Development of automated operating procedure system using fuzzy colored petri nets for nuclear power plants

Development of automated operating proceduresystem using fuzzy colored petri nets for nuclear

power plants

Seung Jun Lee, Poong Hyun Seong*

Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology,

373-1 Guseong-dong, Yuseong-gu, Daejeon, South Korea 305-701

Received 20 October 2003; received in revised form 1 December 2003; accepted 1 December 2003

Abstract

In this work, AuTomated Operating Procedure System (ATOPS) is developed. ATOPS isan automation system for emergency operation of a nuclear power plant (NPP) and it canmonitor signals, diagnose statuses, and generate control actions according to correspondingoperating procedures without any human operator’s help. Main functions of ATOPS are an

anomaly detection function and a procedure execution function but only the procedureexecution function is implemented in this work because this work is just the first step. In theprocedure execution function, operating procedures of NPPs are analyzed and modeled using

Fuzzy Colored Petri Nets (FCPN) and executed depending on decision making of the inferenceengine. In this work, ATOPS prototype is developed to demonstrate its feasibility and it isalso validated using the FISA-2/WS simulator. The validation is performed for the cases of a

loss of coolant accident (LOCA) and a steam generator tube rupture (SGTR). The simulationresults show that ATOPS works correctly in the emergency situations.# 2003 Elsevier Ltd. All rights reserved.

1. Introduction

In large and complex machine systems, many operations have become more difficultfor users, resulting in a greater potential for operation errors. Such mistakes maycause serious accidents, especially in aircraft industries and power plants. Hence,many machine systems have been automated through the introduction of moderncomputer and information technologies (Shimoda et al., 1999). A computerized

Annals of Nuclear Energy 31 (2004) 849–869

www.elsevier.com/locate/anucene

0306-4549/$ - see front matter # 2003 Elsevier Ltd. All rights reserved.

doi:10.1016/j.anucene.2003.12.002

* Corresponding author. Fax: +82-42-869-3810.

E-mail addresses: [email protected] (S.J. Lee), [email protected] (P.H. Seong).

http://www.sciencedirect.com



http://www.elsevier.com/locate/anucene/a4.3d

mailto:[email protected]

mailto:[email protected]

procedure system is an example of such an automated system. Various computerizedprocedure systems have been developed during the past decade (Lee and Seong,2001). They are operator supporting systems which supply necessary information to ahuman operator quickly and conveniently in order to reduce human errors througheasy and accurate decisions. Owing to recent progress in computer control, informationprocessing, and human interface devices, the design of instrumentation and control(I&C) systems for various plant systems is rapidly moving toward fully digital I&Csystems with an increased proportion of automation (Kim et al., 2000; Sheridan, 1976).In modern nuclear power plants (NPP), many computerized operating procedure

systems such as computer based procedures (CBP), computer procedures (COMPRO),computer procedure systems (CPS), nuclear emergency operating support systems(NEOS), computerized control rooms (CR), emergency operating procedure trackingsystems (EOPTS), and so on have been developed and some of them have beenalready installed in real plants. They convert text-based operating procedures to aprocedure database in a computer and show the procedure database to humanoperators through a graphics or text-based display. They also support an operator’sinteractions with the system, procedure maintenance, and configuration control.There are also other researches which focus on an automation system. One of

them is a ‘‘virtual collaborator,’’ an agent robot, which is realized in virtual reality(Shimoda et al., 1999). The virtual collaborator is a new type of human-machineinterface, which works as an ‘‘intelligent interface agent’’ to help machine operatorsmanipulate large scale machine systems such as a power plant. It is a kind of virtualrobot’’ that behaves like an intelligent agent robot in virtual reality space and com-municates naturally with humans akin to the manner in which humans do with eachother. It can behave like a plant operator in a simulated control room of a NPP invirtual reality space.These systems appear to be similar to AuTomated Operating Procedure System

(ATOPS) developed in this work, but they are very different in many aspects. Thecrucial difference is that they are only operator-supporting systems, whereas ATOPSis an automated system which does not need the help of a human operator.In this work, operating procedures of a NPP are converted to a procedure data-

base and they are used in ATOPS through Fuzzy Colored Petri Nets (FCPN). Andan inference engine which consists of fuzzy functions, the time versus cognitivereliability (TCR) curve, and a knowledge database performs a decision makinginstead of human operators in the NPP. A prototype of ATOPS is developed andsimulated using FISA-2/WS simulator. ATOPS is a prototype of a system that willhelp a NPP become fully automated for next generation NPP operation. Moreover,ATOPS is a very long-term research project. This study, in which the feasibility ofATOPS is verified, is just the first step for the full automation.

