Embed Size (px)
Citation preview
IEEE Transactions on Nuclear Science, Vol. NS-28, No. 5, October 1981A MICROPROCESSOR-BASED, ON-LINE DECISION AID FOR RESOLVING CONFLICTING NUCLEAR REACTOR INSTRUMENTATION*
Harry P. AlessoLawrence Livermore National Laboratory
Livermore, California 94550Submitted to IEEE, April 9, 1981.
Abstract
We describe one design for a microprocessor-based, on-line decision aid for identifying andresolving false, conflicting, or misleadinginstrument indications resulting from certainsystems interactions for a pressurized waterreactor. The system processes sensor signals fromgroups of instruments that track together undernominal transient and certain accident conditions,and alarms when they do not track together. Weexamine multiple-casualty systems interaction andformulate a trial grouping of variables that tracktogether under specified conditions. A two-of-three type redundancy check of key variablesprovides alarm and indication of conflictinginformation when one signal suddenly tracks inopposition due to multiple casualty, instrumentfailure, and/or locally abnormal conditions. Sincea vote count of two of three variables in conflictas inconclusive evidence, the system is notdesigned to provide tripping or corrective action,but improves the operator/instrument interface byproviding additional and partially digestedinformation.
1. Introduction
Nuclear power plants have a complex array ofinstrumentation designed to provide the operatorwith accurate information about essential plantconditions. The well-trained operator uses theseinstruments to operate the reactor under normalconditions and to react properly to accidents, buthe may be less prepared to react upon receivingfalse, conflicting, or misleading information.
The vital importance of operator/instrumentinterfacing was clearly demonstrated during theaccident at Three Mile Island-2 (TMI-2) on May 28,1979. There, the operators received numerous falseand conflicting bits of information from theirinstrumentation and, as a result of incorrectlyresolving this information, took action whichcompounded the casualty. Operator training,appropriate instrumenting, and operator/instrumentinterfacing all proved to be inadequate.1 Abreakdown of six major items contributed to theaccident:
* water level indication in the reactor,* electromatic relief valve (ERV) operat-ion,* auxiliary feedwater (AFW) flow indication,* containment isolation,* extended range instrumentation,* computer readout.
But the severity of the accident was a directresult of incorrectly diagnosing reactor pressurevessel water level.
*This work was supported by the United StatesNuclear Regulatory Commission under a Memorandum ofUnderstanding with the United States Department ofEnergy.
Manuscript received by NPSS April 9, 1981.
Within the first 15 min of the accident, thefollowing major conflicting bits of informationwere present:
* the ERV console valve position indicatorread closed but the ERV tail pipetemperature remained high,
* the AFW pump automatically turned onindicating flow to the steam generator butsteam generator level was dropping rapidly,
* pressurizer water level indicated increasingbut main coolant pressure was droppingrapidly,
* pressurizer water level was increasing butthe high pressure backup injection systemactuated,
* pressurizer water level was increasing butreactor contairLment pressure was increasing.
All but the second conflict explicitly relatedto reactor water level or pressure. Unfortunately,the operator was not completely aware of all ofthese conflicts and he resolved those conflicts hewas aware of by assuming that pressurizer waterlevel was correct and that conflicting informationwas false. Indeed, it was not until over two hourslater that the real conditions of a smallloss-of-coolant accident were identified. By thattime, a substantial fraction of the core had beenuncovered so that overheating of the zirconium cladand the evolution of hydrogen resulted.
The false pressurizer water level indicationwas a result of loop seals forming at low points ofthe primary system piping and a differentialpressure into the pressurizer from the stuck-openERV. Proposed solutions to such problems includedirect instrumenting of the core water level.However, an important lesson from TMI-2 is the needto become aware of and to correctly resolveconflicting information by an on-line decision aidas a first, simple step toward reactor accidentdiagnostics.
