
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 40, NO. 1, FEBRUARY 1993 21

Development Strategies of an Expert System for Multiple Alarm Processing and Diagnosis in Nuclear Power Plants

Se Woo Cheon, Student Member, IEEE, Soon Heung Chang, and Hak Yeong Chung

Abstract-This paper describes the development strategies of a prototype expert system, called ESAPD, for multiple alarm processing and diagnosis in nuclear power plants. The main objectives of the system are to assist operators to identify a primary causal alarm among multiple fired alarms and to diagnose the plant malfunction quickly. The overall plant-wide diagnosis is performed at the alarm processing stage which can identify a primary causal alarm and can diagnose possible failure modes and failed systems, and automatic interlock actions. The knowledge base for the alarm processing is represented as object-oriented concepts. The specific root cause diagnosis for the primary causal alarm can be performed at the alarm diagnosis stage. The system can provide operators with the possible causes of the primary causal alarm, emergency actions, and follow-up treatments. The diagnostic method adopted in this system is a “hypothesize and test” paradigm.

I. INTRODUCTION

Nuclear power plants (NPPs) are large in scale and complex, so the information from local fields is excessive, and therefore plant operators cannot properly process it. When a plant malfunction occurs, there are enormous data influxes, so the cause of the malfunction cannot be easily and promptly identified. A typical NPP may have around 2,000 alarms in a main control room in addition to the displays of analog data. During plant transients, mode changes and component trips, hundreds of alarms may be activated in a short time. Hence, to increase the plant safety, operator support systems such as alarm processing systems become more important.

The significant aggravating factor of the Three Mile Island (TMI) accident in 1979 was the large number of fired alarms [1]. In one simulated loss-of-coolant accident (LOCA), 500 lights went on or off within the first minute, and 800 in the second [2].

The objectives of the alarm processing systems are to reduce the number of alarms presented, to organize the alarms so that they can be grouped in relation to a single cause, to order the alarms within a group, and to display suitable alarm messages.

Manuscript received June 4, 1992; revised August 31, 1992. This work was supported by the Korea Electric Power Corporation (KEPCO).

S. W. Cheon and S. H. Chang are with the Department of Nuclear Engineering, Korea Advanced Institute of Science and Technology, 373-1 Ku Song Dong, Yu Song Gu, Taejon 305-701, Korea.

H. Y. Chung is with the Research Center, Korea Electric Power Corporation, Korea.

IEEE Log Number 9204862.

In the aftermath of the TMI accident, various works for the development of alarm processing systems have been carried out [2]-[16]. An exhaustive review of the state-of-the-art alarm processing systems was given by Lees [1]. Various alarm processing methods such as decision tables, fault trees, alarm trees [3], goal-trees [4], cause-consequence trees [5], and alarm transition tables [6] were proposed. However, these methods are costly to develop, subject to error and difficult to modify. Corsberg has proposed an object-oriented approach using artificial intelligence (AI) techniques [7], [8]. Also, Domenico et al. [9] have developed an alarm processing system using model-based reasoning and object-oriented techniques.

A prototype expert system, called expert system for alarm processing and diagnosis (ESAPD), has been developed for the alarm processing and diagnosis. The main objectives of the system are to assist operators to identify a primary causal alarm among multiple fired alarms and to diagnose the plant malfunction quickly. The system is a result of a joint research project between the Korea Advanced Institute of Science and Technology and the Korea Electric Power Corporation (KEPCO).

In this work, the overall plant-wide diagnosis is performed at the alarm processing stage, which can identify a primary causal alarm, and can diagnose possible failure modes and failed systems, and automatic interlock actions. At the alarm diagnosis stage, specific root cause diagnosis for the primary causal alarm can be performed using the symptoms, such as indication lamps, parameter values, and valve lineup, that can be acquired in the main control room. Also, the system can provide emergency actions and follow-up treatments to the operator.

The alarm processing knowledge base was implemented as object-oriented concepts. The object-oriented structure provides modularity, which greatly aids development and maintenance of the knowledge base. The diagnostic method adopted in this system is a “hypothesize and test” paradigm; i.e., all possible hypotheses about the possible causes are first generated and then validated or invalidated by searching cause inference rules.

ESAPD was implemented on an IBM-compatible 386 personal computer (PC) using the Prolog and C languages. Prolog provides a strong capability for pattern matching and a built-in inference engine (i.e., backward-chaining and depth-first search) [17]. The use of Prolog rather than an expert system shell was chosen to avoid the pre-defined limitations inherent in any shell. In the implementation of the knowledge base, we use the Arity/Prolog software [18]. The graphics module, which is used for the displays of various alarm input menus, is built using the C language.

0018-9499/93$03.00 © 1993 IEEE

Section II describes general alarm processing concepts. Section III describes the development strategies of ESAPD, including functional structure, prioritization of multiple alarms, diagnosis of multiple alarms, overall control process, and structure of the knowledge base. Also, Section IV presents a demonstration of ESAPD. Finally, conclusions are drawn in Section V.

II. GENERAL ALARM PROCESSING CONCEPTS

Alarms are generally designed to report to the operator the overall plant status, such as interlock action signals, the operating conditions during plant startup, and the signals of failed systems. Firing of an alarm is due to one of the following reasons [14]:

1) an analog value measured by a transducer exceeds a threshold;
2) a digital value changes state;
3) a signal is generated by an application program.

Because of the functional relationships between alarms, multiple alarms may be simultaneously or consecutively fired. The operator must attempt to identify failed equipment and instruments and to recognize a primary causal alarm among multiple fired alarms.

Broadly, alarms are divided into two categories, the failure alarms and the nonfailure alarms, as shown in Table I. The failure alarms inform the operator of the failure states of the plant, whereas the nonfailure alarms are caused by plant interlock signals rather than failure signals. The failure alarms can be further classified into two classes, the plant-wide alarms and the system-wide alarms. The failure alarms that may cause other systems' alarms are classified as the plant-wide alarms. Typically, these alarms are associated with the plant heat balance between the primary and the secondary sides, and are regarded as urgent and safety-related alarms. The system-wide alarms are the failure alarms that may propagate only within a single system. These alarms are generally unrelated to the plant safety and are regarded as nonurgent alarms. The occurrence of a nonfailure alarm, such as a plant state alarm, interlock action alarm or operator action alarm, means that this alarm may be caused by a plant interlock signal rather than a failure signal produced by a transducer.

As shown in Fig. 1, a number of different alarms may be fired due to the cascading effects of a primary causal alarm. In this figure, the primary causal alarm occurs by one of several possible root causes. Several alarms in the same system and/or in other systems may be fired due to the primary causal alarm. Also, plant state alarms such as trip alarms may occur when a trip level is reached. The operator's response, such as a valve operating action (open/closed) to restore an abnormal plant state to normal condition, may also cause an operator action alarm. The interlock logic circuits also cause some alarms, such as interlock action alarms and component operating state alarms.

TABLE I
CLASSIFICATION OF ALARMS

Failure alarms
    Plant-wide alarms       Alarms that may cause other systems' alarm(s)
    System-wide alarms      Alarms that may propagate only in a single system
Nonfailure alarms
    Plant state alarms (trip alarms)
    Interlock action alarms
    Component operating state alarms
    Operator action alarms
    Instrument maintenance alarms
    Control mode (remote/local) alarms
    Spurious alarms

In this work, the target plant for the alarm processing and diagnosis is the Kori-2 NPP, in which 20 annunciators are implemented on the main control board, as listed in Table II. Each annunciator consists of an array of alarms, and the total number of the target alarms is up to 712.

III. DEVELOPMENT STRATEGIES OF ESAPD

A. Functional Structure of ESAPD

The functional structure of ESAPD is shown in Fig. 2. In this figure, the intelligent alarm processor in the alarm processing part can filter out consequential alarms among multiple fired alarms using the alarm processing meta rules and the alarm processing frames in the knowledge base. The intelligent alarm processor determines possible failure modes and failed systems, automatic actions, and causal alarms.

The alarm diagnosis part consists of three modules: the emergency action module, the failure diagnosis module and the follow-up treatment module. The inference engine controls the search through the knowledge base, matching appropriate rules and facts, executing the rules, tracking the inference process through the three modules, and interacting with the user interface. Finally, the inference engine diagnoses possible causes and provides emergency actions and follow-up treatments by interacting with the three modules.

The knowledge base is broadly divided into two categories: one for the alarm processing part, and the other for the alarm diagnosis part. It is available on request to the intelligent alarm processor and the inference engine. The knowledge units for the alarm processing consist of the alarm processing meta rules, the alarm processing frames, the plant state identification rules, and the interlock action rules. Also, the knowledge units for the alarm diagnosis consist of the emergency action rules, the symptom classification rules, the cause inference rules, and the follow-up treatment rules. The details of the knowledge base will be discussed in Sec. III.E.

Fig. 1. Typical cause-consequence relationships among multiple alarms.

TABLE II
CLASSIFICATION OF THE ANNUNCIATORS ON THE MAIN CONTROL BOARD

Annunciator   Annunciator name                             Alarm tag numbers
ALB-01        Generator                                    30
ALB-02        Electrical system I                          35
ALB-03        Electrical system II                         35
ALB-04        Feedwater/Auxiliary feedwater                47
ALB-05        Turbine I                                    35
ALB-06        Turbine II                                   44
ALB-07        Main steam & steam generators                48
ALB-08        Reactor coolant system I (Pressurizer)       29
ALB-09        Reactor coolant system II                    25
ALB-10        First-out alarms (Trip alarms)               36
ALB-11        Nuclear instrumentation and rod control      33
ALB-12        Chemical & volume control system I           35
ALB-13        Chemical & volume control system II          32
ALB-14        SIS & RHRS                                   34
ALB-15        Auxiliaries I, NSSS-BOP                      35
ALB-16        Component cooling water system               34
ALB-17        Component cooling & service water            34
ALB-18        Auxiliaries II                               35
ALB-19        Containment ventilation                      36
ALB-20        Circulating water & condensates              40
              Total number of alarms                       712

The user interface controls window displays and menu- driven operation to interact with the user. The alarm inputs can be made possible through an annunciator board input menu and 20 alarm input menus. This part is essential for aiding the user to interact with the system.

B. Prioritization of Multiple Alarms

In this work, the prioritization of multiple alarms is performed using two methods: one for the priority grading of the plant-wide global alarms, and the other for that of the system-wide local alarms.

1) Prioritization of plant-wide alarms: As shown in Fig. 3, the plant-wide alarms are prioritized in terms of the cause-consequence relations that are based on the overall plant heat balance between the primary and secondary sides via steam generators (S/Gs). Suppose a “S/G high-high level” alarm occurs. Due to the high S/G level, the heat removal capability from the primary to the secondary side is increased. In this case, several primary side alarms, such as “pressurizer low pressure,” “pressurizer low level,” and “average loop temperature low” alarms, may occur consecutively because of the increased heat removal capability.

For further illustration, an example of multiple alarm propagation in the case of main feedwater pump trips is shown in Fig. 4. An initiating fault (86 relays operated) causes trips of three main feedwater pumps, and, in turn, several alarms associated with the pump trips are fired. Due to the loss of main feedwater, the S/G level is abruptly decreased, and several alarms such as the “S/G low-low level” alarm are consecutively fired. Also, two interlock actions are automatically performed. As one of the trip setpoints is reached, first-out alarms such as a “S/G low-low level reactor trip” or a “low feedwater flow reactor trip” alarm may occur. Therefore, the plant state alarms associated with the reactor, turbine and generator trips may be simultaneously fired. Although the fault was initiated from the secondary side, the decrease of heat removal capability due to the low S/G level may cause some primary side alarms such as “average loop temperature high,” “pressurizer pressure high,” and “pressurizer level high” alarms. When the pressurizer pressure exceeds 2,335 psig, two power-operated relief valves (PORVs) are automatically opened, and, in turn, subsystem alarms such as “pressurizer PORV discharge temperature high” and “pressurizer relief tank pressure high” alarms may occur.

Fig. 2. Functional structure of ESAPD.

Fig. 3. Priority grading of plant-wide global alarms (precedent alarms and descendant alarms).

2) Prioritization of system-wide alarms: The system-wide alarms can be prioritized by the functional relationship among various types of alarms, as shown in Fig. 5. Careful consideration of the functional relationships among the system-wide alarms enables the precedent and the descendant alarms to be identified. Generally, the functional relationships among multiple alarms are as follows.

1) Flow direction.
2) Interrelationship of parameters.
3) Pipe connectivity.
4) Time delay.
5) Interlock relation.

As an example, for a reactor coolant pump (RCP) system, the cause-consequence relationships are shown in Fig. 6. The direction of the arrows represents the relationships between the precedent and the descendant alarms. For example, suppose “thermal barrier low flow” and “thermal barrier high temperature” alarms occur simultaneously. In this case, the former triggers the latter because insufficient cooling flow increases the temperature of the thermal barrier. Therefore, the former is determined as a precedent alarm.

Fig. 4. Propagation of multiple alarms in the case of feedwater pump trips (labels include feedwater flow < 40%; reactor trip, turbine trip and generator trip state alarms; generator trip signal).

C. Diagnosis of Multiple Alarms

In ESAPD, the diagnosis of multiple alarms is carried out at two stages: the plant-wide failure mode diagnosis and the specific root cause diagnosis for a primary causal alarm. At the first stage, the diagnosis involves determination of a primary causal alarm, possible failure modes and failed systems, and automatic interlock actions. Once the primary causal alarm has been identified, the next stage is to determine the possible root causes from the specific symptoms, such as indication lamps, parameter values, and valve lineup, that can be acquired in the main control room.

The diagnostic method adopted in this system is a “hypothesize and test” paradigm; i.e., all possible hypotheses about the possible failure modes are first generated and then validated or invalidated by searching (IF-THEN) form rules. The diagnostic process begins with the consideration of failure hypotheses about broad failure modes of the plant. If the plant symptoms suggest that a failure hypothesis is valid, then the diagnostic process continues with more refined hypotheses about more detailed possible causes of that failure mode. On the other hand, if a failure hypothesis is rejected, then the entire failure mode can be excluded from further consideration.

Also, the diagnosis must be performed with a treatment of uncertainty since uncertain or insufficient symptoms are present. In this work, the certainty factor (CF) method as originated in MYCIN [19] is adopted. The CFs, which are not probabilities, represent the degree to which we believe that evidence is true. They vary between −1 and +1, where −1 means that the symptom or hypothesis is definitely false, +1 means definitely true, and 0 corresponds to the unknown (complete uncertainty) or meaningless case.

D. Overall Control Process of ESAPD

As shown in Fig. 7, the overall control process of ESAPD is divided into two routines: the alarm processing routine and the alarm diagnosis routine.

1) Alarm processing routine: In the alarm processing routine, upon receipt of obvious symptoms, i.e., the fired alarm signals, the knowledge units related to the fired alarms are loaded into the dynamic memory. The alarm processing is performed by execution of the alarm processing frames and the five meta rules. By activation of the meta rules on the frames that are related to the fired alarms, the intelligent alarm processor can filter out the descendant alarms among the multiple fired alarms that are stored in the dynamic memory. Finally, the alarm processor displays causal alarms, possible failure modes and failed systems, and automatic interlock actions.

Fig. 5. Priority grading of system-wide local alarms. Panels: (a) alarm thresholds of parameters; (b) flow direction; (c) high flow -> high/low level; (d) low flow -> high temperature; (e) low pressure -> low flow; (f) high pressure -> low flow; (g) pump trip -> low flow; (h) interlock action; (i) tank high pressure -> inlet flow high; (j) pressure low -> radiation high. Legend: precedent alarm -> descendant alarm.

2) Alarm diagnosis routine: The specific alarm diagnosis is made possible by loading the knowledge unit of the primary causal alarm. The next step begins with the query operation for cause diagnosis. The inference engine asks the operator about the nonobvious symptoms (e.g., instrument readings, valve lineup, and various parameter trends). The operator can acquire the information on these symptoms from the plant computer or the instrument readings in the main control room. In parallel with the query operation, if an input parameter is dangerous to the plant state, the system tells the operator to take an emergency action. All symptoms extracted from the operator's responses are placed in the dynamic memory for use by the inference engine. Also, analog inputs are qualitatively labeled as classified evidence forms, e.g., danger, warning and normal ranges, according to the pre-defined ranges of the values.

When all symptoms required to get the diagnostic result are input, the system displays possible causes. Once the cause has been diagnosed, a query operation for appropri- ate follow-up treatments begins. By using the symptoms, especially the parameter trends, the system displays fol- low-up treatments.

E. Structure of Knowledge Base

1) Alarm processing knowledge units: The alarm processing knowledge units are represented as object-oriented concepts. Object-oriented programming is a powerful technique used in AI and provides the advantages of modularity, expressiveness, and data and procedure abstraction. In this approach, the knowledge base can be easily built and updated, thus reducing development and maintenance costs.

The knowledge units for the alarm processing consist of alarm processing meta rules, alarm processing frames, plant state identification rules, and interlock action rules.

(a) Alarm processing meta rules: The alarm processing meta rules are the strategic rules for the alarm processing. In Table III, five alarm processing meta rules are described. By executing these rules on the alarm processing frames, the descendant alarms can be suppressed from the dynamic memory.

(b) Alarm processing frames: The cause-consequence relations among alarms are represented as alarm processing frames. A frame is a structure particularly suitable for representing alarm objects. The alarm processing frame for each alarm is represented as information slots, such as alarm identification tag, alarm name, alarm class, precedent alarm list, descendant alarm list, failure mode list, and failed system list. A sample frame for a “pressurizer high pressure” alarm is as follows.

alarm(id_tag: alb09_d1,
      name: $PRZR high pressure$,
      class: failure_alarm(plant),
      precedent_alarm: [alb09_a1, alb08_c3, ...],
      descendant_alarm: [alb09_c1, alb09_d3, ...],
      failure_mode: [trst1:0.8, trst2:0.6],
      failed_system: [przr:0.8, feedwater:0.7, steam_line:0.?]).

(c) Plant state identification rules: These rules are used for the identification of current plant states. The plant state alarms that are coalesced are maintained in a list within a specific plant state. A sample rule is as follows.

[IF] one of the first-out alarms is fired
[THEN] plant state = [reactor_trip, turbine_trip, generator_trip].

By using these rules and the No. 5 alarm processing meta rule, the plant state alarms associated with the normal reactor, turbine and generator trips can be suppressed from the dynamic memory.


Fig. 6. Cause-consequence relationships among RCP domain alarms.

TABLE III
ALARM PROCESSING META RULES

Rule no.   Rule description
No. 1      [IF] there are descendant alarms against a selected alarm
           [THEN] remove the descendant alarms from the dynamic memory.
No. 2      [IF] there is a precedent alarm against a selected alarm
           [THEN] remove the selected alarm from the dynamic memory.
No. 3      [IF] there are both failure and nonfailure alarms
           [THEN] remove the nonfailure alarms from the dynamic memory.
No. 4      [IF] there are both plant-wide and system-wide alarms
           [THEN] remove the system-wide alarms from the dynamic memory.
No. 5      [IF] there is a group of plant state alarms
           [THEN] remove this group of alarms from the dynamic memory.

Fig. 7. Flowchart of the alarm processing and diagnosis. Alarm processing routine: fired alarm input; loading of the knowledge units related to the fired alarms; execution of alarm processing meta rules No. 1, 2, 3, 4 and 5; display of the processing results (possible failure modes and failed systems, automatic interlock actions, and causal alarms). Alarm diagnosis routine: loading of the alarm diagnosis knowledge unit corresponding to the primary causal alarm; query operation; display of possible causes; query operation for treatments; display of follow-up treatments.

(d) Interlock action rules: These rules represent the interlock actions of fired alarms, and the various plant logic relations are represented as these rules. The logic flow diagram of the steam generator low-low level reactor trip is shown in Fig. 8. The four interlock action rules for this figure are described in Table IV. By using these rules, automatic interlock actions and component operating states can be definitely identified.
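As an added example (not the paper's Prolog code), the alarm processing routine written in Python: alarm frames with the slots of Sec. III.E, the five meta rules of Table III applied in order to the dynamic memory, one plant state identification rule and one simplified interlock action rule in the style of (d). Every tag, name, failure mode and weight is constructed, loosely following the feedwater pump trip scenario of Fig. 4.

```python
"""Alarm processing stage of an ESAPD-style system (constructed example).

Alarm frames carry the cause-consequence relations; the five alarm processing
meta rules of Table III are applied in order to the dynamic memory (the set of
fired alarms). All tags, names, failure modes and weights are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AlarmFrame:
    id_tag: str
    name: str
    klass: str            # failure(plant) | failure(system) | state(first_out) | state(trip) | interlock
    precedent: tuple = ()
    descendant: tuple = ()
    failure_mode: dict = field(default_factory=dict)   # failure mode -> certainty
    failed_system: dict = field(default_factory=dict)  # system -> certainty


FRAMES = {f.id_tag: f for f in [
    AlarmFrame("mfwp_a_trip", "main feedwater pump A trip", "failure(plant)",
               descendant=("sg_lolo_level", "fw_flow_low"),
               failure_mode={"loss of main feedwater": 0.9}, failed_system={"feedwater": 0.9}),
    AlarmFrame("fw_flow_low", "feedwater flow low", "failure(system)", precedent=("mfwp_a_trip",)),
    AlarmFrame("sg_lolo_level", "S/G low-low level", "failure(plant)", precedent=("mfwp_a_trip",),
               descendant=("sg_lolo_rx_trip", "tavg_high", "przr_press_high"),
               failure_mode={"loss of main feedwater": 0.7, "feedwater line break": 0.4},
               failed_system={"feedwater": 0.7, "steam generator": 0.5}),
    AlarmFrame("tavg_high", "average loop temperature high", "failure(plant)", precedent=("sg_lolo_level",)),
    AlarmFrame("przr_press_high", "pressurizer pressure high", "failure(plant)", precedent=("sg_lolo_level",)),
    AlarmFrame("sg_lolo_rx_trip", "S/G low-low level reactor trip", "state(first_out)", precedent=("sg_lolo_level",)),
    AlarmFrame("manual_rx_trip", "manual reactor trip", "state(first_out)"),
    AlarmFrame("rx_trip", "reactor trip", "state(trip)"),
    AlarmFrame("tb_trip", "turbine trip", "state(trip)"),
    AlarmFrame("gen_trip", "generator trip", "state(trip)"),
    AlarmFrame("mdafw_a_run", "motor-driven aux. feedwater pump A running", "interlock"),
]}


def plant_state(dm: set) -> list:
    """Plant state identification rule: a fired first-out alarm means the
    normal reactor, turbine and generator trips have occurred."""
    if any(FRAMES[t].klass == "state(first_out)" for t in dm):
        return ["reactor_trip", "turbine_trip", "generator_trip"]
    return []


def interlock_actions(dm: set) -> list:
    """One interlock action rule in the style of Table IV (simplified)."""
    if dm & {"mfwp_a_trip", "sg_lolo_rx_trip"}:
        return ["startup of motor-driven aux. feedwater pumps A and B"]
    return []


# The five alarm processing meta rules of Table III; each edits dm in place.
def meta_rule_1(dm: set) -> None:
    """Descendant alarms of a selected alarm are consequences: remove them.
    Iterating over a snapshot lets the removal cascade down the chain."""
    for tag in list(dm):
        dm.difference_update(FRAMES[tag].descendant)


def meta_rule_2(dm: set) -> None:
    """An alarm whose precedent alarm is also fired is a consequence."""
    for tag in list(dm):
        if dm.intersection(FRAMES[tag].precedent):
            dm.discard(tag)


def meta_rule_3(dm: set) -> None:
    """Failure and nonfailure alarms together: keep only the failure alarms."""
    failure = {t for t in dm if FRAMES[t].klass.startswith("failure")}
    if failure and failure != dm:
        dm.intersection_update(failure)


def meta_rule_4(dm: set) -> None:
    """Plant-wide and system-wide alarms together: drop the system-wide ones."""
    plant_wide = {t for t in dm if FRAMES[t].klass == "failure(plant)"}
    system_wide = {t for t in dm if FRAMES[t].klass == "failure(system)"}
    if plant_wide and system_wide:
        dm.difference_update(system_wide)


def meta_rule_5(dm: set, state: list) -> None:
    """A group of plant state alarms explained by an identified plant state
    is suppressed as a group (the first-out alarm itself stays)."""
    if state:
        dm.difference_update({t for t in dm if FRAMES[t].klass == "state(trip)"})


def process_alarms(fired) -> dict:
    """Alarm processing routine of Fig. 7: returns what the intelligent alarm
    processor displays (causal alarms, failure modes, failed systems, actions)."""
    dm = set(fired)                 # dynamic memory
    state = plant_state(dm)         # identified before any suppression
    actions = interlock_actions(dm)
    for rule in (meta_rule_1, meta_rule_2, meta_rule_3, meta_rule_4):
        rule(dm)
    meta_rule_5(dm, state)
    modes, systems = {}, {}
    for tag in dm:                  # merge the slots of the surviving causal alarms
        for k, v in FRAMES[tag].failure_mode.items():
            modes[k] = max(modes.get(k, 0.0), v)
        for k, v in FRAMES[tag].failed_system.items():
            systems[k] = max(systems.get(k, 0.0), v)
    return {"causal_alarms": sorted(dm), "failure_modes": modes, "failed_systems": systems,
            "plant_state": state, "interlock_actions": actions}


if __name__ == "__main__":
    fired = ["mfwp_a_trip", "fw_flow_low", "sg_lolo_level", "tavg_high", "przr_press_high",
             "sg_lolo_rx_trip", "rx_trip", "tb_trip", "gen_trip", "mdafw_a_run"]
    print(process_alarms(fired))
```

With the ten fired alarms above, rules 1 and 3 alone reduce the dynamic memory to the pump trip; the second scenario in the test (a manual trip with no failure alarm) is the case where only meta rule No. 5 does any work.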

2) Alarm diagnosis knowledge units: The alarm diagno- sis knowledge units consist of symptom classification rules, emergency action rules, cause inference rules, and follow- up treatment rules.

(a) Symptom class@cation rules: Using the symptom classification rules, various parameter values can be dis- cretized according to their numerical ranges. For example, RCP lower bearing temperature is qualitatively classified into three ranges: a dunger range (> 104.4 "C), a warning range (between 82.4 "C and 104.4 "C), and a normal range (< 82.4 "C). These ranges were set according to system technical manuals. Therefore, analog symptoms can be easily applied to the condition part of the (IF-THEN) rules.

(b) Emergency action rules: During the query operation, if a parameter value is dangerous to the normal plant state, the system can guide the operator with an allowable emergency action by using these rules. For example, if the RCP motor bearing temperature exceeds 90.5 °C, then an emergency action guides the operators to trip the affected RCP.

Fig. 8. Logic flow diagram of the steam generator low-low level reactor trip (legend: OR gate; coincidence; level bistable (2 out of 3); the undervoltage signal is among the inputs and the automatic interlock actions are the outputs).

TABLE IV
INTERLOCK ACTION RULES

Rule no.   Rule description
A          [IF] “S/G 1 low-low level reactor trip” alarm (A1) = on
              OR “S/G 2 low-low level reactor trip” alarm (A2) = on
           [THEN] interlock action = “reactor trip, turbine trip and generator trip”
B          [IF] (“S/G 1 low-low level reactor trip” alarm (A3) = on OR “S/G 2 low-low level reactor trip” alarm (A4) = on)
              OR (“main feedwater pump A trip” alarm (A5) = on OR “main feedwater pump B trip” alarm (A6) = on OR “main feedwater pump C trip” alarm (A7) = on)
              OR safety injection signal is generated
              OR blackout signal is generated
           [THEN] interlock action = “startup of motor-driven aux. feedwater pumps A and B”
C          [IF] (“S/G 1 low-low level reactor trip” alarm (A1) = on AND “S/G 2 low-low level reactor trip” alarm (A2) = on)
              OR undervoltage signal is generated
           [THEN] interlock action = “startup of turbine-driven auxiliary feedwater pump”
D          [IF] interlock action = “startup of motor-driven aux. feedwater pumps A and B”
              OR interlock action = “startup of turbine-driven aux. feedwater pump”
           [THEN] interlock action = “close of blowdown isolation & sample valves”

(c) Cause inference rules: Using these rules, the system can find possible causes. For example, in the case of “RCP seal injection flow low” alarm diagnosis, a sample rule is as follows.

[IF] seal injection flow rate is less than normal rate
    AND seal injection valve lineup is correct
    AND injection filter differential pressure (D/P) is > 1.3 kg/cm2
    AND charging pump is operating well
[THEN] the cause is “filter blockage” with CF = 1.0.


[Fig. 9 screen captures, not recoverable as text. Panels: (a) annunciator board input menu; (b) alarm input menu; (c) results of the alarm processing; (d) display of emergency actions; (e) diagnostic results of the causal alarm; (f) display of follow-up treatments.]

Fig. 9. CRT displays of the alarm processing and diagnosis.

(d) Follow-up treatment rules: Using these rules, the system can offer the operator a set of operational guidances to restore an abnormal plant state to the normal condition. The condition part of these rules consists of several symptom items such as parameter trends, valve lineup and current plant state. A sample rule is as follows.

[IF] symptom 1 = input 1
  AND symptom 2 = input 2
  AND symptom 3 = input 3
[THEN] follow-up treatment = [list of message items].

IV. DEMONSTRATION OF ESAPD

For the demonstration purpose, suppose that a charging pump, which injects seal injection water to the RCPs, is tripped due to pump overload. In this case, seven alarms within the seal injection system are consecutively fired due to the loss of charging flow. The fired alarms are input through the annunciator board input menu and the 20 alarm input menus. Figs. 9(a) and (b) show the cathode ray tube (CRT) displays of the annunciator board input menu and one of the alarm input menus, respectively. For consideration of human factors, the arrays of alarms on the alarm input menus were arranged the same as those on the actual annunciator boards.

After the inputs of the fired alarms, the alarm processing result shows that the primary causal alarm is the "charging pump 1 overload or progress in trip" alarm, as shown in Fig. 9(c). The failure mode is determined as "loss of seal injection water." Also, the most probable failed system is the chemical and volume control system (CVCS) with CF = 0.8.

The specific root cause diagnosis for the "charging pump 1 overload or progress in trip" alarm begins with the query operation. In parallel with the query operation, if an input parameter is dangerous to the plant state, the system tells the operator to take emergency actions. In this case, because the pump lower bearing temperature is within the warning range, the system displays a warning message and an appropriate action to the operator, as shown in Fig. 9(d). When all symptoms are input, the system displays the possible causes, as shown in Fig. 9(e). The belief degrees of the possible causes are computed by the CF operation, as discussed in Section III.C. Finally, the system provides follow-up treatments to the operator, as shown in Fig. 9(f).

V. CONCLUSIONS

A prototype expert system (ESAPD) for multiple alarm processing and diagnosis has been developed for the Kori-2 NPP. ESAPD is capable of assisting the operator to identify a primary causal alarm among multiple fired alarms and to diagnose the plant malfunction quickly. The overall plant-wide diagnosis is performed at the alarm processing stage, and the specific diagnosis for the primary causal alarm is performed at the alarm diagnosis stage. The system can also provide the emergency actions and the follow-up treatments to the operator.

The knowledge base is partitioned into several knowledge units to handle many rules effectively. Therefore, the inference engine can handle the knowledge base efficiently, and the knowledge units can be easily and simply updated and revised. The alarm processing knowledge units are represented as object-oriented concepts. Also, the cause-consequence relations among alarms are represented as the alarm processing frames. In this way, the development process and the management of the knowledge base are easier compared with the traditional alarm processing methods.

Based on this prototyping and a better understanding of the development problems, we are planning to develop an on-line alarm processing system in connection with a plant computer.

REFERENCES

[1] F. P. Lees, "Process computer alarm and disturbance analysis: Review of the state of the art," Comp. Chem. Eng., vol. 7, pp. 669-694, 1983.
[2] P. A. Sachs, A. M. Paterson, and M. H. M. Turner, "Escort: an expert system for complex operations in real time," Expert Syst., vol. 3, pp. 22-29, 1986.
[3] D. Patterson, "Application of a computerized alarm analysis system to a nuclear power station," Proc. IEE, vol. 115, p. 1858, 1968.
[4] M. Modarres and T. Cadman, "A method of alarm system analysis for process plants," Comp. Chem. Eng., vol. 10, pp. 557-565, 1986.
[5] B. Frogner and C. H. Meijer, On-line Power Plant Alarm and Disturbance Analysis System, EPRI Report 1397, 1980.
[6] Functional Specifications for AI Software Tools for Electric Power Applications, EPRI Report NP-4141, Final Report, Aug. 1985.
[7] D. Corsberg, "Extending an object-oriented alarm filtering system," Expert Systems in Government Symposium, McLean, VA, Oct. 1986.
[8] D. Corsberg and L. Johnson, "A nuclear reactor alarm display system utilizing AI techniques for alarm filtering," Proc. Amer. Nucl. Soc. Topical Meeting on Artificial Intelligence and Other Innovative Computer Applications, Snowbird, UT, Aug. 1987.
[9] P. D. Domenico, E. Mah, D. Corsberg, J. Somsel, J. K. Channant, and J. Naser, "Alarm processing system," Conference on Expert Systems Applications for the Electric Power Industry, Orlando, FL, June 1989.
[10] P. Visuri and F. Øwre, Forming and Presenting Process Control Room Alarms Using Computers: The HALO Concept, OECD Halden Reactor Project HPR-283, Norway, March 1982.
[11] P. Legaud, "Processing of alarms by means of an expert system," Rel. Eng. Sys. Safety, vol. 22, pp. 401-409, 1988.
[12] P. Kafka and P. Poke, "Intelligent decision aids for abnormal events in nuclear power plants," Rel. Eng. Sys. Safety, vol. 22, pp. 355-370, 1988.
[13] D. S. Kirschen, B. F. Wollenberg, G. D. Irisarri, J. J. Bann, and B. N. Miller, "Controlling power systems during emergencies: The role of expert systems," IEEE Comput. Appl. Power, pp. 41-45, Apr. 1989.
[14] H. E. Dijk, "AI-based techniques for alarm handling," 3rd Symposium on Expert Systems Application to Power Systems, Tokyo-Kobe, Japan, April 1-5, 1991.
[15] A. Maizener, A. Lestien, E. Euxibie, and P. Jourdm, "The use of AI techniques in the design of an alarm specification aid," 3rd Symposium on Expert Systems Application to Power Systems, Tokyo-Kobe, Japan, April 1991.
[16] J. O. Yang and S. H. Chang, "An alarm processing system for a nuclear power plant using artificial intelligence techniques," Nucl. Technol., vol. 95, pp. 266-271, 1991.
[17] W. F. Clocksin and C. S. Mellish, Programming in Prolog, Berlin: Springer-Verlag, 1981.
[18] The Arity/Prolog Language Reference Manual, Massachusetts.
[19] E. H. Shortliffe, Computer-Based Medical Consultation: MYCIN, New York: Elsevier, 1976.