2. AuTomated Operating Procedure System (ATOPS)

ATOPS is a kind of automation system that operates a machine system accordingto prescribed procedures without any human operators’ help. Since ATOPS is not

850 S.J. Lee, P.H. Seong /Annals of Nuclear Energy 31 (2004) 849–869

an operator supporting system but rather an automation system, a man-machineinterface (MMI) is not considered. Operators in the main control rooms (MCR) ofNPPs monitor signals, diagnose current status, and perform suitable actionsaccording to corresponding operating procedures. ATOPS performs such actions asthe operators do: It monitors the plant status, detects anomalies, diagnoses the status,and operates the plant according to corresponding operating procedures in order tomaintain the plant in a stable state.Main functions of ATOPS are an anomaly detection function and a procedure

execution function. The anomaly detection function includes plant status monitoringand anomaly status detecting. In an anomaly status, a human operator sees alarmsand considers the potential causes of the alarms, mostly using his own knowledgeand experience because it is impossible to search all of the possible anomaly statuscases. In contrast, a computer-based system cannot think, but it can search allpossible cases in a short time due to its very fast calculating speed compared to ahuman operator. When alarms occur, the anomaly detection function cuts off caseswhich do not relate to the alarms in order to reduce possible cases. If the reason ofthe any anomaly status is detected, the procedure execution function starts operatingthe plant itself according to the corresponding operating procedures. That is, themost important role of the procedure execution function is to perform a procedureperfectly and guarantee integrity. A procedure execution function consists of fourcomponents: a procedure database, an inference engine, a real factor database, and aknowledge database. In the procedure execution function, text operating proceduresare converted to a procedure database, and then a procedure database is modeledusing FCPN. Lastly it is executed using fuzzy membership functions and theinference engine.Human operators can always potentially cause an unexpected error, and this is a

serious problem. On the other hand, an unexpected error related operations arenegligible for ATOPS. For ATOPS, validation and verification however is animportant problem to apply ATOPS to NPPs, because it is software based. In thiswork, a prototype ATOPS is constructed through implementation of the procedureexecution function only. A simulation of the prototype ATOPS is performed for thecases of a loss of coolant accident (LOCA) and a steam generator tube rupture(SGTR) using accident mode-simulation with FISA-2/WS, which is the simulator ofthe KORI 2 NPP unit in Korea.

2.1. ATOPS Architecture

The architecture of ATOPS is shown in Fig. 1. The monitoring engine and theexecution engine are not included in ATOPS, therefore ATOPS has three databasesand one engine: a real factor database, a procedure database, a knowledge database,and an inference engine. The real factor database is a storage that contains all staticand dynamic parameters of the plant, and the parameters of plant instruments areaccumulated in the real factor database continuously. And the procedure databasehas all procedure data such as alarm recovery procedures (ARP), system operatingprocedures (SOP), general operating procedures (GOP), abnormal operating

S.J. Lee, P.H. Seong /Annals of Nuclear Energy 31 (2004) 849–869 851

procedures (AOP), and emergency operating procedures (EOP). Also, the proceduredatabase has relationships among these procedures and among steps in same procedure.The knowledge database is for flexible decision making, and it must have variousdata as human operators have their own experiences. In this work, however theknowledge database is simply implemented, so it is just a storage that has supple-mentary data such as appendices of operating procedures. Parameters of the plantinstruments are monitored by the monitoring engine and stored in the real factordatabase. Then the inference engine decides on actions through the procedure data-base, and the execution engine performs the actions. If some information in theprocedure database is ambiguous or needs supplementary data, the inference enginehandles the information using the knowledge database.

2.2. Procedure analysis

The operating procedures for NPPs consist of five components, as shown in Fig. 2.Operators in a NPP operate the plant according to the SOP and the GOP in normalstate. When an alarm occurs, the operators monitor necessary signals and manipulateappropriate devices through the ARP. When multiple alarms occur, the operatorsact through the AOP. If the reactor is tripped and safety injection (SI) is operated inan abnormal state, the operators monitor necessary signals and manipulate necessarydevices to put the NPP in a hot standby (HSB) state through the EOP.In this work, the target operating procedures of the ATOPS are the EOP. The

EOP consists of four large categories, as shown in Table 1. The EOP outlines theprocedures for emergency situations such as LOCA or SGTR. If the reactor is tripped

Fig. 1. ATOPS architecture.


or SI begins, operators should operate the plant according to the E-0 procedure. TheE-1 procedure is for LOCA, and the E-2, E-3 procedures are for SGTR.The EOP consists of ‘‘If-then-else’’ statements. And the types of statements are

classified into four categories. The first type are statements which require checkingthe values or states of devices. The second type are control statements which requiremanipulating devices such as valves. The third type are ambiguous statements whichconsist of vague and ambiguous information such as ‘‘increase’’, ‘‘decrease’’, and‘‘keep’’. The last type are statements that require supplementary data. Examples ofstatement types in operating procedures are shown in follows.