Clearly, the cost of an on-line computer systemto diagnose all plant variables and conditions andto decide on a proper course of action is presentlyprohibitive. However, there are alternative,intermediate steps that are reasonable in terms ofcost and effort and that can be immediatelyimplemented. This paper discusses such anintermediate step that will not diagnose plantaccidents, but will partially digest the instrumentinformation presented to the operator in an effortto provide him with an awareness and resolution ofconflicting information. We describe the designarchitecture for a microprocessor based, on-linedecision aid for resolvinq wihich instruments, ifany, are supplying false, conflicting, ormisleading information as a result of certainsystems interactions for a Pressurized WaterReactor (PWR). Two of three instruments supplyingconflicting information would sound an alarm andform a check to resolve the conflict. The systemcou]ld potentially be extended to perform furtherdiagnosis of the accident and recommend correctiveactions.
Microprocessors are becoming increasinglyimportant in a variety of nuclear control
U. S. Government work not protected by U. S. copyright.3919
instrumentation.2'3 Their advantages4 comparedto a full plant operations diagnostic minicomputersystem include:
* miniaturization,* reduced power consumption and dissipation,* increased reliability,* reduced cost.The architecture of the standard Intel 8085
3-bus microprocessor system is simple, and thethree characteristic buses are an 8-bitbidirectional data bus, an 8-bit monodirectionaladdress bus, and the control bus. The 8085 chip isthe central processing unit (CPU) including thearithmetic-logic unit (ALU), control unit (CU), andthe clock and crystal. It is a fourth-generationmicroprocessor and successor for small systems tothe Intel 8080. It has special components such asthe 8155 (RAM plus I/O) and the 8355 (ROM plus I/O)which provide memory, I/O, and demultiplexing ofthe data bus allowing a complete system to be builtof just three chips. Finally, a power supply isrequired. All other large scale integration (LSI)components can be interfaced either directly to thebuses or to this basic set. Analog-to-digitalconverters (ADC) are now available in a single chipfor most applications. In short, a microprocessorsystem can easily be coupled to an analog-to-digital and digital-to-analog multichannelconversion assembly.
In Sec. 2, we consider normal power transientsand specific reactor casualties to find conditionsunder which key plant variables track roughlytogether. We explore multiple casualty systemsinteractions and present an initial trial selectionof instrument groupings.
In Sec. 3, we present the design architectureand sample software for resolving conflictinginstrumentation information based on the two-of-three redundancy microprocessor hardware of Kimuraet al. Since a vote count of two-of-three keyvariables does not ensure correctness, the systemprovides no tripping or corrective action, butconstrains itself to providing additional andpartially digested information for the operator asan aid to resolving conflicting information.
2. Grouping Reactor Variables
In this section, we present a trial grouping ofreactor variables that tend to roughly tracktogether during normal operating plant transientsand during specific accident conditions. We alsoexplore multiple-casualty systems interactions dueto hidden dependencies.
We are not concerned with the detailed andcomplex interrelationships among plant variablesbecause that would involve a complete reactor
diagnostic minicomputer system, one that our
proposed design system is intended to avoid. We
are more concerned with a simple approach to
partially digest simplified relationships between
key variables in order to assist the reactoroperator in detecting conflicting information which
may restult from certain svstem interactions. To
accomplish this, it is sufficient to find usual
circumstances where key variables rotughly track
together and then to provide some parametricguidance (time delay and magnitude changes) in the
trend analysis portion of the software effort (seeSec. 3) on which to base decisions. It isimportant to realize that the proposed system will
provide no alarm for normal transients or singleplant casualties, hut only for more complicatedsituations.
The following review of normal and accidenttransient indications is not intended to be
all-encompassing since there are significant
variations among PWIR plants. However, it isintended to be a programmatic approach for trialselection of variables that roughly track together.
Consider a normal (N) PIWR plant transient5(we will examine a power increase) for a constantaverage primary coolant temperature (Tav) system
with the following initial conditions:
(1) reactor critical, self-sustaining,operating in the range of 15% power,
(2) Tav = nominal value,
(3) AT = (ThOt - Tcold) = nominal value,
(4) mp (primary coolant mass flow rate) =
slow speed pumps,(5) pressurizer liquid level = nominal value,(6) SGp (steam generator pressure) = nominal
value,(7) SGt (steam generator temperature) -
saturation temperature for SGp,(8) turbine condensers at vacuum = nominal
value.A ramp increase in electric load will now
increase steam demand to the turbine. When theturbine throttle is opened by the governor system,steam flows to the main condensers which are at aninitial vacuum. The large pressure differentialand increased valve opening increases the mass flowrate of steam from the steam generators to the maincondensers.
