Risk Analysis, Vol. 33, No. 6, 2013 DOI: 10.1111/j.1539-6924.2012.01899.x
Fuzzy-Logic-Based Safety Verification Frameworkfor Nuclear Power Plants
Achint Rastogi and Hossam A. Gabbar
This article presents a practical implementation of a safety verification framework for nuclearpower plants (NPPs) based on fuzzy logic where hazard scenarios are identified in view ofsafety and control limits in different plant process values. Risk is estimated quantitativelyand compared with safety limits in real time so that safety verification can be achieved. Fuzzylogic is used to define safety rules that map hazard condition with required safety protectionin view of risk estimate. Case studies are analyzed from NPP to realize the proposed real-timesafety verification framework. An automated system is developed to demonstrate the safetylimit for different hazard scenarios.
KEY WORDS: Fuzzy logic; NPP safety; nuclear power plant safety; safety verification
Safety is an important task in nuclear powerplants and plays a significant role throughout theplant life cycle.(1) Governmental safety regulationsand international standards support overall processsafety.(2) Lack of plant safety might lead to haz-ardous events with high risks to human life, plant,and environment. It is important to describe a prac-tical integrated framework for plant safety basedon independent protection layers and defense-in-depth concepts. Safety control is one important layerwithin overall safety protection layers. Safety con-trol systems are designed and evaluated in view ofsafety requirement specifications and correspond-ing safety rules and constraints are mapped toprotection layers or barriers. The proposed risk-based safety verification framework can be applied
Faculty of Energy Systems and Nuclear Science, University ofOntario Institute of Technology (UOIT), 2000 Simcoe StreetNorth, Oshawa L1H7K4 ON, Canada; Hossam.firstname.lastname@example.org.
Address correspondence to Hossam A. Gabbar, Faculty of En-ergy Systems and Nuclear Science, University of Ontario, Insti-tute of Technology, UOIT, 2000 Simcoe St. N., Oshawa L1H7K4ON, Canada; Hossam.email@example.com.
on nuclear power plants, smart grids, oil and gasproduction plants, or other manufacturing plants.Industrial facilities are required to provide a safeatmosphere by proper implementation of safetyverification techniques, proper safety instrumentedsystems (SIS), and frameworks for safety design ofenergy and production plants, as per IEC61508.(36)
Verification is the evaluation of an implementationto determine that applicable safety-critical require-ments for any plant and its operations are met. Theverification process ensures that the design solu-tion meets or exceeds all validated safety require-ments.(7,8) A verified system shows measurable evi-dence that it complies with the overall system safetyneeds by incorporating an efficient safety verificationframework.(8)
2. PROPOSED FRAMEWORK
The proposed risk-based safety verificationframework is shown in Fig. 1. Fig. 2 shows the pro-posed activity model using IDEF0. It should be notedthat the main purpose of this framework is not to re-place existing technologies but to integrate them sothat they may become more effective when it comes
1128 0272-4332/13/0100-1128$22.00/1 C 2012 Society for Risk Analysis
Fuzzy-Logic-Based Safety Verification Framework for Nuclear Power Plants 1129
Fig. 1. Flowchart of safety verification framework.
to accident prevention. This is a five-step frame-work and helps in verifying the safety of a processin a nuclear power plant. It starts with control limitsestimation based on upper control limits (UCLs) andlower control limits (LCLs). Data points that maycause a hazard (usually the data points that lie out-side these limits) are identified. Once these limitsare identified, the next step is hazards identification.All possible hazards that could be caused by a singleevent are identified. After hazard identification, thenext step is risk estimation and evaluation. The riskassociated with a particular event is calculated. For
this, a particular event is selected, and it is furtherbroken down into all the possible fault propagationscenarios that it could take to cause the hazard. Therisk associated with each individual fault propagationscenario is calculated and then combined to estimatethe total risk associated (TRA) with the event. Thenext step is safety verification. Once the TRA is es-timated, it is compared with the value of the targetrisk for that event. If the TRA is more than the tar-get risk, the process is unsafe and vice versa. The laststep of the framework, i.e., risk reduction, only comesinto play if the TRA with a particular event is morethan the target risk and the process is unsafe to oper-ate. It is needed, at this stage, that the risk should bereduced to such an extent that it no longer exceedsthe maximum allowable risk. This step is facilitatedby step five of the framework, risk reduction. Eachpart of the framework is discussed in more detail inthe following sections.
