Nuclear Engineering and Design 240 (2010) 35503558
Contents lists available at ScienceDirect
Nuclear Engineering and Design
journa l homepage: www.e lsev ier .com/
HossamFaculty of Ener orth,
a r t i c l
Article history:Received 11 NReceived in reAccepted 14 Ju
mewject-oed htegraosed tmantemsuclea.
Process ccedures ofor service iprocess conFrom the otsafety of the underlying system against any possible hazard sce-nario. In nuclear power plant (NPP), safety systems are representedin the form of independent layers of protections, or barriers. Theselayers could provide prevention or mitigation means to all pos-sible hazards. Elements of safety systems are represented withinprocess conrules/constof these conor dynamiclimiting temsafety margand safety dtroldesign.control desCurrently, cthe gaps beinterruptionor safety sy
Traditionseparate froexplained b
d coclear. Innd imdricparacomm
safety regulations and verications in all adopted safety systems.Control design is mainly based on specifying main processes andidentifying and analyzing control variables as manipulated, distur-bance, and output control variables (Prez et al., 1997). However,this should include possible deviations in each control variables
0029-5493/$ doi:10.1016/j.trol systems such as alarms, process limits, or controlraints which are translated into control actions. Sometrol actions are dedicated for process control stabilitys, while other actions are for safety purposes, such asperature in a steam generator to be controlled withinins. From these two views, i.e. process control designesign, the overlap between them represents safety con-There is a lackof structured framework to support safetyign, which is important for nuclear power industries.ontrol and safety design practices are fragmented andtween them cause increased risks, cost, and productionin terms of frequent installation or upgrade of control
stems.ally, safety system design is implemented completelym control design (Davey, 2002). Control systems asy many control and simulation experts show dis-
and possible propagation time, speed, and escalation factors aswellas the associated safety controls. In case of safety systems, suchas shutdown systems, it is required to identify safety limits andidentify adequate safety margins before activating the appropri-ate shutdown system. Simulation practices are used to adequatelycalculate safety margins such as steam level/pressure, moderatortemperature, etc. (Futao et al., 2000). In fact, effective safety controldesign can optimize operating cost, by optimizing safetymargins toreduce unnecessary shutdown cases (OHara, 1994). This includeshuman factors involved in plant operation to ensure that safetymargins are appropriately matched with required operator actions(Moray and Huey, 1988; Lee and Seong, 2004). From engineeringand operating companies views, it might not be the case whenadopting new safety system or upgrade existing system where sys-tematic safety control design framework is required to reduce timeand efforts in specifying the target safety system and to reduce thecost and improve the accuracy by developing appropriate integra-tion with existing safety and control systems.
Safety design is usually performed during process design wheresafety limits are identied and appropriate safety protection sys-
see front matter 2010 Elsevier B.V. All rights reserved.nucengdes.2010.07.024ted framework for safety control design
A. Gabbargy and Nuclear Science, University of Ontario Institute of Technology, 2000 Simcoe St. N
e i n f o
ovember 2009vised form 30 June 2010ly 2010
a b s t r a c t
This paper presents an integrated fraplants. It shows the use of process obintegrate safety requirements, identiframework is proposed to show the inarchical control charts (HCC) are propassociated fault models in systematicthat are involved in safety control systhe control design and operation of nfacilities such as hydrogen production
ontrollers are responsible for executing operating pro-the underlying system to produce the target productn steady, safe, and optimum manner. This means thattrol systems should include aspects of process safety.her hand, safety systems are designed to ensure overall
tributefor nu2001a)ied aand Heed sesafetylocate /nucengdes
f nuclear power plants
Oshawa, Ontario, Canada L1H7K4
ork for safety control analysis and design for nuclear powerriented modeling methodology (POOM) and fault models to
azards, and fault propagation scenarios. Safety control designtion between control systems and safety control design. Hier-o integrate process, control, and safety models along with thener. Process and the associated process and control variables. The proposed safety control design framework will supportr power plants, as well as the integration with cogeneration