The steam generator is basically a tube-and-shell heat exchanger which maintains steam atsaturation temperature and pressure. Thus, whenthe mass flow rate of steam to the main condensersincreases, it reduces the partial pressure of steam
inside the steam generator and allows water to"flash" to steam, and the temperature of the steam
generator water is reduced. At the partialpressure drop of steam, a control device signalsthe steam generator water level control system to
increase make-up feed water to keep an
approximately constant level of water in the steam
generator. This make-up feedwater is colder than
the water already present, and thus it adds to a
reduction of the temperature of the steam generator.As the average temperature of this water
declines, the temperature gradient between the
primary coolant and the steam generator "secondary"water increases, thereby promoting better heattransfer. The lower average steam generatortemperature draws more heat from the primrarycoolant and reduces the exit temperature of the
primary coolant (Tcold) from the steam generator.This is obvious frorn the relationships:
Qp (heat rate primary)- QSG (heat rate secondary),
nip-p (Thot - T50p9)= UA (Tav - Tsat)'
and mhpcp AT = mSGhSG.
(1)
(2)
The saturation temperature of the steam
generator (Tsat) is the first to drop. Thus,
(Taw - Tsat) increases, restlting in Tcolddecreasing initially to maintain the balance.
Tcold has now been reduced several degrees.
This colder water returns to the reactor where,through action by tlhe negative temperaturecoefficient, it increases reactor reactivity. A
positive start-up rate for powier will now
3920
exponentially increase reactor power. However, therising power will raise the temperature of thecoolant, and through the negative temperaturecoefficient, it will begin to cause negativereactivity. This will stop the power rise andeventually, after several oscillations, power willreach a new steady-state value which will be higherthan its initial value (see Fig. 1).
If power doubled from its initial level, itfollows from Eq. (2) that since mpcp does not
change, then (ThOt Tcold) must double. Tavwould initially decrease as Tcold decreased, but
as reactor power increases, thereby increasingThot, Tav will return to its initial level.
Primary pressure and pressurizer level willvary during the transient; both resultant levelsdepend greatly upon the physical construction ofthe pressurizer piping and will thus vary fromsystem to system. We will assume here, for a
consistent argument, that pressurizer level willincrease under this type of transient. Meanwhile,steam from the steam generator flows to theturbines. The used steam is converted to water inthe main condenser and is pumped back to the steamgenerator. A simplified Rankine cycle diagramshown in Fig. 2 illustrates the process.
Fig. 1. The variation of plant parameters during a
power increase transient.
Fig. 2. A simple Rankine representation of a power;increase transient.
Cycle 1-5 is the initial condition. Cycle 6-10is the cycle after the increase in power. Theprocesses show that:
(1) From 5 - l - 2 (10 - 6 - 7) heat is addedat constant pressure. This is the heataddition that occurs in the steamgenerator.
(2) From 2 - 3 (7 - 8) expansion process isdone by accomplishing work. This is thetemperature and pressure drop that occursin driving the main turbines.
(3) From 3 - 4 (8 - 9) the heat rejectionprocess that occurs in the main condenserswhere the vapor that passed through theturbine blades is condensed by the heatexchange process with a separate coldwater source.
(4) From 4 -5 (9 - 10) the compression processthat results from the feed pumps pumpingmake-up feed water back to the steamgenerator.
The results of this power transient are:(1) lower steam generator pressure and
temperature,(2) increased mass flow rate of steam from the
steam generator,(3) increased mass flow rate of make-up feed
water into steam generator,(4) higher power level,(5) larger (Thot Tcold),(6) lesser condenser vacuum,(7) increased pressurizer liquid level,(8) increased electrical generation output.During a PWR normal (N) power plant transient,
certain key variables track roughly together.These variables include electrical load, reactorpower, AT, steam mass flow rate, SG make-up waterflow rate, and pressurizer liquid level. SGtemperature, SG pressute, and condenser vacuum alsotrack together. If reactor power were increasing,we would be suspicious if AT decreased. Likewise,we would not expect to see SG temperature increasingwhile SG pressure decreased; therefore, if weconstruct an alarm system that allows theseinstruments to track together, it will provide no
alarm unless the added problems of systemsinteraction (such as instrument failure or a
casualty during the transient) occur.However, Fig. 1 shows that power increases in
an oscillatory manner while AT increasesmonotonically. These parameter characteristics,complex and plant-specific issues, must beaccounted for by limits of time constants andallcwable magnitude changes which would beincorporated into the trend analysis portion of themicrocomputers software package.
