Sensitivity Analysis of Digital I&C Modules in Protection and Safety Systems

This research examines the sensitivity of digital Instrumentation and Control (I&C) components and modules used in the regulating and protection system architectures of the nuclear industry. Fault Tree Analysis (FTA) was performed for four configurations of RPS channel architecture. The channel unavailability was calculated using AIMS-PSA and comes out to 4.517E-03, 2.551E-03, 2.246E-03 and 2.7613E-04 for architecture configurations I, II, III and IV respectively. It is observed that unavailability decreases by 43.5% and 50.4% when partial redundancy is inserted, whereas the maximum reduction of 93.9% in unavailability occurs when double redundancy is inserted in the architecture. Coincidence module output failure and bi-stable output failure are identified as sensitive failures by Risk Reduction Worth (RRW) and Fussell-Vesely (FV) importance. RRW highlights that the risk from coincidence processor output failure can be reduced 48.83-fold, and FV indicates that BP output is sensitive at 0.9796 (on a scale of 1).


Introduction
The nuclear industry has many applications: power generation, water desalination, thermal heat sources, testing, well logging, food sterilization and preservation, material research and education. It is therefore essential that all these applications are carried out safely and securely in order to protect the public, the environment and operating staff from the harmful effects of radiation. Reliability and safety of the components and systems used in this industry have become a high-level objective of prime importance. Commercial nuclear power plants and research reactors can be categorized broadly under the umbrella of the nuclear industry. The further discussion in this article will be focused on research reactors.
The primary objectives of research reactors are education, research and analysis, so they are generally designed in the range of several kilowatts to a few megawatts. According to IAEA TECDOC-1234, research reactors with a 0.250-2.0 MW power rating or a flux of 2.5 × 10^11 to 10 × 10^11 n/cm²·s are termed low power reactors, whereas research reactors with a 2-10 MW power rating or a flux of 0.1 × 10^13 to 10 × 10^13 n/cm²·s are considered medium to high power research reactors [1]. Instrumentation & Control (I&C) systems used in early designs of research reactors were analogue, whereas recent ones are either designed with digital I&C or are being replaced with it. A novel kind of issue has been observed with the use of digital I&C that was not relevant in the analogue case. The salient issues are (1) the weakness of digital systems to Common Cause Failure (CCF), (2) threats to cyber security and inter-channel communication, (3) the need for a highly integrated control room and (4) the difficulty of assessing digital I&C reliability [2].
The research objective of this article is the sensitivity analysis of I&C components and modules in an Instrumentation and Control (I&C) architecture. To achieve this objective, a preventive maintenance optimization process was developed to reduce unavailability, different architecture configurations were formulated, and their fault trees were developed using AIMS-PSA to estimate the unavailability. The failure combinations, or Minimal Cut Sets (MCS), related to the Bi-stable Processor (BP) and Coincidence Processor (CP) are monitored and their risk importance measures are estimated in this study. The current article presents the analysis of four architectures.

Literature Review
Safety analysis of nuclear facilities, especially research reactors and power plants, can be divided into two categories, viz. Deterministic Safety Analysis (DSA) and Probabilistic Safety Assessment (PSA). Regulatory bodies and operating organizations in nuclear operating nations have to perform both of these analyses. The IAEA plays a key and leading role in these areas, especially PSA. IAEA experts evaluated reliability data sources [3] and analysed and compiled component reliability data for PSA [4]. The United States Nuclear Regulatory Commission (USNRC) has performed many studies in the field of PSA. The USNRC performed a reactor safety study jointly with educational institutes in 1975 [5] and published a detailed PSA procedure guide in 1983 [6]. USNRC consultants are working in the area of digital I&C systems [7] and on industry-averaged failure data analysis based on the initiating events of PSA studies [8].
Research institutes and design companies are also focusing on PSA, as it can be used in risk-based design and operation. PSA has the ability to identify the importance of I&C systems in nuclear facilities based on risk. A risk-significance-driven sensitivity analysis of a reactor trip system subject to software-induced common cause failure was performed by Shahabeddin et al. [9]. M. Zubair et al. performed quantitative and qualitative analyses of safety parameters using an online risk monitor system (ORMS), which can check the availability of I&C systems and monitor them during a severe accident [10]. Human reliability analysis is an important constituent of PSA, and human error probabilities are highly contributing failures during operation and maintenance activities. Poong et al. attempted to introduce an advanced Man Machine Interface System (MMIS) which will reduce human error probability [11]. In this article, I&C component-based sensitivity analysis is performed for the first time; it is a novel concept to identify the risk-significant components instead of systems and to address them when designing the I&C architecture, which leads towards a risk-based design approach.

Analysis technique
Probabilistic Safety Assessment (PSA) is a systematic approach used in the nuclear, chemical and aviation industries to analyze system failure in terms of system unavailability and to predict failure scenarios. In PSA it is also important to identify the primary function of each component. In the nuclear industry, PSA is used to validate the design of a nuclear power plant against a set of Postulated Initiating Events (PIEs) [12]. The PSA analysis framework consists of Initiating Event Analysis, Accident Sequence Analysis, System Analysis, etc. Since this article is focused on the sensitivity analysis of a system, the Fault Tree Analysis (FTA) technique was chosen for system analysis. A fault tree is a good technique for the analysis of complex systems, as it yields cut sets showing the failure of components in combination. The tool used to perform Fault Tree Analysis is the AIMS-PSA package, developed by the Korea Atomic Energy Research Institute (KAERI). AIMS performs the analysis of risk models composed of event trees and fault trees, and is used in the risk evaluation of nuclear plant PSAs or the risk assessment of chemical plants.

System Configuration
Instrumentation and Control (I&C) systems are designed to control, protect and monitor the safe operation of commercial power plants and research reactors in order to maintain the safety functions: a) controlling the reactivity in the core, b) cooling the core to avoid Departure from Nucleate Boiling Ratio (DNBR) violation, and c) confining the radioactivity. The Reactor Control System is responsible for regulating the reactor power level using Control Rods (CRs) within the set margin of operation during normal operation. It performs the reactor control functions, including reactor start-up, changing power levels, and maintaining the power at the required level. The Reactor Protection System (RPS) is a scram system that initiates the reactor trip to protect the core by inserting shutdown control rods when an operating parameter exceeds its set point or an external hazard occurs. The monitoring system is responsible for monitoring the reactor parameters before and after a design basis accident.
The system of interest in this research is the reactor protection system, and from now on the architecture description will relate to the RPS. The architecture of the RPS consists of field sensors, Bi-stable Processors (BP), coincidence logic, and circuit breakers to release the control rods. The reactor protection system has inter-channel redundancy as well as intra-channel redundancy, and this redundancy varies from plant to plant based on design features. Usually the RPS consists of four channels with 2/4 trip logic in high power reactors, whereas three redundant and physically separated channels may work with 2/3 trip logic for small or low power reactors. Instead of the overall reactor protection system, only the architecture of a single channel is articulated, in four different configurations, to see the sensitivity effect.

Architecture Configuration-I
RPS single channel architecture configuration-I is shown in Figure 1. Configuration-I consists of a single bi-stable processor BP_A, a single coincidence processor CP_A and circuit breakers to trip with 2/3 logic. This configuration is very basic for a channel and has no inter-channel redundancy. Inter-channel redundancy means redundant modules within a channel, whereas intra-channel redundancy is based on the number of channels.

Architecture Configuration-II
In architecture configuration-II, redundancy is added in the bi-stable processors to evaluate the impact on a single channel. Configuration-II is depicted in Figure 2. RPS channel configuration-II consists of a pair of bi-stable processors BP_A1 & BP_A2, a coincidence processor CP_A and circuit breakers to trip with 2/3 logic.
Figure 2. RPS single channel architecture configuration-II

Architecture Configuration-III
In order to observe the sensitivity of the CP module on single channel failure, a redundant coincidence processor is added to the channel; configuration-III is given in Figure 3. RPS channel configuration-III consists of a bi-stable processor BP_A, a redundant pair of coincidence processors CP_A1 & CP_A2 and circuit breakers to trip with 2/3 logic. The architecture with inter-channel redundancy of both the BP and CP modules (configuration-IV) is shown in Figure 4.

Modelling and failure data
The function of each channel of the RPS is to initiate a signal if the digital input from the core protection calculator (CPC) and the analogue sensor input from the plant field exceed the set point parameters. The signal coming from the CPC or sensor is compared with the set point value in the bi-stable processor of each channel, and a trip signal and/or engineered safety initiation signals are generated. Failure of this function is modelled as the top gate failure in the fault tree. The interfaces of a single channel are with (1) other channels, (2) the engineered safety feature actuation system (ESFAS), (3) the testing module (TM), (4) control cabinets through network buses and (5) field sensors and digital inputs. The modelling of the TM module and the ESFAS module is ignored in this analysis.
Success Criteria: The channel is said to be successful if it generates 3/4 digital output signals from the CP. The time window used for quantification of running failures is 372 hours. It is based on the surveillance and testing period, which is assumed to be one month; half of it (T/2) is taken as the time window.
CCF Modelling: The beta factor failure model is used for circuit breaker common cause failure and for output signal failure of the coincidence processor modules. It inserts some conservatism in the result, which may be changed to the MGL or another model in future.
Failure Data: Generic and online available databases are used for this analysis, as shown in [15], IAEA TECDOC 504 [3] and failure data reports [16].

Risk Importance Measures
Risk importance analysis is a sensitivity study performed to find the impact of a single failure, or a combination of failures, of basic events on the overall failure of the system. Using importance measures,

Fussell-Vesely (FV) Importance
FV importance is a relative measure of the failure contribution of a basic event to the overall system failure. In simple terms, it is the percentage failure contribution of a basic event. In terms of minimal cut sets, FV is the ratio of the unavailability F_i(x) of the cut sets containing the ith basic event to the total unavailability of the system, as defined in equation (1).

$$\mathrm{FV}_i = \frac{F_i(x)}{F(x)} = \frac{\text{unavailability of cut sets with the } i\text{th basic event}}{\text{total system failure/unavailability}} \qquad (1)$$

FV is a direct indication of the unavailability of the component in the system analysis. The larger the FV importance, the more sensitive the component is to risk.

Risk Achievement Worth (RAW)
Risk Achievement Worth is defined as the factor by which the unavailability will increase if the failure of a component or basic event is certain. RAW helps to identify the most crucial and critical components or failure modes, which are significant with respect to risk.
where F(x) = total unavailability of the system, i.e. the summation of the unavailability of all cut sets, and F(1) = total unavailability with the basic event probability or cut set unavailability set equal to 1.0.

Risk Reduction Worth (RRW)
RRW measures the amount by which the total risk or unavailability will decrease if the failure of a basic event or Minimal Cut Set (MCS) is zero. RRW also helps to identify the critical components or failure modes; if these are successful, system reliability would increase. The mathematical form of RRW is given by equation (3).
where F(x) = total unavailability of the system, i.e. the summation of the unavailability of all cut sets, and F(0) = total unavailability with the basic event probability or cut set unavailability set equal to 0 (granted success).
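The three importance measures defined above, together with the beta-factor CCF split from the modelling section, worked through on a small constructed stand-in for configurations I and II. This is an added example, not the paper's failure data or AIMS-PSA output; the event names and probabilities are assumed placeholders.

```python
def cutset_unavailability(cutset, prob):
    """Unavailability of one minimal cut set: product of its basic events."""
    q = 1.0
    for event in cutset:
        q *= prob[event]
    return q

def system_unavailability(cutsets, prob):
    """Min-cut upper bound 1 - prod(1 - Q_i); close to the rare-event sum."""
    survive = 1.0
    for cs in cutsets:
        survive *= 1.0 - cutset_unavailability(cs, prob)
    return 1.0 - survive

def importance(cutsets, prob, event):
    """Fussell-Vesely, RAW and RRW of one basic event (eqs. 1-3 of the paper)."""
    f_x = system_unavailability(cutsets, prob)
    # FV numerator: unavailability from the cut sets that contain the event.
    f_i = system_unavailability([cs for cs in cutsets if event in cs], prob)
    f_one = system_unavailability(cutsets, {**prob, event: 1.0})   # failure certain
    f_zero = system_unavailability(cutsets, {**prob, event: 0.0})  # success granted
    return {"FV": f_i / f_x, "RAW": f_one / f_x, "RRW": f_x / f_zero}

def beta_factor_split(q_total, beta):
    """Beta-factor CCF model: a module's unavailability q splits into an
    independent part (1 - beta) * q and a common-cause part beta * q."""
    return (1.0 - beta) * q_total, beta * q_total

def reduction_percent(q_base, q_new):
    """Percentage decrease in unavailability between two configurations."""
    return 100.0 * (1.0 - q_new / q_base)

# Constructed placeholder data (not the paper's failure data).
# Configuration-I: single BP_A and CP_A; circuit-breaker CCF as one event.
PROB_I = {"BP_A_OUT": 1.0e-3, "CP_A_OUT": 2.0e-3, "CB_CCF": 1.0e-4}
CUTSETS_I = [["BP_A_OUT"], ["CP_A_OUT"], ["CB_CCF"]]

# Configuration-II: BP pair BP_A1/BP_A2; beta = 0.1 of BP failure is common cause.
BP_IND, BP_CCF = beta_factor_split(1.0e-3, 0.1)
PROB_II = {"BP_A1_OUT": BP_IND, "BP_A2_OUT": BP_IND, "BP_CCF": BP_CCF,
           "CP_A_OUT": 2.0e-3, "CB_CCF": 1.0e-4}
CUTSETS_II = [["BP_A1_OUT", "BP_A2_OUT"], ["BP_CCF"], ["CP_A_OUT"], ["CB_CCF"]]

if __name__ == "__main__":
    q1 = system_unavailability(CUTSETS_I, PROB_I)
    q2 = system_unavailability(CUTSETS_II, PROB_II)
    print(f"Q(I)={q1:.4e}  Q(II)={q2:.4e}  reduction={reduction_percent(q1, q2):.1f}%")
    for ev in ("BP_A_OUT", "CP_A_OUT", "CB_CCF"):
        print(ev, {k: round(v, 4) for k, v in importance(CUTSETS_I, PROB_I, ev).items()})
```

With these placeholders, adding the redundant BP pair lowers the channel unavailability by about 29%, but the single-event cut set BP_CCF now dominates the BP contribution, which is the common-cause effect the paper reports for its configurations.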

Results and Discussion
Fault Tree Analysis was performed for the four configurations of RPS channel architecture given in Fig. 1-4. The channel unavailability for each architecture, calculated using the AIMS-PSA package, is given in Table III: 4.517E-03, 2.551E-03, 2.246E-03 and 2.7613E-04 respectively. It can be observed that unavailability decreases by 43.5% and 50.4% when partial redundancy is inserted, whereas the maximum reduction of 93.9% happens when double redundancy is added in architecture configuration IV. The RRW and FV importance of the cut sets of all architecture configurations are plotted against the cut set numbers in Figure 5. The cut sets corresponding to the cut set numbers are given in Table V. It can be observed that the highest RRW is from cut set #5, which is of the order of 50, indicating that the risk will reduce by a factor of fifty if the CP output is reliable. In contrast to RRW, FV importance highlights cut set #4 (CS-4) as the sensitive failure, which is related to the output failure of the BP. Moreover, FV indicates that CS-2 to CS-4 have high importance. CS-2, CS-3 & CS-4 are related to BP failure modes, while CS-5 and CS-6 are CP failure modes.

Conclusion
The study was conducted to analyze the risk importance of the BP and CP modules and the failure modes related to them. It is found that output failure from the BP and CP modules is highly significant to risk. RRW highlights that the risk from coincidence processor output failure can be reduced 48.83-fold, and FV indicates that BP output is sensitive at 0.9796 (on a scale of 1).
To cope with this situation, if redundancy is added to these components, direct failures are reduced but the common cause failure mode becomes the prominent mode of failure, as highlighted by CS-1, CS-3, CS-7 and CS-9 of Table V. The study will be continued to analyze unavailability in future, with two additional factors, the cost and the safety category of components, added in order to find an optimized architecture for research reactors; remedies for these sensitive failures will also be sought.