Keywords

1 Introduction

Nuclear safety-class DCS in nuclear power plant mainly realizes important functions such as reactor tripping, engineered safety features driving. It is used to ensure the intactness of reactor fuel envelope, reactor coolant loop pressure and safety hulk, and thus the power plant is in a safe state. When the operation parameters of the power plant reach the reading value set by the reactor protection system, the emergency shutdown of the reactor can be triggered safely and reliably, and special safety facilities can be operated when necessary. It can be seen that the reliability of DCS directly affects the safety of the reactor.

Nuclear safety-class DCS typically consists of reactor tripping system (RTS), engineered safety features actuation system (ESFAS), Priority actuator control system (PACS), Gateway system (GW) and maintenance system, et al. Among them, ESFAS and PACS jointly realize safety injection, containment isolation, containment spray, main feed water isolation, main steam isolation, auxiliary feed water start-up and other special functions.

ESFAS generates driving instructions and sends them to PACS. Through the selection logic inside PACS, the driving instructions are finally output to drive the local equipment. ESFAS contains two diverse sub-groups, and the driving instructions of two sub-groups are logical “OR” in PACS.

2 Research Object and Research Status

2.1 Research Analysis

With the improvement of digitization degree of instrument and control (I&C) system in power plant, reliability research of I&C system has gradually become a research hotspot. In literature [1], for the structure of DCS basic components in the thermal power plant, Markov method was adopted to analyze the transition relationship of system space and influence of component repair rate on system reliability. In literature [2], nuclear safety-class DCS was taken as the object to bulid a fuzzy fault tree (FT) model and analyze its reliability parameters, and DCS module level was taken as the research object, however, system level was not analyzed. Literature [3] lists the important reliability parameters of DCS and their calculation methods, and puts forward the parameter verification method of “model + test + evaluation”. In view of the fact that the traditional fault tree analysis (FTA) method cannot describe the dynamic interaction during the operation of the I&C system, Dynamic Flowgraph Methodology was used in literature [4] to analyze the sensor failures, output latching device and hot MPU failure, and hot-standby MPU failures of nuclear safety-class DCS. In literature [5], Petri net was used to analyze the influence of periodic tests and maintenance on the reliability of the reactor protection system, and it was verified that Petri net could be well applied to the reliability assessment of the reactor protection system. In this paper, based on the above researches, the reliability analysis of nuclear safety-class DCS ESFAS is carried out.

2.2 Structural Analysis

Generally speaking, in nuclear safety-class DCS, RTS consists of 4 channels (I/II/III/IV), each channel contains two diverse sub-groups. ESFAS consists of two logical trains A/B, each train contains two diverse sub-groups. PACS system receives drive instructions from ESFAS and hardwiring signals from ECP/BUP (emergency control panel/backup panel), DAS (diverse actuation system), NC (non-classified) DCS and other systems, and drives field equipment after selecting the priority logic. The brief architecture diagram of safety-class DCS is shown in Fig. 1.

Fig. 1.
figure 1

Schematic Diagram of Safety-class DCS

Full size image

In main feed water isolation function of train-A sub-group 1 (ESFAC-A1), the control instruction of TFM031VL of main feed water loop 1# steam generator (SG1) is taken as an example. ESFAC-A1 receives local tripping signal from four channels of RTS and take 2 out of 4 logic, and then takes “OR” logic with other logic, and output the driver instruction of TFM031VL. A brief logic diagram is shown in Fig. 2.

Fig. 2.
figure 2

Logic Diagram of TFM031VL Close Driver Command

Full size image

3 ESFAS System Reliably Model

3.1 FTA Method

FT is a special logical causality diagram of inverted tree. FTA takes a product failure event as the top event, through top-down in strict accordance with the level of fault causal logic analysis, find out a proximate cause of the failure event of necessary and sufficient step by step to draw the FT, finally all possible causes and combination of causes leading to occurrence of the top event can be found out, and the probability of top event and the importance degree of bottom events can be calculated when basic data is available. The FT analysis method has a good ability to describe and express the internal structure relations and organizational level of the analyzed object. FT usually uses logic such as “AND” gate, “OR” gate to describe the relationship between events, and determine the calculation expression from bottom to top according to the relationship. The bottom event is usually selected with a clear reliability model and known reliability parameters, and the probability of the event is calculated layer by layer based on the reliability parameters of the bottom events. FTA is widely used in various industrial fields due to its clear expression and strong expansibility [6].