Next, consider the abnormal conditions of a
reactor scram (S) where the plant responds to a
step drop in power. The following immediateindications are typical:
* reactor scram alarm,* rapid decrease in reactor power,
* rapid decrease in startup rate,* rod position indication showing all rods on
bottom,* rapid decrease in Tav,
rapid decreaserapid decreaserapid decrease
in pressurizer liquid level,in AT,in primary coolant pressure.
We observe that during condition S, all eventslisted above track strictly together with largechanges in magnitude and negligible time delay. It
would be abnormal to observe a drop in reactorpower but an increase in pressurizer liquid levelfor the single condition S.
3921
0.Ea)H-
Entropy - SEntropy-S
.
During a loss of main coolant flow (F), thefollowing indications are typical:
* low flow alarm,* reactor scram and accompanying indications,* either a loss of primary coolant pump
differential pressure or a shut indicationfrom a main coolant cutout valve.
During the abnormal conditions of a reactorsmall primary leak (L) the following indicationsare typical:
* primary pressure decrease,* pressurizer liquid level decrease,* reactor containment ambient temperature
increase,* reactor containment pressure increase and
possible blowout of rupture disk,* reactor containment sump water level
increase,* pressurizer relief valve outlet temperature
increase (if that is the leak source),* primary pressure and level alarms,* possible reactor scram and accompanying
indications due to low pressure automaticprotection.
For our present analysis, we do not include theinitiation of high pressure backup injection pumpsfor condition L.
For over-pressurization (0) of the primary, wecould find:
* high pressure alarm,* pressurizer level increase,* primary pressure increase,* Tav increase.
For over-pressurization of the primaryfollowing a reactor scram (O and S), we would seethe typical reactor scram indications followed by:
* high/low pressure alarm,* pressurizer liquid level either falling or
rising,* primary coolant pressure increase,* Tav increase/decrease.The compound casualty of S and 0 leads to
conflicting expectations. That is, the pressurizerlevel might track in opposition to variables itwould normally parallel. It should begin todecrease at the start of S, but if the over-pressure resulted in condition 0, the level wouldincrease.
From the preceding review of key trends duringnormal or specific accident conditions, we suggestthe trial grouping of reactor variables inTable 1. These variables will roughly tracktogether during either a plant transient or asingle casualty.
For more complicated situations, systemsinteractions can lead to conflicts. Then, when aninstrument fails, abnormal local conditions (suchas a fire), or compound casualties (like 0 and S)induce a conflict and the key variables will nottrack together due to systems interactions orhidden dependencies.
The problems of conflicting information arisingfrom multiple casualties, instrument failure, andabnormal local instrument conditions during systemsinteraction can be mathematically formulated in thefollowing manner:
Let G = {g g is a global transient or casualty},H = {h h is a local abnormality or failure},E = {O, 1} (event set)
and define maps,f: G - E,k: H - E,
which map the global and local conditions into theevent set. In other words, if casualty g, CG
has occurred then f (gl) = 1, otherwise it is 0.Next, considerc: f x f - E
which maps multiple casualty systems interactionsinto the event set and
c: f x k - Ewhich maps systems interactions resulting fromlocally abnormal conditions (or failures) during aglobal transient (or cassualty) into the event set.The map c is mod 2 "and" logic according to
c 0 10 0 01 0 1
Returning to our earlier considerations, letG, = {N, S, F, L, 0} be a subset of G. The set
Gl is open to discussion since G1 is by no
means complete, but merely illustrative. Let Hl= {instrument failure, locally abnormal conditionsfor instrument} be a subset of H. Then,
TABLE 1. Trial grouping of reactor variables.