Definition (Statement types in EOP)

Type 1: Check state and value of a deviceEx) Confirm that the seam tube isolation valve of failed S/G is closed.

Fig. 2. Procedure analysis.

Table 1

Emergency operating procedure analysis

E-0: Reactor trip or SI
ES-0.0: Accident diagnosis
ES-0.1: Action for reactor trip

ES-0.2: Cooling by natural cycle

E-1: LOCA of primary or secondary loop
ES-1.1: SI termination
ES-1.2: Cooling and depressurizing after LOCA

ES-1.3: Transition to cold leg recirculation

ES-1.4: Transition to hot leg recirculation

E-2: Failed S/G isolation

E-3: S/G tube rupture
ES-3.1: Cooling after S/G tube rupture using
reverse supplement method

ES-3.2: Cooling after S/G tube rupture using

B/D method


Type 2: Simple controlEx) Block feedwater supply to failed S/G

Type 3: Ambiguous expressionEx) Keep the narrow range level of S/G within 6-50% by controlling feed-water flowrate.

Type 4: Expressions require some supplementary dataEx) Proceed to step 1.0 if the pressure of failed S/G is lower than healthy S/Gand keep decreasing.

2.3. Procedure database

The procedure database is a translated form of text-based operating procedures.ATOPS works on it. It includes steps, actions, necessary signals, and data of oper-ating procedures. Operating procedures have some steps which should be executedconcurrently and steps which have ambiguous information. Therefore, in modelingthe procedure database, there are three important points to confirm. The first is thatthe model for the procedure database can convert text-based operating proceduresto the procedure database. The second is that the model can handle sequences andconcurrent events and it can clearly show current status. And the last is that themodel has not only powerful expressive methods but also various methods whichcan handle vague or ambiguous information. In this work, the FCPN, which is akind of Petri Nets (PN), is used for the procedure database modeling. The statementsof text-based operating procedures are ‘‘If-then-else’’ statements, so procedure can beeasily converted to PNs. Each instruction can be converted to a place and transition,which are components of a PN. Since a PN has powerful expressive abilities, it canshow the procedure structure and a current status through graphics-based display. APN has the ability to represent and analyze concurrency and synchronizationphenomena, like concurrent evolutions, where various processes that evolve simulta-neously are partially independent. Furthermore, the PN approach can be easilycombined with other techniques and theories such as object-oriented programming,fuzzy theory, neural networks, etc. These combined PN are widely used in computers,manufacturing, robotics, knowledge-based systems, process control, as well as otherkinds of engineering applications (Li & Lara-Rosano, 2000). For procedure modeling,therefore, we use the FCPN, which can handle normal and fuzzy variables,and represent various kinds of transition such as fuzzification, defuzzification, andchanging the fuzzy membership function transition.

2.4. Inference engine

ATOPS has an inference engine because the current operating procedures still haveambiguous and unclear information that cannot be handled without the inferencesof a human or supplementary data. The inference engine in ATOPS uses two data-bases. The first is the real factor database which stores plant parameters data and


the second is the knowledge database which stores supplementary data such asappendices of operating procedures.ATOPS has three types of decisions and these are basic decision, simple decision,

and complex decision. A basic decision is a decision that needs no judgment. Asimple decision is an action that has ambiguous information for a computer such as‘‘if – increase - ’’, ‘‘if – decrease - ’’, and so on. Human operators can handle suchinformation through their own judgments or experiments but a computer cannot.Simple and easy expressions for human operators can be difficult expressions forcomputer. Therefore, such statements are handled by a fuzzy membership function.Lastly, the complex decision is an expression that requires some supplementary dataor information, and it is handled by a knowledge database. Thus ATOPS has fuzzymembership functions and the knowledge database to judge unclear expressions.

