risk-informed design issues of digital instrumentation and control system in npp


  • 7/22/2019 Risk-Informed Design Issues of Digital Instrumentation and Control System in NPP

    1/10

Risk-Informed Design Issues of Digital Instrumentation and Control System in Nuclear Power Plant

Danying Gu, Ming Hu, Binbin Zhang, Shuhui Zhang

Shanghai Nuclear Engineering Research and Design Institute, 29 Hongcao Rd, Shanghai, P.R. China, 200233

[email protected]; [email protected]; zhangbb@snerdi.com.cn; zhangsh@snerdi.com.cn

ABSTRACT

With the increasing use of digital instrumentation and control (I&C) technologies, the reliability and safety analysis of digital I&C systems in nuclear power plants has become one of the most challenging issues. One significant reason is that digital systems have unique failure modes arising from the combination of hardware components and software. Common cause failures (CCF) can propagate to multiple safety channels and divisions, thereby defeating the defense-in-depth and diversity that was considered adequate for an analog I&C system. Furthermore, the commonly used hardware redundancy techniques may not improve software reliability.

Probabilistic Safety Assessment (PSA) techniques are frequently used in the nuclear industry to assess the relative effects of contributing events on system reliability and plant risk. For the reliability and safety analysis of I&C systems, the introduction of the risk concept and the application of PSA methodology deserve further investigation.

The China Nuclear Safety Administration also attaches importance to the application of risk-informed decision-making technology and PSA methods to digital I&C system safety evaluation and risk regulation, especially for the new third-generation reactors under construction in China. As a key research and design institute in China, Shanghai Nuclear Engineering Research and Design Institute (SNERDI) has carried out PSA studies for many NPPs and is now focusing on research into risk assessment methods that apply PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and also on research into risk-informed digital I&C system design methods for NPPs, such as system structure design and hardware and software reliability analysis.

This paper presents our research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design. Firstly, our insights into digital I&C system risk assessment are provided, including the concept and characteristics of risk-informed technology and the relationship between risk-informed technology and PSA. Secondly, a survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is introduced. Thirdly, some key points and challenging issues of risk-informed digital I&C system design, especially for implementation in China's NPPs, are discussed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in China's NPPs.

Key Words: probabilistic safety assessment (PSA), digital instrumentation and control (I&C) systems, risk-informed, common cause failure (CCF), failure mode

NPIC&HMIT 2012, San Diego, CA, July 22-26, 2012 (p. 268)


1 INTRODUCTION

The instrumentation and control (I&C) system is one of the most important systems of a nuclear power plant (NPP). The I&C system collects and monitors instrument data and controls plant operations in compliance with the engineered safety and protection functions. As a technology well developed since the 1960s, nuclear power continues to improve its safety and economy, because a reactor holds a very large amount of radioactive nuclear fuel and has great engineering complexity. Following the changes in the global energy situation, nuclear power has become a necessary and dependable source, and China has decided to make nuclear power part of its energy solution. Safety is therefore addressed as the first priority and plays an important role in China's energy structure, environmental health protection, clean energy technology and the improvement of power generation technology.

Compared with other industries, the safety requirements of NPPs are quite different. As digital technologies have recently been introduced to nuclear power plants, plant safety and reliability have improved, but many issues related to the risk analysis of digitalized safety-critical systems in NPPs arise, such as software reliability issues. As a state-of-the-art technology, the digital I&C system should at least have the same safety and reliability capability as the analog system. The core issue of finding a proper quantitative method to estimate and evaluate safety and reliability has become a worldwide issue as the failure modes of both hardware and software are discovered. This issue is much tougher when multiple plant systems are all designed around software-based digital systems, combining the statistical evaluation of computer fault data with the estimation and verification of common cause failure.

Various safety analysis methods have been created for NPPs in the past. The accepted solution is Probabilistic Safety Assessment (PSA), which uses probability and statistical methods to quantitatively analyze and estimate the possibility of the NPP's design basis accidents (DBA) and their related consequences. It is also a method approved by the U.S. Nuclear Regulatory Commission (NRC) that has already been used for NPP licensing. Therefore, the NRC and industry all hope that a reasonable PSA solution can be used for current and future NPP digital I&C system reviews and licensing to help decision making. But the difficulties are that a viable regulatory guide has not yet been issued by the NRC, and the recommended version based on the current digital I&C system PSA method is also not widely accepted by the NPP industry. This risk-informed method defines a process that gives a mathematical analysis and numerical results for the risk variation of NPP design changes.

All countries that have nuclear power plants are self-checking the safety condition under post-accident scenarios after Japan's Fukushima accident, the biggest nuclear accident in nuclear history. As a key research and design institute in China, Shanghai Nuclear Engineering Research and Design Institute (SNERDI) has carried out PSA studies for many NPPs, and is now focusing on research into risk assessment methods that apply PSA modeling to digital I&C systems, in support of risk-informed regulatory activities and licensing applications, and also on research into risk-informed digital I&C system design methods for NPPs, such as system structure design and hardware and software reliability analysis.

This paper presents the research progress on digital I&C system risk assessment and discusses some key points and challenging issues of risk-informed digital I&C system design. Insights into digital I&C system risk assessment are provided. A survey of research on digital system failure modes, causes of failure, risk assessment and safety analysis is introduced. Furthermore, some key points and challenging issues of risk-informed digital I&C system design are addressed. Further investigation is still needed to facilitate digital system reviews being performed in a risk-informed manner in China's NPPs.


2 ANALYSIS OF THE CURRENT STATE OF RESEARCH

2.1 Digital I&C Key Technology Research of NRC

To regulate the application of digital I&C technology, and to improve the development and application of digital I&C systems in nuclear power plants while ensuring safe and economical operation, the U.S., France and other countries have all established their own sets of applicable design and verification laws, guides and standards. The publication and implementation of these new laws and standards, together with the Utility Requirements Document (URD) of the USA and the European Utility Requirements (EUR) of Europe, regulate the requirements and directions of design, production and review. Led by the USA, the NRC's research into identifying and studying the key issues of digital I&C applications in NPPs usually gives forward-looking and valuable references for the study of key technologies of digital I&C systems.

In January 2007, the U.S. Nuclear Regulatory Commission (NRC) established a digital instrumentation and control (I&C) steering committee to provide management and guidance focused on NRC regulatory activities, key industry issues and the resolution of technical challenges. After a series of discussions, the NRC identified seven topics and formed a task working group responsible for each topic, as needed, to develop seven Interim Staff Guidance (ISG) documents for the review of digital I&C technology for new reactors, operating reactors and fuel cycle facilities. These seven ISGs cover Cyber Security, Diversity and Defense-in-Depth, Risk-Informed Digital I&C, Highly-Integrated Control Room Communications, Highly-Integrated Control Room Human Factors, Licensing Process Issues, and Fuel Cycle Facilities. They provide a viable solution and related standards, and will be continuously revised with better solutions and technologies.

2.2 PSA/PRA Research

2.2.1 History of PSA

Current operating plants and new reactors mostly use deterministic methodologies for the safety evaluation of digital I&C systems, which ensure that the processes of digital I&C development, test, deployment and maintenance manage system failure. Different from these, DI&C-ISG-03 [3] is guidance based on production and development which provides a design that can enhance the diversity and quality assurance of hardware and software in order to prevent system failures and common cause failures. The ISG-03 guidance falls within the NRC's defense-in-depth and diversity regulatory guides: it identifies the weak key points that cause safety failures and then implements multiple solutions aimed at these points. But fully complying with ISG-03 needs extra cost and manpower to determine the sufficiency of diversity and defense-in-depth.

In the 1960s, following deeper development of knowledge of dependability, risk assessment and probability, nuclear power plants started to use a comprehensive and objective technique for safety assessment, the probabilistic safety assessment (PSA). PSA, also called probabilistic risk analysis (PRA), is a method that quantitatively and qualitatively analyzes the NPP risk related to plant operation and maintenance activities. The PSA analysis estimates numerical probability values based on the initiating event frequencies under pre-defined scenarios. According to the IAEA, the PSA method provides an integrated, standardized solution to predict the situations of an NPP failure in a design basis accident scenario, and furthermore gives a calculated result for the risk to plant operating staff and the public when an accident happens at an NPP. In more detail, the data analyzed by PSA includes much information about the NPP, such as initiating event frequencies, NPP design characteristics, experience and historical records of plant operations, equipment reliability data, general human errors, effects of radioactive material released from the plant to the public environment, and more factors which were not fully considered by other methods.


In 1995, the U.S. Nuclear Regulatory Commission (NRC) issued the Probabilistic Risk Assessment (PRA) Policy Statement, which encourages the increased use of PRA and associated analyses in all regulatory matters to the extent supported by the state of the art in PRA and the data. This policy applies, in part, to the review of digital systems, which offer the potential to improve nuclear power plant safety and reliability through such features as increased hardware reliability and stability and improved failure detection capability.

However, there are presently no universally accepted methods for modeling digital systems in current-generation nuclear power plant PRAs. Further, there are ongoing debates in the PRA technical community regarding the level of detail that any digital system reliability model should have in order to adequately model the complex system interactions that can contribute to digital system failure modes. Moreover, for PRA modeling of digital reactor protection and control systems, direct interactions between system components and indirect interactions through controlled/supervised plant processes may necessitate the use of dynamic PRA methodologies.

In response to the Commission's PRA policy statement, the NRC has developed the related regulatory guides (RG 1.174, 1.175, 1.176 and 1.177) and Chapter 19 of the safety review plan (SRP). They cover four areas of risk-informed decision-making in PSA applications: general guidance, inservice testing, graded quality assurance, and technical specifications. The purpose of this set of guidance is to describe a solution that reduces unnecessarily conservative management which has no effect on safety. All these efforts put the PSA solution on the track of developing nuclear plant I&C system reliability analysis, as the safety concerns of digital systems become more and more significant to overall plant safety.

2.2.2 NRC's PSA Research

Task working group (TWG) 3 of the U.S. NRC digital I&C steering committee was formed in 2007. Its primary responsibility is to process and resolve the issues related to the risk-informed assessment of digital I&C systems, as claimed by the NRC's PRA policy statement that the technology it supports is the state of the art in digital systems. It is also a complement to deterministic methodologies and traditional defense-in-depth.

Task working group 3 is addressing the following key problems:

PROBLEM 1: Modeling Digital Systems in PRA: Existing guidance does not provide sufficient clarity on how to use current methods to properly model digital systems in PRAs for design certification applications or license applications (COL) under Part 52. The issue includes addressing common-cause failure modeling and uncertainty analysis associated with digital systems.

PROBLEM 2: Risk Insights: Using current methods for PRAs, the NRC has not determined how or if risk insights can be used to assist in the resolution of specific key digital system issues.

PROBLEM 3: State-of-the-Art: An acceptable state-of-the-art method for detailed modeling of digital systems has not been established. An advancement in the state of the art is needed to permit a comprehensive risk-informed decision making framework in licensing reviews of digital systems. [9]

After listing the above three problems, task working group 3 contributed its work to finding an acceptable solution. The published NRC Interim Staff Guidance ISG-03 only describes a potential safety-related digital I&C system PRA method. The main purpose of the interim staff guidance is to provide a specific guide for NRC review staff to evaluate the technology of digital I&C PRA. ISG-03 is consistent with the newest NRC regulations, 10 CFR Part 52 for the risk-informed review of new reactors and the policy on the safety goal of PRA. There are no specific graded areas or technical acceptability criteria for the digital I&C system. Therefore, it cannot be used to support risk-informed decision-making.


NRC review staff consider that the time and basis for applying the risk-informed methodology were not mature. The traditional solution of using diversity, defense-in-depth and redundancy technologies is still working fine and only needs enhanced requirements to keep the deterministic method solving the issue of the uncertainty of the digital I&C system. The replacement by the new risk-informed decision-making technology in new reactor reviews has not yet happened. Thus, the long-term goal is for group 3 to produce a viable regulatory guide on risk insights and risk-informed review.

3 DIGITAL I&C SYSTEM RELIABILITY ANALYSIS TECHNOLOGY

Engineering reliability can give a plant engineer an understanding of the system condition when equipment and hardware are in failure situations. China has a national standard, GB 9225, the general principles for reliability analysis of nuclear power plant safety-related systems. It defines qualitative system reliability analysis as being used to estimate the possible paths by which the system could fail and the methods of preventing them, in order to reduce their frequency and consequences. The most common reliability techniques are Failure Mode and Effect Analysis (FMEA), Fault Tree Analysis, and the Markov analysis method. Because of the simplicity of FMEA and Fault Tree Analysis, which do not require advanced mathematical knowledge, this combination has been used in most cases of analysis for NPP licensing.

3.1 FMEA Technology

FMEA technology was first presented in the 1950s. It was used in the design analysis of the operating systems of U.S. fighter jets, and gained very good results. During system or equipment design, FMEA analyzes all potential failure modes and their effects on the functions of the product's component units. FMEA also classifies the modes by their effect level into different categories, with a prevention action for each, in order to improve the reliability of the system or equipment. There are two basic analysis methods, the hardware method and the function method, and for complex cases the two are very likely to be combined. The features of FMEA are:

- To ensure that all potential failures and their effects on the systems are considered and listed;
- To help select highly reliable and safe designs;
- To help prepare the test plan;
- To support quantitative reliability and availability analysis;
- To provide historical records for future local failure analysis and design change information.

3.2 Fault Tree Analysis Technology

Fault tree analysis is a method that connects graphical displays of the analyzed information on failure modes and results. The fault tree is a system failure model that organizes Boolean failure-logic diagrams representing the events that trigger a particular top event of the system. Its advantages are:

- A deductive method for looking for failure events;
- Intuitive and simple;
- A mathematical model that displays how the system failed;
- It is the most used method of reliability analysis;
- It can provide documentation consistent with the failure characteristics of the design.

3.3 Dynamic PSA

Dynamic methodologies are defined as those that explicitly account for the time element in probabilistic system evolution. Dynamic methodologies are usually needed when the system has more than one failure mode, control loops and/or hardware/process/software/human interaction. Typical dynamic PSA approaches include the Markov/CCMT approach, the dynamic flowgraph methodology (DFM), the dynamic event tree approach, and so on. Among these approaches, the Markov/CCMT approach is widely used, showing the condition changes of the system from the normal condition to failed conditions. This approach simulates reliability and safety with a graphical state diagram. The Markov/CCMT method can model all three of non-maintainable, partially maintainable and fully maintainable systems, or, as required, it can use multiple failure conditions to build the failure model.
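The Markov approach described above, as an added example that is not from the paper: a two-channel redundant I&C subsystem modelled as a continuous-time Markov chain and solved for the three maintenance cases the section names (non-maintainable, partially maintainable, fully maintainable). The channel failure rate lam, the repair rate mu and the three repair policies are assumptions made for illustration.

```python
"""
Continuous-time Markov model of a two-channel redundant digital I&C subsystem
(added example, not from the paper).  Channels fail independently with rate
lam and, where the maintenance policy allows, are repaired with rate mu.
States are indexed by the number of working channels:
  index 0 -> 2 working, index 1 -> 1 working, index 2 -> 0 working (system failed).

Maintenance policies, matching the three cases named in Section 3.3:
  "none"    - non-maintainable: no repair at all
  "partial" - partially maintainable: a failed channel is repaired while the
              other still works, but a fully failed system is not restored
  "full"    - fully maintainable: repair from every degraded state
The rates and policies are constructed for illustration only.
"""

FULL, DEGRADED, FAILED = 0, 1, 2


def generator(lam, mu, policy):
    """Generator matrix Q: q[i][j] is the transition rate from state i to state j."""
    if policy not in ("none", "partial", "full"):
        raise ValueError("unknown maintenance policy: %r" % (policy,))
    q = [[0.0] * 3 for _ in range(3)]
    q[FULL][DEGRADED] = 2.0 * lam      # either of the two working channels fails
    q[DEGRADED][FAILED] = lam          # the last working channel fails
    if policy in ("partial", "full"):
        q[DEGRADED][FULL] = mu         # repair the one failed channel
    if policy == "full":
        q[FAILED][DEGRADED] = mu       # restore one channel of a failed system
    for i in range(3):                 # each row of a generator sums to zero
        q[i][i] = -sum(q[i][j] for j in range(3) if j != i)
    return q


def _dp(p, q):
    """Kolmogorov forward equation dp/dt = p * Q for the row vector p."""
    return [sum(p[i] * q[i][j] for i in range(3)) for j in range(3)]


def state_probabilities(lam, mu, policy, t_end, dt=0.5):
    """Integrate the forward equation with classical RK4 from p(0) = (1, 0, 0)."""
    q = generator(lam, mu, policy)
    p = [1.0, 0.0, 0.0]
    for _ in range(int(round(t_end / dt))):
        k1 = _dp(p, q)
        k2 = _dp([p[i] + 0.5 * dt * k1[i] for i in range(3)], q)
        k3 = _dp([p[i] + 0.5 * dt * k2[i] for i in range(3)], q)
        k4 = _dp([p[i] + dt * k3[i] for i in range(3)], q)
        p = [p[i] + dt / 6.0 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i])
             for i in range(3)]
    return p


def system_failure_probability(lam, mu, policy, t_end):
    """Probability that both channels are down at t_end (the top event)."""
    return state_probabilities(lam, mu, policy, t_end)[FAILED]


def steady_state_unavailability_full_repair(lam, mu):
    """Closed-form long-run unavailability for the 'full' policy (balance equations),
    used to cross-check the numerical integration."""
    rho = lam / mu
    return 2.0 * rho ** 2 / (1.0 + 2.0 * rho + 2.0 * rho ** 2)


if __name__ == "__main__":
    LAM, MU, MISSION = 1.0e-3, 1.0e-1, 1000.0   # per hour, per hour, hours (constructed)
    for policy in ("none", "partial", "full"):
        print("%-8s P(system failed at %.0f h) = %.3e"
              % (policy, MISSION, system_failure_probability(LAM, MU, policy, MISSION)))
```

With no repair the failure probability is the familiar (1 - e^(-lam t))^2 of two independent channels; adding repair from the degraded state, and then from the failed state, lowers it by orders of magnitude, which is the kind of maintenance-dependent behaviour a static fault tree cannot express.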

4 KEY ISSUES OF THE RESEARCH IN RISK-INFORMED DIGITAL I&C DESIGN

In China, PSA study of digital I&C systems in NPPs started only a short time ago, so the technology is still under research and development. Many potential problems have not been solved yet. Based on the current technology basis and engineering project requirements, this paper summarizes the following key issues and research points.

4.1 Modeling and Evaluation Method of Digital I&C

The NRC and the nuclear industry all hope to have risk-informed decision-making methods used to review digital I&C systems. According to the risk-informed guidance, the current simulation models of digital systems, common cause failure and its level of detail, reliability data, uncertainty, and the interface with other PSA portions still have only the Interim Staff Guidance or a limited version. The key issues during the modeling of a digital system may include the following problems that need to be addressed.

Preparing a complete logical identification of the specific event with a DFM deterministic model, as the pre-computation for the Markov/CCMT simulation, is the preliminary step of the dynamic PSA method. Figure 1 shows the process flow diagram for using both the DFM and Markov/CCMT methods [10]. To create a model with a high level of sensitivity and response to the time element in PSA analysis, the model should include the interactive relationships that affect the failure modes of the digital system. Additionally, the dynamic PSA analysis model requires all control initiation times, which are provided by other NPP simulation models. This changes the PSA analysis into a condition that is based on the probabilistic elements affecting the simulations. The result may decrease the independence and accuracy of the PSA model. Therefore, in order to have a better PSA model, the functions of the system components and the control/monitoring of the NPP process under different time-affected scenarios should be considered in the model, which necessarily increases the complexity of the model. Obviously, there is also another influence of the time element. The feedback of closed-loop control has significant time-factor effects. It makes a difference to the integrated component availability and self-test response time under various event/accident scenarios. Thus a control system with closed-loop control logic fits the dynamic PSA method better than a safety-related protection and monitoring system, because the PMS's control logic flow is a one-direction open loop.

There is a gap between the digital system reliability analysis and other monitoring and control systems. So once the PSA model does not include enough detail, the results would not be considered a strong reference for risk-informed decision-making. Which method is better or can be comprehensively accepted? What is the best balance of accuracy and complexity? These are always the challenging questions.

Figure 1 Flow diagram of using both DFM and Markov/CCMT

The conventional ET/FT method has been universally used to develop full-scope PSA models for nuclear power plants. In fact, the ET/FT method may yield satisfactory results for most systems which do not include dynamic interactions between the systems and plant physical processes, or between the components of the systems themselves [11]. For systems that include dynamic interactions (e.g. digital I&C systems), it may be acceptable that the systems are modeled by dynamic methodologies and the results are integrated into the conventional ET/FT model. However, the issues listed below need further research and improvement.

1) Compared with conventional methodologies, it is more difficult and time consuming for analysts to implement dynamic methodologies. Therefore, it is necessary to formulate guidance for identifying the scope and level of application of dynamic methodologies.

2) No single dynamic method can solve all the problems in the digital I&C system modeling process. Consequently, for those specific cases that are suitable for the use of dynamic methodologies, widely accepted criteria are needed to help determine which dynamic method is more applicable.

3) Technical standards are then required to be developed in order to standardize the implementation details.

4.2 Software Reliability Research

Knight and Leveson [8] demonstrated that it is not possible to change the probability of failure, no matter whether one uses a redundant software platform or designs a different type of software. Existing system operating experience has also proved that eliminating all potential failure modes in a complex digital system is not possible. There is always a chance of a system failing under off-design conditions, or in untested/unused environments. Thus we consider a system failure very likely to appear when these off-design conditions occur in a system with a very large number of NPP I&C input and output data. Since a digital I&C system including software is very unique when one tries to evaluate it, using cross-system data to estimate another system is a meaningless activity. Similarly, using the same set of statistical data in two different environments and conditions gives no acceptable prediction results.

A combined system of software and hardware will not gain more software failures when the hardware ages. If the failures were triggered by common causes integrated inside the system's software itself, redundant processing sub-systems would not prevent the failures from occurring. Thus, the general methods of designing a hardware system with redundant capability are not useful for software reliability improvement. The NRC document ISG-03 introduces that common cause failures of a digital I&C system may affect the system, communications, equipment and parts, and trains simultaneously. The effective solutions for software reliability improvement in this guidance are to increase the design quality of the software and of the digital system development process in order to prevent, avoid and contain the failure effects. Because these processes and methods have not been proved yet, establishing acceptable guidance for digital I&C systems needs to consider the overall system features.
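A worked fault tree for the point made in Section 3.2 and in the paragraph above (a software common cause failure defeats hardware redundancy), as an added example that is not from the paper: a k-out-of-n voting channel set whose channels share one software CCF basic event S, evaluated both deductively (minimal cut sets) and quantitatively (exact top-event probability). The per-channel hardware failure probability, the CCF probability and the voting configurations are constructed for illustration.

```python
"""
Fault tree for the 'failure to trip' top event of a k-out-of-n voting
reactor protection channel set (added example, not from the paper).
Each channel fails if its own hardware fails (independent basic events
H1..Hn) OR if a single software common cause failure S hits every channel
at once, because all channels run identical software.  Probabilities and
voting logic are constructed for illustration only.
"""
from itertools import product


def channel_failed(i, hw_failed, sw_ccf):
    """Channel i is lost by its own hardware failure or by the shared software CCF."""
    return hw_failed[i] or sw_ccf


def top_event(hw_failed, sw_ccf, n, k):
    """k-out-of-n voting: the trip is lost once fewer than k channels still work."""
    working = sum(1 for i in range(n) if not channel_failed(i, hw_failed, sw_ccf))
    return working < k


def _basic_event_states(n):
    """All 2^(n+1) combinations of (H1..Hn, S); the last element is the CCF event."""
    return product((False, True), repeat=n + 1)


def top_probability(q_hw, q_ccf, n, k):
    """Exact top-event probability by summing over every basic-event state
    (no rare-event approximation, so CCF/hardware overlaps are counted once)."""
    total = 0.0
    for bits in _basic_event_states(n):
        hw, sw = bits[:n], bits[n]
        if not top_event(hw, sw, n, k):
            continue
        p = q_ccf if sw else 1.0 - q_ccf
        for failed in hw:
            p *= q_hw if failed else 1.0 - q_hw
        total += p
    return total


def minimal_cut_sets(n, k):
    """Deductive step of FTA: smallest sets of basic events that alone cause the top event."""
    names = ["H%d" % (i + 1) for i in range(n)] + ["S"]
    cuts = [frozenset(names[i] for i, b in enumerate(bits) if b)
            for bits in _basic_event_states(n)
            if top_event(bits[:n], bits[n], n, k)]
    minimal = [c for c in cuts if not any(o < c for o in cuts)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def single_point_cut_sets(n, k):
    """Order-1 cut sets: events that defeat the redundancy on their own."""
    return [c for c in minimal_cut_sets(n, k) if len(c) == 1]


if __name__ == "__main__":
    Q_HW, Q_CCF = 1.0e-3, 1.0e-5   # constructed per-channel hardware and software CCF probabilities
    for n, k in ((1, 1), (2, 1), (4, 2)):
        print("%d-out-of-%d: P(top) = %.3e  minimal cut sets = %s"
              % (k, n, top_probability(Q_HW, Q_CCF, n, k),
                 [sorted(c) for c in minimal_cut_sets(n, k)]))
    # Going from 1 channel to 2oo4 voting shrinks the hardware term from 1e-3 to
    # about 4e-9, but {S} stays a single-point cut set and P(top) never drops below Q_CCF.
```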

4.3 PSA and Digital I&C Structures

The actual purpose of digital I&C system PSA modeling and evaluation is to provide support for I&C system safety and reliability insights. It guides the special design-change measures for variations of the I&C system which may affect the risk of the nuclear power plant; indeed, it guides digital I&C system design by using risk-informed decision-making. Figure 2 shows the risk-informed design process for digital I&C systems.

[Figure 2 diagram not reproduced in this transcript; the boxes are labelled: Probabilistic, Deterministic, Organization, Others, Regulatory issues, Usability, Risk assessment, Design basis and safety criteria, Regulation/standards/guidelines, Operational experience feedback, Defense-in-depth and diversity (D3), Safety margin, Probability goal, PSA qualitative assessment & scope, Management, Training & procedure, Security, Radiation level, Economic, Research application, Modification, Performance monitoring, Design complementation, Integrated decision-making, and Digital I&C system design.]

Figure 2. Risk-informed digital I&C system design process


Although risk-informed decision-making has not yet been applied to operating NPPs or newly built reactors, and the arguments about the significance of dynamic PSA for digital I&C systems are still going on, studying the risk-informed method based on ISG-03 is our future work; most importantly, it is to find out the grading and technical acceptability of the digital I&C systems of NPPs.

5 CONCLUSIONS

Because the software and hardware failure modes of the digital instrumentation and control system of a nuclear power plant are very complicated, how to use the PSA method to model and evaluate the failures has become the most challenging issue of the nuclear industry in recent years. Especially since the U.S. NRC published the Interim Staff Guidance introducing the new technology of the risk-informed decision-making method, it has become a highly focused research topic. After summarizing digital I&C system failure modes, failure causes, risk estimation and PSA modeling, and reliability evaluation, a few important risk-informed digital I&C system design issues have been addressed. This will lead digital I&C research in a direction and areas that will improve digital system design in China.

6 ACKNOWLEDGMENTS

This research is supported by SNPTC innovation project SNP-KJ-CX-2011-0006.

7 REFERENCES

1. NRC Policy Statement, Use of Probabilistic Risk Assessment Method in Nuclear Regulatory Activities, 60 Federal Register (FR) 42622, August 16, 1995.
2. DI&C-ISG-01, Interim Staff Guidance on Digital Instrumentation and Control Cyber Security, December 31, 2007.
3. DI&C-ISG-02, Interim Staff Guidance on Diversity and Defense-in-Depth Issues, September 26, 2007.
4. DI&C-ISG-03, Interim Staff Guidance on Review of New Reactor Digital Instrumentation and Control Probabilistic Risk Assessments, August 11, 2008.
5. DI&C-ISG-04, Interim Staff Guidance on Highly-Integrated Control Rooms Communications Issues (HICRc), September 28, 2007.
6. DI&C-ISG-05, Interim Staff Guidance on Highly-Integrated Control Rooms Human Factors Issues (HICR-HF), September 28, 2007.
7. Yongzhong Ren, Cuifang Wang, Key Points of Digital Technology in Nuclear Power Plant Safety System, Instrument Standardization & Metrology, May 2009.
8. John C. Knight and Nancy G. Leveson, An experimental evaluation of the assumption of independence in multi-version programming, IEEE Transactions on Software Engineering, SE-12(1):96-109, January 1996.
9. ML071900253, Project Plan Digital Instrumentation and Control, Approved by the Digital I&C Steering Committee, December 2007.
10. T. Aldemir, S. Guarro, D. Mandelli, Probabilistic risk assessment modeling of digital instrumentation and control systems using two dynamic methodologies, Elsevier, April 2010.
11. NUREG-6901, Current State of Reliability Modeling Methodologies for Digital Systems and Their Acceptance Criteria for Nuclear Power Plant Assessments, February 2006.