3.2 Reliably Parameters Calculation Method

MTBF (Mean Time Between Failure) refers to the average time for a product or system to work correctly within the interval between failures, which is a commonly used reliability calculation parameter for repairable products. The main components of nuclear safety-class DCS are electronic products, and the life distribution can adopt the general analysis method of electronic products, which is generally considered to conform to the exponential distribution. The failure rate can be expressed as the formula (1).

$$ \lambda { = }\frac{{1}}{MTBF} $$
(1)

Product reliability \(\mathrm{R}(\mathrm{t})\) can be expressed as formula (2) [7].

$$ R(t) = e^{ - \lambda \times t} = e^{{\frac{ - t}{{MTBF}}}} $$
(2)

Thus, the trend of the reliability of the analyzed object with time can be obtained.

3.3 FT Model

The TFM031EL1 instruction realized by control station ESFAC-A1 must meet the requirements of normal operation of communication, MPU and output module. Among them, the communication takes 2 out of 4 configuration, each channel has two communication modules redundancy, and MPU takes hot-standby redundancy mode. The architecture is as shown in Fig. 3.

Fig. 3.
figure 3

Logic Diagram of TFM031EL1 Instruction in ESFAC-A1

Full size image

According to the instruction analysis, the top event (y7) was recorder as the TFM031EL1 instruction failure event of ESFAC-A1. The bottom events are the failure of various components, including hot-standby MPU, redundant COM modules, DO module. For the station ESFAC-A1, the bottom events are denoted as x1–x11 respectively, and the corresponding component number of ESFAC-A2 is similarly calculated. The redundant COM modules in each channel constitute the communication failure, which is denoted as event y1–y4; At least two of the four channels are required to be in normal operation, that is, communication fault y5 is the result of 3 out of 4 voting (y1–y4); The hot-standby MPU take redundant relationship, and MPU fault event is denoted as y6; Communication fault, MPU fault and DO fault together constitute the top event ESFAC-A1 TFM031EL1 command failure, which is denoted as y7. For fault of redundant system, “AND” gate is used to represent the relationship between upper and lower layers, such as single channel communication failure. For series system faults, “OR” gate is used for to represent the relationship between upper and lower layer, such as single cabinet control command failure event.

Based on the above analysis, the TFM031EL1 instruction failure FT model is shown in Fig. 4.

Fig. 4.
figure 4

FT Model of TFM031EL1 Instruction Fault in ESFAC-A1

Full size image

4 Simulation Experiment

4.1 Reliability Parameter Calculation

The components involved in the case include the MPU, COM module and DO module. The specific module parameters and MTBF are shown in Table 1.

Table 1. Equipment Model and failure rate (\(\uplambda \))
Full size table

It can be obtained from formula (2) that the reliability functions of MPU, COM and DO are as shown in formula (6)–(8).

$$ R_{MPU} = e^{{ - 1226.4 \times 10^{ - 9} \times \,t}} $$
(6)
$$ RCOM = e^{{ - 825.1 \times 10^{ - 9}\, \times \,t}} $$
(7)
$$ R_{DO} = e^{{ - 1875.9 \times 10^{ - 9\,}\, \times \,t}} $$
(8)

Thus, the function of reliability decay over time of the above components was obtained, and the reliability decay curves of MPU, COM, and DO module were further obtained, as shown in Fig. 5.

Fig. 5.
figure 5

Simulation Results of Equipment Reliability

Full size image

The reliability of all kinds of components generally shows a declining trend over time. According to the figure, DO is the weakness of reliability parameters in various components.

4.2 Sub-system and System Reliability Simulation Analysis

Combined with the TFM031EL1 instruction failure FT model, the simulation results of channel communication (I–IV) reliability is analyzed as shown in Fig. 6(a), communication sub-system as shown in Fig. 6(b), and MPU redundant system as shown in Fig. 6(c).

