here with HYSYS simulation and verified with real overspeed data.
3 Transient Rotational Speed for Overspeed Analysis

The whole methodology can be separated into two models: a physical one, the simulation of the transient fuel flowrate by HYSYS software, and a mathematical one, the conversion of fuel energy into rotational energy and damping loss based on the physical model.

3.1 The Flowrate HYSYS Transient Simulation

A flowrate HYSYS model is developed to simulate the transient flowrate during overspeed. The model includes the fuel volume from the shutoff valve to the gas turbine combustor, with consideration of the control system delay (Fig. 1 and Fig. 2).
Fig. 1. HYSYS model for fuel piping system from SRV to combustion
Fig. 2. HYSYS model for manifold
The simulation results are shown in Fig. 3 and Fig. 4.
Fig. 3. HYSYS transient fuel flowrate after load rejection
Fig. 4. Excel trend lines and corresponding equations based on HYSYS transient flowrate
3.2 Transient Rotational Speed Equation Deduction
Fig. 5. Inertia distribution sketch
As shown in Fig. 5, three inertias should be considered in the calculation of shaft rotational energy: the gas turbine, the load coupling and the generator. The symbols used below are described here.

Symbol       Description                                                    Unit
A            Parameter of damping loss                                      –
B            Parameter of active fuel energy                                –
ED           Damping loss of GT                                             BTU
ET           Rotational energy of GT                                        BTU
GT           Rotational energy of generator shaft                           BTU
LCT          Rotational energy of load coupling between GT and generator    BTU
m            Fuel mass                                                      lb
n            Rotational speed of shaft                                      rpm
nr           Rotational speed of shaft at base load                         rpm
n1           Rotational speed of shaft at time step 1                       rpm
n2           Rotational speed of shaft at time step 2                       rpm
WE RE²       Moment of inertia of GT                                        lb · ft²
WG           Power output of generator                                      BTU
WG RG²       Moment of inertia of generator shaft                           lb · ft²
WLC RLC²     Moment of inertia of load coupling between GT and generator    lb · ft²
x            Rated rotational speed ratio                                   %
Here we assume that the fuel energy multiplied by the parameter B is called the active fuel energy, which is used to generate power, overcome the damping loss and increase the rotational energy. For the transient process, the equations can be expressed as follows.

$$B \cdot m = E_T + G_T + LC_T + E_D + W_G \qquad (1)$$

$$E_D = A \cdot n^3 \qquad (2)$$

$$E_T = 2.19 \times 10^{-7}\, W_E R_E^2 \cdot n^2 \qquad (3)$$

$$G_T = 2.19 \times 10^{-7}\, W_G R_G^2 \cdot n^2 \qquad (4)$$

$$LC_T = 2.19 \times 10^{-7}\, W_{LC} R_{LC}^2 \cdot n^2 \qquad (5)$$

Equation (3) can be expressed as

$$E_T = 2.19 \times 10^{-7}\, W_E R_E^2 \cdot (n_r \cdot x)^2 \qquad (6)$$

where x is the percentage of rated speed, such as 105%. Then Eq. (6) can be expressed as the following equation, which is plotted in Fig. 6.

$$y = \frac{E_T}{2.19 \times 10^{-7}\, W_E R_E^2 \cdot n_r^2} = x^2 \qquad (7)$$

Since we only focus on the range of rotational speed ratio from 100% to 115%, Fig. 6 can be shrunk to Fig. 7.
Fig. 6. GT rotational energy vs. rated speed
Fig. 7. GT rotational energy vs. rated speed from 100% to 115%
As shown in Fig. 7, the trend can be considered as linear over the range of 100% to 115%. Then Eq. (7) can be expressed as

$$y = \frac{E_T}{2.19 \times 10^{-7}\, W_E R_E^2 \cdot n_r^2} = x^2 = 2.15x - 1.1535 \qquad (8)$$

which can be simplified to

$$E_T = 2.19 \times 10^{-7}\, W_E R_E^2 \cdot n_r^2 \cdot (2.15x - 1.1535) = 4.7085 \times 10^{-7}\, W_E R_E^2 \cdot n_r \cdot n - 2.5262 \times 10^{-7}\, W_E R_E^2 \cdot n_r^2 \qquad (9)$$

Using the same method, the generator and load coupling rotational energies can be expressed as

$$G_T = 4.7085 \times 10^{-7}\, W_G R_G^2 \cdot n_r \cdot n - 2.5262 \times 10^{-7}\, W_G R_G^2 \cdot n_r^2 \qquad (10)$$

$$LC_T = 4.7085 \times 10^{-7}\, W_{LC} R_{LC}^2 \cdot n_r \cdot n - 2.5262 \times 10^{-7}\, W_{LC} R_{LC}^2 \cdot n_r^2 \qquad (11)$$

The damping loss of the GT can be expressed in the same way. Equation (2) can be expressed as

$$E_D = A \cdot n^3 = A \cdot (n_r \cdot x)^3 \qquad (12)$$

which can be expressed as

$$y = \frac{E_D}{A \cdot n_r^3} = x^3 \qquad (13)$$

Equation (13) can be plotted as in Fig. 8.
Over the range of 100% to 115%, the diagram is shown in Fig. 9.
Fig. 8. GT damping loss vs. rated speed
Fig. 9. GT damping loss vs. rated speed from 100% to 115%
As shown in Fig. 9, the trend can also be considered as linear over the range of 100% to 115%. Then Eq. (13) can be expressed as

$$y = \frac{E_D}{A \cdot n_r^3} = x^3 = 3.4707x - 2.4818 \qquad (14)$$

which can be simplified to

$$E_D = A \cdot n_r^3 \cdot (3.4707x - 2.4818) = 3.4707A \cdot n_r^2 \cdot n - 2.4818A \cdot n_r^3 \qquad (15)$$

Here we set the time step to 0.2 s and take m as the fuel entering the combustor during each corresponding 0.2 s. Substituting Eqs. (9), (10), (11) and (15) into Eq. (1) gives

$$B \cdot m = 4.7085 \times 10^{-7}\, n_r \left(W_E R_E^2 + W_G R_G^2 + W_{LC} R_{LC}^2\right)(n_2 - n_1) + 3.4707A \cdot n_r^2 \cdot n_2 - 2.4818A \cdot n_r^3 + W_G \qquad (16)$$

where $4.7085 \times 10^{-7}\, n_r \left(W_E R_E^2 + W_G R_G^2 + W_{LC} R_{LC}^2\right)(n_2 - n_1)$ is the part of the active fuel energy used to increase the shaft rotational energy and $3.4707A \cdot n_r^2 \cdot n_2 - 2.4818A \cdot n_r^3$ is the part of the active fuel energy used to overcome the damping loss. The moment of inertia of the 7FB GT for the Hunterstown project is

$$W_E R_E^2 + W_G R_G^2 + W_{LC} R_{LC}^2 = 412785\ \mathrm{lb \cdot ft^2} \qquad (17)$$

and the base load rotational speed is

$$n_r = 3600\ \mathrm{rpm} \qquad (18)$$

Substituting Eqs. (17) and (18) into Eq. (16):

$$B \cdot m = 4.7085 \times 10^{-7} \times 3600 \times 412785 \cdot (n_2 - n_1) + 3.4707 \cdot A \cdot 3600^2 \cdot n_2 - 2.4818A \cdot 3600^3 + W_G \qquad (19)$$

which can be simplified to

$$B \cdot m = 699.7 \cdot (n_2 - n_1) + 3.4707 \times 3600^2 \cdot A \cdot n_2 - 2.4818 \times 3600^3 \cdot A + W_G \qquad (20)$$

Here we can see that there are only two unknown parameters, B and A, in the equation. We can calculate them from two operating states (the base load and the load rejection balance states). At the end of load rejection, the system returns to a balance state in which the input active fuel energy is used only to overcome the damping loss. Then Eq. (20) can be expressed as

$$B \cdot m = 3.4707 \times 3600^2 \cdot A \cdot n_2 - 2.4818 \times 3600^3 \cdot A \qquad (21)$$
For this state

$$m = 4.91\ \mathrm{lb/s} \times 0.2\ \mathrm{s} = 0.982\ \mathrm{lb} \qquad (22)$$

$$n_2 = 3600\ \mathrm{rpm} \qquad (23)$$

Substituting Eqs. (22) and (23) into Eq. (21), B can be expressed in terms of A:

$$B = 1.007 \times 3600^3 \cdot A \qquad (24)$$

During base load, the input active fuel energy is used to overcome the damping loss and generate power. Then Eq. (20) can be expressed as

$$B \cdot m = 3.4707 \times 3600^2 \cdot A \cdot n_2 - 2.4818 \times 3600^3 \cdot A + W_G \qquad (25)$$

$$m = 21.84\ \mathrm{lb/s} \times 0.2\ \mathrm{s} = 4.368\ \mathrm{lb} \qquad (26)$$

$$n_2 = 3600\ \mathrm{rpm} \qquad (27)$$

Here

$$W_G = 177.621\ \mathrm{MW} \times 0.2\ \mathrm{s} = 177.621 \times 0.2 \times 947.82\ \mathrm{BTU} = 33670.547\ \mathrm{BTU} \qquad (28)$$

Substituting Eqs. (25), (26) and (27) into Eq. (20), it can be simplified to

$$B \cdot m = 3.4707 \times 3600^3 \cdot A - 2.4818 \times 3600^3 \cdot A + 33670.547 \qquad (29)$$

Recalling Eq. (24), then

$$A = 2.12 \times 10^{-7} \qquad (30)$$

Substituting Eq. (29) into Eq. (24),

$$B = 9944.335 \qquad (31)$$

For load rejection, Eq. (20) can be expressed as

$$B \cdot m = 699.7 \cdot (n_2 - n_1) + 3.4707 \times 3600^2 \cdot A \cdot n_2 - 2.4818 \times 3600^3 \cdot A \qquad (32)$$

Recalling Eqs. (29) and (30), the transient rotational speed after load rejection can be derived from the following equation:

$$n_2 = \frac{9944.335\,m + 699.7\,n_1 + 24547.662}{709.236} \qquad (33)$$

Combined with the data acquired in an Excel spreadsheet, the transient rotational speed ratios of the model and of real operation can be plotted as in Fig. 10.
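The parameter fit of Eqs. (21)–(31) and the step recursion of Eq. (33), carried through in Python as an added example (not the authors' HYSYS/Excel workflow). It uses the 7FB plant data quoted above; the per-step fuel profile that stands in for the Fig. 4 HYSYS trend is constructed, so the resulting peak is illustrative, not the paper's 106.6%.

```python
"""Transient rotational speed after load rejection, built from the energy
balance of Eq. (1) with the linearised terms of Eqs. (9)-(15) and the 7FB
plant data of Eqs. (17)-(28). Added example, not the authors' HYSYS/Excel
workflow; the fuel-flow profile below is constructed, not the Fig. 4 data."""
import math

# Plant data quoted in the paper
WR2_TOTAL = 412785.0          # lb*ft^2, GT + generator + load coupling, Eq. (17)
N_R = 3600.0                  # rpm, base-load speed, Eq. (18)
DT = 0.2                      # s, time step used in the paper
M_NOLOAD = 4.91 * DT          # lb fuel per step at no load, Eq. (22)
M_BASE = 21.84 * DT           # lb fuel per step at base load, Eq. (26)
W_G = 177.621 * DT * 947.82   # BTU generator work per step, Eq. (28)

K_ROT = 2.19e-7               # BTU per (lb*ft^2 * rpm^2), Eq. (3)
# Linear fits valid for 100-115 % speed: x^2 = 2.15x - 1.1535 (Eq. 8) and
# x^3 = 3.4707x - 2.4818 (Eq. 14). Only the slope of the x^2 fit survives in
# the difference E_T(n2) - E_T(n1), which is why 4.7085e-7 appears in Eq. (16).
C_ROT = K_ROT * 2.15          # 4.7085e-7
C_D1, C_D0 = 3.4707, 2.4818


def fit_damping_and_fuel_params():
    """Solve A (damping) and B (active fuel) from the two balance states.
    Returns (A, B, inertia_coeff); inertia_coeff is the 699.7 of Eq. (20)."""
    inertia_coeff = C_ROT * N_R * WR2_TOTAL
    damp_at_nr = (C_D1 - C_D0) * N_R ** 3      # damping loss per unit A at n = n_r
    # No-load balance, Eq. (21): B*M_NOLOAD = damp_at_nr*A -> B = ratio*A (Eq. 24)
    ratio = damp_at_nr / M_NOLOAD
    # Base-load balance, Eq. (25): B*M_BASE = damp_at_nr*A + W_G -> A (Eq. 30)
    A = W_G / (ratio * M_BASE - damp_at_nr)
    B = ratio * A                              # Eq. (31)
    return A, B, inertia_coeff


def step_speed(n1, m_step, A, B, inertia_coeff):
    """Eq. (32)/(33): speed after one step with W_G = 0 (load rejected)."""
    denom = inertia_coeff + C_D1 * A * N_R ** 2
    return (B * m_step + inertia_coeff * n1 + C_D0 * A * N_R ** 3) / denom


def simulate(fuel_lb_per_step, n0=N_R):
    """March Eq. (33) through a per-step fuel mass series; returns rpm list."""
    A, B, inertia_coeff = fit_damping_and_fuel_params()
    speeds = [n0]
    for m in fuel_lb_per_step:
        speeds.append(step_speed(speeds[-1], m, A, B, inertia_coeff))
    return speeds


def constructed_fuel_profile(steps=50, tau_s=0.8):
    """Constructed stand-in for the HYSYS trend of Fig. 4: fuel per step
    decays exponentially from the base-load to the no-load value as the
    gas control valves close and the piping volume blows down."""
    return [M_NOLOAD + (M_BASE - M_NOLOAD) * math.exp(-k * DT / tau_s)
            for k in range(steps)]


def peak_speed_ratio(speeds):
    """Peak speed as a fraction of n_r, the quantity compared in Fig. 10."""
    return max(speeds) / N_R


if __name__ == "__main__":
    A, B, ic = fit_damping_and_fuel_params()
    print(f"A = {A:.3e}, B = {B:.1f}, inertia coefficient = {ic:.1f}")
    speeds = simulate(constructed_fuel_profile())
    k = speeds.index(max(speeds))
    print(f"peak {peak_speed_ratio(speeds):.4f} of rated at t = {k * DT:.1f} s")
```

Feeding the no-load fuel mass of Eq. (22) at every step holds the shaft at exactly 3600 rpm, which is the balance state the fit was anchored on; any fuel above that value raises the speed until the damping term catches up.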
Fig. 10. Rotational speed ratios of model and real
4 Conclusion

The Transient Rotational Speed methodology includes two sections: a physical one, the simulation of the transient fuel flowrate by HYSYS software, and a mathematical one, the conversion of fuel energy into rotational energy and damping loss based on the physical model. Figure 10 shows the rotational speed ratio of the model and of real operation after load rejection. We can see that the results of the model are very close to the real operation data. The trends of rotational speed are the same for these two lines. The highest ratio in the model is 106.6%, which is almost the same as the real one (106.1%), occurring around 3 s after load rejection. This methodology gives the transient rotational speeds of the rotor after load rejection, which has practical application in GT overspeed evaluation, fuel piping system design, gas control valve selection and grid synchronization evaluation for GT from full load to part load, etc.
References

1. Saite, W.: Review on the research of application of gas turbine. Light Ind. Sci. Technol. 35(12), 52–54 (2019)
2. IEEE Recommended Practice for Functional and Performance Characteristics of Control Systems for Steam Turbine-Generator Units. IEEE Std 122–1991, 4.4.7
3. Appell, B., Hoffeld, H., Menne, A.: New method for the protection of gas turbines against overload and overspeed. Technol. Law Insurance 4(1–2), 121–125 (1999)
4. Overspeed Trip Systems for Steam Turbine-Generator Units: ASME PTC 20.2:1965, 5.02.9 – 5.02.10
Author Index

B: Bai, Tao, 614; Bai, Xu-Tao, 14, 63; Bai, Yu-Jie, 301; Bao, He-Ming, 666; Bin, Yang, 479

C: Cao, Ying, 25; Che, Junxia, 411; Chen, Ming, 63; Chen, Rui, 181; Chen, Shi-Yong, 490, 500, 510; Chen, Yang-Yang, 220, 462; Chen, Yi-Wei, 42; Chen, Zi-Xi, 208, 232, 239; Cheng, Bo, 274; Cheng, Xiong-Wei, 85; Cui, Cong, 247

D: Deng, Zhi-Guang, 50, 167, 510; Dong, Chen-Long, 50, 167; Dong, De, 469; Dong, Xiao-lu, 124; Dong, Zhang-Xiao, 553; Du, Xin, 327; Du, Xiu-Li, 264; Duan, Peng-Bin, 247

F: Fan, Hai-Ying, 135; Fang, Zi-Rui, 190

G: Gao, Chao, 572; Gu, Peng-Fei, 25; Guo, Rong, 1; guo-Xu, Chang, 201

H: Hao, Zi-Jian, 254; He, Zheng-Xi, 167; Hong, Shi, 42; Hou, Rong-Bin, 479; Hu, Yan-Liang, 490; Huai, Xiao-Li, 580; Huang, Tu-Nan, 25; Huang, Wei-Jie, 247, 336; Huang, Xiao-Jin, 600; Huang, Xin-Nian, 201; Huang, Zheng-Dong, 85; Huang, Zi-Ping, 247; Hua-Zhang, 666

J: Jia, Hu-Jun, 600; Jia, Xiang-Yu, 301; Jin, Shan, 220; Jun, Liang, 190

K: Kang, Xue-Dong, 254; Kong, Jing, 239

L: Li, Gang, 563; Li, Guo-Ming, 521; Li, Heng, 327; Li, Jian-Wei, 34; Li, Le, 625; Li, Lei, 360; Li, Liang, 247, 264, 336; Li, Xiao-Fei, 85; Li, You-Ran, 469; Li, Zhi-Zhong, 436; Li, Zhuo-Yue, 50, 167; Liang, Jun, 181; Lin, Lan, 479; Lin, Ying-Jie, 590; Liu, Chun-Ming, 572; Liu, Dan, 336; Liu, Dao-guang, 181; Liu, Dao-Guang, 190; Liu, Dong-Liang, 85; Liu, Hai-Feng, 336; Liu, Hang, 159, 419; Liu, Hong-Tao, 360; Liu, Jin-Bing, 350; Liu, Jing-Bin, 208, 232, 239; Liu, Peng, 411, 419; Liu, Sheng-Feng, 135, 201; Liu, Shuang-Jin, 411; Liu, Shuang-Jin, 190; Liu, Wei, 376; Liu, Xiao-Yu, 135; Liu, Yan, 429; Liu, Yang, 159; Liu, Zhao-Peng, 159, 436, 650; Liu, Zhe-Ming, 614; Lu, Hai-Rong, 14; Luan, Hai-Yan, 264; Luan, Zhen-hua, 181; Luan, Zhen-Hua, 190, 411, 419

M: Mao, Ting, 274; Meng, Ying, 201; Mi, Wen-Zhen, 25; Mo, Chang-Yu, 563

P: Pan, Rong, 264; Peng, Hai-Yang, 254; Peng, Hao, 500; Peng, Hua-Qing, 650; Peng, Ye-Shun, 167; Pu, Song-Mao, 399

Q: Qiao, Jian-Feng, 411, 419; Qiao, Ning, 208, 232, 350; Qin, Yue, 50

R: Ren, Li-Yong, 135; Ren, Tian-Lei, 220

S: She, Jing-Ke, 451; Shi, Gui-Lian, 563, 600, 625; Shi, Tian-Zi, 451; Song, Fei, 411, 419; Song-Su, De, 283; Su, De-Song, 292, 650; Su, Yu-Jun, 385; Sun, Ao-Di, 399; Sun, Dan-Dan, 14; Sun, Guang-Zhi, 336; Sun, Pei-Wei, 399; Sun, Wei, 97; Sun, Wu, 580; Sun, Yong-Sheng, 50, 167; Sun, Yu, 360

T: Tang, Yu-qi, 451

W: Wang, Chao, 85; Wang, Chun-Bing, 532; Wang, Chun-Yi, 104; Wang, Hui, 201; Wang, Ji-Kun, 563; Wang, Jing-Wei, 625; Wang, Jun-Shui, 316; Wang, Ju-Zhi, 336; Wang, Qing-Ming, 572; Wang, Qun-Feng, 614; Wang, Ren-Yuan, 590; Wang, Sheng-Chao, 327; Wang, Xu-Feng, 135; Wang, Yong, 1; Wang, Yu, 85; Wei, Jiang, 479; Wei, Ming-Xiao, 580; Wei, Xin-Yu, 399; Wu, Bin, 563; Wu, Qian, 50, 542; Wu, Wen-Jie, 666; Wu, Zhi-Gang, 148

X: Xi, Chu-Hao, 97; Xi, Wang, 376; Xiang, Mei-Qiong, 50, 167; Xiao, Jing, 85; Xiao, Zhou, 327; Xie, Hong-Yun, 376; Xu, Dan, 360; Xu, Guo-Bin, 34; Xu, Xiao-Mei, 274; Xu, Yang, 104, 301, 316; Xu, Zhi-Hui, 292, 650; Xu, Zhi-Yong, 254

Y: Yan, Wang, 42; Yan, Xin-hong, 181, 190; Yan, Xin-Hong, 254, 532; Yang, An-Yi, 75; Yang, Dong-Fang, 436; Yang, Jian-Ming, 590; Yang, Jing-Yuan, 220, 462; Yang, Wen-Qing, 85; Yang, Yan-Xiong, 590; Yang, Zhi-Jia, 462; Yao, Yuan, 220; Yao, Zhang, 500, 510; Ye, Jing, 1; Ye, Lin, 542; Ye, Wang-Ping, 376, 532; Yin, Zi-Jian, 436; Yu, Xian-Bo, 148; Yuan, Sheng-Xin, 85

Z: Zhang, Bing-Zhuo, 34; Zhang, Chao, 532; Zhang, Gang, 274; Zhang, Hai-Bin, 336; Zhang, Jian-Bo, 292; Zhang, Jiang-Yong, 254; Zhang, Kai, 104, 301, 316; Zhang, Lan, 614; Zhang, Li-Ming, 97, 274, 532; Zhang, Long-Qiang, 360, 385; Zhang, Mi, 336; Zhang, Min-Ling, 625; Zhang, Qi, 239; Zhang, Qiang, 1; Zhang, Qiang-Sheng, 42; Zhang, Rui-Ping, 542; Zhang, Xu, 490, 500, 510; Zhang, Xue-Gang, 274; Zhang, Yi-fan, 451; Zhang, Yuan, 580; Zhang, Zhi-Hui, 563, 625; Zhao, You-You, 521; Zheng, Jia-Kang, 208, 232, 239; Zheng, Jin-Ge, 360; Zhou, Jie, 274; Zhou, Liang, 385; Zhou, Yi-Chao, 274; Zhu, Jia-Liang, 167; Zhu, Jun, 148

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022 Y. Xu et al. (Eds.): ISNPP 2021, LNEE 883, pp. 679–681, 2022. https://doi.org/10.1007/978-981-19-1181-1