FINDING THE BEST APPROACH FOR I&C MODELING IN THE PSA

H. BRUNELIERE, C. LEROY, L. MICHAUD
AREVA NP SAS, La Défense, France

N. SABRI
AREVA NP Inc, Marlborough, United States of America

P. OTTO
AREVA NP GmbH, Erlangen, Germany

Abstract

I&C systems are an important part of the design of nuclear power plants regarding their safe and reliable operation. This implies that proper I&C modeling in the Probabilistic Safety Assessment (PSA) is a key tool for the plant designer to ensure that the design meets the safety goals with high confidence and an adequate level of margin, taking into account that this shall be fulfilled during the whole life cycle of the facility. For example, the following objectives have to be taken into account when implementing I&C in the PSA. The PSA I&C model shall provide:
- A support to design in all design phases (including easy and comprehensive analysis of the minimal cutsets).
- A support to licensing by giving high confidence to the plant owner and the regulator in the modeling.
- The capacity to assess whether the final design meets the probabilistic objectives with a high level of confidence.
- An assessment that diversity of systems and components in the overall I&C architecture is sufficient from a probabilistic point of view.
- The mapping of the I&C component dependencies (including support systems).

In addition, the I&C model should be easy to update and suitable for Risk-Informed Applications and Risk Monitoring.

This paper explains:
1. How AREVA NP is using feedback from I&C modeling performed for the PSAs of the EPR reactors of Olkiluoto 3, Taishan 1&2 and US EPR in order to build a methodology for efficient I&C modeling during the different phases of a PSA, from conceptual design to detailed design.
2. How the different modeling assumptions are documented.
3. How hardware and software reliability data are substantiated.
4. How links can be made with specific detailed I&C system reliability analyses that can be performed apart from the PSA in order to justify that the modeling in the PSA is adequate.

1. INTRODUCTION

This paper aims at describing the methodology developed by AREVA for the modeling of probabilities of failure per demand of I&C functions in the PSAs of Nuclear Power Plants for which the I&C detailed design (allocation of functions in the units) is defined. It is applicable to new and existing plants.

Some I&C reliability analyses (fault trees modeling I&C in a dedicated model outside the PSA) can be performed in order to prove the fulfillment of objectives that are specific to I&C. They are not in the scope of this paper.

2. ELABORATION AND DOCUMENTATION OF THE METHODOLOGY

The methodology is based on:
- A comparison performed at the beginning of 2011 between I&C models in EPR PSAs (Olkiluoto 3, Taishan 1&2 and US EPR).
- Expert and engineering judgments based on these models, on detailed I&C reliability studies as well as on knowledge of the systems' behavior.
- Work between AREVA NP PSA teams (SAS, Inc and GmbH) during 2011, including four dedicated meetings (nine people involved, including the EPR I&C PSA practitioners) addressing all aspects of the comparison, explaining the background and assessing the best way to proceed.

The main conclusions of this work are given in the next paragraphs. In parallel, a methodology document has been written. It has been verified by all involved teams and includes:
- Results of the work.
- Bases for modeling assumptions and reliability data substantiation.
- Details for practical implementation. Some examples have already been performed and are included in the methodology.
- Modeling recommendations.

The methodology document has been written in such a way that it can be easily used in the frame of a project as part of the PSA documentation.

3. THE STRUCTURE OF A NUCLEAR POWER PLANT I&C ARCHITECTURE

The NPP I&C architecture is structured into four levels as described below:
- Level 0 (field equipment) is dedicated to the process interface and comprises instrumentation interfacing functions such as analog and logical sensors, or transducers, and interfacing functions acting on the process.
- Level 1 (automation) is made of the different I&C systems. I&C functions are distributed to the different I&C systems in accordance with their safety classification and associated requirements as well as seismic loading requirements. The I&C Level 1 is interfaced with the process via the I&C Level 0 and with the operators via the HMI.
- Level 2 (human machine interface) comprises all the Human Machine Interface I&C systems dedicated to the operation and the monitoring in all unit conditions (normal, incident, accident). Level 2 I&C is in charge of the direct interface with the plant operators.
- Level 3 (plant support I&C functions) gathers different kinds of I&C systems developed for the purpose of supporting, for instance, maintenance activities or plant information to external services. Level 3 I&C functions are not necessary to operate the unit, either in normal conditions or in post-accident conditions, but deal with plant management functions.

I&C Levels 0, 1 and 2 are modeled in the PSA as explained in the following sections. I&C Level 3 systems are not required for the PSA modeling since plant safety and plant operation do not rely on them and they are not credited in the global safety demonstration.

4. IMPLEMENTATION OF THE I&C SIGNALS IN THE PSA

The I&C systems are composed of several elementary I&C functions, also called channels, each one being represented by a specific fault tree (and sometimes sub-fault trees) in the PSA. Each single function is composed of two main parts:
- The instrumentation part
- The processing part

4.1. Instrumentation Part

This part corresponds to the sensors (i.e. the measuring cell module) used as input to the I&C functions, and to their related conditioning (the electronic converter and the transmission connector technology). Figure 1 presents a general overview of the instrumentation part, including the sensors and their related conditioning. The conditioning parts are made of combinations of modules.

Figure 1: Instrumentation part overview

4.2. Processing Part

The processing part corresponds to the processing functions implemented in the Level 1 I&C systems. These functions receive and process (calculations, thresholds, voting logic, etc.) the signal(s) coming from the instrumentation part. For a given I&C function, the processing part, as modeled in the PSA, includes:
- A part specific to each single I&C function, which models all the units that are especially used by the concerned function, and the combination of these units: this is the so-called specific processing part.
- A part common to all the functions processed in the same I&C platform, which particularly represents the common cause failures that may be introduced by use of the same platform.

5. MODELING OF THE INSTRUMENTATION PART

5.1. Structure of the Modeling

Sensors required for the elaboration of each I&C signal are individually modeled, as well as their related conditioning. In terms of modeling this means that each sensor required by an I&C function modeled in the PSA is represented by one event. In the case of sensors that would be numerous, composite events are modeled ("composite" means that the voting logic is included in the calculation of the group of redundant sensors). Additionally, each conditioning part (there is one conditioning part per sensor) is represented by a single event. Therefore, each instrumentation part is modeled by an OR gate between two events: one event modeling the sensor, and the second event modeling the corresponding conditioning part (see Figure 2).

Figure 2: Modeling of the instrumentation part (OR gate "Failure of the instrumentation part" with inputs "Failure of the sensor XXX", event XXX, and "Failure of the conditioning module YYY", event XXX_COND)

Besides, when redundant sensors are required for the elaboration of the signal, a logic gate is modeled in the PSA in order to represent the failure criterion of the voting logic between these instruments. The following table lists some examples:

Table 1: Correspondence between voting logic and logic gate used in the PSA model

Voting logic   Number of sensors   Logic gate used in the PSA (failure criterion)
2/4            4 sensors           3
2/3            3 sensors           2
2/2            2 sensors           OR
1/2            2 sensors           AND
1/1            1 sensor            OR

Degradation of voting logics is conservatively not considered in the PSA modeling, as it would make it more complex and as detailed I&C reliability studies performed by AREVA NP show that the conservatism is negligible.
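As an added illustration (not part of the paper), a short Python model of the Table 1 correspondence and of the probability of failure per demand of a voted signal built from sensor-OR-conditioning parts; the unavailability values passed in are constructed, and CCF between redundant sensors is left out because Section 5.2 treats it with separate events.

```python
"""Added example (not from the paper): the Table 1 correspondence between a
k/N success voting logic and the failure criterion gate used in the PSA, plus the
probability of failure per demand of a voted signal built as Section 5.1 describes
(sensor OR conditioning, then a failure gate). Unavailabilities are constructed inputs."""
from math import comb


def failure_criterion(voting: str) -> int:
    """Failed channels that make a k/N voting logic fail: N - k + 1.

    Table 1: 2/4 -> 3, 2/3 -> 2, 2/2 -> 1 (OR), 1/2 -> 2 (AND), 1/1 -> 1 (OR).
    """
    k, n = (int(x) for x in voting.split("/"))
    if not 1 <= k <= n:
        raise ValueError(f"invalid voting logic {voting!r}")
    return n - k + 1


def psa_gate(voting: str) -> str:
    """Gate used in the PSA model for the failure criterion, as in Table 1."""
    n = int(voting.split("/")[1])
    m = failure_criterion(voting)
    if m == 1:
        return "OR"          # any single failure loses the signal
    if m == n:
        return "AND"         # all channels must fail
    return f"{m}/{n}"        # m-out-of-N failure gate (e.g. 3/4 for a 2/4 logic)


def instrumentation_part_unavailability(q_sensor: float, q_cond: float) -> float:
    """Figure 2: OR gate between the sensor event and its conditioning event."""
    return 1.0 - (1.0 - q_sensor) * (1.0 - q_cond)


def voted_signal_unavailability(voting: str, q_sensor: float, q_cond: float) -> float:
    """Exact probability that at least N-k+1 of N independent, identical
    instrumentation parts are failed (binomial sum). CCF between redundant
    sensors is not included here; Section 5.2 models it as separate events."""
    n = int(voting.split("/")[1])
    m = failure_criterion(voting)
    q = instrumentation_part_unavailability(q_sensor, q_cond)
    return sum(comb(n, j) * q**j * (1 - q) ** (n - j) for j in range(m, n + 1))


if __name__ == "__main__":
    for logic in ("2/4", "2/3", "2/2", "1/2", "1/1"):
        print(logic, psa_gate(logic), voted_signal_unavailability(logic, 5e-3, 5e-3))
```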

5.2. Reliability Data

Sensor and conditioning module unavailability values are calculated based on:
- The hourly failure rate of sensors.
- The efficiency of the internal self-tests.
- The time interval between periodic tests.
- The Mean Time To Repair (MTTR) of the component.

Common Cause Failures

Common cause failures are applied for:
- Sensors
- Conditioning modules, on a case by case basis

CCFs on the sensors are introduced in the PSA model when they can affect a group of redundant sensors for which diversity is not proven. It is noteworthy that the Risk Spectrum software is not able to model all combinations in the case of CCF groups that include more than four components. The table presented below summarizes what is taken into account by Risk Spectrum when calculating CCF groups.

Table 2: Combinations of failures considered by Risk Spectrum for a given size of CCF group

Number of redundant sensors   Combinations of failures considered by the model
2                             2 failures
3                             2 or 3 failures
N (with N ≥ 4)                2, 3 or N failures

Consequently, for large groups of redundant sensors, additional events need to be modeled in order to consider all the relevant combinations of failures. For example, to model a group of 16 redundant sensors, shared out as 4 sensors per train, as is the case for steam generator level sensors, the chosen solution is the following one:
- 4 CCF groups of 4 sensors (using the Risk Spectrum CCF groups),
- 1 CCF event modeling the loss of all 16 redundant sensors.

6. MODELING OF THE PROCESSING PART

6.1. Principle

The elementary components used for the modeling of I&C processing parts are the single processing units. Based on analyses of I&C systems, specific reliability values are determined for each unit. In this part, a typical example of I&C design with a Reactor Protection System and a Diversified Automation System is considered.

6.2. Modeling of the Reactor Protection System (example of a TELEPERM XS platform)

Hardware Failures

Elementary events used for the modeling of TELEPERM XS functions represent the elementary TELEPERM XS units. The latter are composed of TELEPERM XS components and consist of:
- One or more TELEPERM XS sub racks for mounting the TELEPERM XS modules.
- One or more TELEPERM XS processing modules.
- Some TELEPERM XS I/O modules.
- Some TELEPERM XS communication modules.

Reliability Data Used for the TELEPERM XS Units

Unavailability data assigned to the TELEPERM XS units come from combinations of:
- Reliability data (failure rates for each failure mode), assessed in detail in TELEPERM XS module FMEAs.
- Periodic test frequencies and Mean Times To Repair.

CCF between TELEPERM XS Units

CCFs are considered between TELEPERM XS units that perform redundant processing. Based on this general rule, a generic approach depending on the structure of the I&C system and using cutset analysis is defined for the elaboration of CCF groups. This approach is refined project by project.

Software Failures

For every TELEPERM XS signal required in the PSA, a basic event "TELEPERM XS platform software failure mode" is modeled in the fault tree corresponding to the signal. This basic event allows for:
- CCF due to errors in the operating software and data exchanges on the network.
- Internal common points in the software (data buses, communication protocols common to all boards, etc.).

Values are currently based on expert judgment. Some internal projects involving I&C and PSA experts are in progress in order to estimate this value more precisely depending on the application.

Example

Figure 3 shows an example of a fault tree for the modeling of a Reactor Protection System function. ALUB1_DIV1 and ALUB2_DIV1 are two TELEPERM XS units that can both actuate SIS (Safety Injection System) Train 1. They both perform a 2 out of 4 voting logic between input signals coming from acquisition units. The signal is then lost in case of:
- Failures of both ALUB1_DIV1 and ALUB2_DIV1 units.
- Failures of at least three signals coming from acquisition units.
- Failure of the whole TELEPERM XS platform due to a common cause.
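To make the cutset reading concrete, here is an added Python example (not from the paper) that encodes the fault tree just described using the event names of Figure 3, extracts its minimal cut sets by exhaustive enumeration, and computes the exact top-event probability; the unavailability values used are constructed samples, not AREVA data.

```python
"""Added example (not from the paper): minimal cut sets and exact top-event
probability of the Figure 3 fault tree (failure of SIS actuation train 1).
Event names follow the figure; the unavailability values are constructed samples."""
from itertools import product
from math import prod

# Basic events are strings; gates are ("OR"|"AND", children) or ("KOFN", k, children),
# a k-out-of-N failure gate that is failed once at least k of its inputs are failed.
ACQ = ["SIS_DPSAT_AC_TR1_1", "SIS_DPSAT_AC_TR1_2",
       "SIS_DPSAT_AC_TR1_3", "SIS_DPSAT_AC_TR1_4"]
SIS_DPSAT_TRAIN1 = ("OR", [
    ("AND", ["ALUB1_DIV1", "ALUB2_DIV1"]),  # specific processing part, ALU division 1
    ("KOFN", 3, ACQ),                        # 2/4 voting: signal lost after 3 failures
    "CCF_TXS",                               # non-specific part: whole TXS platform CCF
])

def evaluate(node, failed):
    """True when the gate or basic event is failed for the given set of failed events."""
    if isinstance(node, str):
        return node in failed
    votes = [evaluate(c, failed) for c in node[-1]]
    if node[0] == "OR":
        return any(votes)
    if node[0] == "AND":
        return all(votes)
    return sum(votes) >= node[1]  # KOFN

def basic_events(node):
    return {node} if isinstance(node, str) else set().union(*map(basic_events, node[-1]))

def failed_states(tree):
    """Every combination of failed basic events that fails the top event
    (exhaustive 2**n enumeration, fine for a tree of this size)."""
    events = sorted(basic_events(tree))
    for bits in product((0, 1), repeat=len(events)):
        failed = frozenset(e for e, f in zip(events, bits) if f)
        if evaluate(tree, failed):
            yield failed

def minimal_cut_sets(tree):
    """Failing combinations with no failing proper subset: the cutsets an analyst reviews."""
    cuts = list(failed_states(tree))
    return sorted((c for c in cuts if not any(o < c for o in cuts)),
                  key=lambda c: (len(c), sorted(c)))

def top_probability(tree, q):
    """Exact top-event probability for independent basic events with unavailability q[e]."""
    events = basic_events(tree)
    return sum(prod(q[e] if e in failed else 1 - q[e] for e in events)
               for failed in failed_states(tree))
```

Running `minimal_cut_sets(SIS_DPSAT_TRAIN1)` returns the six cutsets the text lists: the platform CCF alone, the pair of ALU units, and the four triples of acquisition divisions.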

This leads to the following fault tree to model the probability of failure per demand of actuation of SIS (Safety Injection System) Train 1:

Figure 3: Example of Reactor Protection System fault tree (top event "Failure of SIS actuation train 1 on low delta P sat", SIS_DPSAT_TRAIN1; gate "failure of acquisition part (APU + sensors)" with inputs SIS_DPSAT_AC_TR1_1 to SIS_DPSAT_AC_TR1_4, the failures of acquisition divisions 1 to 4; gate "Failure of ALU division 1 processing part" with inputs ALUB1_DIV1 and ALUB2_DIV1; gate "Failure of non-specific processing" with input CCF_TXS, "Failure of the whole TXS platform")

6.3. Modeling of the Diversified Automation System (DAS)

Hardware Failures

The level of detail of the modeling for a digital system used for diversification of the Reactor Protection System is similar. This system is assumed to be made of units in a hot / standby configuration. The chosen modeling considers one single event per couple of master / slave units. Indeed, the undetected failure of the master unit has proven to be the most frequent failure mode and is conservatively considered as preventing the switchover to the redundant slave unit. Other failure modes are then not modeled explicitly in the PSA. Elementary events used for the modeling of DAS functions represent the elementary units. The latter consist of:
- Sub racks
- Processing modules
- I/O modules
- Communication modules
- Networks

Reliability Data used for DAS

Unavailability data are based on analyses performed by the manufacturer.

CCF between Units

CCFs are considered between the master units that perform redundant processing. Based on this general rule, a generic approach depending on the structure of the I&C system and using cutset analysis is defined for the elaboration of CCF groups. This approach is refined project by project.

For every DAS signal required in the PSA, a basic event "DAS platform common cause failure mode" is modeled in the fault tree corresponding to the signal. This basic event allows for:
- CCF due to errors in the operating software and data exchanges on the network.
- Internal common points in the hardware or software (data buses, communication protocols common to all boards, etc.).
- CCF due to use of the same platform (design, manufacturing, etc.).

7. SUPPORT SYSTEMS

Each I&C component (sensor, unit, etc.) is linked to its support systems in the PSA model. This means that the event modeling an I&C component shall be replaced, for instance, by a transfer to a fault tree including both the event modeling the I&C component and a transfer to the component's power supply busbar.

8. CONCLUSION

This paper has described the methodology developed by AREVA NP for the modeling of probabilities of failure per demand of I&C functions in the PSAs of Nuclear Power Plants for which the I&C detailed design (allocation of functions in the units) is clearly defined. It is applicable to new and existing plants.

Sensors required for the elaboration of each I&C signal are individually modeled, as well as their related conditioning part. Common cause failures are applied for sensors as well as for conditioning modules on a case by case basis.

The elementary components used for the modeling of I&C processing parts are the single processing units. CCFs for the processing parts are modeled at the functional level as well as at the platform level. The principle of the method (except the need for modeling software failures) remains applicable to analog platforms.

This methodology, based on a comparison performed at the beginning of 2011 between I&C models in EPR PSAs and on harmonization work between AREVA NP PSA teams in 2011, has many advantages:
- The links between I&C and support systems are easy to implement in the model.
- The hazard analyses integrate I&C.
- A detailed modeling of units allows the detection of asymmetries or imbalances in the I&C design (inadequate allocation of signals in the processing units).
- This modeling is easily understandable with respect to the PSA cutset analysis.
- The I&C architecture is accurately represented in the PSA.