2.1. Step 1: Control Limit Estimation
Estimating the control limits forms the first blockof the framework. In general, defining the control orsafety limits requires the following key points to bekept in mind whenever risk is assessed:
Determining the requirements of the machineor process
Determining both the use and operation andmisuse and malfunction
User training, expertise, and knowledge Possibility of people being exposed to machine
Fig. 2. The proposed risk-based safetyverification framework for nuclear powerplants.
1130 Rastogi and Gabbar
Fig. 3. Theoretical basis of a control chart showing the centerline,upper control limit (UCL), and the lower control limit (LCL) forany set of random data.
There are two types of limits that are needed tobe estimated for any process occurring in a nuclearpower plant:
Control limits Safety limits(9)
The control limits are the limits within whichthe process operates with maximum efficiency, bothin terms of operations and economic costs. When-ever the process exceeds their limits, its operationbecomes undesirable. The process may, however, besafe to operate, but is highly undesirable as it leads toinefficient operation and economic losses. The UCLand the LCL are the two control limits, and the zonebetween them is known as the zone of most efficientoperation. This area is shown by the violet band inFig. 3 (colors visible in online version). The safetylimits, on the other hand, are the limits beyond whichthe operation of a given process becomes unsafe. Ifthe process operates in a region beyond the safetylimits, it may cause hazards, fatalities, and accidents.Whenever a process goes beyond the safety limits,shutdown is the only option left to ensure safety. Sim-ilar to the control limits, there are two safety limits,the upper safety limit and the lower safety limit, andthe zone between them is called the zone of safe op-eration. The red bands depict the area of unsafe op-eration.
For the purpose of calculating the safety limits,we can make use of control charts. Control charts instatistical process control (SPC; also known as She-whart charts or process-behavior charts) are toolsused to determine whether or not a manufacturingor business process is in a state of statistical control.SPC is a powerful collection of problem-solving toolsuseful in understanding process variability, achiev-ing process stability, and improving process perfor-mance through the reduction of avoidable variabil-
Fig. 4. EWMA curve for a statistically moving random data set.
ity.(10) SPC is not a new term and has been used inmanufacturing industries for years. It has also beenshown that use of SPC can enhance safety in a nu-clear power plant.
SPC methods can be applied as an early warningsystem capable of identifying significant equipmentproblems well in advance of traditional control roomalarm indicators. Such a system would provide oper-ators with ample time to respond to possible emer-gency situations and thus improve plant safety andreliability.(11,12,5)
Control limits can be estimated effectively andefficiently by using any SPC charts.
No matter which control chart is chosen for aparticular process, the basic idea remains the same.In general, the chart contains a centerline that repre-sents the mean value for the in-control process. Twoother horizontal lines, called the UCL and the LCL,are also shown on the chart. These control limits arechosen so that almost all of the data points will fallwithin these limits as long as the process remains in-control. The theoretical basis of a control chart isshown in Fig. 3.
EWMA stands for exponentially weighted mov-ing average. EWMA is a statistic for monitoring theprocess that averages the data in a way that gives lessand less weight to data as they are further removedin time, as shown in Fig. 4. The statistic calculated isshown in Equation (1):(13)
EWMAt = Yt + (1 ) EWMAt1for t = 1, 2, 3 . . . n, (1)
EWMAt is the mean of historical data (target)Yt is the observation at time tn is the number of observations to be moni-
tored including EWMA0
Fuzzy-Logic-Based Safety Verification Framework for Nuclear Power Plants 1131
0 < 1 is a constant that determines thedepth of memory of the EWMAt .
In this project, we will be using EWMA tech-nique as it is best suited for processes where the dataset is not constant and where the older data valuesare not as important as the recent ones.
2.2. Step 2: Hazard Identification
A hazard, in simple words, can be defined as asituation having a potential to cause harm.(14) In alittle more detail, it could be best described as anunsafe physical condition which is always in one ofthe three modes: dormant (unable to cause harm),armed (able to cause harm), and active (causing in-jury, death, and/or damage by releasing unwantedenergy).(15) It is very clear from this definition thathazards, in any form, are highly undesirable. Thuspredicting and identifying hazards, so that they maybe stopped before causing any harm, is the main ob-jective of this block of the framework.