2010 Elsevier B.V. All rights reserved.
ntrol systems to deal with single output controllerspower plants, such as the case of CANDU (Bereznai,
all nuclear power stations, control systems are spec-plemented separately from safety systems (Erickson
k, 1999). In particular, CANDU control design is speci-tely from safety systems (Harber et al., 2010). Nuclearissioningagencies are requiring strict compliancewith
H.A. Gabbar / Nuclear Engineering and Design 240 (2010) 35503558 3551
tems are cooperation wamending sdesign as exconcepts. Iare mappedinstrumenttems (or nelements (s(actuators/vtem or safetsafety contrministic safare used tolimited effoand in parti
One moformulate ssafety analmajor limitcation andIEC61511 adetailed de
In view oneering growho implemrequiremenprocesses afor researchattention invalidation fand automavalidation aimplement
This papdesign as aand safety cgrated contmodeling frcontrol andbased on saplant.
ety control analysis
oposed integrated system architecture
ically, safety control systems are implemented as safety pro-able logic controller (or SPLC) or as shutdown systems (orhese systems run completely independent from other con-stems. The proposed approach is to develop set of smartcontrollers that are dynamic and adaptive to any possiblesituplanent
on oFig. 1. Integrated safety contro
nsidered. Also, safety design is considered during planthere plant modications or expansion might require
afety design. Thiswill include different aspects of safetyplained by IEC-61508 as well typical defence-in-depth
n case of safety control design, safety requirementsinto safety functions that are categorized into safety
ed systems (or SIS) and non-safety instrumented sys-on-SIS). Safety instrumented systems include inputensors), logic solvers (controllers) and nal elementsalves). SIS is commonly referred to as shutdown sys-y control system. Current practices to design advancedol systemsare focusedon treatingquantitativeordeter-ety analysis data. In addition, probabilistic safety dataestimate risks for identied hazard scenarios. There arerts to integrate these two views in safety control design,cular to map safety control instructions.re challenge in current practices is to systematicallyafety requirements, which are typically initiated fromysis of process safety margins. In addition, there areations to link safety requirement with safety speci-implementation of shutdown systems. IEC61508 andre widely used to specify safety protection layers and
TypgrammSDS). Ttrol sysafetyhazardpowerequipmticatisign of shutdown systems (SIS).f current practices, safety design is conducted by engi-up who dictates the safety requirements to vendorsent the target safety systemwhile conrming all safetyts with nuclear safety commissioning agencies. Thesere not well described for operating companies anders. On the other hand, safety systems require highterms of verication and relatively long compliance
romnuclear safety commissioning. The systematizationtion of safety control system design will support thend verication process which will optimize design andation costs and time.er describes a practical framework for safety controlsmooth integration between process control design
ontrol design. The following section describes the inte-rol and safety framework, followed by description ofamework that integrates process design models withsafetymodels. Section 4 describes control recipe designfety verication using a case study from nuclear poweration that might arise during the operation of nuclearts. This includes situations like degradation in plant, operator error, environmental hazards, etc. The iden-f risk scenario will trigger appropriate safety controlFig. 2. Integrated process control and safety.
3552 H.A. Gabbar / Nuclear Engineering and Design 240 (2010) 35503558
Fig. 3. Integrated safety control design framework.
actions that will be executed in the form of safety control instruc-tions. In order to achieve the proposed target, an overview of theproposed safety control system is illustrated, as shown in Fig. 1.
In the proposed system, real time and simulation data areused as inputs via distributed control systems (DCS), pro-grammableanalyze propredict posspossible sceprocess moare activate
tially and/or to move the plant to a safe state. To facilitate themodeling of fault propagation scenarios, POOM or plant processobject-oriented modeling methodology is proposed to associatefault and safety models along with control and behavioral models.Fault semantic network or FSN is used to structure fault models
ithriabact fndenr LOPsystelogic controller (PLC), or equipment controllers tocess/equipment/environment/human conditions andible hazard scenarios. Risk levels are estimated for eachnario based on fault/failure propagation models anddels. Accordingly, appropriate safety control programsd to optimally shutdown the power plant fully or par-
along wcess vato extrIndepeysis (osafetyFig. 4. Mapping defence in depth to independent pthe associated process variables. Trends of related pro-les are analyzed using trend fusion algorithm or TFAeatures from all trends related to each fault scenario.t protection layers (or IPL) and layersofprotectionanal-A) are used to analyze safety requirements and map toms. And nally safety instructions are mapped to con-rotection layers.