2.4.1. Fuzzy membership functionVariables used in fuzzy membership functions are as follows:tu: unit time, xi: fuzzifier (value at ti), xs: standard value, ei: xi – xs.

cei ¼d

dte xið Þ ð1Þ

Normal variables are converted to fuzzy variables. A fuzzy variable consists ofeight values as shown in Fig. 3. A fuzzy table which is made through fuzzy rules isshown in Table 2. A fuzzifier function converts normal variables to fuzzy variableswhich are used in fuzzy membership functions. The result variables of the fuzzymembership function are converted normal variables again through defuzzifierfunctions. And the defuzzifier functions use the center average defuzzifier method.

2.4.2. Time versus cognitive reliability (TCR) curveComputers have much faster calculating speed than human. Therefore in some

decisions for operating a NPP, time must be considered. In this work the TCRcurve, as shown in Fig. 4, is used for considering time. The TCR curve representsthe trade-off relationship of affordable time and human cognitive reliability. The

Fig. 3. Fuzzy variables.


probabilistic factors influencing the relationship are clarified by analyzing the TCRsobtained from the experimental data (Li, Wen, & Lara-Rosano, 2000). The decisionsof ATOPS must be concerned with monitoring time, so in this work the TCR curve isemployed.

Pi responseð Þ ¼ Pr response time4 tið Þ �i

N þ 1ð2Þ

Pi non-responseð Þ ¼ Pr response time > tið Þ � 1�i

N þ 1i ¼ 1; 2; ::::;N ð3Þ

p ¼i

N þ 1

� �� defuzzifier epð Þ ð4Þ

Table 2

Fuzzy rule table

ei cei
NL NM NS NZ PZ PS PM PL
PL
NS NS PZ PS PM PM PL PL
PM
NS NZ PZ PS PS PM PL PL
PS
NM NS NZ PZ PS PS PM PL
PZ
NM NS NS PZ PZ PS PS PM
NZ
NM NM NS NZ PZ PZ PS PM
NS
NM NM NS NS NZ NZ PZ PM
NM
NL NL NM NS NS NS NS PS
NL
NL NL NM NM NM NM NS PS
Fig. 4. TCR curve.


re is an example using a fuzzy membership function and the TCR curve. There
Heare two trend graphs shown in Fig. 5. One is a trend graph representing slowincrease as shown in Fig. 5(a). And another is a trend graph representing rapidincrease as shown in Fig. 5(b). First, we made some assumptions for the example.
Assumption:

Maximum of fuzzy variable: 1Minimum of fuzzy variable: �1If P>0.4: increaseIf P<�0.4: decreaseN=100tu=0.1sec

We calculated each defuzzification value for Fig. 5(a) and Fig. 5(b) at 1, 3, 5, 7,and 9 seconds. And results are as follows:

at 1 sec, pa=0.05 and pb=0.09at 3 sec, pa=0.15 and pb=0.27at 5 sec, pa=0.25 and pb=0.45at 7 sec, pa=0.35 and pb=0.63at 9 sec, pa=0.45 and pb=0.81

The value of pa represents the increase probability of the graph shown in Fig. 5(a)and the value of pb represents the increase probability of the graph shown inFig. 5(b). As following our assumption, Fig. 5(a) can be confirmed to increase at 9sec and Fig. 5(b) at 5 sec.

2.4.3. Knowledge databaseThe knowledge database is the storage for additional information or data. ATOPS

can handle various information using the knowledge database. In the operatingprocedures, there are expressions that need supplementary data or information.

Fig. 5. Example of TCR curve.


Almost all of the supplementary data is in the appendices of the operating procedures.An example which represents a reactor coolant system (RCS) overcooling graph isshown in Fig. 6. Operators can judge whether a RCS is overcooled or not using thegraph. We can obtain the equation for the relationship between RCS pressure andRCS temperature from the figure by the second-order regression as follows:

CV abnormal : y ¼ 0:0101x2 � 4:274x þ 489:9 ð5Þ

CV normal : y ¼ 0:0105x2 � 4:825x þ 605:9 ð6Þ

where: x, RCS temperature, y, RCS pressure.The equation is stored in the knowledge database instead of the point data in

Fig. 6.

Fig. 6. RCS overcooling graph.


2.5. Fuzzy colored Petri net models

This work uses FCPN in order to model text-based operating procedures. FCPNis a kind of PNs, and there have been many studies on fuzzy Petri nets (FPN) thatare used to represent uncertain knowledge about a system state, combining fuzzy settheory and PN theory (Cardoso et al., 1996). This section covers an introduction toordinary Petri nets (OPN), colored Petri nets (CPN), and FCPN.