Once the control limits are estimated, the nextstep is to identify the potential hazards. There is nodirect interconnection between the control limit es-timation step and the hazard identification step, andany of the steps could be performed earlier. This re-port chooses the control limit estimation as the firststep followed by the hazard identification step.
Hazard identification is fundamental to the safedesign and operation of any system, be it a processplant or any other facility.(16) Thus, the hazards iden-tification block forms the second step of the frame-work. Hazard identification means checking for allthe hazardous conditions and hazardous events as-sociated with the machine. Hazard identification in-cludes predicting hazards, which may be caused bya process. These hazards can be mechanical, electri-cal, thermal, chemical, radiological, or environmen-tal in nature. There are a lot of hazard identificationtools available in the literature of hazard analy-sis. Some of the most common techniques are: haz-ard and operability analysis; failure mode and effectanalysis (FMEA); event tree analysis; fault tree anal-ysis; and what-if analysis.
Although there are many more techniques, itusually requires a combination of two or moretechniques to effectively predict and identify haz-ards. An effective risk analysis requires basic knowl-edge about possible risks, characteristics of poten-tial hazards, and comprehensive understanding ofthe associated cause-effect relationships, for nuclearfacilities.(9)
2.3. Step 3: Risk Estimation and Evaluation
Once the hazards are estimated, the next impor-tant step is to evaluate the risk. Risk can be defined asa combination of a predicted frequency of an unde-sired initiating event and the predicted damage suchan event might cause if the ensuing follow-up eventswere to occur.(17)
Again, there are many risk estimation methodsavailable that could be used in nuclear industries.Some of them are shown in detail in Refs (18) and(19). As per them, the risk estimation methods couldbe classified into three main categories: qualitative,quantitative, and hybrid. These are further subclas-sified into various methods depending upon the typeand the evaluation process. We shall be using the pro-portional risk assessment technique (PRAT) as illus-trated by Ref. (18) and (19). PRAT is a quantitativetechnique of risk evaluation that uses a proportionalformula for calculating the quantized risk because ofhazard. The risk is calculated considering the poten-tial consequences of an accident, the exposure factor,and the probability factor.(1822)
In general, risk associated with an event (Ri )could be understood as the product of the probabilityof that event ( fi ) and the magnitude of consequencescaused by the event (Di ):
Ri = fi Di . (2)Risk analysis consists of two distinct phases: a
qualitative step of identifying, characterizing, andranking hazards; and a quantitative step of risk eval-uation that includes the estimation of likelihood(frequencies) and consequences of hazards occur-rence.(13) Both the steps are equally important.
2.4. Step 4: Safety Verification
The main task performed in this step is to ver-ify whether the process is safe or not. At this step itis checked whether the actual risk associated with aprocess (calculated in the earlier step using PRAT)is above or below the allowable risk (or targetrisk/threshold risk [TR]). The process has to operatein accordance with the regulatory requirements listedin the Nuclear Safety and Control Act and those ofthe Canadian Nuclear Safety Commission. The pro-cess is verified as to whether it meets the various stan-dards and guidelines set in the Act.
If the calculated actual risk is below the TR, theprocess is said to be safe and no further action istaken until any further developments. But, if the cal-culated actual risk is above the TR, the process is
1132 Rastogi and Gabbar
not safe. The plant cannot be operated in an unsafemanner. Hence risk reduction techniques are used soas to reduce the risk below the TR limit. These riskreduction techniques are described in the followingsection.
Safety verification is carried out using fuzzy logic.A fuzzy logic rule base is created and the corre-sponding membership functions are defined. TheMATLAB fuzzy logic toolbox is used for buildingmembership functions. We will make use of the fuzzyinference system for verifying the process safety. It isa method that interprets the values in the input vec-tor and, based on user-defined rules, assigns values tothe output vector.
2.5. Step 5: Risk Reduction
The risk reduction block forms the last and the fi-nal block of the proposed framework. Whenever theactual risk is more than the TR,1 the process is un-safe.
It is required to reduce the risk to such an extentthat it is no longer greater than the TR. For risk re-duction, the following actio...