j=l j=2 j=3
i=la Reactor power Primary coolant AT Electrical loadi=2a Reactor power Primary coolant Tav Reactor scram alarmi=3b Reactor power Primary coolant AT Pressurizer liquid leveli=4 Primary coolant pressure (loop 1) Primary coolant in pressure (loop 2) Pressurizer liquid level
i=5 Primary coolant pumps Primary coolant cutout valves Primary coolant pumpsdifferential pressure
i=6 Reactor containment water level Reactor containment pressure Reactor containment temperaturei=7 Emergency high pressure Low primary coolant Low pressurizer liquid level
injection pumps pressure alarm alarm
i=8 Turbine condenser vacuum Steam generator temperature Steam generator pressure
i=9 ERV position indication ERV tailpipe temperature Pressurizer high-level alarmi=10 Steam generator level Main feed pumps (on-off) Main feed pumps differential
pressure
i=ll Reactor power Primary coolant AT Reactor startup rate
aSmall changes in reactor power due to operator use of control rods (other than scram) are excluded by trend
analysis parameter settings.bCharging into the primary with charging pumps could initiate this alarm unless trend analysis parameters areset large enough to exclude this possibility.
3922
c: f (G1) x f (G1) O{0, 1} and
c: f (G1) x k (Hl) {0, 1}}.*Ideally, we might desirec = 1 if any two conditions in G1 x G,
(with the exception of A x A = Atypes) occurred or one condition in Gloccurred and any instrument failed (orwas subject to locally abnormalconditions like a small fire), and
c = 0 otherwise.However, we only guarantee thatc = 1 if certain two conditions in G1 x G
occurred or if one condition in G1
occurred and certain instrument failed(or were subject to locally abnormalconditions), and
c = 0 otherwise.When the plant undergoes normal transients,
single casualties, or a single instrument fails,(c = 0) we rely on the exiting plant design andoperator training to cope with the problem. Whenmultiple casualties (a plant transient and a singlecasualty) or a single casualty coupled with aninstrument failure occurs (c = 1) we expectconflicting instrumentation information and wewould like an alarm to signal us that a conflictexists and, if possible, some way to resolve theconflict. In our review of transients andcasualties, we found some key variables thattracked together. We wish now to make a judiciousselection of variables, such that three of themthat track together under transient and certaincasualty conditions that result from systeminteractions, will give the operator clues toresolve any conflicts (see Table 1). Then, whenthe operator receives a conflict alarm (c = 1) henot only becomes aware of the possibility of amultiple casualty, but has immediate clues. Forexample, the multiple casualty (O and S) will havepressurizer liquid level (PLL) in conflict with
variables it normally tracks with because thereactor protection system will provide a step dropin power causing PLL to drop and the
over-pressure initiating event (causing 0) willcause PLL to rise rapidly. An alarm system that
provided one alarm, indicating PLL was in
conflict with reactor power and AT, would alertthe operator of the conflict. A second alarmindicating that PLL was in conflict with primary
coolant pressure would resolve the conflict as an Sand an instrument failure of PLL. The absence of
the second alarm would indicate multiple casualty.A simple subroutine for classifying and sorting ina software package tied into the alarm system couldhave accomplished this task and simply notified theoperator of the conclusion.
Our goal is alarm activation whenever c = 1 tomake the operator aware of the especially selectedconflicting information and to provide aprearranged indication to resolve the conflict. Inthe next section, we present a microprocessorsystem that will alarm under conditions for c = 1.The selection of variables from Table 1 that tracktogether along with a sort-and-classificationsoftware package could then help the operator
resolve the conflicting information he isconfronted with as a result of systems interactiondue to multiple casualties.
3. System Architecture
Figure 3 presents an overview block diagram ofthe architecture of the system. Three groups ofinstruments (Xil, Xi2, Xi3) are processed by
subsystems (j = 1, 2, 3), each of which includes a
data acquisition module (Fig. 4) and a
microcomputer unit (Fig. 5) that follows, withmodifications, the hardware design of Kimura et
al.3 Each subsystem microcomputer receives itsown group of sensor readings (i = 1 ... n) whichhave been scanned by the multiplexer (MUX),sampled, and read by the ADC. The subsystemmicrocomputer takes the sensor reading for eachinstrument, in turn, and adds it to its own data
Group X1 Group Xi2 Group Xi3
Fig. 3. An overview of the architecture of thesystem design.