2.5.1. Ordinary Petri netsA marked OPN is a 4-tuple, OPN=(P, T, A, m0), where P is the set of places, T

the set of transitions, and A � P � TS

T � P the set of arcs between places andtransitions. The marking of a PN, m: P!{0, 1, . . .}, is the marking function thatmaps a non-negative number of tokens to each place. The initial marking m0 is thestarting state of the PN model. The transition firing rule of an OPN is described asfollows: A transition is said to be enabled if all its input places have at least onetoken. When an enabled transition fires, it removes a token from each one of itsinput places and adds one to each one of its output places. A marking function mj isdirectly reachable from a marking function mi if the firing of a transition while theOPN is in mi results in mj. A marking mj is reachable from mi through a firingsequence s=t0t1. . .tk if the marking before the firing of t0 is mi and the markingafter the firing of the sequence is mj. The reachability set R(m) is the set of allmarkings reachable from m, and the valid firing sequences set F(m0) is the set {s| schanges m0 to m, 8m 2 R(m0)}. For all markings reachable from m0, if the numberof tokens in place p, |p|4k, then the OPN is said to be k-bounded. A 1-boundedOPN is also called a safe OPN. An OPN is said to be live if each transition t is amember of at least one valid firing sequence s2F(m0).

2.5.2. Colored Petri netsOPN can visualize the actual system with ease due to the concurrency support and

formal semantics. However, PNs are so primitive that modeling complex systems isa big task. CPN have been developed by Jensen in order to overcome this limit(Jensen and Rozenburg, 1991). Without compromising the ability to perform formalanalysis, CPN can be much more succinct and manageable than their OPN coun-terparts. CPN consist of three parts: net structure, declarations, and net inscriptions.CPN have the same structure as OPN. In particular, an OPN is simply a bipartitegraph with one partition being called places and the other partition being calledtransitions. A CPN distinguishes itself from other OPN by allowing its tokens tohave complex data types called colors.

CPN is a tuple CPN=(�, P, T, A, N, C, G, E, I), where� is a finite set of non-empty types, called color sets.P is a finite set of places.T is a finite set of transitions.A is the set of arcs such that P

TT ¼ P

TA ¼ T

TA ¼ Ø.

N is a node function. It is defined from A into P � TS

T � P.


C is a color function. It is defined from P into �.G is a guard function. It is defined from T into expressions such that 8t 2 T:[Type(G(t))=Bool ^ Type(Var(G(t))) ��]E is an arc expression function.I is an initialization function.

CPN make use of data types, data objects, and variables that hold data values.CPN data types are called color sets (related to �). And CPN data objects are calledtokens. CPN contain variables that can take on token values as needed. A place(related to P) is a location that can contain zero or more tokens (a multiset) of someparticular color set. All tokens in a place must be of that color set. The multiset in aplace is called the marking of the place. This is one of the markings of a place.Taken together, the markings in all the places in a CPN model constitute the state ofthe model. A CPN transition (related to T) is an activity whose occurrence canchange the number and/or value of tokens in one or more places. An arc is a directedconnection between a place and a transition. An arc that runs from a place to atransition is called an input arc, and the place it connects to is called an input place.An arc that runs from a transition to a place is called an output arc, and the place itconnects is called an output place. An arc inscription is a multiset expression asso-ciated with an arc. A guard is a Boolean expression associated with a transition. Theassignment of token value to variables in a guard is called ‘binding’. If each inputplace of a transition contains the multiset specified by the input arc inscription of theplace, and the guard evaluates to true (i.e., the guard with binding is true), thetransition is enabled, and can occur.

2.5.3. Fuzzy colored Petri net (FCPN)FCPN is one kind of FPNs. In classical FPNs, the firing of a sequence of transi-

tions, considering the confidence factor or something of each one, defines a fuzzyfiring sequence which is more or less likely to be fired. The FPNs have a certainty orconfidence factor (Garg et al., 1991), a truth-value (Looney, 1988), or a truthfunction associated with the fuzzy transitions. However it is necessary to representthe change of membership function type and the integration of fuzzy values as wellas fuzzification and defuzzification . Therefore this work suggests the FCPN whichhas such functions for fuzzy values, multi-type places, and multi-type tokens.The definitions and behaviors can be formally described based on those of CPN as

follows:

Definition (FCPN): FCPN is a ten-tuple FCPN=(�, P, T, A, N, C, G, G0, E, I)satisfying the requirements as follows:

— The definitions of �, P, T, A, N, C, G, E, and I are the same as those for CPN.
— The definition of G0 is newly introduced for FCPN. It is defined from T into
SGE={N!F, F!N(Method), F!F, IntF(DOI)}, which is a set of specialguard expressions that denote characteristics of transitions. N represents‘normal’, F does ‘fuzzy’, and DOI does the degree of importance of evaluation


items. In order to distinguish from the special guards, we call the guardsdefined by G as general guards.