H.A. Gabbar / Nuclear Engineering and Design 240 (2010) 35503558 3553
Table 1Defence-in-depth levels.
Level 1 Prevention of abnormal operation and of malfunctionsLevel 2 Control of abnormal operation and detection of malfunctionsLevel 3 Control of accidents included in the design basisLevel 4 Control of severe accident conditions of the plant, including the
prevention of accident progression and mitigation ofconsequences
Level 5 Mitigation of the environmental/radiological consequences ofsignicant releases of harmful products
trol programs that are implemented using international standardsof control programming like IEC61131. To facilitate the systematicmapping from safety requirements into control programs, engi-neering formal language or EFL is proposed (Gabbar, 2007).
2.2. Integrated safety and control design
Basedon theproposedsystemarchitecture for typical integratedsafety control system, it is required to explain practical frameworkto integrate safety and control design. Typically, process controldesign goes through different stages starting from process design.Based on control block diagram, control functions are dened. Con-trol recipes are dened that are mapped to control systems (ISAS-88 Standard, 1995; ISA, 1995, 1996; Lamb et al., 2000). On theother hand, safety design starts with hazard identication that isfollowed by risk assessment and treatment. This is followed bysafety requirement specications. First layer of safety systems isthe inherent safety where opportunities are considered to changeprocessdesign for safetypurposes.Other safety functionsaredevel-oped basedfollows thelowed in nuor non-SIS ation design
IEC6150frameworkactivities. Tquantitatividentify set
case scenarios. Risk acceptance and treatment/mitigation analysiswill be performed to suggest ways to reduce or mitigate risks forcases where risks are unacceptable.
2.3. Proposed safety control design framework
Safety control design framework shows the mapping betweenprocessdesign, control, andsafetydesign. Fig. 3 shows theproposedframework where safety requirements are mapped to processdesign and linked with fault models. On the other side, safetyrequirements are mapped to control system design to identify thespecic needs for shutdown systems.
2.4. Safety control design and protection layers
The safety control design process is performed in iterativemanner via risk assessment and reduction practices using quali-tative and quantitative risk assessment techniques. Some of thesafety requirements are implemented as set of safety design e.g.inherent safety. Safety specications will be examined in viewof independent protection layers (IPL) that include: IPL1: safetydesign; IPL2: basic process control/alarm; IPL3: critical alarm; IPL4:safety instrumented systems (SIS); IPL5: relief devices; IPL6: phys-ical protection; IPL7: plant/site emergency procedures; and IPL8:community protection. These are developed based on the generalframework of defence in depth, which is described in Table 1. Theproposed mapping between IPL and defence in depth is shown inFig. 4.
Fig. 4 shows the mapping between defence-in depth and safetytion layers. It shows thatdefence-in-depth levels aremappedfety
his ses objl conon IPL or independent protection layers. This is usuallyconcept of defence in depth, which is typically fol-clear power plants. Safety instrumented systems (SIS)re designed accordingly, and linked with control func-stage. The proposed framework is illustrated in Fig. 2.8 proposed high level process safety managementthat describes basic steps to perform safety life cyclehe rst step is to identify hazards using qualitative andemethods, such asHAZOP, FTA, and FMEA. This stepwillof possible hazard scenarios along with risks of worst
protecto all sadepth
In tprocesarchicaFig. 5. POOM-based process design, control design,protection layers,which is logicwhere eachdefence-in-should be covered by more than one protection layer.
ased safety control design
ction, safety control recipedesign is presentedbasedonect-oriented modeling methodology (POOM) and hier-trol chart (HCC) support tool.
and safety design.
3554 H.A. Gabbar / Nuclear Engineering and Design 240 (2010) 35503558
POOM ois developecess designto cover prables are lineach structuments and pdynamic, fusion includ(Bereznai, 2the underlymodels, whTheoperaticuted and eand Hedrickthe base ofcan be usesystem (i.ecan be formments; eacsafety mode
partry acing ISd Seol rech safeloproceM orto e
to syFig. 6. Activity modeling for safety verication
and process design
r plant/process object-oriented modeling methodologyd to facilitate the formulation and verication of pro-(Gabbar, 2007). In this resear...