1 Introduction

The application of digital instrumentation and control (I&C) technology has become increasingly prevalent in nuclear power plants (NPPs) worldwide, given its benefits: the ability to perform more complex functions, improved numerical precision and stability, higher availability thanks to on-line diagnostics, and a lower risk of being unable to procure spare components compared with ageing analog equipment. The growing use of digital I&C technology in NPPs operating in Belgium, Canada, Finland, France, Germany and India, among other countries, is documented in [1, 2].

Digital I&C technology brings the substantial advantages mentioned above, but it also brings unique challenges. As noted in [3] and [4], errors, deficiencies or defects at any stage of the life cycle of a digital I&C system may result in systematic faults that remain undetected until specific conditions activate the faulted state and cause the failure of a critical function. Because identical digital technology is deployed in the redundant channels of a system (or of multiple systems), a common cause failure (CCF) could trigger misbehavior in those redundant channels simultaneously and lead to undesirable plant consequences. Hence the nuclear industry as a whole accepts that the additional CCF vulnerability posed by digital I&C systems is not negligible and requires special consideration.

As regards the potential effects of CCF, a simple metric is described in Table 1 (quoted from [5]) and two scenarios are defined: (a) the digital I&C systems fail to initiate when plant conditions require delivery of safety functions, and (b) the digital I&C systems initiate spuriously when plant conditions do not require delivery of a safety function.

Table 1. Potential effects of CCF

In recent decades, great care has been taken to research and analyze measures for scenario (a) (the safety system fails to actuate the required safety functions because of a CCF). To cope with the consequences of scenario (a), the diverse actuation system (DAS) was developed and is recognized worldwide as an effective measure. The UK was deliberately cautious about adopting digital I&C technology, and a hardwired back-up to the digital I&C system was placed in service at Sizewell B [6]. Such a design is required by the Radiation and Nuclear Safety Authority (STUK) of Finland, and a diverse automatic hardwired backup system is installed at Olkiluoto-3. In the US, the Nuclear Regulatory Commission (NRC) has issued guidance such as the staff requirements memorandum on SECY-93-087 [7], Branch Technical Position (BTP) 7-19, NUREG/CR-6303 [8] and NUREG/CR-7007 [9] to provide defensive strategies (including DAS design) against CCF. Further DAS practices of international NPPs are summarized in [10]. Aside from these regulatory guidelines and associated good practices, international standards have been developed that provide a general method for addressing CCF vulnerability in safety digital I&C systems. For example, International Electrotechnical Commission (IEC) standard IEC 61513 provides high-level guidance on overall I&C architecture design and individual I&C system design [11]; IEC 60880 specifies the requirements for software design and development of I&C systems performing category A functions [12]; and IEC 62340 establishes a CCF coping strategy for digital I&C systems.

Until now, existing practice and applications have focused on defensive measures for a CCF of scenario (a). None of these backup systems targets the problem of spurious actuation of the digital I&C system (scenario (b)). Moreover, for the potential CCF effects of scenario (b), there is little research and no elaborated nuclear industry guidance. The development of a spurious actuation analysis methodology for scenario (b) has therefore become an important and urgent issue, and it has attracted considerable attention in many countries. In 2017, the Digital Instrumentation and Controls Working Group (DICWG) reached a common position on spurious actuation of digital I&C systems, presented in [13]. Although this common position provides high-level evaluation guidance, including measures to prevent and respond to spurious actuations so as to maintain plant safety, it does not present a detailed and clear analysis approach.

This paper establishes a new functional-group methodology to evaluate the influence of spurious actuation of digital I&C systems.

2 Identification of Spurious Actuation

The analysis methodology for spurious actuation of digital I&C systems is a top-down process. It begins with the identification of spurious actuation events (including an evaluation of whether the actuation could challenge plant safety); the identified spurious actuations of I&C functions are then analyzed following the safety analysis.

2.1 Failure Scope and Types

Failures are subdivided into random failures and systematic failures. Hardware is subject to random failure due to manufacturing defects, ageing, wear or environmental effects, and such failures result from degradation over time [14]. Software does not fail randomly in this way. Both hardware and software, however, are subject to systematic failure resulting from design errors or requirements deficiencies. For hardware, random failure generally dominates the overall failure rate, and measures such as redundancy and self-monitoring support the generally accepted assumption that, for well designed and tested hardware, design faults are rare and can be neglected. Such faults cannot be neglected for digital technology: they are more likely to exist in digital I&C systems because of its nature (a full verification of correctness is practically impossible), its increased complexity and the associated inability to carry out exhaustive testing [15].

Thus, in this paper, a systematic failure is assumed to act deterministically and to initiate functions spuriously. Since the digital technology is replicated identically in each redundant channel, the following two types of spurious actuation consequence of a digital I&C system need to be considered:

a) Consequence 1: spurious actuation of a single item of equipment produced by I&C systems;

b) Consequence 2: spurious actuation of multiple items of equipment produced by I&C systems (Fig. 1).

Fig. 1. Spurious actuation consequence of digital I&C systems

2.2 Approach Assumption

The identification of spurious actuation events of digital I&C systems presented in this paper follows the assumptions below. The available scope for event mitigation and the priority management are, moreover, important assumptions used in the subsequent consequence analysis.

a) The identification of events assumes that the NPP is in normal operation. Initially, the NPP states in which the digital I&C systems spuriously initiate a given function need to be defined. To guarantee an adequate degree of analysis, all possible plant conditions should be considered. These initiating conditions cover the standard conditions within normal operation (e.g. full power operation, shutdown modes and core completely unloaded). Detailed operating states are introduced for the identification of spurious actuation events in accordance with the plant's thermodynamic and reactor-physics characteristics. Moreover, some spurious actuations produced by an I&C functional group are inhibited in particular states of normal operation (e.g. by a permissive or inhibit signal); these spurious actuations are assumed to be implausible and are not analyzed under those conditions;

b) The spurious actuation of digital I&C systems is not considered in combination with other independent events (e.g. loss of off-site power, loss of coolant accident). Although the CCF of digital technology cannot be eliminated, many measures are applied to minimize its potential (e.g. equipment qualification, field-proven products, mature verification and validation of system software), which indicates that the probability of a spurious actuation caused by an I&C system CCF is very low. Hence the combined probability of a spurious actuation event and an additional independent event is extremely low. Even if a spurious actuation caused by a digital I&C system does take effect, its influence is detectable: it can be corrected and would not still exist at the time an independent event (not caused by the digital I&C system) occurs. So every single spurious actuation event is analyzed independently, without considering combined cases.

c) To avoid an infinite number of combinations of spurious actuations, two kinds of multiple spurious actuation are excluded: spurious actuation of multiple independent I&C functions across different, independent I&C systems, and spurious actuation of multiple independent I&C functions within one I&C system. According to the experience of DICWG-13, the spurious actuations of concern are those which are plausible, because there is no way to know the worst combination, in time and position, of all such actuations (except by doing an infinite number of studies, which is infeasible). A similar position is presented on the Office for Nuclear Regulation (ONR) website [16]. Take, for example, a digital I&C system with 100 outputs: even if they are simple two-state functions, 2^100, approximately 1 × 10^30, combinations of output states would have to be considered. It is therefore implausible to consider all combinations. Based on the I&C architecture and design features, adequate independence is achieved, which removes or reduces such multiple spurious actuations to an acceptable level, and their occurrence is not considered further.

d) The available scope for event mitigation is defined. If a specific spurious actuation of a digital I&C system is postulated, the other mitigation functions provided by the same system are conservatively considered unavailable. In this scenario, other I&C systems which have been demonstrated to be adequately independent of that I&C system are considered available.

e) Priority management must be considered. Conflicting signals may be sent coincidentally by different digital I&C systems to control the same actuator. To cope with this, priority management is introduced in the I&C design to ensure that only one specific signal reaches the actuator. Generally, two priority management methods are applied in NPPs. The first is state-based priority management: one direction of command (e.g. energize or de-energize, open or close) always has higher priority than the opposite direction, regardless of the system generating the input signal. The second is system-based priority management: the signal of a specific system input (e.g. the protection system (PS)) has priority over signals from other systems, regardless of the state demanded by that signal. From the priority management scheme it is determined whether a spurious actuation of equipment commanded by a higher-priority I&C system can be terminated by an opposite command from a lower-priority I&C system.

2.3 Identification Process

A potential spurious actuation of a digital I&C system means that the I&C system or its associated equipment produces an unintended operation. However, not every unintended operation has an adverse effect on plant safety. Figure 2 shows a framework for the detailed identification of spurious actuation events. With this framework, each spurious actuation which could lead to an abnormal operating NPP state is screened and defined as an independent event.

Fig. 2. Identification process of spurious actuation produced by I&C systems

The identification process includes the following four steps:

a) Identify the system scope and make the associated list of system functions. Generally, I&C technologies can be based on software, complex hardware or simple hardware [17]; the available and representative I&C technologies are shown in Fig. 3. As discussed in Sect. 2.1, simple hardware is not considered, owing to the nature of the technology; I&C systems based on complex hardware or software technology are considered in the subsequent analysis. The overall I&C architecture analyzed in this paper is described in [18] and mainly comprises centralized I&C systems (e.g. the protection system (PS), the safety automation system (SAS) and the plant standard automation system (PSAS)) and non-centralized I&C systems. Moreover, the component interface module used to perform the priority management is based on simple hardware technology, so its spurious actuation is not considered.

Fig. 3. Categorization of technologies

b) Define the preliminary screening principles to form the short-list. To simplify the analysis, preliminary screening principles are defined and a short-list is formed. The screening follows the seven principles listed in Table 2.

Table 2. Preliminary screening principles

c) Form the functional groups based on signal features. The functional group list is formed from the signal features: the same I&C system allocation, the same spurious actuation states and the same actuation modes (including the same actuation types and actuation signals). A functional group is an assembly of functions comprising an I&C output function and any consequential function(s) activated by it. As illustrated in Fig. 4, functions that share the features above are assigned to one functional group; lines of the same color in Fig. 4 represent the same initiation condition in the same NPP state. For example:

1) Function 1, allocated in the PS, and functions 3/4/5, also allocated in the PS, are actuated on the same actuation signal, and in the same NPP states. These functions are therefore combined into one functional group and analyzed together;

2) In a different NPP state, function 1 allocated in the PS leads only to the actuation of function 2. For this NPP state, functions 1 and 2 are combined and analyzed together;

3) Function 6, allocated in the PS, is connected to function 7, allocated in the SAS. Although these functions are allocated in different I&C systems, a spurious actuation of function 6 leads to the initiation of function 7, so the two functions are considered together and combined into one functional group for the case of PS failure.

Fig. 4. Illustration of functional groups

d) Determine the event list of spurious actuations of digital I&C systems. The following two aspects are considered to screen the final event list:

1) For a given functional group, identify whether the consequence could lead to an abnormal operating NPP state (including, but not limited to, a reactivity or power control anomaly, an increase or reduction in primary-side temperature, an increase or reduction in primary-side flow, or loss of spent fuel pool inventory);

2) For a given functional group, identify whether the consequence is enveloped by that caused by another functional group.
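As an added worked example (not code from the paper), the following Python script carries steps c) and d) through on a constructed function inventory modeled on the Fig. 4 illustration: functions with the same I&C system allocation and actuation signal in a given NPP state are merged into one functional group, each consequential function is merged into the group of the function that actuates it (a union-find over the actuation links), and the resulting groups are screened by the two criteria of step d). The function names F1 to F9, the signal names, the NPP states and the "effects" standing in for an abnormal NPP state are all assumptions, and the seven screening principles of Table 2 are not reproduced.

```python
"""Functional-group formation (step c) and event screening (step d).

Added illustration; the inventory below is constructed, not the paper's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IcFunction:
    name: str
    system: str                         # allocated I&C system (PS, SAS, PSAS ...)
    signal: str                         # actuation signal of the output function
    states: frozenset                   # NPP states in which the actuation is plausible
    triggers: tuple = ()                # consequential functions actuated by this one
    effects: frozenset = frozenset()    # abnormal-state effects of its spurious actuation


def functional_groups(functions, state):
    """Return the functional groups (frozensets of function names) for one NPP state.

    Functions inhibited in `state` are dropped first (assumption a) of Sect. 2.2).
    Functions sharing (system, signal) are merged, then each function is merged with
    the consequential functions it actuates, using a small union-find structure."""
    active = {f.name: f for f in functions if state in f.states}
    parent = {n: n for n in active}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]   # path halving
            n = parent[n]
        return n

    def union(a, b):
        parent[find(a)] = find(b)

    by_key = defaultdict(list)
    for f in active.values():
        by_key[(f.system, f.signal)].append(f.name)
    for names in by_key.values():
        for other in names[1:]:
            union(names[0], other)

    for f in active.values():
        for downstream in f.triggers:
            if downstream in active:        # an inhibited downstream function has no consequence
                union(f.name, downstream)

    groups = defaultdict(set)
    for n in active:
        groups[find(n)].add(n)
    return [frozenset(g) for g in groups.values()]


def screen_events(functions, state):
    """Step d: keep the groups whose consequence is abnormal and is not enveloped by
    (i.e. a strict subset of) the consequence of another group in the same state."""
    by_name = {f.name: f for f in functions}
    consequence = {
        g: frozenset().union(*(by_name[n].effects for n in g))
        for g in functional_groups(functions, state)
    }
    events = []
    for group, eff in consequence.items():
        if not eff:
            continue                        # criterion 1: no abnormal NPP state
        enveloped = any(eff < other for h, other in consequence.items() if h != group)
        if not enveloped:                   # criterion 2: not covered by another group
            events.append(group)
    return sorted(events, key=sorted)


# Constructed inventory modeled on the Fig. 4 illustration (assumed names and signals).
INVENTORY = (
    IcFunction("F1", "PS", "SG_LEVEL_LOW", frozenset({"FULL_POWER", "HOT_STANDBY"}),
               triggers=("F2",), effects=frozenset({"FEEDWATER_INCREASE", "SG_LEVEL_RISE"})),
    IcFunction("F2", "PS", "F1_OUTPUT", frozenset({"HOT_STANDBY"}),
               effects=frozenset({"SG_LEVEL_RISE"})),
    IcFunction("F3", "PS", "SG_LEVEL_LOW", frozenset({"FULL_POWER"}),
               effects=frozenset({"FEEDWATER_INCREASE"})),
    IcFunction("F4", "PS", "SG_LEVEL_LOW", frozenset({"FULL_POWER"})),
    IcFunction("F5", "PS", "SG_LEVEL_LOW", frozenset({"FULL_POWER"})),
    IcFunction("F6", "PS", "PRZ_PRESSURE_HIGH", frozenset({"FULL_POWER", "HOT_STANDBY"}),
               triggers=("F7",), effects=frozenset({"PRIMARY_PRESSURE_DROP"})),
    IcFunction("F7", "SAS", "F6_OUTPUT", frozenset({"FULL_POWER", "HOT_STANDBY"}),
               effects=frozenset({"PRIMARY_PRESSURE_DROP"})),
    IcFunction("F8", "PSAS", "TURBINE_LOAD", frozenset({"FULL_POWER"})),
    IcFunction("F9", "PS", "SG_PRESSURE_LOW", frozenset({"FULL_POWER"})),
)

if __name__ == "__main__":
    for state in ("FULL_POWER", "HOT_STANDBY"):
        print(state, [sorted(g) for g in screen_events(INVENTORY, state)])
```

At full power the script reproduces case 1) (F1 with F3/F4/F5 on the shared signal) and case 3) (F6 pulling the SAS function F7 into its group), drops F8 because its spurious actuation has no abnormal effect and drops F9 because its consequence is enveloped by the F1 group; in hot standby F3/F4/F5 are inhibited and case 2) appears instead (F1 with F2). The envelope test is deliberately strict: two groups with identical consequences are both kept, which is the conservative choice when the analyst has not yet decided which one bounds the other.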

3 Consequence Analysis of Typical Spurious Actuation Event

Through the identification methodology, the functional groups whose unintended actuation leads to an abnormal operating NPP state are obtained and defined as spurious actuation events. For each of them, a detailed analysis is carried out to confirm whether the current mitigation systems and safety functions are adequate.

In this section, the event identified for spurious actuation of emergency feedwater is analyzed as an example. The emergency feedwater system (EFWS) is designed to supply water to the steam generators for residual heat removal, and its start-up function is implemented in the PS. A CCF in the PS may actuate this function spuriously and lead to an increase in feedwater flow. The following initial conditions are considered.

a) The spurious actuation is considered in three different NPP states: full power, hot standby and hot shutdown.

b) According to the predefined priority assignment in [18], system-based priority is applied and the PS has the highest priority. If the identified functions are actuated spuriously by the PS, the opposite command issued by the mitigation system is ineffective. Therefore, the emergency feedwater injection cannot be isolated until local action is carried out.

c) As mentioned in [18], the PS and SAS are based on the same I&C platform. Although independence is established between them, it is hard to verify that the SAS remains available in this scenario, so both the PS and the SAS are conservatively assumed unavailable.

d) In this scenario, other independent I&C systems (e.g. the DAS and PSAS) provide the mitigation functions. For example, the PSAS is credited with protecting the plant through its regulating functions, via the main feedwater flow control system (MFFCS).

e) The emergency feedwater pumps are assumed to start spuriously at their nominal flow rate. According to [19], this ranges from 90 m3/h to 110 m3/h, the exact value depending on the back-pressure.

A digital I&C design verification and validation (V&V) platform has been developed which provides a dynamic verification method and strong support for engineering application [20]. The spurious actuation of emergency feedwater is simulated on this V&V platform.

For this event occurring at full power, a short-term transient simulation was run; the response of the key parameters is shown in Fig. 5 and Fig. 6. The emergency feedwater flow rate rises until it reaches its nominal value (slightly below 110 m3/h), and the additional emergency feedwater is then offset by the MFFCS, whose capacity is 2130.5 m3/h [21]. Thanks to the quick response of the MFFCS, a steady state is established about 3 min later and no automatic reactor trip occurs. After 60 min the operator performs the local action to isolate the affected steam generators and terminate the event.

Fig. 5. EFWS flow rate in full power state

Fig. 6. Steam generator level in full power state

For this event occurring in the hot standby and hot shutdown states, the significant parameters are presented in Figs. 7, 8, 9, 10, 11 and 12.

Fig. 7. EFWS flow rate in hot standby state

Fig. 8. Steam generator level in hot standby state

Fig. 9. Steam generator pressure in hot standby state

At the beginning of the event in the hot standby or hot shutdown state, the addition of a large amount of cold water to the secondary side makes the steam generator level and pressure decrease owing to the cold-contraction effect. The temperature of the emergency feedwater (between 10 °C and 60 °C) is much lower than that of the secondary side (about 300 °C), so the water density increases and the total level decreases. This phenomenon does not appear in the full power state because of the very high power transferred from the primary side.

Fig. 10. EFWS flow rate in hot shutdown state

Fig. 11. Steam generator level in hot shutdown state

Fig. 12. Steam generator pressure in hot shutdown state

Additionally, in these states the MFFCS closes the low-load control valve in response to the increasing steam generator level. However, because the full-load control valves are already closed in these conditions, the low-load control valve alone is insufficient to control the level, so the steam generator level eventually rises.

The primary mitigation measure for this event is the EFWS isolation implemented in the DAS. Once the predefined set-point is reached, the DAS initiates the EFWS isolation function on high steam generator level. But the isolation is ineffective because of the priority configuration described above, and finally the emergency feedwater can overfill the steam generator. One difference is that overfill occurs later in the hot standby state than in the hot shutdown state, because the initial power level in hot standby is higher than in hot shutdown.

The overfill time is approximately 28 min in the hot shutdown state and 37 min in the hot standby state. Both are shorter than the grace period assumed for local operator action (at least 1 h after the first significant signal), so the operator cannot be credited to isolate the emergency feedwater manually before overfill. Although overfill occurs, this event does not produce a more serious radiological consequence and the acceptance criteria defined in [22] are satisfied.

On the one hand, the above analysis shows that the current mitigation functions are adequate. On the other hand, a possible but not necessary improvement is identified: if state-based priority management were introduced in place of the current priority management for the EFWS isolation function, the overfill might be avoided. This improvement needs further evaluation and its details are beyond the scope of this paper.
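The following Python model, added here as an illustration rather than taken from the paper, implements the two priority management schemes of assumption e) in Sect. 2.2 and replays the EFWS case of this section under each. The system ranking (PS, SAS, DAS, PSAS), the minute at which the DAS high-level set-point is reached and the 60 min local action are assumptions standing in for the simulated transient of Figs. 7 to 12; the component interface module is modeled only as a pure arbitration function over the commands present at one instant.

```python
"""Priority management at a shared actuator (Sect. 2.2 e) replayed on the
EFWS case of Sect. 3. Added illustration, not the paper's code; the command
schedule (DAS set-point reached at minute 20, local action at minute 60) is
a constructed placeholder, not the simulated transient of Figs. 7 to 12."""
from dataclasses import dataclass
from enum import Enum


class Cmd(Enum):
    OPEN = "open"      # energize / start pump / inject
    CLOSE = "close"    # de-energize / stop pump / isolate


@dataclass(frozen=True)
class Command:
    system: str        # issuing I&C system: PS, SAS, DAS, PSAS
    cmd: Cmd


def system_based(commands, ranking=("PS", "SAS", "DAS", "PSAS")):
    """System-based priority: the highest-ranked system wins whatever state it demands.
    The ranking is the assumed assignment of [18] with the PS highest."""
    if not commands:
        return None
    return min(commands, key=lambda c: ranking.index(c.system)).cmd


def state_based(commands, dominant=Cmd.CLOSE):
    """State-based priority: the dominant direction wins whichever system demands it.
    Here 'close' (isolate) dominates, the variant discussed in Sect. 3 for EFWS isolation."""
    if not commands:
        return None
    return dominant if any(c.cmd is dominant for c in commands) else commands[0].cmd


def efws_isolation_case(arbiter, das_setpoint_min=20, local_action_min=60):
    """Replay the spurious EFWS start minute by minute and return the minute at which
    injection stops. A CCF in the PS keeps demanding OPEN; the DAS demands CLOSE once
    its high-level set-point is reached; the operator removes the PS demand locally
    at `local_action_min` (the 1 h grace period assumed in Sect. 3)."""
    for minute in range(local_action_min):
        demands = [Command("PS", Cmd.OPEN)]
        if minute >= das_setpoint_min:
            demands.append(Command("DAS", Cmd.CLOSE))
        if arbiter(demands) is Cmd.CLOSE:
            return minute                   # DAS isolation is effective
    return local_action_min                 # only the local action terminates injection


if __name__ == "__main__":
    for name, arbiter in (("system-based", system_based), ("state-based", state_based)):
        print(f"{name:12s}: injection stops at minute {efws_isolation_case(arbiter)}")
```

Under system-based priority the DAS isolation command never reaches the actuator while the PS demand persists, which is the mechanism behind the overfill described above; with "close" as the dominant state, the DAS command takes effect as soon as its set-point is reached. The model also makes the trade-off of the deferred improvement visible: a dominant "close" would equally override a genuine PS start demand from any lower-priority system demanding isolation, so the choice of dominant state for the EFWS function has to be justified against scenario (a) as well as scenario (b).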

4 Summary and Discussion

A new method for identifying spurious actuation of digital I&C systems has been developed. The method integrates the features of digital I&C systems and the characteristics of function allocation. The identified spurious actuation events are analyzed quantitatively under specific conservative assumptions, and the results are used to demonstrate whether additional mitigation measures should be introduced. As an example, the spurious actuation of the EFWS has been simulated and evaluated. The results show that no additional mitigation functions need to be added; moreover, they suggest a possible improvement for design optimization.