Nuclear Engineering and Design 240 (2010) 3550–3558

Contents lists available at ScienceDirect

Nuclear Engineering and Design

journal homepage: www.elsevier.com/locate/nucengdes

Integrated framework for safety control design of nuclear power plants

Hossam A. Gabbar
Faculty of Energy and Nuclear Science, University of Ontario Institute of Technology, 2000 Simcoe St. North, Oshawa, Ontario, Canada L1H7K4
E-mail address: [email protected].

Article history: Received 11 November 2009; Received in revised form 30 June 2010; Accepted 14 July 2010

Abstract

This paper presents an integrated framework for safety control analysis and design for nuclear power plants. It shows the use of process object-oriented modeling methodology (POOM) and fault models to integrate safety requirements, identified hazards, and fault propagation scenarios. A safety control design framework is proposed to show the integration between control systems and safety control design. Hierarchical control charts (HCC) are proposed to integrate process, control, and safety models along with the associated fault models in a systematic manner. Process and the associated process and control variables that are involved in safety control systems. The proposed safety control design framework will support the control design and operation of nuclear power plants, as well as the integration with cogeneration facilities such as hydrogen production.

© 2010 Elsevier B.V. All rights reserved.

0029-5493/$ – see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.nucengdes.2010.07.024

1. Introduction

Process controllers are responsible for executing the operating procedures of the underlying system to produce the target product or service in a steady, safe, and optimum manner. This means that process control systems should include aspects of process safety. On the other hand, safety systems are designed to ensure the overall safety of the underlying system against any possible hazard scenario. In a nuclear power plant (NPP), safety systems are represented in the form of independent layers of protection, or barriers. These layers could provide prevention or mitigation means for all possible hazards. Elements of safety systems are represented within process control systems as alarms, process limits, or control rules/constraints which are translated into control actions. Some of these control actions are dedicated to process control stability or dynamics, while other actions are for safety purposes, such as keeping the temperature in a steam generator within safety margins. From these two views, i.e. process control design and safety design, the overlap between them represents safety control design. There is a lack of a structured framework to support safety control design, which is important for the nuclear power industry. Currently, control and safety design practices are fragmented, and the gaps between them cause increased risk, cost, and production interruption in terms of frequent installation or upgrade of control or safety systems.

Traditionally, safety system design is implemented completely separately from control design (Davey, 2002). Control systems, as explained by many control and simulation experts, are distributed control systems that deal with single-output controllers for nuclear power plants, such as the case of CANDU (Bereznai, 2001a). In all nuclear power stations, control systems are specified and implemented separately from safety systems (Erickson and Hedrick, 1999). In particular, CANDU control design is specified separately from safety systems (Harber et al., 2010). Nuclear safety commissioning agencies require strict compliance with safety regulations and verification of all adopted safety systems. Control design is mainly based on specifying the main processes and identifying and analyzing control variables as manipulated, disturbance, and output control variables (Pérez et al., 1997). However, this should also include the possible deviations in each control variable and the possible propagation time, speed, and escalation factors, as well as the associated safety controls. In the case of safety systems such as shutdown systems, it is required to identify safety limits and adequate safety margins before activating the appropriate shutdown system. Simulation practices are used to adequately calculate safety margins such as steam level/pressure, moderator temperature, etc. (Futao et al., 2000). In fact, effective safety control design can optimize operating cost by optimizing safety margins to reduce unnecessary shutdown cases (O’Hara, 1994). This includes the human factors involved in plant operation, to ensure that safety margins are appropriately matched with the required operator actions (Moray and Huey, 1988; Lee and Seong, 2004). From the engineering and operating companies’ view, this might not be the case when adopting a new safety system or upgrading an existing system, where a systematic safety control design framework is required to reduce the time and effort in specifying the target safety system, and to reduce the cost and improve the accuracy by developing appropriate integration with existing safety and control systems.

Safety design is usually performed during process design, where safety limits are identified and appropriate safety protection systems are considered. Also, safety design is considered during plant operation, where plant modifications or expansion might require amending the safety design. This includes different aspects of safety design as explained by IEC-61508 as well as typical defence-in-depth concepts. In the case of safety control design, safety requirements are mapped into safety functions that are categorized into safety instrumented systems (SIS) and non-safety instrumented systems (non-SIS). Safety instrumented systems include input elements (sensors), logic solvers (controllers) and final elements (actuators/valves). An SIS is commonly referred to as a shutdown system or safety control system. Current practices for designing advanced safety control systems are focused on treating quantitative or deterministic safety analysis data. In addition, probabilistic safety data are used to estimate risks for identified hazard scenarios. There are limited efforts to integrate these two views in safety control design, and in particular to map safety control instructions.

One more challenge in current practice is to systematically formulate safety requirements, which are typically initiated from safety analysis of process safety margins. In addition, there are major limitations in linking safety requirements with the safety specification and implementation of shutdown systems. IEC61508 and IEC61511 are widely used to specify safety protection layers and the detailed design of shutdown systems (SIS).

In view of current practices, safety design is conducted by an engineering group who dictate the safety requirements to vendors, who implement the target safety system while confirming all safety requirements with nuclear safety commissioning agencies. These processes are not well described for operating companies and for researchers. On the other hand, safety systems require high attention in terms of verification and relatively long compliance validation from nuclear safety commissioning. The systematization and automation of safety control system design will support the validation and verification process, which will optimize design and implementation costs and time.

This paper describes a practical framework for safety control design as a smooth integration between process control design and safety control design. The following section describes the integrated control and safety framework, followed by a description of the modeling framework that integrates process design models with control and safety models. Section 4 describes control recipe design based on safety verification using a case study from a nuclear power plant.

Fig. 1. Integrated safety control system.

2. Safety control analysis

2.1. Proposed integrated system architecture

Typically, safety control systems are implemented as safety programmable logic controllers (SPLC) or as shutdown systems (SDS). These systems run completely independently from other control systems. The proposed approach is to develop a set of smart safety controllers that are dynamic and adaptive to any possible hazard situation that might arise during the operation of nuclear power plants. This includes situations like degradation in plant equipment, operator error, environmental hazards, etc. The identification of a risk scenario will trigger appropriate safety control actions that will be executed in the form of safety control instructions. In order to achieve the proposed target, an overview of the proposed safety control system is illustrated in Fig. 1.

Fig. 2. Integrated process control and safety.

In the proposed system, real-time and simulation data are used as inputs via distributed control systems (DCS), programmable logic controllers (PLC), or equipment controllers to analyze process/equipment/environment/human conditions and predict possible hazard scenarios. Risk levels are estimated for each possible scenario based on fault/failure propagation models and process models. Accordingly, appropriate safety control programs are activated to optimally shut down the power plant fully or partially and/or to move the plant to a safe state. To facilitate the modeling of fault propagation scenarios, POOM or plant process object-oriented modeling methodology is proposed to associate fault and safety models along with control and behavioral models. A fault semantic network (FSN) is used to structure fault models along with the associated process variables. Trends of related process variables are analyzed using a trend fusion algorithm (TFA) to extract features from all trends related to each fault scenario. Independent protection layers (IPL) and layers of protection analysis (LOPA) are used to analyze safety requirements and map them to safety systems. Finally, safety instructions are mapped to control programs that are implemented using international standards of control programming like IEC61131. To facilitate the systematic mapping from safety requirements into control programs, an engineering formal language (EFL) is proposed (Gabbar, 2007).

Fig. 3. Integrated safety control design framework.

Fig. 4. Mapping defence in depth to independent protection layers.

Table 1
Defence-in-depth levels.

Level 1: Prevention of abnormal operation and of malfunctions
Level 2: Control of abnormal operation and detection of malfunctions
Level 3: Control of accidents included in the design basis
Level 4: Control of severe accident conditions of the plant, including the prevention of accident progression and mitigation of consequences
Level 5: Mitigation of the environmental/radiological consequences of significant releases of harmful products

2.2. Integrated safety and control design

Based on the proposed system architecture for a typical integrated safety control system, it is required to explain a practical framework to integrate safety and control design. Typically, process control design goes through different stages starting from process design. Based on the control block diagram, control functions are defined. Control recipes are defined that are mapped to control systems (ISA-S88 Standard, 1995; ISA, 1995, 1996; Lamb et al., 2000). On the other hand, safety design starts with hazard identification, which is followed by risk assessment and treatment. This is followed by safety requirement specifications. The first layer of safety systems is inherent safety, where opportunities are considered to change the process design for safety purposes. Other safety functions are developed based on IPL or independent protection layers. This usually follows the concept of defence in depth, which is typically followed in nuclear power plants. Safety instrumented systems (SIS) or non-SIS are designed accordingly, and linked with the control function design stage. The proposed framework is illustrated in Fig. 2.

IEC61508 proposed a high-level process safety management framework that describes the basic steps to perform safety life cycle activities. The first step is to identify hazards using qualitative and quantitative methods, such as HAZOP, FTA, and FMEA. This step will identify the set of possible hazard scenarios along with the risks of worst case scenarios. Risk acceptance and treatment/mitigation analysis will be performed to suggest ways to reduce or mitigate risks for cases where risks are unacceptable.

2.3. Proposed safety control design framework

The safety control design framework shows the mapping between process design, control, and safety design. Fig. 3 shows the proposed framework, where safety requirements are mapped to process design and linked with fault models. On the other side, safety requirements are mapped to control system design to identify the specific needs for shutdown systems.

2.4. Safety control design and protection layers

The safety control design process is performed in an iterative manner via risk assessment and reduction practices using qualitative and quantitative risk assessment techniques. Some of the safety requirements are implemented as a set of safety design measures, e.g. inherent safety. Safety specifications will be examined in view of the independent protection layers (IPL), which include: IPL1: safety design; IPL2: basic process control/alarm; IPL3: critical alarm; IPL4: safety instrumented systems (SIS); IPL5: relief devices; IPL6: physical protection; IPL7: plant/site emergency procedures; and IPL8: community protection. These are developed based on the general framework of defence in depth, which is described in Table 1. The proposed mapping between IPL and defence in depth is shown in Fig. 4.

Fig. 4 shows the mapping between defence in depth and safety protection layers. It shows that the defence-in-depth levels are mapped to all safety protection layers, which is logical, since each defence-in-depth level should be covered by more than one protection layer.

3. POOM-based safety control design

In this section, safety control recipe design is presented based on the process object-oriented modeling methodology (POOM) and the hierarchical control chart (HCC) support tool.

Fig. 5. POOM-based process design, control design, and safety design.

Fig. 6. Activity modeling for safety verification and control recipe design.

3.1. POOM and process design

POOM or plant/process object-oriented modeling methodology is developed to facilitate the formulation and verification of process design (Gabbar, 2007). In this research, POOM is enhanced to cover process control and safety design, where process variables are linked with manipulated and disturbance variables within each structural model element and associated with safety requirements and procedures. POOM covers all process dimensions: static, dynamic, functional/operation, safety, and control. The static dimension includes facility, materials/products, topology, and human (Bereznai, 2001a). In other words, it includes the static elements of the underlying process. The dynamic dimension includes behavior models, which are represented as states, transitions, and messages. The operation dimension includes purposes and methods to be executed and evaluated as a response to an incoming message (Erickson and Hedrick, 1999; Futao et al., 2000). These three main views are the base of the traditional object-oriented modeling approach and can be used to model both the process (i.e. the controlled system) and the control system (i.e. the controller), as shown in Fig. 5. The complete model can be formalized as building blocks of structural static model elements; each is associated with operation, behavior, control, and safety model elements.

Fig. 7. Safety requirement hierarchy of NPP.

3.2. Activity modeling for safety verification and control recipe design

As part of control design, safety recovery actions, shutdown recovery actions and process control recovery actions are specified using ISA S88 standards (Davey, 2002; Moray and Huey, 1988; Lee and Seong, 2004; ISA S-88 Standard, 1995; ISA, 1995), where the general recipe, master recipe, and control recipe are synthesized for each safety and control action (O’Hara, 1994). Activity models are developed for the proposed safety control practice, as shown in Fig. 6. Process design modeling activities are developed on the basis of POOM or process object-oriented modeling methodology, which is used to express the nuclear power plant process as building blocks in a hierarchical manner on the basis of ISA-S88: site, cell, unit, and equipment (Davey, 2002). Each process block includes structural information such as input/output ports, materials, and other physical properties. In addition, each process block includes dynamic information such as process variables, states and the corresponding behavioral equations, and function and operational models. In order to systematically design the target control and safety systems, fault models are structured and specified within each process and control block. Such fault models are expressed in qualitative and quantitative forms and tuned using real-time operational data, simulation data, as well as human experience (Bereznai, 2001a). This is tuned using computational intelligence algorithms that are used to estimate risks at all levels dynamically with each design step and with consideration of all possible fault propagation scenarios.

3.3. Safety requirements analysis

The fundamental safety requirements are governed by the Canadian Nuclear Safety Commission (CNSC) and are based on the following Golden Rules: control of the reactivity; removal of heat from the core; and containment of the radioactivity. The removal of heat from the core function is correlated with the processes that occur in the Primary Heat Transport System (PHT). In such a system, the coolant is the working medium for the removal of heat from the core.

The coolant travels from the inlet of the reactor, through the fuel, and comes out with higher energy from the reactor outlet. The coolant is cooled by the working medium in the steam generator, called the feedwater. The coolant comes out with lower energy from the steam generator outlet, and the cycle begins again. In all these stages, safety requirements are concerned with the monitoring of coolant inventory, ensuring the removal of residual heat from the core, maintaining acceptable temperatures in the containing structures, and lastly ensuring that a heat sink is provided at high reliability. This safety requirement has been translated into control steps of maintaining the steam generator level at appropriate levels, as shown in Fig. 7. The maintenance of steam generator level, among other factors, will ensure that a heat sink is provided at high reliability. The case study will model the example of steam generator level maintenance throughout the rest of these processes.

Fig. 8. Simulation based safety control recipe synthesis framework.

Fig. 9. HCC for nuclear power plant.

4. Safety control recipe design framework

Safety procedures are synthesized in the form of safety control recipes, which are converted into control programs. The proposed framework for safety control program development is shown in Fig. 8. The process starts with safety requirements specification in generic and plant-specific form, where safety requirements are structured within a knowledge base. The safety requirement validation process will provide possible symptoms of failure and the corresponding general recipe for recovery. The control recipe will be generated based on failure analysis and the general recipe. The control recipe will be validated and accumulated into the knowledge base. Based on the IEC61131-3 standard languages, the corresponding control programs will be developed and translated into DCS/SIS systems.

Fig. 10. Shutdown systems SDS1 and SDS2 (Bereznai, 2001b).

Fig. 11. HCC for steam generator process and control.

4.1. Safety control design within HCC

The design of modern control systems starts with the analysis of control goals and the control hierarchy, which requires knowledge of all measured and control variables as well as the determination of all of the components, processes and their relations. Control design is systematized using the hierarchical control chart (HCC), which supports control designers in building control functions and block diagrams in a hierarchical manner, integrated with process design. HCC links process design models with the corresponding control models in a hierarchical manner using POOM and in view of ISA-S88 standards. The proposed automated hierarchical control chart is integrated with an interactive knowledge database that enables access to processes and parameters across the underlying process domain. Process and control information are stored in the database and captured at the different levels of the process and control hierarchy.

A standard legend for HCC is presented where blocks are marked with “P” for process blocks and “C” for control blocks. A numbering mechanism is proposed where hierarchical numbering is used, as in “P1.1”, “C1.2”, etc. HCC enables the control designer to construct the target control system as integrated with the underlying process, so that lines between control and process blocks identify the process–process, process–control, control–process, and control–control integration. This is essential to specify and validate the relationships between process variables, control variables, manipulated variables, and disturbance variables within each process and control block. The control blocks will be expanded hierarchically until reaching the lowest level, where control programs are specified in the form of function block diagrams (FBD) on the basis of IEC61131 standards (Morris, 2000; Toon, 2002). Fig. 9 shows an example of HCC representing a nuclear power plant connected to the electricity grid. HCC will provide detailed mapping between process variables, control variables and their relationships with safety requirements.

Fig. 12. Safety control program represented using FBD.

The lowest-level control programs are mainly the control recipe. For safety control design, safety control programs are designed based on the hazard scenario and the possible prevention, control, and mitigation scenarios. The next section describes the process of safety control recipe synthesis using safety requirements and process simulation.

5. Case study

Safety control design of a shutdown system is selected as a case study. The safety control recipe is the set of procedures required to execute safety actions, such as the shutdown operation. The Canadian National Safety Commissioning (CNSC) requires well-defined and verified safety procedures that are known and documented. The difficulty with this approach is the limitation in completely identifying all possible fault propagation scenarios and designing the corresponding safety control recipe. The proposed safety control recipe synthesis is based on automatic and real-time identification of new fault propagation scenarios, which are simulated, and the corresponding safety control recipe is synthesized.

5.1. CANDU shutdown systems

To understand the proposed system, the shutdown systems for CANDU reactors are considered. Shutdown system-1, or SDS1, utilizes neutron-absorbing cadmium rods, which are inserted vertically into the reactor core. The rods are dropped by gravity after the release of an electromagnetic clutch to trigger the shutdown state. There are mechanical requirements, such as full insertion within 2 s, to be able to control the excess reactivity as a fail-safe design. Shutdown system-2, or SDS2, has six nozzles placed at the side of the Calandria, which are horizontally mounted across the moderator. Each nozzle is connected to a liquid tank filled with gadolinium nitrate (GdNO3), which acts as a poison that is injected into the moderator by opening the valve between the high-pressure helium tank and the poison tanks. Fig. 10 shows both shutdown systems 1 and 2 as connected to the Calandria.

Trip parameters that trigger the shutdown actions include: high neutron power, high rate of rise of neutron power, high coolant pressure, low coolant pressure, high building pressure, low steam generator level, low pressurizer level, high moderator temperature, low coolant flow, and low steam generator pressure. The shutdown control system is triggered once parameter thresholds are exceeded. Typically, independent channels are used independently for each shutdown system, where a trip in any two of the three channels will trip the reactor by triggering the shutdown system. Table 2 shows the safety control parameters used to synthesize the safety control programs.

Table 2
Safety control logic.

If Neutron-Power Is High (>SDS1-UL) Then Trigger SDS1
If Neutron-Power Is High (>SDS2-UL) Then Trigger SDS2
If Neutron-Rise-Rate Is High (>SDS1-UL) Then Trigger SDS1
If Neutron-Rise-Rate Is High (>SDS2-UL) Then Trigger SDS2
If HEX-Flow Is Low (<SDS1-UL) Then Trigger SDS1
If HEX-Flow Is Low (<SDS2-UL) Then Trigger SDS2
If two-channels are tripped Then Trigger SDS1 [Delay 2 seconds to monitor the action]
If Dropped-Rods < n Then Trigger SDS2 with %-Parameter [as SDS1 is not adequate, SDS2 should run with amount of poison]

UL means upper limit, HEX means heat exchanger.
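The Table 2 trip rules with the two-out-of-three channel voting described above, written out as an added example that is not from the paper or its case study: all numeric limits, the required rod count n, and the scaling of the poison "%-Parameter" are constructed assumptions, since the paper gives only the rule shapes.

```python
"""Added example (not from Gabbar's paper): the Table 2 safety control logic
for the CANDU shutdown case study, evaluated per channel with 2oo3 voting.
All numeric limits, the rod count n and the poison scaling are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed setpoints. Table 2 gives only the rule shape (">SDS1-UL",
# "<SDS2-UL"); the SDS2 limits are placed beyond the SDS1 limits so that SDS1
# normally acts first and SDS2 remains an independent second line.
LIMITS = {
    "SDS1": {"neutron_power": 1.10, "neutron_rise_rate": 0.05, "hex_flow": 0.80},
    "SDS2": {"neutron_power": 1.15, "neutron_rise_rate": 0.07, "hex_flow": 0.75},
}
# Trip direction per parameter: "high" trips above the limit, "low" below it.
DIRECTION = {"neutron_power": "high", "neutron_rise_rate": "high", "hex_flow": "low"}
SDS1_MONITOR_DELAY_S = 2.0  # Table 2: delay 2 seconds to monitor the SDS1 action


@dataclass(frozen=True)
class ChannelReading:
    neutron_power: float      # fraction of full power
    neutron_rise_rate: float  # fraction of full power per second
    hex_flow: float           # fraction of nominal heat-exchanger (HEX) flow


def channel_trips(reading: ChannelReading, system: str) -> Set[str]:
    """Return the Table 2 parameters on which one channel trips for `system`."""
    tripped = set()
    for param, limit in LIMITS[system].items():
        value = getattr(reading, param)
        if DIRECTION[param] == "high" and value > limit:
            tripped.add(param)
        elif DIRECTION[param] == "low" and value < limit:
            tripped.add(param)
    return tripped


def vote_2oo3(channels: List[ChannelReading], system: str) -> bool:
    """Two-out-of-three voting: the shutdown system is triggered only when at
    least two of the three independent channels are tripped, so one failed
    sensor can neither cause nor block a shutdown on its own."""
    if len(channels) != 3:
        raise ValueError("trip logic expects exactly three independent channels")
    return sum(bool(channel_trips(c, system)) for c in channels) >= 2


@dataclass
class ShutdownController:
    rods_required: int                  # Table 2's n; constructed value in run_demo
    sds1_triggered_at: Optional[float] = None
    sds1_monitored: bool = False
    sds2_triggered: bool = False
    actions: List[Tuple[float, str, Optional[int]]] = field(default_factory=list)

    def scan(self, t: float, channels: List[ChannelReading], dropped_rods: int):
        """One controller scan at time t (seconds). Returns the action log."""
        # SDS2 has its own limits; a 2oo3 trip on them triggers it directly.
        if vote_2oo3(channels, "SDS2") and not self.sds2_triggered:
            self.sds2_triggered = True
            self.actions.append((t, "TRIGGER_SDS2", 100))
        # SDS1 trip: drop the rods, then monitor the action for 2 s.
        if vote_2oo3(channels, "SDS1") and self.sds1_triggered_at is None:
            self.sds1_triggered_at = t
            self.actions.append((t, "TRIGGER_SDS1", None))
        # Last Table 2 rule: after the monitoring delay, if fewer than n rods
        # dropped, SDS1 is not adequate and SDS2 runs with a poison amount.
        if (self.sds1_triggered_at is not None and not self.sds1_monitored
                and t - self.sds1_triggered_at >= SDS1_MONITOR_DELAY_S):
            self.sds1_monitored = True
            if dropped_rods < self.rods_required and not self.sds2_triggered:
                # Constructed scaling: poison amount proportional to the
                # fraction of rods that failed to drop.
                pct = round(100 * (1 - dropped_rods / self.rods_required))
                self.sds2_triggered = True
                self.actions.append((t, "TRIGGER_SDS2", pct))
        return self.actions


def run_demo() -> List[Tuple[float, str, Optional[int]]]:
    """Constructed sequence: two channels see neutron power above the SDS1
    limit, SDS1 fires, and after 2 s only 20 of 28 rods have dropped."""
    ctrl = ShutdownController(rods_required=28)  # n = 28 is a constructed value
    normal = ChannelReading(1.00, 0.00, 1.00)
    high = ChannelReading(1.12, 0.00, 1.00)      # > SDS1 limit, < SDS2 limit
    ctrl.scan(0.0, [normal, normal, normal], dropped_rods=0)
    ctrl.scan(1.0, [high, normal, normal], dropped_rods=0)   # 1oo3: no trip
    ctrl.scan(2.0, [high, high, normal], dropped_rods=0)     # 2oo3: SDS1
    ctrl.scan(3.0, [high, high, normal], dropped_rods=10)    # still monitoring
    ctrl.scan(4.0, [high, high, normal], dropped_rods=20)    # 2 s elapsed
    return ctrl.actions


if __name__ == "__main__":
    for t, action, param in run_demo():
        print(f"t={t:.0f}s {action} {'' if param is None else f'{param}%'}")
```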

5.2. Developed safety control programs

IEC61131-3 is the international standard for control programming. Control programs should be structured on the basis of IEC61131-3 so that they can be easily implemented within safety and control systems. IEC61131-3 offers a set of standard programming languages: Ladder Diagram (LD); Sequential Function Charts (SFC); Function Block Diagram (FBD); Structured Text (ST); and Instruction List (IL). Safety control programs can be implemented using IEC61131-3 for both recovery and shutdown scenarios. One safety recovery operation scenario is selected from the steam generator.

Fig. 11 shows the high level process and control diagram for the case study of the steam generator and the corresponding controllers. Each line is identified by a number that links it with the detailed control chart.

Fig. 12 shows the input/output lines from the steam generator or boiler controller, while Fig. 10 shows the corresponding Function Block Diagram (FBD) of the safety control program to maintain steam generator level. It shows that once a steam generator level high signal is detected in the controller, it triggers the standby valve LCV to open and the isolation manual valve to close. In addition, it transfers control to the secondary steam generator level controller.

5.3. Case study-2, nuclear–hydrogen cogeneration

In this example the safety control design is studied for cogeneration of nuclear and hydrogen. This is applied to CANDU (CANada Deuterium Uranium) power stations as integrated with hydrogen (Rosen et al., 2008). Fig. 13 shows the control hierarchy of the proposed CANDU – hydrogen power station.

Fig. 13. Control design for nuclear–hydrogen cogeneration.

Designing the safety control explicitly is essential to ensure safe cogeneration. For example, a high steam pressure hazard would, in a stand-alone CANDU power station, be interpreted as a shutdown scenario. Such a scenario can be eliminated when hydrogen cogeneration is integrated, by supplying more steam to the hydrogen process and producing more hydrogen. The safety control program within CANDU is modified so that the opening angle of steam valve V1 is increased to allow more steam to the hydrogen process.
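The change in the high steam pressure response described above, as an added Python example that is not part of the paper; the pressure limit, the V1 opening range and the pressure relief per valve step are constructed assumptions, and the fallback to shutdown when V1 is already fully open or the hydrogen process is unavailable is an added safeguard the paper does not state.

```python
# Added example (not the paper's code): the high steam pressure response of a
# CANDU safety control program before and after integration with a hydrogen
# process that can absorb extra steam (Section 5.3). Limits, valve range and
# pressure relief per V1 step are constructed placeholders, in kPa and degrees.
STEAM_PRESSURE_UL = 4700  # constructed upper limit (UL) on steam pressure, kPa
V1_MAX_ANGLE = 90.0       # constructed: steam valve V1 fully open, degrees
V1_STEP = 10.0            # constructed: V1 opening increment per control cycle
RELIEF_PER_STEP = 150     # constructed: pressure relieved (kPa) per V1 step

def stand_alone_action(steam_pressure):
    """Stand-alone CANDU station: high steam pressure is a shutdown scenario."""
    return "SHUTDOWN" if steam_pressure > STEAM_PRESSURE_UL else "NORMAL"

def cogeneration_action(steam_pressure, v1_angle, h2_available):
    """Integrated station: open V1 further to send more steam to the hydrogen
    process. Falling back to shutdown when V1 is already fully open or the
    hydrogen process is unavailable is an added safeguard, not from the paper."""
    if steam_pressure <= STEAM_PRESSURE_UL:
        return "NORMAL"
    if h2_available and v1_angle < V1_MAX_ANGLE:
        return "OPEN_V1"
    return "SHUTDOWN"

def run_cogeneration_recipe(steam_pressure, v1_angle=30.0, h2_available=True,
                            max_cycles=20):
    """Run control cycles until pressure is back under UL or shutdown is reached.
    Returns (final_action, actions_taken, final_v1_angle)."""
    actions = []
    for _ in range(max_cycles):
        action = cogeneration_action(steam_pressure, v1_angle, h2_available)
        actions.append(action)
        if action != "OPEN_V1":
            return action, actions, v1_angle
        v1_angle = min(V1_MAX_ANGLE, v1_angle + V1_STEP)
        steam_pressure -= RELIEF_PER_STEP
    return "SHUTDOWN", actions + ["SHUTDOWN"], v1_angle  # relief failed: shut down

if __name__ == "__main__":
    print(stand_alone_action(5000))                    # SHUTDOWN
    print(run_cogeneration_recipe(5000))               # ('NORMAL', [...], 50.0)
    print(run_cogeneration_recipe(5000, h2_available=False))  # ('SHUTDOWN', ['SHUTDOWN'], 30.0)
```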

6. Conclusions

Nuclear power plants and other production and manufacturing industries are seeking practical integrated safety control design to ensure safety across all control activities in an automatic and accurate manner. This can be achieved by integrating process design models with process control and safety models. In this research, POOM is proposed to provide such a modeling framework, where plant static models, dynamic behaviors, operational models, control, and safety models are integrated to enable the systematic design of safety control systems. HCC, or hierarchical control chart, is proposed to automate such integration; it enables the identification of control and safety models as integrated with process design. The activity models for conducting safety control design are proposed using IDEF0. The proposed safety control design framework is integrated within control design, and safety control programs are synthesized on the basis of IEC61131-3 standards to ensure smooth and unified implementation in different plant technologies. Safety requirements are identified from different hazard scenarios and mapped to safety control recipe recovery operations and shutdown scenarios. Examples are selected for safety control design from a CANDU power station and CANDU-hydrogen cogeneration facilities.

Acknowledgements

Thanks to IEEE NPSS and CNSC for the valuable information regarding nuclear reactor safety and control design. Also, thanks to the students who helped in this research work.


References

Bereznai, G., 2001a. Nuclear Power Plant Operations. UOIT.

Davey, E., 2002. Design principles for CANDU control centres in response to evolving utility business needs. In: Proceedings of Canadian Nuclear Society Conference, Toronto, Ontario, pp. 1–7.

Erickson, K.T., Hedrick, J.L., 1999. Plant Process Control.

Zhao, F., Ou, J., Du, W., 2000. Simulation modeling of nuclear steam generator water level process: a case study. ISA Transactions 39, 143–151.

Gabbar, H., 2007. Formal representation of meta-operation of chemical plants. IEEE Transactions on Systems, Man, and Cybernetics – Part C: Applications and Reviews 37 (4), July 2007.

Bereznai, G., 2001b. Nuclear power plant systems and operation, simulator user manual. Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology (UOIT), Oshawa, Ontario.

Harber, J., Borairi, M., Tikku, S., Josefowicz, A., 2010. Documenting Control System Functionality for Digital Control Implementations. Atomic Energy of Canada Limited, Mississauga, Ontario.

ISA, 1995. Batch Control Part 1: Models and Terminology. ANSI/ISA-88.01-1995.

ISA, 1996. Possible Recipe Procedure Presentation Formats. ISA-TR88.0.03-1996.

ISA S-88 Standard, 1995. ISA-88 Batch Standards and User Resources, 2nd Edition, 1995 (R2006). Copyright 2007 by ISA – The Instrumentation, Systems and Automation Society.

Lamb, L., et al., 2000. Basic Concepts of ISA-S88.01-1995 Batch Control. ISA Encyclopedia of Measurement and Control.

Lee, S.J., Seong, P.H., 2004. Development of automated operating procedure system using fuzzy colored petri nets for nuclear power plants. Annals of Nuclear Energy 31 (8), 849–869.

Moray, N.P., Huey, B.M., 1988. Human factors research and human safety. In: Proceedings of Panel on Human Factors Research Needs in Nuclear Regulatory Research, Committee on Human Factors, Commission on Behavioral and Social Sciences. National Research Council, Washington, DC, pp. 13–19.

Morris, A., 2000. IEC 61131 – A User's Perspective From Innogy. INIS: International Nuclear Information System.

O'Hara, K., 1994. Cost of Operations Affects Planfulness of Problem-Solving Behaviour. In: Proceedings of CHI'94, Conference on Human Factors in Computing Systems, Boston, MA, USA, pp. 105–106.

Pérez, A., Strietzel, R., Mort, N., 1997. Control Engineering Solutions. Institution of Electrical Engineers.

Rosen, M.A., Naterer, G.F., Chukwu, C.C., Sadhankar, R., Suppiah, S., 2008. Nuclear-based hydrogen production with a thermochemical copper–chlorine cycle and supercritical water reactor: equipment scale-up and process simulation. International Journal of Energy Research.

Toon, K., 2002. Open Automation and Control IEC 61131 in Safety Applications. INIS: International Nuclear Information System.

Hossam A. Gabbar is Associate Professor and Director of Energy Safety & Control Lab, in the Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology (UOIT). He obtained his Ph.D. degree (Safety Engineering) from Okayama University (Japan). He obtained his BSc (First Class of Honors) in the area of Computer and Automatic Control, Alexandria University. He is specialized in process control and safety engineering where he initiated several research and industrial projects, which are applied on different disciplines such as oil & gas, energy, nuclear power, and manufacturing and production systems. Prior to moving to Canada, he was Associate Professor in Okayama University (Japan) where he established his research lab in the area of safety and green energy and production systems. He worked with Tokyo Institute of Technology and Japan Chemical Innovative Institute (JCII) where he participated in national projects related to process control and safety engineering for green production systems, batch process operation, oil & gas operation design & verification, biomass production systems, and plastic production chain with recycling. He developed new methods for control recipe synthesis and verification, safety design, and quantitative and qualitative fault diagnosis and simulation. He proposed new process modeling and simulation techniques for green hybrid energy supply chain planning and operation, which facilitate the smooth and optimum implementation of renewable and clean energy technologies. He is a Senior Member of SMCS IEEE, the founding chair of SMC Chapter – Hiroshima Section, the founding chair of the technical committee on Intelligent Green Production Systems (IGPS), and member of the technical committee on System of Systems and Soft Computing (IEEE SMCS). He is invited speaker in several Universities and international events, and PC/chair/co-chair of several international conferences. He is the author of more than 90 publications including books, book chapters, patent, and papers in the area of process control and safety engineering and green hybrid energy systems.