Fig. 6.
figure 6

Simulation Results of Sub-system Reliability

Full size image

Based on the above analysis, the reliability variation of the command in ESFAC-A1 control station can be obtained, which is as shown in Fig. 7 (Table 2).

Fig. 7.
figure 7

Simulation Results of Single Control Station Reliability

Full size image
Table 2. Deterioration of Reliability
Full size table

4.3 Minimum Cut Set and Importance Analysis

4.3.1 Minimum Cut Set Analysis

One of the purposes of FTA is to find out the path or mechanism of event occurrence, so as to put forward optimization methods and take optimization measures. In order to perform this work more efficiently, minimal cut set solution is required. Minimum cut set is one of the basic concepts of reliability statistics. It is the set of bottom events that lead to top event. The occurrence of a group of bottom events (fundamental events) in the FT can cause top event is called the minimum cut set.

The minimum cut set of TFM031EL1 instruction FT model can be transformed into a reliability block diagram, so that the six minimum cut sets leading to top event include: channel I/II/III/IV fault (3 out of 4); MPU A and B fault; DO fault.

The minimum cut set of TFM031EL1 instruction FT and its probability of occurrence in one year of operation are shown in Table 3.

Table 3. Minimum Cut Set and Probability
Full size table

4.3.2 Minimum Cut Set Analysis

Nuclear safety-class DCS components are not equally important, in order to facilitate the improvement of system design and maintenance strategy, the concept of importance degree is introduced. In this paper, the probability importance degree of the bottom events of TFM031EL1 instruction is analyzed as an example.

Probabilistic importance is defined as the improvement of system unreliability when a component changes from failure state to normal state.

$$ F_{Sys} (F_{i} = 1) - F_{Sys} (F_{i} = 0) = \Delta F $$
(9)

where i is the number of each component in a minimum cut set, \(\Delta F\) is probabilistic importance, FSys is unreliability of the system.

The reliability function of each component is known. Thus, the probabilistic importance of each component can be obtained through calculation, as shown in Table 4.

Table 4. Minimum Cut Set and Probability
Full size table

4.3.3 Failure Probability Calculation

The bottom events are calculated step by step according to the logical relationship in FT. The calculated probability of events y1–y4, y5, y6, y7 occurring within 8760 h are shown in Table 5.

Table 5. Minimum Cut Set and Probability
Full size table

4.4 Control Station Redundancy Design

It is obvious from the reliability decline curve that the reliability decline rate is faster in the early period of use. In order to further improve the system reliability, the same logic is designed in ESFAC-B1, and two output take “OR” logic to achieve logic redundancy and improve system reliability.

Similar to previous analysis, reliability analysis was conducted for the control system composed of ESFAC-A1 and ESFAC-B1, and the results are shown in Fig. 8.

Fig. 8.
figure 8

Control Station Reliability

Full size image

The decline of system reliability over time is shown in Table 6.

Table 6. Deterioration of Reliability
Full size table

4.5 Maintenance Scheme Optimization

Combined with the above analysis and the actual situation of nuclear power plants, whose typically undergo an 18-month overhaul cycle, the maintenance solution is optimized. In order to maintain the reliability of the system above 0.95, combined with the above calculation results, the equipment involving TFM031EL1 instruction should be repaired at least once in 9 overhauls (Fig. 9).

Fig. 9.
figure 9

Schematic Diagram of System Maintenance Scheme Optimization

Full size image

Similarly, if the reliability requirement is to be improved and the output instruction of single control station is still 0.95, then at least, maintenance shall be performed once in every two plant overhauls.

5 Conclusion

In the paper, the reliability of nuclear safety-class DCS ESFAS is analyzed. Taking TFM031EL1 instruction as an example, the FT method is used and the reliability decline curve with time of different levels and nodes is obtained. Based on the minimum cut set, probability importance and other parameters, the weakness of system reliability is quantitatively analyzed. Combined with the actual situation of nuclear power plant overhaul, the optimization scheme of system maintenance is put forward, and it is also useful for the reliability analysis of other similar control loops in nuclear safety-class DCS.