> ToCPU
*When an instrument fails under plant steady-state conditions, it usually fails to "safe" rangeand would not in general provide conflictinginformation. Fig. 4. The data acquisition unit and ADC.
3923
The signal relations and timing chart using an
CPU 8085 8255 for a subsystem microcomputer (A) transferringINTR data to the MM is shown in Kimura et al. and is
applicable here.The triplets (Yil' Yi2 YJi3) are
Address variables attached that normally track together.latch The idiosyncrasies of their tracking during
00.2 < I _ _(7, transits are accounted for in the trend analysis
o c _ Address bus U subroutine which adjusts for each parameter.D W r C L |1-X:The microcomputers in the three subsystems are
_ . _ Data bus > .E E - required to acquire new data and perform a trendE a r l E jnrO ffanalysis for each instrument to determine if thatl 0A instrument's parameter is Z1j = 1, 0, or -1. A
ROM RAM controller sample program flow diagram is present in Fig. 6.The MM will receive one instrument trend value
Zij from each of the microcomputers and form a
MUX ADC
Fig. 5. Microcomputer unit. Start
history record. It then performs a trend analysison the data to establish if the variable Y
which the instrument Xij monitors is: tozero
* increasing, open, or on (Zij +1),
* stable or neutral (Zij = 0) , /
* shut, off, or decreasing (Zij = -1). readinWaitr No Yii(tn ) from
The trend analysis is admittedly a difficult seconds instrument X..problem and must be tailored to each variable. It avail ble?,/must consider at what parametric limit value L, achange in the value of Zij is to occur. It is
variable and facility-specific and may require Put new Y (t ) intoexperimental analysis to determine what settings INPUT file. Deleteoldestwill avoid spurious alarms due to overshoots of data point Yj (to) andoscillatory behavior in a variable. However, we J
believe these problems can be resolved withoutresorting to detailed mathematical relationshipsbetween variables. Trend information Zij is, in Use M data points for
turn, sent to a fourth and master microcomputer linY. =At+bmod(MM) . The M1M receives the trend analysis I
conclusions for one instrument in each groupaccording to a preestablished order and forms thetriplet (Zil Zi2' Zi3) corresponding to A NO A
variables (Yil, Yi2' Yi3) and to instruments (a present (a present
(Xii, Xi2, Xi3). Algorithm C is used to lmIdetermine if the parameters of the triplet aretracking in the same or in a conflicting Set Set Setdirection. If there is a conflict, alarm and Zij 0 Zij =-1 Zi; = 1
output circuits are activated and classifying andsorting routines used. After algorithm C, the MM
prepares to receive new data for forming the next
triplet. Additional sort-and-classification Waitr NO ytsulbroutines can be applied to the MM for furtherdiagnostic analysis.
For the hardware design, we follow, with YES
appropriate modifications, Fairbrother2 and
Kimura et al.3 and select an Intel 8-bit Send
microprocessor 80856 (1.3 lus instruction cycle) Waitr NO Zi. Does MMbecause of its data manipulation capability, seconds acknow-
software developing tools, flexible configuration ledge?placement, and economic aspects. The three YES
subsystem and master microcomputers are the 8085s. o to receive nextAn 16-channel multiplexer, a high-speed input instrument X
sample-hold amplifier, an 8-bit successive J+1,approximation ADC, and CPR interface LSI are If = N last instrument,
included in accordance with the Kimura et al. data go to = 1
acquisition module. We depart f rom earlierhardware/software designs in particular with thesubsystem to MM redundancy relationship and Fig. 6. Program flowchart for each subsystem
interaction. microcomputer.
3924
Fig. 7. Program flowchart for master microcomputer.
triplet (Zil' Zi2' Zi3). It will then use
the algorithm:if (Zil = Zi2 = Zi3) is True, then ci = 0(there is no conflict),
if (Zil = Zi2 = Zi3) is False, then ci = 1
(there is a conflict and action is takenaccordingly) .If multiple triplets indicate conflicts, the MM
will sort and classify common parameters for furtherdiagnostic analysis such as deciding if a multiplecasualty has occurred and which it might be. Figure 7gives a program flowchart for the MM. Note that it isa minor complication for us to extend the flowcharts inFigs. 6 and 7 to account for instruments that monitorcommon variables for redundancy.