FCPN has special transitions shown in Fig. 7. FCPN can handle transitions fromnormal places to fuzzy places and those from fuzzy places to normal places. There-fore, we can implement fuzzification and defuzzification with FCPN. Fig. 7(a)describes a normal to fuzzy transition that represents the fuzzification. This showsthat FCPN represents the fuzzification with a transition from a normal variable to apair of a normal variable and a fuzzy variable. Fig. 7(b) describes a fuzzy to normaltransition that represents the defuzzification. In a reverse manner, FCPN representsthe defuzzification with a transition from a pair of a normal variable and a fuzzyvariable to a normal variable. There are various defuzzification methods. The specialguard expression F!N(Method) specifies the defuzzification method applied to thecorresponding transition. The fuzzy to fuzzy transition shown in Fig. 7(c) representsthe transformation from a fuzzy variable to another fuzzy variable. In case that thetype of an input fuzzy variable is different from that of an output variable, the fuzzyto fuzzy transition changes a membership function type. Fig. 7(d) represents anintegral fuzzy transition for the integration of FCPN models (Son and Seong, 2000).

2.6. The FCPN used in ATOPS

Current operating procedures still have vague and ambiguous expressions whichare difficult to implement in a computer. To cope with this problem, the FCPN inthis work has four types of place according to the complexity of the tasks whichoperators should do. The first type is the normal places which does nothing or onlyhas a jump action. The second type is the basic place which has simple actionsrequiring no inference. The third type is the simple place which has actions includingambiguous information such as ‘‘if – increase – ’’ and ‘‘if – decrease –’’. The last type

Fig. 7. Special transitions of FCPN.


is the complex place which has actions including information needs supplementarydata such as ‘‘properly’’ and ‘‘if needed’’. The ATOPS needs some methods toimplement the information of third and last type places. Therefore, the places areperformed through inference engine. The inference engine is to deal with vague orfuzzy information of operating procedures in order to perform places of FCPN.Each place belongs to one of three decisions in ATOPS. The second type of placesbelongs to the basic decision. Since it does not require judgment, ATOPS monitorssignals or generates control signals according to procedure database. The third typeof places belongs to the simple decision in order to handle expressions which haveambiguous information for a computer and it is performed using a fuzzy member-ship function. And the last type of places belongs to the complex decision in order tohandle expressions which need some supplementary data or information and it isperformed using a knowledge database. Each decision is also implemented usingFCPN as shown in Fig. 8.Each place of the FCPN has a color, and the color represents a place type, which

is one of the following four types:

Fig. 8. Three decisions using FCPN.


Definition (Places)

Type 1: Jump placeColor: grayExecution: Jump following transition

Type 2: Basic placeColor: blueExecution: Execution FCPN of basic decision

Jump next place following transition

Type 3: Simple placeColor: redExecution: Execution FCPN of simple decision


Type 4: Complex placeColor: greenExecution: Execution FCPN of complex decision


In the FCPN graphics, the token movement shows the current executing step; alsothe token color shows the types of executing step. The types of executing steps aregiven as follows:

Definition (Tokens)

Type 1: Black—Normal executionType 2: Orange—Continuously executionType 3: White—Stop

The FCPNs for a part of E-2 procedure are shown in Fig. 9 as an example.

3. Development of the prototype ATOPS

3.1. Implementation of the prototype ATOPS

In this work, the prototype ATOPS is implemented and validated. The prototypeATOPS is constructed by implementing the procedure execution function only.Validation of the prototype ATOPS is performed for the cases of LOCA and SGTRusing accident mode-simulation of FISA-2/WS which is the simulator for the KORI 2NPP unit and has a graphic user interface (GUI) as shown in Fig. 10. The prototypeATOPS converts the procedure database to FCPN, and shows the FCPN through agraphics-based display. Also, it shows selected variables and the description of a


Fig. 9. Example of procedure modeling using FCPN.

