Nuclear Engineering and Design 241 (2011) 3967–3976
Contents lists available at ScienceDirect
Journal homepage: www.elsevier.com/locate/nucengdes

Review

Fuzzy methodology applied to Probabilistic Safety Assessment for digital system in nuclear power plants

Antonio César Ferreira Guimarães a,*, Celso Marcelo Franklin Lapa b,c, Maria de Lourdes Moreira b,c

a Instituto de Engenharia Nuclear (IEN), Divisão de Reatores, Via Cinco, s/n°, Cidade Universitária, Rua Hélio de Almeida, Postal Box 68550, 75 – Zip Code 21941-906 Rio de Janeiro, Brazil
b Programa de Pós-Graduação em Ciência e Tecnologia Nucleares do IEN, Brazil
c Instituto Nacional de C&T de Reatores Nucleares Inovadores, Brazil

* Corresponding author. Tel.: +55 21 21733899; fax: +55 21 21733909.

Article history: Received 2 September 2010; received in revised form 8 June 2011; accepted 25 June 2011.

0029-5493/$ – see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.nucengdes.2011.06.044

Abstract

A fuzzy inference system (FIS) modeling technique to treat a nuclear reliability engineering problem is presented. Recently, many nuclear power plants (NPPs) have performed a shift in technology to digital systems due to analog obsolescence and digital advantages. The fuzzy inference engine uses these fuzzy IF-THEN rules to determine a mapping of the input universe of discourse over the output universe of discourse based on fuzzy logic principles. The risk priority number (RPN) (typical of a traditional failure mode and effects analysis, FMEA) is calculated and compared to the fuzzy risk priority number (FRPN), obtained by the use of the scores from expert opinions. The digital feedwater control system was adopted as a practical example in the case study. The results demonstrated the potential of the inference system for this class of problem.

Contents

1. Introduction
2. Description of digital feedwater control system (DFWCS)
3. Description of fuzzy inference system approach
4. Application of the proposed approach to DFWCS
   4.1. Fuzzy membership function
   4.2. Fuzzy rule base application
5. Results
6. Conclusion
Acknowledgements
References

1. Introduction

Traditionally, nuclear power plants (NPP) have functions for monitoring, protecting and control that use analog systems. Some existing plants have replaced current analog systems while new plant designs have fully incorporated digital systems. The U.S. Nuclear Regulatory Commission (NRC) defined a digital system research plan that establishes a coherent set of research programs supporting regulatory needs. A deterministic engineering criterion is used in the current licensing process for digital systems. However, at present, there are no consensus methods for quantifying the reliability of digital systems. The objective of the NRC digital system risk research is to identify and develop methods, analytical tools, and regulatory guidance to support (1) NPP regulatory decisions using information on the risks of digital systems, and (2) including models of digital systems into NPP PRAs (Probabilistic Risk Assessments). An example of this type of method is the traditional Event Tree/Fault Tree (ET/FT) approach that does not explicitly model the interactions between the plant system that is being modeled and the plant physical processes, nor the exact timing of these interactions. In the past few years, methods and tools for probabilistic modeling of digital systems were investigated. The reviewing work in Chu et al. (2008) has analyzed operating experience,



developing failure rate estimates using Hierarchical Bayesian analysis, and performing failure modes and effects analyses (FMEAs) of digital systems. The experience has been acquired with the works presented in the review. The NRC together with the BNL (Brookhaven National Laboratory) has conducted research on the use of traditional reliability modeling methods for digital instrumentation and control (I&C) systems, which is one of the subjects of this paper.

Failure mode and effects analysis (FMEA) is an important technique (Stamatis, 1995) that is used to identify and eliminate known or potential failures to enhance reliability and safety of complex systems and is intended to provide information for making risk management decisions. A modified failure mode and effects analysis (FMEA) and knowledge base system (KBS) is proposed here to estimate the risk using scores from experts. Fuzzy logic system (Zadeh, 1987) is a name for the systems that have a relationship with fuzzy concepts (like fuzzy sets and linguistic variables) and fuzzy logic. The most popular fuzzy logic systems in the literature can be classified into three types: pure fuzzy logic systems, Takagi and Sugeno’s fuzzy system, and fuzzy logic systems with fuzzifier and defuzzifier (Wang, 1993). The methodology used in this paper was the fuzzy logic system with fuzzifier and defuzzifier, as used in most investigations, e.g. Pillay and Wang (2003), Xu et al. (2002) and Guimarães and Lapa (2004a,b). In Guimarães and Lapa (2006), a methodology was developed which uses the risk priority number to scale any parameter characteristics of the system and a fuzzy inference system for estimating risk from expert opinion about the quantification of the variables.

The knowledge-based fuzzy systems allow a descriptive or qualitative representation of expressions such as “remote” or “high”, and incorporate symbolic statements that are more natural and intuitive than mathematical equations.

In this article, the new approach and concept are applied to the digital feedwater control system (DFWCS) of a two-loop pressurized water reactor (PWR). The DFWCS was analyzed in detail in Chu et al. (2008), including its function, components, associated controllers, dependencies and interfaces, and digital features, in order to gain a full understanding of the way the DFWCS and each of its relevant components operate. The failure modes of DFWCS components and the impact of each of them on the system function were determined by performing an FMEA. In the traditional Probabilistic Safety Assessment (PSA) study, operational, historic and failure data are absolute necessities; however, using the FMEA, the critical initiating events and their consequences can be determined from the experts’ opinions.

The three different levels of detail of the FMEA that can be studied for this system are defined as follows. The first level FMEA, named Top-Level (for the system level), includes the analysis of the whole DFWCS system. The second level of the FMEA includes modules of the DFWCS, with the major ones being the Main CPU, Backup CPU, Main Feedwater Valve (MFV) Controller, Bypass Feedwater Valve (BFV) controller, Feedwater Pump (FWP) controller, Pressure Differential Indication (PDI) controller, and the optical isolator that is related to the watchdog timer (WDT) signal. The third level (the lowest level or components) is the one in which more probabilistic data were available from publicly available sources.

In this paper, the first level (named Top-Level) as well as the FWP controller, a main module of the DFWCS, was considered for applying the proposed approach. In a future paper the second level (Level of Module) combined with the third level (Level of Components) of the Main CPU will be considered.

The proposed new approach combines FMEA and fuzzy logic and is named Fuzzy FMEA; the set of results demonstrated the great adherence of the Fuzzy FMEA approach to this kind of problem. It also endorses the advantages of using a fuzzy inference system to model the uncertainty parameters levels in risk analysis.


2. Description of digital feedwater control system (DFWCS)

The test case for applying the proposed approach involves a digital feedwater control system (DFWCS) of a two-loop pressurized water reactor. Each of the two reactor-coolant loops contains a reactor coolant pump and a steam generator (S/G). The main feedwater system (FWS) consists of steam-turbine-driven Feedwater Pumps (FWPs), minimum flow control valves, a pump-seal water system, main feedwater regulating valves (MFRVs), bypass feedwater regulating valves (BFRVs), high-pressure feedwater heaters, and associated piping and instrumentation. The feedwater of each secondary loop is controlled by a DFWCS, which is described in detail in Chu et al. (2008) in Section 4. During plant operation, the function of the FWS is to remove heat from the primary system by providing feedwater to the S/Gs. Degradation that exceeds certain operational parameters or total loss of the FWS during this operation causes a reactor trip. The plant contains two secondary loops; the feedwater in each loop is controlled by an identical DFWCS, so that the analysis of a single DFWCS is applicable to the other. When the plant is in the power operation mode, a DFWCS automatically controls the feedwater in its associated secondary loop, unless the plant operators have set the DFWCS in the manual mode. For the purpose of this study, failure of a DFWCS is defined as loss of automatic and manual control of its related loop. This loss is assumed to cause a reactor trip because it can result in undesired impacts.

Section 4 provides a functional and physical overview of a digital feedwater control system (DFWCS) of an operating nuclear power plant (NPP). The information is the basis for performing failure modes and effects analysis (FMEA). The NPP has two units, each consisting of two reactor coolant loops. There are a reactor coolant pump and a steam generator (S/G) for each reactor coolant loop.

Fig. 1 presents a simplified diagram of the FWS (without mini-flow valves, seal water system, and high pressure feedwater heater) which shows the location of some of the sensors that provide input to the DFWCSs of the two FWS trains. Note that the two trains of the FWS are aligned together at the discharge as well as the suction of the FWPs. The sensors from the reactor coolant loops are shared by the DFWCSs of the two FWS trains. Typically, the FWS is manually controlled below 2% power and automatically controlled by the DFWCS above 2%. It has two automatic modes of operation, low (2–15%) and high (above 15%) power, operating in three-element (S/G level, feedwater flow, and steam flow) and single-element (S/G level) controls, respectively. Fig. 2 is a simplified diagram that shows only one of the reactor coolant loops with its associated DFWCS. System level description, Control Modes and algorithms, Description of Azonix µMAC 7000 Controllers and Fischer & Porter 53MC5000 Controllers, Dependencies and Interfaces, and Digital Features of the DFWCS, can be found in detail in Chu et al. (2008).

3. Description of fuzzy inference system approach

The “pure fuzzy logic system” is the system where the fuzzy rule base consists of a collection of fuzzy IF-THEN rules, and the fuzzy inference engine uses these fuzzy IF-THEN rules to determine a mapping from fuzzy sets in the input universe of discourse $U \subset R^n$ to fuzzy sets in the output universe of discourse $V \subset R$ based on fuzzy logic principles. The fuzzy IF-THEN rules are of the following form, Eq. (1):

$$R^{(l)}: \text{IF } x_1 \text{ is } F_1^l \text{ and } \ldots\ x_n \text{ is } F_n^l, \text{ THEN } y \text{ is } G^l \qquad (1)$$

where $F_i^l$ and $G^l$ are fuzzy sets, $x = (x_1, \ldots, x_n)^T \in U$ and $y \in V$ are input and output linguistic variables, respectively, and $l = 1, 2, \ldots, M$. Practice has shown that these fuzzy IF-THEN rules provide a convenient framework to incorporate human experts’ knowledge. Each fuzzy IF-THEN rule (Eq. (1)) defines fuzzy set $F_1^l \times \ldots \times F_n^l \Rightarrow G^l$ in the product space $U \times V$. In order to use the “pure fuzzy logic system” in engineering systems, where inputs and outputs are real-valued variables, the most straightforward way is to add a fuzzifier to the input and a defuzzifier to the output of the pure fuzzy logic system. The fuzzifier maps crisp points in U to fuzzy sets in U, and the defuzzifier maps fuzzy sets in V to crisp points in V. The fuzzy rule base and fuzzy inference engine are the same as those in the pure fuzzy logic system. In the literature, this fuzzy logic system is often called the fuzzy logic controller since it has been mainly used as a controller. It was first proposed by Mamdani and Assilian (1975), and has been successfully applied to a variety of industrial process and consumer products. A detailed description of this fuzzy logic system can be found in Wang (1993).

Fig. 1. A simplified diagram of the feedwater system. Source: Chu et al. (2008).

Fig. 2. One of the reactor coolant loops with its associated DFWCS. Source: Chu et al. (2008).

Table 1. Traditional scales for risk priority number parameters.

| Occurrence (O), Severity (S) and not Detection (D) | Probability of not Detection (%) (D) | Rating |
|---|---|---|
| Remote | 86–100 | 1 |
| Low | 76–85 and 66–75 | 2 and 3 |
| Moderate | 56–65, 46–55 and 36–45 | 4, 5 and 6 |
| High | 26–35 and 16–25 | 7 and 8 |
| Very High | 6–15 and 0–5 | 9 and 10 |

4. Application of the proposed approach to DFWCS

Initially, an “expert” with knowledge domain on the analyzed system was adopted. The selected specialist belongs to the reliability engineering and can participate in other domains. In a first moment, a traditional FMEA using the risk priority number (RPN) ranking system was carried out. Mathematically, RPN is represented as Eq. (2):

$$\mathrm{RPN} = O \times S \times D \qquad (2)$$

where “O” represents the probability of occurrence, “S” represents the severity of the failure, and “D” represents the probability of not detection of the failure. The values for O, S, and D are obtained by using the scaled values presented in Table 1 (Xu et al., 2002; Pillay and Wang, 2003). The expert in the FMEA analysis was the same person initially adopted.

Table 2. Top-Level FMEA of DFWCS. Mode of operation of the plant: power operation. Mode of operation of the MFW: high power.

| Failure mode | Detection of failure mode | Failure effect on main feedwater system | O | S | D |
|---|---|---|---|---|---|
| No or “low” signal from DFWCS to controlled components | Indications in control room of low feedwater flow and low level in steam generator | Low level in SGs can cause reactor trip | 3 | 7 | 2 |
| | | Reduction of level in SG(s) can possibly contribute to steam generator tube rupture (SGTR) | 3 | 10 | 2 |
| “High” signal from DFWCS to controlled components | Indications in control room of high feedwater flow and high level in SGs | Excessive feedwater to steam generator(s) can cause reactor trip | 3 | 7 | 1 |
| Abnormal fluctuations of signal from DFWCS to controlled components | Depending on frequency and severity of fluctuations, operators in control room may be able to detect changes in feedwater flow and in level in SGs | Effects are expected to be similar to those resulting from the previous two failure modes | 4 | 8 | 4 |
| Failure to transfer to low-power mode when reactor power decreases below 15% and remains above 2% | Indication in control room of high level in SGs | A mismatch between the power produced by the reactor and the cooling of the SGs by the DFWCS. The mismatch may result in excessive feedwater to SGs causing a reactor trip | 4 | 7 | 5 |

Table 3. FMEA of FWP controller (FIC-4516/4517).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| Loss of analog input (Fail to 0.0 VDC) | | | |
| ANI0 (Main CPU Speed Demand) Fails to 0.0. ID = 1 | The display at the FWP controller will be low. A deviation alarm is activated at the controller when the Main CPU demand signal differs from the B/U CPU demand signal by greater than a setpoint, after a time delay. The deviation alarm status will be sent to the BFV controller which will send the alarm to the Plant Computer (PC). The CPU failures and deviation will be annunciated in the control room and sent to the PC. | The failed signal will be sent to the Lovejoy FWP speed controller which will detect the failure and maintain the FWP speed at pre-failure value. The failed signal is sent to the CPUs for tracking, and after a delay will cause the CPUs to be failed due to deviation logic. As a result, the MFV, BFV and FWP controllers will transfer to manual control. It is not likely that the FWP controller can be used to manually control the FWP in this condition. | Need to confirm operation of the Lovejoy controller. |

The system consists of the mechanical components (pumps, valves, heat exchangers, volume control tanks, and deionizers), instrumentation, and controls, necessary to perform these functions.

A failure modes and effects analysis (FMEA) was performed to determine the effects of failure of the major system components. Each FMEA included the following items:

(a) Failure mode: the basic manner(s) that a system may fail or cease to perform as designed. The failure modes for this system were consistent with those used in industry reliability.

(b) Failure cause: the particular type of degradation mechanisms, which may cause the system to fail (stresses).

(c) Failure effects: the effects on the DFWCS system due to the system failure.

(d) Detection methods: functional indicators or system and plant operating characteristics, which would alert the operator of system failure.

The Top-Level of FMEA for digital feedwater control system (DFWCS) is summarized in Table 2. FMEA of FWP (Level of Module) is presented in Tables 3–10. The FMEA was developed in Chu et al. (2008); this paper adds the numbers for O, S and D, defined by the experts as a result of the work developed.

4.1. Fuzzy membership function

Making use of the toolbox simulator of MatLab (2000), the expert was invited to define each membership function and the values in the universe of discourse using the interpretations of the linguistic terms described in Table 11 (Pillay and Wang, 2003). The expert chose the triangular membership function (a, b, c). After that, the expert may answer the following question: “Which elements x(a, b, c) have the degree of membership $\alpha_a$ = zero, $\alpha_b$ = one and $\alpha_c$ = zero”. Direct methods with one expert (Klir and Yuan, 1995) were used. The linguistic terms describing the input are Remote (R), Low (L), Moderate (M), High (H) and Very High (VH), and for output risk are Low (l), Moderate (mod), and high (h), both linguistic terms with small variations. The membership functions with ten linguistic terms to input are shown in Fig. 3. Fig. 4 shows the ten membership functions for output. The graphical representation of membership function to occurrence, severity, and not detection are identical in the Top-Level and FWP cases, and only one occurrence was shown.

Table 4. FMEA of FWP controller (FIC-4516/4517) (cont’d).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| ANI2 (Bias Signal from Potentialmeter, also sent to the CPUs) Fails to 0.0. ID = 2 | The BFV controller will send an alarm to the Plant Computer, upon receipt of the Bias Potential Rate Alarm from the FWP controller. | The failed signal corresponds to a −100% bias. The rate of change of the bias is monitored by the FWP controller, and if a pre-set limit is exceeded, the FWP controller switches to manual mode with the pre-failure value, and a Bias Potential Rate Alarm signal is sent to the BFV controller via the Microlink connection. The BFV controller will then send the alarm to the Plant Computer. | The bias signal is also sent to the Main and B/U CPUs where it is added to the calculated pump speed. It is assumed that the failure is a local failure and a correct signal is sent to the CPUs. |
| ANI3 (B/U CPU Speed Demand) Fails to 0.0. ID = 3 | A deviation alarm at the controller is activated when the Main CPU demand signal differs from the B/U CPU demand signal by greater than a settable, predetermined setpoint after a time delay. The deviation alarm is also sent to the BFV controller via Microlink, and the BFV controller will send it to the Plant Computer. | The controller will continue sending the demand from the Main CPU to its output, and the system operation is not affected. | |

Table 5. FMEA of FWP controller (FIC-4516/4517) (cont’d).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| Loss of analog output (Fail to 0.0 VDC) | | | |
| ANO0 (Output to the Lovejoy Control System) Fails to 0.0. ID = 4 | The CPU failures and deviation will be detected by the BFV controller which will activate an annunciator in the control room and send the alarm to the Plant Computer. | The failed signal will be sent to the Lovejoy FWP speed controller which will detect the failure and maintain the FWP speed at pre-failure value. The failed signal is sent to the CPUs for tracking, and after a time delay will cause the CPUs to be failed due to deviation logic. As a result, the MFV, BFV and FWP controllers will transfer to manual control. A complete loss of automatic control will take place. It is not likely that the FWP controller can be used to manually control the FWP in this condition. The FWP has to be manually controlled using the Lovejoy controller. | Need to confirm operation of the Lovejoy controller. |
| ANO2 (Bias Potential Excitation) Fails to 0.0 (This failure mode is also applicable to failure to 0.0 of the potential meter.) ID = 5 | The BFV controller will send an alarm to the Plant Computer, upon receipt of the Bias Potential Rate Alarm from the FWP controller. | The failed signal corresponds to a −100% bias. The rate of change of the bias is monitored by the FWP controller, and if a pre-set limit is exceeded, the FWP controller switches to manual mode with the pre-failure value, and a Bias Potential Rate Alarm signal is sent to the BFV controller via the Microlink connection. The BFV controller will then send the alarm to the Plant Computer. | The failed bias signal is also sent to the Main and B/U CPUs where it is added to the calculated pump speed. At the CPU, a FWP bias deviation logic is used to detect out of range condition of the signal. It is probably not going to initiate an alarm, because the bias should be in the expected range. The output of the CPUs will not be used by the FWP controller which is in manual. |
Table 6. FMEA of FWP controller (FIC-4516/4517) (cont’d).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| Digital Inputs Fail Open | | | |
| CCI0 (B/U CPU Power Fail or in Test) Fails Open. ID = 6 | The controller will indicate that the B/U CPU is failed, and the B/U CPU status will be sent through Microlink to the BFV controller which will activate an alarm to the Plant Computer. | The controller will block the B/U CPU demand signal from its output. System operation will not be affected. | The signal is normally closed indicating the B/U CPU is OK. The B/U CPU status is not sent back to the CPUs. This is true for the BFV controller also. |
| CCI1 (B/U CPU Fail) Fails Open. ID = 7 | None. | The operation is not affected unless other failures occur. | The signal is normally open indicating the B/U CPU is OK. |
| CCI2 (Main CPU Power Fail or in Test) Fails Open. ID = 8 | The BFV controller will actuate an alarm to the Plant Computer. | Failover from the Main CPU to the B/U CPU will take place. The controller will send a Main CPU Fail signal to the BFV controller through Microlink. The Main CPU status is not sent back to the CPUs and the CPUs do not know that the controller thinks the Main CPU has failed. The Main CPU continues thinking it is in control, and the B/U CPU continues tracking the output of the controller. Therefore, the FWP demand may remain unchanged, i.e., a loss of automatic control, until the Main CPU detects a deviation and fails itself, and the B/U CPU takes over. It is probably not likely that a reactor trip takes place due to loss of FWP control. | The signal is normally closed indicating the Main CPU is OK. It is assumed that the Main CPU status information to other controllers is correct. |
| CCI3 (Main CPU Fail) Fails Open. ID = 9 | None. | The controller does not have the | The signal is normally open |

.2. Fuzzy rule base application

Since there are three factors, occurrence, severity and not detec-ion, and ten linguistic terms describing each factor, the totalumber of rules is up to 1000 (or else, 10 × 10 × 10).

able 7MEA of FWP controller (FIC-4516/4517) (cont’d).

Failure mode Detection of failure mode Failu

Digital Inputs Fail OpenCCI0 (B/U CPU Power Fail or in

Test) Fails ClosedID = 10

None. The

corroperfailu

CCI1 (B/U CPU Fail) Fails ClosedID = 11

The controller will indicate that theB/U CPU is failed, and the B/U CPUstatus will be sent through Microlink tothe BFV controller which will activatean alarm to the Plant Computer.

The

demoperothe

CCI2 (Main CPU Power Fail orin Test) Fails ClosedID = 12

None. The

corroperfailu

CCI3 (Main CPU Fail) FailsClosedID = 13

The BFV controller will actuate anannunciator in the control roomindicating the Main CPU Fail.

FailoCPUsendcontCPUand

contfailethinCPUthe

demlossMaiitselprobtake

correct status of the Main CPU. Theoperation is not affected unless otherfailures occur.

indicating the Main CPU is OK.

For illustration effect, the number of rules in the base (FRBS –fuzzy rule base system) was simplified for this application, and the

FIS was developed using experts and the values of the RPN fromFMEA methodology. We must take care with wrong interpretationswith number of rules used in this preliminary phase because the

re effects Comments

controller does not have theect status of the B/U CPU. Theation is not affected unless otherres occur.

The signal is normally closed indicatingthe B/U CPU is OK.

controller will block the B/U CPUand signal from its output. Systemation will not be affected unlessr failures take place.

The signal is normally open indicatingthat the CPU is OK.

controller does not have theect status of the Main CPU. Theation is not affected unless otherres occur.

The signal is normally closed.

ver from the Main CPU to the B/U will take place. The controller will

a Main CPU Fail signal to the BFVroller through Microlink. The Main

status is not sent back to the CPUsthe CPUs do not know that theroller thinks the Main CPU hasd. The Main CPU continuesking it is in control, and the B/U

continues tracking the output ofcontroller. Therefore, the FWPand may remain unchanged, i.e., a

of automatic control, until then CPU detects a deviation and failsf, and the B/U CPU takes over. It isably not likely that a reactor trips place due to loss of FWP control.

The signal is normally open indicatingthe Main CPU is OK. It is assumed thatthe Main CPU status information toother controllers is correct.


FIS presented in this study was created for specific inference using the data set from Tables 2 and 3–10, and for future inferences using a new data set, different rules can easily be considered in the FRBS. Fig. 5 shows the Mamdani inference system used in this work in the case of Top-Level FMEA of DFWCS. In the case of the FWP (Feedwater Pump) controller, the same Mamdani inference system was used, with a similar number of linguistic variables for input and output and an identical number of membership functions for each variable, but with a different number of rules (this Mamdani inference system is not shown here).

Table 8
FMEA of FWP controller (FIC-4516/4517) (cont’d).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| Digital Inputs Fail Open | | | |
| CCO0 (A/M Status to the Main CPU) Fails Open, ID = 14 | None. | A Manual status signal will be sent to the Main CPU. Assuming the Main CPU is in control, and the FWP controller is in auto, the Main CPU will switch to tracking mode and continue sending its output to the FWP controller, with the controller remaining in Auto. The B/U CPU will continue with its tracking also. There will be no Transfer Inhibit Alarm. The automatic control is effectively lost. The output of the controller may drift with no direct indication. | The signal is normally closed when in auto mode. Need to confirm whether or not there will be a Transfer Inhibit Alarm. |
| CCO1 (A/M Status to the B/U CPU) Fails Open, ID = 15 | None. | Assuming the Main CPU is in control and the controller is in auto, the operation will not be affected. There will be no Transfer Inhibit Alarm. | The signal is normally closed when in auto mode. Need to confirm whether or not there will be a Transfer Inhibit Alarm. |
| Digital Outputs Fail Closed | | | |
| CCO0 (A/M Status to the Main CPU) Fails Closed, ID = 16 | None. | The system operation is not affected unless other failures occur. | The signal is normally closed when in auto mode. |
| CCO1 (A/M Status to the B/U CPU) Fails Closed, ID = 17 | None. | If the Main CPU is in control, and the controller is in auto, then the system operation is not affected. | The signal is normally closed when the controller is in auto. |

Table 9
FMEA of FWP controller (FIC-4516/4517) (cont’d).

| Failure mode | Detection of failure mode | Failure effects | Comments |
|---|---|---|---|
| ID = 17 | | If the B/U CPU is in control, and the operator changes the controller to manual, the B/U CPU will not be able to detect it. The B/U CPU continues sending its FWP demand to the controller, until the deviation between the FWP demand calculated by the B/U CPU and the FWP controller output exceeds the setpoint, when the B/U CPU will fail and the FWP controller will transfer to manual. | |
| Loss of power to controller | | | |
| Loss of power, ID = 18 | The FWP controller will be off. | All analog outputs fail to 0. All digital outputs fail to Open status. The failed signal will be sent to the Lovejoy FWP speed controller which will detect the failure and maintain the FWP speed at pre-failure value. The failed signal is sent to the CPUs for tracking, and after a delay will cause the CPUs to be failed due to deviation logic. As a result, the MFV, BFV and FWP controllers will transfer to manual control. | Need to confirm operation of the Lovejoy controller. |

The rules defined and used in the case of Top-Level are presented in verbose form:

1. If (occurrence is L2) and (severity is H1) and (not detection is L1) then (risk is mi) (1)

2. If (occurrence is L2) and (severity is VH2) and (not detection is L1) then (risk is vl) (1)

3. If (occurrence is L2) and (severity is H1) and (not detection is R) then (risk is U) (1)

4. If (occurrence is M1) and (severity is H2) and (not detection is M1) then (risk is h) (1)

5. If (occurrence is M1) and (severity is H1) and (not detection is M2) then (risk is M-h) (1)

6. If (occurrence is M3) and (severity is VH2) and (not detection is R) then (risk is vl) (1)

The rules defined and used in the case of the FWP controller are presented in verbose form:

1. If (occurrence is L2) and (severity is VH1) and (not detection is R) then (risk is mi) (1)

2. If (occurrence is L1) and (severity is M2) and (not detection is L1) then (risk is U) (1)


3. If (occurrence is L2) and (severity is L1) and (not detection is L1) then (risk is U) (1)

4. If (occurrence is L1) and (severity is VH1) and (not detection is L1) then (risk is mi) (1)

5. If (occurrence is R) and (severity is M3) and (not detection is M1) then (risk is U) (1)

6. If (occurrence is L2) and (severity is L1) and (not detection is R) then (risk is U) (1)

7. If (occurrence is R) and (severity is L1) and (not detection is VH2) then (risk is U) (1)

8. If (occurrence is L2) and (severity is R) and (not detection is R) then (risk is U) (1)

9. If (occurrence is R) and (severity is R) and (not detection is VH2) then (risk is U) (1)

10. If (occurrence is L1) and (severity is H1) and (not detection is VH2) then (risk is M-h) (1)

11. If (occurrence is L1) and (severity is M2) and (not detection is L1) then (risk is U) (1)

12. If (occurrence is L1) and (severity is L1) and (not detection is M2) then (risk is U) (1)

13. If (occurrence is L1) and (severity is L1) and (not detection is L1) then (risk is U) (1)

14. If (occurrence is L1) and (severity is M1) and (not detection is H1) then (risk is vl) (1)

15. If (occurrence is L1) and (severity is L1) and (not detection is H1) then (risk is mi) (1)

16. If (occurrence is L1) and (severity is R) and (not detection is H2) then (risk is U) (1)

17. If (occurrence is L1) and (severity is L1) and (not detection is H2) then (risk is mi) (1)

18. If (occurrence is R) and (severity is VH2) and (not detection is R) then (risk is U) (1)

Table 10
FMEA (Level of Module) of FWP controller (FIC-4516/4517).

| ID | O | S | D |
|---|---|---|---|
| 1 | 3 | 9 | 1 |
| 2 | 2 | 5 | 2 |
| 3 | 3 | 2 | 2 |
| 4 | 2 | 9 | 2 |
| 5 | 1 | 6 | 4 |
| 6 | 3 | 2 | 1 |
| 7 | 1 | 2 | 10 |
| 8 | 3 | 1 | 1 |
| 9 | 1 | 1 | 10 |
| 10 | 2 | 7 | 10 |
| 11 | 2 | 5 | 2 |
| 12 | 2 | 2 | 5 |
| 13 | 2 | 2 | 2 |
| 14 | 2 | 4 | 7 |
| 15 | 2 | 2 | 7 |
| 16 | 2 | 1 | 8 |
| 17 | 2 | 2 | 8 |
| 18 | 1 | 10 | 1 |

Fig. 3. Membership function generated by the expert for occurrence (identical for severity and not detection).

Table 11
Interpretations of the linguistic terms for developing the fuzzy rule system.

| Linguistic term | Estimated occurrence probability | Severity | Detection |
|---|---|---|---|
| Remote | It would be very unlikely for these failures to be observed even once | A failure that has no effect on the system performance, the operator probably will not notice | Defect remains undetected until the system performance degrades to the extent that the task will not be completed |
| Low | Likely to occur once, but unlikely to occur more frequently | A failure that would cause slight annoyance to the operator, but that would cause no deterioration to the system | Defect remains undetected until system performance is severely reduced |
| Moderate | Likely to occur more than once | A failure that would cause a high degree of operator dissatisfaction or that causes noticeable but slight deterioration in system performance | Defect remains undetected until system performance is affected |
| High | Near certain to occur at least once | A failure that causes significant deterioration in system performance and/or leads to minor injuries | Defect remains undetected until inspection or test is carried out |
| Very High | Near certain to occur several times | A failure that would seriously affect the ability to complete the task or cause damage, serious injury or death | Failure remains undetected, such a defect would almost certainly be detected during inspection or test (Fig. 3) |

Table 12
Ranking comparison between RPN and Fuzzy approach of DFWCS Top-Level.

| ID | RPN | Fuzzy | Ranking RPN | Ranking Fuzzy |
|---|---|---|---|---|
| 1 | 42 | 1.9667 | 4º | 4º |
| 2 | 60 | 2.9697 | 3º | 3º |
| 3 | 21 | 1.0000 | 5º | 5º |
| 4 | 128 | 5.9412 | 2º | 2º |
| 5 | 140 | 6.9313 | 1º | 1º |

5. Results

The results for the RPN and fuzzy approaches are presented in Tables 12 and 13. “ID” identifies the five events described in the Top-Level FMEA of DFWCS, and the eighteen in the case of the FWP controller. RPN and Fuzzy are the risk numbers, and Ranking RPN and Ranking Fuzzy are the rankings of the RPN and fuzzy methodology, respectively. The results with the fuzzy methodology confirm the results obtained with FMEA analysis (see Table 12). High level of uncertainty in the


safety analysis data could represent a problem. The Fuzzy methodology classified events (identified as ID) from 1 through 18 into four groups. The first place (1º) identified was event number 10, the second place (2º) was event number 14, and the third (3º) comprised events 1, 4, 15 and 17. The remaining events (2, 3, 5, 6, 7, 8, 9, 11, 12, 13, 16, and 18) were placed in the fourth group (4º). The first, second and third places confirm the result obtained with the analysis of the traditional FMEA.

Fig. 4. Membership function for the risk generated by expert.

Fig. 5. Mamdani inference system.

Considering the two studies, the classification obtained is equal in the first, second and third places. Absence of a more realistic


situation in the case of the FMEA analysis, using numbers for the risk compared to linguistic variables, can thus lead to classification errors. A greater number of events are classified as third and fourth place in the case of Fuzzy FMEA. This is due to the use of the linguistic variable that groups some events. Furthermore, the Fuzzy FMEA methodology is presented as promising in the case of lack of data when compared with FMEA analysis and as an alternative to a reliability study aiming at obtaining a PSA.

Table 13
Ranking comparison between RPN and Fuzzy approach of FWP controller.

| ID | RPN | Fuzzy | Ranking RPN | Ranking Fuzzy |
|---|---|---|---|---|
| 1 | 27 | 1.97 | 6º | 3º |
| 2 | 20 | 1.00 | 8º | 4º |
| 3 | 12 | 1.00 | 10º | 4º |
| 4 | 36 | 1.97 | 3º | 3º |
| 5 | 24 | 1.00 | 7º | 4º |
| 6 | 6 | 1.00 | 13º | 4º |
| 7 | 20 | 1.00 | 8º | 4º |
| 8 | 3 | 1.00 | 14º | 4º |
| 9 | 10 | 1.00 | 11º | 4º |
| 10 | 140 | 6.93 | 1º | 1º |
| 11 | 20 | 1.00 | 8º | 4º |
| 12 | 20 | 1.00 | 8º | 4º |
| 13 | 8 | 1.00 | 12º | 4º |
| 14 | 56 | 2.97 | 2º | 2º |
| 15 | 28 | 1.97 | 5º | 3º |
| 16 | 16 | 1.00 | 9º | 4º |
| 17 | 32 | 1.97 | 4º | 3º |
| 18 | 20 | 1.00 | 8º | 4º |
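The Mamdani scheme of Sections 4.1 and 4.2 applied to the FWP controller data, as an added example that is not the authors' MatLab model: it computes the RPN and a fuzzy score for each row of Table 10, ranks both, and shows what happens to an input the reduced rule base does not cover. Assumed here: input terms R to VH2 peak at scores 1 to 10 and output terms U, mi, vl, h, M-h at 1, 2, 3, 6, 7 (read off the listed rules and Tables 10, 12 and 13), triangles of half-width 1, and an output universe of [0, 10], so the scores come out as 1.00, 2.00, 3.00 and 7.00 rather than the 1.00, 1.97, 2.97 and 6.93 of Table 13.

```python
# Added example: Mamdani inference over the FWP controller FMEA (Table 10).
IN_TERMS = ["R", "L1", "L2", "M1", "M2", "M3", "H1", "H2", "VH1", "VH2"]
IN_PEAK = {t: i + 1 for i, t in enumerate(IN_TERMS)}     # assumed: R=1 ... VH2=10
OUT_PEAK = {"U": 1, "mi": 2, "vl": 3, "h": 6, "M-h": 7}  # assumed from Tables 12-13

# The 18 FWP controller rules listed on the page:
# occurrence, severity, not detection, risk
RULES_TXT = """
L2 VH1 R mi | L1 M2 L1 U  | L2 L1 L1 U  | L1 VH1 L1 mi  | R M3 M1 U   | L2 L1 R U
R L1 VH2 U  | L2 R R U    | R R VH2 U   | L1 H1 VH2 M-h | L1 M2 L1 U  | L1 L1 M2 U
L1 L1 L1 U  | L1 M1 H1 vl | L1 L1 H1 mi | L1 R H2 U     | L1 L1 H2 mi | R VH2 R U
"""
RULES = [tuple(r.split()) for r in RULES_TXT.replace("\n", "|").split("|") if r.strip()]

# Table 10 scores (O, S, D) for IDs 1..18, in order.
TABLE10 = ("3 9 1, 2 5 2, 3 2 2, 2 9 2, 1 6 4, 3 2 1, 1 2 10, 3 1 1, 1 1 10, "
           "2 7 10, 2 5 2, 2 2 5, 2 2 2, 2 4 7, 2 2 7, 2 1 8, 2 2 8, 1 10 1")
SCORES = {i + 1: tuple(map(int, row.split())) for i, row in enumerate(TABLE10.split(","))}

GRID = [k / 100 for k in range(1001)]  # assumed output universe [0, 10]


def tri(x, peak, half=1.0):
    """Triangular membership (a, b, c) = (peak - half, peak, peak + half)."""
    return max(0.0, 1.0 - abs(x - peak) / half)


def frpn(o, s, d):
    """Fuzzy RPN: min for AND, clipped consequents, max aggregation, centroid."""
    fired = {}
    for t_o, t_s, t_d, risk in RULES:
        w = min(tri(o, IN_PEAK[t_o]), tri(s, IN_PEAK[t_s]), tri(d, IN_PEAK[t_d]))
        fired[risk] = max(fired.get(risk, 0.0), w)
    if not any(fired.values()):
        return None  # the reduced rule base does not cover this input
    mu = [max(min(w, tri(x, OUT_PEAK[r])) for r, w in fired.items()) for x in GRID]
    return sum(x * m for x, m in zip(GRID, mu)) / sum(mu)


def dense_rank(values):
    """Rank from highest value; ties share a place, as in Tables 12 and 13."""
    order = sorted(set(values.values()), reverse=True)
    return {k: order.index(v) + 1 for k, v in values.items()}


def compare():
    """Return RPN, RPN rank, fuzzy score and fuzzy rank for every Table 10 row."""
    rpn = {i: o * s * d for i, (o, s, d) in SCORES.items()}
    fuzzy = {i: round(frpn(*osd), 2) for i, osd in SCORES.items()}
    return rpn, dense_rank(rpn), fuzzy, dense_rank(fuzzy)


if __name__ == "__main__":
    rpn, r_rank, fuzzy, f_rank = compare()
    for i in SCORES:
        print(f"ID {i:2d}  RPN {rpn[i]:3d} ({r_rank[i]:2d})  fuzzy {fuzzy[i]:.2f} ({f_rank[i]})")
    print("re-scored (2, 1.5, 8):", frpn(2, 1.5, 8))  # blends rules 16 and 17
    print("uncovered (2, 3, 7):", frpn(2, 3, 7))      # None: no rule fires
```

The fuzzy grouping reproduces the four groups reported in the Results. Computed from the Table 10 scores, ID 18 (O = 1, S = 10, D = 1) gives an RPN of 10, whereas Table 13 lists 20; its fuzzy group is unaffected.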

6. Conclusion

In this paper, a new approach was proposed using the “fuzzy inference system” (FIS) applied to estimate the fuzzy risk priority number (FRPN), using expert opinion to quantify linguistic variables. This article introduces in the nuclear area a new methodology able to support projects for new reactors through the fuzzy identification of critical systems and components and possible failure modes.

In order to exemplify the methodology, the extensive failure mode and effects analysis (FMEA) of the digital feedwater control system (DFWCS) was used in a nuclear power plant application. This was a simple and complete example, where a reduced number of rules in the knowledge base were necessary for mapping all analysis situations.

In the case of Top-Level, the methodology proposed confirms the results using the traditional FMEA analysis. The judgments of the experts using linguistic terms enable the experts to describe the situation more realistically. In the case of the FWP controller, the results are important to step 1 of the formal safety assessment, where only relative ranking order is necessary.

If a more detailed analysis is desired (step 2 of the formal safety assessment), some additional theory, like Grey relation theory, should be applied in order to classify a number of larger groups.

The advantages of the proposed fuzzy rule base for application to FMEA of DFWCS can be summarized as follows:


• This fuzzy approach (i) combines expert knowledge and experience for use in an FMEA study, and (ii) can be used for systems where safety data is unavailable or unreliable.

• Converting the traditional RPN scale into (i) linguistic variables with values defined as input by the expert is the ideal situation and (ii) does not force precision and allows use of the system by people without knowledge about the interpretations of these linguistic terms, therefore permitting the fuzzy system to be used in a simple way.

• If some change is made in part of the system or module of the system analyzed as a result of the FMEA study, new ranking results after improvements can be obtained quickly using the “fuzzy inference system” (FIS).

• The failures in the FMEA analysis have not prevented the system from responding as designed in an emergency situation, but have resulted in normal plant operation perturbations. These occurrences have resulted in unnecessary actuation and operation of other system components in response, causing unnecessary stresses. The Fuzzy FMEA approach assists in setting a more realistic risk.

Future work for risk will be presented in another paper considering the second level (Level of Module) and the lowest level (Level of Components) of the Main CPU of the DFWCS.

Acknowledgements

This research has been supported by CNPq (Conselho Nacional de Pesquisa e Desenvolvimento – National Council of Research and Development), FAPERJ (Fundação Carlos Chagas Filho de Amparo à Pesquisa do Estado do Rio de Janeiro – Research Support Foundation of State of the Rio de Janeiro) and FINEP (Financiadora de Estudos e Projeto – Financier of Studies and Project).

References

Chu, T.L., Martinez-Guridi, G., Yue, M., Lehner, J., Samanta, P., 2008. Traditional probabilistic risk assessment methods for digital systems. NUREG/CT-6962, BNL-NUREG-80141-2008.

Guimarães, A.C.F., Lapa, C.M.F., 2004a. Fuzzy FMEA applied to PWR chemical and volume control system. Prog. Nucl. Energy 44 (3), 191–213.

Guimarães, A.C.F., Lapa, C.M.F., 2004b. Fuzzy inference system for evaluating and improving nuclear power plant operating performance. Ann. Nucl. Eng. 31 (3), 311–322.

Guimarães, A.C.F., Lapa, C.M.F., 2006. Hazard and operability study using approximate reasoning in light-water reactors passive systems. Nucl. Eng. Des. 236, 1256–1263.

Klir, G.J., Yuan, B., 1995. Fuzzy Sets and Fuzzy logic: Theory and Application. Prentice Hall, New Jersey.

Mamdani, E.H., Assilian, S., 1975. An experiment in linguistic synthesis with a fuzzy logic controller. Int. J. Man-Machine Stud. 7 (1), 1–13.

MatLab 6, 2000. Users Guide of the Fuzzy Logic Toolbox.

Pillay, A., Wang, J., 2003. Modified failure mode and effects analysis using approximate reasoning. Reliab. Eng. Syst. Saf. 79, 69–85.

Stamatis, D.H., 1995. Failure Mode and Effects Analysis – FMEA from Theory to Execution. ASQC Quality Press, New York.

Xu, K., Tang, L.C., Xie, M., Ho, S.L., Zhu, M.L., 2002. Fuzzy assessment of FMEA for engine systems. Reliab. Eng. Syst. Saf. 75, 17–29.

Wang, L.X., 1993. Adaptive Fuzzy Systems and Control – Design and Stability Analysis. University of California at Berkeley, PTR Prentice Hall.

Zadeh, L.A., 1987. Fuzzy Sets and Applications: Selected Papers. Wiley, New York.