4. The TMI-2 Example
Consider the TMI-2 conditions listed in Table 2.The M1M would immediately find three triplets indicatingconflicts and give an alarm and output indicating thatthe corresponding parameters were tracking inopposition. It would then be up to the operator todigest this information and conduct further diagn-ostics, but this information immediately focusesattention on the questionable pressurizer liquidlevel. With an extensive listing of instruments andsort-and-classifying subroutines, the helpfulness ofthis system should be apparent.
5. Conclusions
We have described a design for a microprocessorbased, on-line decision aid that could resolvewhich instruments, if any, are providing false,conflicting, or misleading information duringcertain systems interactions. We examinedmultiple-casualty systems interaction andformulated a trial grouping of variables that tracktogether under specified conditions. The micro-processor system follows Kimura et al. and woulddetermine, by a two-of-three vote, when instrumentswhich normally track together, suddenly track inopposition. An alarm and indication would identifythe conflict for which the operator should takefurther action. Such a system would beinexpensive, highly reliable, and providesignificant improvement in operator/instrumentinterfacing by presenting key, partially digestedinformation to the operator.
Acknowledgment
It is a pleasure to acknowledge the valuablecriticism and helpful suggestions of Dr. C. Smithand J. Lim.
TABLE 2. TMI-2 example.Parameter Indication Zij value
Reactor power decreasing Z31 = -ll 3th tripletPrimary coolant AT decreasing Z32 = -l r of Table 1Pressurizer water level increasing Z33 = +1) (alarm)Primary coolant pressure (loop 1) decreasing Z41 = -1 4th tripletPrimary coolant pressure (loop 2) decreasing Z42 = -1 of Table 1Pressurizer liquid level increasing Z43 = +1 J (alarm)ERV position shut Zgi = -1 9th tripletERV tailpipe temperature increasing Z92 = +1 of Table 1Pressurizer high level alarm on Z93 = +1 J (alarm)
3925
References
1. G. E. Cumwings, "Operator/InstrumentationInteractions during the Three Mile IslandIncident," IEEE Symp. Nucl. Power Sys. (October19, 1979).
2. D. B. Fairbrother, "Reactor Protection SystemDesign Using Microprocessors," IEEE Tran. Nucl.Sci. Vol. NS-24, 766-770 (1977).
3. Y. Kimura, K. Hasegawa, and A. Sekiguchi,"Microprocessor-Based System for ProcessingRedundant Instrumentation Signals," IEEE Trans.
Indust. Elect. Control Inst., Vol. IECI-27, No.3, 218-222 (August 1980).
4. R. Zaks, Microprocessors, Sybex, Inc. Berkeley,CA (1977).
5. H. P. Alesso, 'Some Aspects of Nuclear Physicsand Safety Design for the Operational Needs ofNuclear Propelled Ships,' Nav. Eng. Journ.,Vol. 89, No. 6, 81-89 (December 1977).
6. Intel MCS-80 User's Manual, Intel Corporation(October 1977).
DISCLAIMER
This document was prepared as an account of work sponsored by an agency ofthe United States Government. Neither the United States Government nor theUniversity of Califomis nor any of their employees, makes any warranty, ex-press or implied, or assumes any legal liability or responsibility for the ac-curacy, completeness, or usefulness of any information, apparatus, product, orprocess disclosed, or represents that its use would not infringe privately ownedrights. Reference herein to any speciric commercial products, process, or serviceby trade name, trademark, manufacturer, or otherwise, does not necessarilyconstitute or imply its endorment, recommendation, or favoring by the UnitedStaten Government or the University of California. The views and opinions ofauthors expressed herein do nt necessarily state or reflect those of the UnitedStates Govemment thernf, and shall not be used for advertising or product en-dorsement purposes.
Mr. H. P. Alesso graduated from the U.S. Naval Academy in 1970, receiving
his B.S. degree in Mathematics. He served as a nuclear engineer aboard
nuclear submarines for a period of three and one-half years. He graduated
from Massachusetts Institute of Technology in 1978 at which time he received
his M.S. degree in Nuclear Engineering and an advanced special degree of
Nuclear Engineer. Currently, he is employed in the Nuclear Systems Group at
Lawrence Livermore National Laboratory.
3926