Fig. 10. Graphic user interface of the FISA-2/WS simulator.


selected step or an executing step. It operates the FISA-2/WS simulator auto-matically using the FCPN of the procedure database, and shows the currentexecuting place by a token. Since it is performed for the cases of LOCA and SGTR,it is implemented for operating procedures E-0, E-1, E-2, and E-3.In the prototype ATOPS, the procedure database is implemented by three databases:

an EOP database, a signal database, and an action database. The EOP database is theunderstandable form of text-based EOP procedures for ATOPS, as shown inTable 3. It consists of an index, an action and a jump statement. An index statementconsists of a step number and the description of the step, and an action statementconsists of a signal number, an action number, and an ‘‘else step’’. An example ofthe signal database is shown in Table 4 and it consists of an index, a variable used inFISA-2/WS, and a description. An index is a number used in the EOP database andit matches to the variable used in FISA-2/WS. The action database is shown inTable 5 and it consists of an index and a description. The prototype ATOPS readsthe EOP database, matches signals through the signal database, and executes state-ments according to the action database.The purpose of the prototype ATOPS is to check the feasibility and validity of

ATOPS. In the simulation, therefore, the following points are considered to beimportant for validation.

1. Does it follow and execute the corresponding procedures and steps?
2. Does it receive the variables of FISA-2/WS correctly? 3. Does it generate suitable control signals for the current situation? 4. Is FISA-2/WS correctly operated by the control signals? 5. Are steps that occur in parallel correctly executed?
The prototype ATOPS is shown in Fig. 11. If an accident occurs or any proceduredatabase is selected on the procedure database box the FCPN of the proceduredatabase is drawn graphically on the screen as shown in Fig. 11.

Table 3

Example of the E-0 procedure database

Step 1.0
#1.0 Confirm Reactor trip *1-1 1 _1.0E *1-2 3 _1.0E *1-3 6 _1.0E �2.0
Step 1.0 else
#1.0E Trip Reactor *1-4 _S.1-1.0 �2.0
Step 2.0
#2.0 Confirm Turbine trip *2-1 2 _2.0E �3.0
Step 2.0 else
#2.0E Trip Turbine *2-1 8 _2.2 �3.0

Table 4

Example of the signal database

S/G PORV valve
12-30 idlp[62] S/G A PORV valve(IPV-3066)
12-31 idlp[65] S/G B PORV valve(IPV-3067)

Value of S/G narrow range
12-14 idlp[35] S/G A narrow range
12-15 idlp[36] S/G B narrow range

Table 5

Example of the action database

Simple confirm and control
1 open
2 close

3 light up

4 light out

Ambiguous expression
5 increase
6 decrease

7 keep

Fig. 11. LOCA executing screen of AOTPS prototype.


The description of the current executing step is displayed in the description panel,which is on right bottom side of the prototype ATOPS.

3.2. Limitations of simulation

There are two problems in simulating ATOPS under current conditions. One isthe procedure problem, and the other is the FISA-2/WS simulator problem. Theoperating procedures of NPPs need to change gradually for precise and accurateexpressions for errorless operation. Also the digitalization of the NPP influences theoperating procedures to use precise and accurate expressions and information.However, current procedures have statements that are ambiguous or must be executedby human operators and the examples of these are,

— Refer to technical supporting center.— Take and analyze a sample.

The FISA-2/WS simulator was developed in 1992 for the KORI unit 2 NPP.Because the FISA-2/WS is not a full-scope simulator, it does not have all the signalvariables for a real NPP; therefore some signals in the operating procedure are notprovided by FISA-2/WS. In this situation, ATOPS neither can monitor some signalsnor execute some actions. The simulation is only partially executed. In actuality,since some signals do not exist in the FISA-2/WS simulator such as variablesconcerning radiation, ATOPS cannot execute E-3 procedure in the SGTR simulation.

3.3. Results of simulation

The simulations of the prototype ATOPS are executed for LOCA and SGTR.Procedures E-0, E-1, E-2 and E-3 cover these accidents. If LOCA or SGTR occurs, thereactor is tripped and SI operates. Then, E-0 procedure should be executed in order todiagnose the NPP and establish a stable status. If LOCA occurs, E-1 procedure shouldbe executed. If SGTR occurs, procedures E-2 and E-3 should be executed.In the LOCA and SGTR simulations, the prototype ATOPS operated the FISA-2/WS

simulator by searching the corresponding operating procedures and generatingadequate control signals. Most of the actions were fairly exact. However, in somesituations where the necessary signals were not provided by the FISA-2/WS simu-lator or when there was a step that had to be executed by a human operator, theprototype ATOPS did not work correctly.When a LOCA situation was simulated in the FISA-2/WS simulator, the reactor

