Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique. The Ohio State University – Nuclear Engineering Program. Diego Mandelli, Master Thesis Defense.
Overview
• Introduction
• Objectives
• System description
• Markov/Cell-to-Cell Mapping Technique (CCMT)
• Failure Modes and Effect Analysis (FMEA)
• Finite State Machine modeling
• Markov Modeling
• Cell-To-Cell Mapping Technique
• Example Initiating Event (EIE)
• Conclusions
Introduction
Instrumentation and control systems (I&C) are widely used in nuclear power plants for:
• Monitoring
• Control
• Protection
Since the 1940s analog systems have accomplished these tasks satisfactorily; however, they suffer from:
• inaccurate design specifications
• susceptibility to certain environmental conditions
• effects of aging such as mechanical failures
• environmental degradation.
Introduction
Digital systems are essentially free of the drift that afflicts analog systems (they maintain their calibration better) and offer:
• Self testing
• Signal validation
• Process system diagnostics
• Fault tolerance
• Higher data handling
• Storage capabilities
Nuclear power plants are therefore replacing/upgrading obsolete I&Cs: a transition from analog to digital technology.
Introduction
Replacing a component with a new one affects the safety and the reliability of the overall system.
Considerations:
• Probabilistic Risk Assessment (PRA) is a commonly used tool to examine the safety and reliability of specific systems
• Conventional PRA tools are based on Fault Trees and Event Trees (FT and ET)
The starting point…. Are ET/FT able to model I&C?
What if we have the following:
• The presence of phenomena that dictate the system’s response (e.g. depending on thresholds of process variable values)
• The effect of process dynamics on the hardware component failure behavior
• Interactions between the controller’s components
• Multiple failure modes that affect the system response differently
In these cases the answer is NO.
The starting point…. What do we need?
A type of PRA that can also simulate both the controller and the process: a “Dynamic PRA”.
What are the goals?
• Show how it is possible to model digital I&C systems for PRA purposes using dynamic methodologies
• Show how the information coming from these methodologies can be fitted into existing PRA
Objectives
What did we choose to model digital I&Cs? The Markov/Cell-to-Cell Mapping Technique.
What are the requirements?
• dependence of the control action on system history,
• dependence of system failure modes on exact timing of failures,
• functional as well as intermittent failures,
• error detection capability,
• possible system recovery from failure modes
What will be the output?
• CDF of the Top Events
• Event sequences or Dynamic Event Trees (DET)
Event Trees and Dynamic Event Trees. Simple Event Tree [figure]: initiating event Large LOCA; top events Reactor Trip and ECCS, each branching into Success/Failure; end state Core damage: No on the success path, Yes on the failure paths.
Event Trees and Dynamic Event Trees. Dynamic Event Tree [figure]: branching from the Initiating Event at t = 0 into Success / Failure 1 at t = Δt and Success / Failure 2 at t = 2·Δt, the failure branches ending in Failure State 1 and Failure State 2; each path is an Event Sequence along the time axis t.
Type I and II Interactions. The classical “Controller + Process” system [figure]: the Process feeds Sensor 1 … Sensor n, which feed Controller 1 and Controller 2, which drive Actuator 1, Actuator 2, Actuator 3, … back into the Process; Type I interactions are those between the controller and the process, Type II interactions those among the components inside the controller.
The Markov/CCMT methodology. Stochastic description of the system evolution:
• Dynamic interactions between physical process variables (e.g., temperature, pressure, etc.) and the I&C systems that monitor and manage the process
• Dynamic interactions within the I&C system itself due to the presence of software/firmware (e.g., multi-tasking and multiplexing)
An overview of the Markov/CCMT [flowchart]: System Description (Type I Interactions Analysis, Type II Interactions Analysis, FMEA, Control Laws: Simulink Model) → System Modeling (Finite State Machine Description) → Markov/CCMT Approach (CCMT, Markov modeling) → System Analysis.
System description [section slide repeating the Markov/CCMT overview flowchart]
System description: Digital Feedwater Control System (DFWCS)
Main Feedwater System Components:
• Main Feedwater Valve (MFV)
• Bypass Flow Valve (BFV)
• Feedwater Pump (FP)
The purpose is to maintain the water level inside each of the SGs optimally within ± 2 inches.
The controller is regarded as failed if the water level in a SG is:
• above 2.5 ft (+30 inches) → High Failure
• below 2 ft (-24 inches) → Low Failure
System description: Digital Feedwater Control System (DFWCS)
• 5 Pairs of sensors
• 2 Computers (MC, BC)
• MFV Controller
• BFV Controller
• FP Controller
• PDI Controller
System description: Operating modes
1. Low power automatic mode (Power < 15%): feedwater flow controlled by the BFV (MFV closed), FP at minimum speed
2. High power automatic mode (15% < Power < 100%): feedwater flow controlled by the MFV (BFV closed) and the FP
3. Automatic transfer from Low to High power mode
4. Automatic transfer from High to Low power mode
Control laws. The control logic and the control laws have been derived from the C++ code of the DFWCS of an existing plant.
Control laws. Control laws determine the feedwater flow demand, which is translated into position (MFV) and speed (FP) through look-up tables.
Control logic. The position and the speed of the actuated devices may depend on the status of the MC and BC. [figure: control logic tables for FP, MFV, BFV and PDI]
Control Laws [section slide repeating the Markov/CCMT overview flowchart]
Simulink model. The control logic and the control laws have been implemented in a Simulink model in order to tune and verify the control laws.
Simulink model: an example scenario. The control logic and the control laws have been implemented in a Simulink model in order to tune and verify the control laws. The scenario is a power transient from 70% to 72.5%, modeled through a sequence of finite ramps of 0.5% each.
The purposes were the following:
• Obtain a stable response of the controller
• Obtain a reasonable response of the actuated devices
Simulink model: an example scenario. Results: [figure]
Simulink model: an example scenario. MFV response: [figure]
Failure Modes and Effect Analysis [section slide repeating the Markov/CCMT overview flowchart]
FMEA and Finite State Machine
Failure Modes and Effect Analysis (FMEA): a tool to analyze the possible failure modes and their consequences on the dynamics of the system, covering for each failure:
• Failure type
• Detection of the failure
• Effect of the failure on the controller
• Effect on the process
Finite State Machine: a model of behavior composed of a finite number of states, transitions between these states, and actions:
• Transition Conditions
• Transition
• Actions
Computer FMEA
• Communications:
  • Input from sensors: loss of one or both inputs; sensor out of range or impossible rate of change
  • Output to the controllers: loss of output
• Loss of Power
• Internal Failures: roundoff/truncation/sampling rate errors; unable to meet needed response requirements; watchdog timer fails to activate; watchdog timer activates when computer has not failed; arbitrary value output
These define the intra-computer and computer-computer interactions.
Intra-Computer interactions
A. Operating: Computer is operating correctly.
B. Loss of One Input: Computer is operating correctly but data are not received from one of the two sensors (for each measured quantity).
C. Loss of Both Inputs: Computer is operating correctly but data are not received from both sensors (for each measured quantity).
D. Computer Down: Computer itself recognizes loss of input(s) or input(s) being out of range and takes itself down. The other computer takes control of the process automatically (if it is operating correctly).
E. Arbitrary output: Computer does not realize input(s) are out of range or that there is an error in processing data. Random data are generated.
Inter-Computer interactions
Two types of failure have been identified:
• Recoverable (e.g., Loss of input)
• Not recoverable (e.g., Watchdog timer fails to activate)
For this reason it is more convenient to talk about primary and secondary computer:
• Primary computer: computer sending output to the controllers
• Secondary computer: computer in stand-by
Inter-Computer interactions: 3 Macro States (MS) [figure: each macro state contains the intra-computer states A–E of the two computers]
1. Operating with 2 computers
2. Operating with 1 computer, possible recovery
3. Operating with 1 computer, no recovery
Controller FMEA. Define the Computer-Controller-Actuated Device interactions.
• Internal Failures: High Output; Low Output; Arbitrary Value Output
• Loss of Power
• Communications:
  • Input from computer (Loss of input): included in the Computer-Computer interactions
  • Output to the actuated Device: loss of output
• Error in the communications: computer erroneously reported failed; computer erroneously reported not failed; MFV, BFV, FP controllers do not agree from which computer to accept input.
Computer-Controller-Actuated device interaction [figure: controller output states Output Low, Output High, Arbitrary Output, Freeze, 0 vdc output, and the resulting Device Stuck state]
The Markov/CCMT Approach. Recall: a stochastic description of the system evolution is needed, but so far the system modeling step has given a deterministic description of the system. The Markov/CCMT approach converts the information contained in the system modeling step from a deterministic to a statistical viewpoint.
Cell-to-Cell Mapping Technique [section slide repeating the Markov/CCMT overview flowchart]
CCMT
• CCMT is a technique used to represent the dynamics of the system
• The state space (CVSS) is an n-dimensional space (one dimension for each internal variable)
• The CVSS is divided into cells V_j (this makes it possible to capture uncertainties and errors in the monitoring phase of the process)
• Setpoints must fall on the boundary of V_j and not within V_j
• Note: there is a coupling between the discretization of the CVSS and the time step (Δt) of the simulation
• Top Events (Fail High or Fail Low) are modeled as sink cells
CCMT. The goal is to determine the probability at time t of a transition from cell j’ to cell j given the component state combination n’: g(j|j’,n’,t). It depends on:
• the dynamic behavior of the system
• the control logic of the control system
• the hardware/firmware/software states
The algorithm [figure]: the points of cell j’ at t = k·Δt are carried by the system dynamics to the cells (j, j”) they occupy at t = (k+1)·Δt; the fraction landing in each cell gives g.
Markov modeling [section slide repeating the Markov/CCMT overview flowchart]
Markov modeling. Goal: determine a probabilistic model which can describe the evolution of all the components of the controller. Markov transition diagrams have been chosen. What is needed?
• a set of mutually exclusive and exhaustive states
• the probabilities of transitions between these states
The Markov transition diagrams have been deduced from the Finite State Machine description.
Markov modeling. For each component, a Markov transition diagram has been determined.
Markov modeling. The goal is to determine h(n|n’,j’→j) or h(n|n’,j’→j,k): the probability that the component state combination changes from n’ to n during a transition from cell j’ to cell j.
Note:
• failure rates may depend on process variables like temperature, pressure….
• failure rates may depend on time
System Analysis [section slide repeating the Markov/CCMT overview flowchart]
System Analysis
• Markov Modeling: h(n|n’,j’→j)
• CCMT: g(j|j’,n’,t)
Since these two transition probabilities are independent:
q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t)
System Analysis. Graphically [figure]: q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t) drawn on two axes, J (cells, j’ → j, the CCMT term g) and N (component state combinations, n’ → n, the Markov term h); q is the joint move from (n’, j’) to (n, j).
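A toy Markov/CCMT computation covering both the CCMT step (g) and the Markov step (h) above, as an added example that is not the thesis's code: a 1-D CVSS for the SG level deviation with the ± 2 in setpoint band and the -24/+30 in failure limits placed on cell boundaries, g(j|j',n') obtained by mapping sample points of each cell through the dynamics for one Δt, h(n|n') from constant failure rates, and q = h·g iterated to give the Top Event CDF. The level dynamics, failure rates and the three BFV controller states are assumptions, not the DFWCS model.

```python
import math
DT = 10.0                          # Δt [s], constructed
EDGES = [-24, -12, -2, 2, 12, 30]  # cell boundaries [inches]: setpoint band and failure limits
N_CELLS = len(EDGES) + 1           # sit on boundaries, never inside a cell (as the slides require)
FAIL_LOW, FAIL_HIGH = 0, N_CELLS - 1   # sink cells for the two Top Events
COMP = ["OK", "STUCK_OPEN", "ZERO_VDC"]   # BFV controller states (assumed, simplified)
RATES = {("OK", "STUCK_OPEN"): 1e-4, ("OK", "ZERO_VDC"): 2e-4}  # failure rates [1/s], constructed

def cell_of(level):
    """Index of the cell holding a level value; 0 and N_CELLS-1 are the sinks."""
    return sum(1 for e in EDGES if level >= e)

def level_after(level, comp):
    """Toy dynamics (assumed): OK pulls the level to setpoint, stuck-open raises it, 0 vdc lowers it."""
    if comp == "OK":
        return level * math.exp(-DT / 30.0)
    return level + (0.6 if comp == "STUCK_OPEN" else -0.6) * DT

def g(j, jp, n, samples=10):
    """CCMT: g(j|j',n') = fraction of sample points of cell j' carried into cell j during Δt."""
    if jp in (FAIL_LOW, FAIL_HIGH):               # sinks are absorbing
        return 1.0 if j == jp else 0.0
    lo, hi = EDGES[jp - 1], EDGES[jp]
    hits = sum(cell_of(level_after(lo + (hi - lo) * (i + 0.5) / samples, n)) == j
               for i in range(samples))
    return hits / samples

def h(n, np_):
    """Markov: h(n|n') for constant rates, no repair; here independent of j'→j, unlike the thesis."""
    out = sum(r for (src, _), r in RATES.items() if src == np_)
    if n == np_:
        return math.exp(-out * DT)
    return (1.0 - math.exp(-out * DT)) * RATES.get((np_, n), 0.0) / out if out else 0.0

def run(steps, start_cell=3):
    """Propagate p(n, j) with q = h(n|n') * g(j|j', n') from all mass in the setpoint band with
    an OK controller; returns cumulative (Fail Low, Fail High) probabilities after each step."""
    p = {(n, j): 0.0 for n in COMP for j in range(N_CELLS)}
    p[("OK", start_cell)] = 1.0
    cdf = []
    for _ in range(steps):
        new = {k: 0.0 for k in p}
        for (np_, jp), mass in p.items():
            for n in COMP:
                for j in range(N_CELLS):
                    new[(n, j)] += h(n, np_) * g(j, jp, np_) * mass
        p = new
        cdf.append((sum(p[(n, FAIL_LOW)] for n in COMP), sum(p[(n, FAIL_HIGH)] for n in COMP)))
    return cdf

if __name__ == "__main__":
    for k, (low, high) in enumerate(run(20), 1):
        print(f"t = {k * DT:5.0f} s  P(Fail Low) = {low:.3e}  P(Fail High) = {high:.3e}")
```

Because the sink cells are absorbing, the two sequences returned by run() are non-decreasing in k and are exactly the Top Event CDF sampled at t = k·Δt.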
Markov/CCMT and Dynamic Event Trees [figure: a tree of (N, J) pairs such as (1, j0), (1, j3) and (2, j2) branching from the initial pair at each time step t, each path being an event sequence of the DET]
An Example Initiating Event. Most of the analysis performed for Level 2 PRA assumes that the reactor is shut down in all the initiating events.
Assumptions:
1. Turbine trips
2. Reactor is shut down
3. Power P(t) is generated from the decay heat
4. Reactor power and steam flow rate decay from 6.6% of initial power, and the analysis starts 10 seconds after reactor shutdown
5. Feedwater flow and level are initially at nominal value
6. Off-site power is available
7. Main computer is failed
The Example Initiating Event: considerations
• DFWCS is working in Low Power mode
• MFV is not used
• FP set at minimum speed
• Only the BFV is able to change the feedwater flow
• 5 internal variables: CVSS is 4-D
The Example Initiating Event. Only one controller is considered: the BFV controller.
Hypotheses:
• Only loss of both inputs can occur (not loss of a single input)
• Loss of communications between the sensors and the BC and between the BC and the BFV controller cannot be recovered.
• Only the BFV controller failure can generate arbitrary output. If the BC generates arbitrary output due to an internal failure, it is recognized by the BC.
• The BFV controller cannot fail in Output High mode.
• The FP cannot fail
The Example Initiating Event: Controller/Device states [figure: Communicating, Device Stuck, Arbitrary Output, Freeze, 0 vdc Output]