was tripped and SI worked. Then the prototype ATOPS started executing step 1.0 inE-0 procedure. It jumped step 1.0 in E-1 procedure at step 35.0 in E-0 procedurebecause RCS pressure did not satisfy the specified condition. When a SGTR sit-uation was generated in the FISA-2/WS simulator, the reactor was tripped and SIworked. Then the prototype ATOPS started executing step 1.0 in E-0 procedure. Itjumped step 1.0 in E-2 procedure at step 23.0 in E-0 procedure because S/G pressuredid not satisfy the specified condition. After executing E-0 and E-2, E-3 procedures


should have been executed. However, E-3 procedure was not executed because thesignals needed to jump step 1.0 in E-3 procedure are not included in the FISA-2/WSsimulator.

4. Conclusions

In this work, ATOPS is developed. ATOPS is an automation system to operate a NPPin emergency situations by monitoring signals, diagnosing statuses, and generating con-trol actions according to corresponding operating procedures without any humanoperators’ help. Current operating procedures of NPP have some statements andinformation which are ambiguous and uncertain. In order to handle such statementsand information, we modeled operating procedure database using FCPN. FCPNhas more powerful expression capacity than other modeling tools, so that it canexpress flows of procedure executions and handle ambiguous information usingfuzzy membership functions. In order to demonstrate feasibility of ATOPS andefficiency of FCPN, ATOPS prototype is developed in this work and also validatedusing FISA-2/WS simulator. The validations are performed for the cases of LOCA andSGTR. The validation results show that ATOPS works correctly in emergency situa-tions. In LOCA and SGTR situations, ATOPS operates the FISA-2/WS simulator bysearching for corresponding operating procedures, judging the current status, andgenerating adequate control signals. Most of the actions were fairly exact.This validation just showed that ATOPS using FCPN work exactly in some states.

To adopt ATOPS in actually plants, we need more in-depth studies. This work ismerely the first step in a lengthy and ongoing research project. In the next step, theATOPS will be implemented in a wider scope in order to show its feasibility andefficiency in more certainty.

Acknowledgements

This work was supported by the Korean National Research Laboratory (NRL)Program.

References

Cardoso, J.R., Valette, Dubois, D., 1996. Fuzzy Petri Nets: An Overview. In 13th IFAC World Congress,

San Francisco USA, 30 June–5 July 1996, vol. J, pp. 443–448.

Garg, M.L., Ahson, S.I., Gupta, P.V., 1991. A fuzzy Petri net for knowledge representation and reason-

ing. Information Processing Letters 39, 165–171.

Jensen, K., Rozenberg, G. (Eds.), 1991. High-level Petri Nets: Theory and Applications. Springer-Verlag,

Heidelberg, Berlin.

Kim, J.H., Lee, S.J., Seong, P.H., 2000. Feasibility Study on Use of Virtual Collaborator for Remote NPP

Control, Proceedings of the Korea Nuclear Society Spring, May 2000, Cheju, Korea.


Lee, S.J., Seong, P.H., 2001. Automated Computer-Based Procedure System for Remote Operation System.

Proceedings of the Korea Nuclear Society Autumn, Oct 2001, Seoul, Korea.

Li, X., Lara-Rosano, F., 2000. Adaptive fuzzy petri nets for dynamic knowledge representation and

inference. Expert System with Applications 19, 235–241.

Li, X., Yu, Wen., Lara-Rosano, F., 2000. Dynamic knowledge inference and learning under adaptive

fuzzy petri net framework. IEEE SMC Conference Proceeding 30 (4).

Looney, C.G., 1988. Fuzzy Petri nets for rule-based decision making. IEEE Trans. on Systems, Man, And

Cybernetics, 18,1 178-183. (January/February)..

Sheridan, T.B., 1976. Toward a General Model of Supervisory Control. Monitoring Behavior and

Supervisory Control. Plenum Press, New York.

Shimoda, H., Ishii, H., Wu, W., Li, D., Nakagawa, T., Yoshikawa, H., 1999. A basic study on Virtual

Collaborator as an innovative human-machine interface in distributed virtual environment: the prototype

system and its implication for industrial Application. IEEE SMC Conference Proceedings 5, 697–702.

Son, H.S., Seong, P.H., 2000. A quality control method for nuclear instrumentation and control systems

based on software safety prediction. IEEE Transactions on Nuclear Science 47 (2), 408–421.


Documents

Development of automated operating procedure system using fuzzy colored petri nets for nuclear power plants