Reliability of digital reactor protection system based on extenics
 Jing Zhao^{1},
 YaNan He^{2},
 PengFei Gu^{3},
 WeiHua Chen^{2} and
 Feng Gao^{2}
Received: 9 June 2016
Accepted: 28 October 2016
Published: 10 November 2016
Abstract
After the Fukushima nuclear accident, the safety of nuclear power plants (NPPs) has become a widespread concern. The reliability of the reactor protection system (RPS) is directly related to the safety of NPPs; however, it is difficult to evaluate the reliability of a digital RPS accurately. Methods based on probability estimation carry uncertainties, and they can neither reflect the reliability status of the RPS dynamically nor support maintenance and troubleshooting. In this paper, a quantitative reliability analysis method based on extenics is proposed for the digital (safety-critical) RPS, by which the relationship between the reliability and the response time of the RPS is constructed. The reliability of the RPS for a CPR1000 NPP is modeled and analyzed by the proposed method as an example. The results show that the proposed method is capable of estimating the RPS reliability effectively and of providing support for the maintenance and troubleshooting of a digital RPS.
Background
Nuclear safety is a widespread concern. China currently has the largest number of NPPs under construction. With the implementation of China’s “going out” strategy for nuclear power, the importance of nuclear safety to nuclear power development is self-evident. The RPS is directly related to the reliability and safety of NPPs, and it has been an important issue in evaluating the safety of NPPs.
The RPS consists of hardware devices and software components. The interaction of software and hardware determines the reliability of the RPS. Normally, methods for analyzing the reliability of the RPS mainly consider the hardware and the software, but do not take the interaction between hardware and software into account.
Probabilistic safety assessment (PSA) is the main method used to analyze the reliability of the RPS’s hardware devices (Ma 2010). PSA is a new accident evaluation method for NPPs developed recently. PSA uses system reliability evaluation techniques (fault tree and event tree analysis) and probabilistic risk assessment techniques to predict the occurrence and progress of various possible accidents in complex systems. PSA mainly focuses on the failure of hardware devices and does not take hardware problems caused by software failure into account.
For the reliability analysis of RPS software, the failure mode effect analysis (FMEA) method has been put forward (Liu et al. 2015). Software FMEA works mainly by identifying the failure modes of the software, analyzing the causes and consequences of those failure modes, and taking appropriate measures to eliminate or reduce the harmful consequences, thereby enhancing the reliability of the software. When FMEA is used for reliability analysis of RPS software, there are problems: failure modes are difficult to define clearly, failure probabilities and data are hard to obtain, and the software needs to be isolated from the hardware (He and Shi 2006). Moreover, FMEA focuses only on the impact of the software itself on the function and disregards the impact of the hardware on achieving the system function.
The contradiction is that neither PSA nor FMEA can solve the problem of software and hardware interaction when computing the reliability of the RPS. Extenics is a science that solves contradiction problems through transformation and expansion. In order to calculate the reliability of the RPS, the reliability of the RPS and the interaction of hardware and software need to be converted. The response time of the RPS is the result of software and hardware interaction. The software is responsible for generating the control logic, and the hardware is responsible for controlling the transmission and actions of the instructions. The response time is characterized by the interaction between software and hardware. On the other hand, the response time also characterizes the reliability of the RPS. The response time can therefore be regarded as the bridge between software and hardware interaction and RPS reliability.
The paper is organized in five parts as follows. The overview of the RPS and its control network model are introduced in the first part. The method for calculating the correlation degree data for each element of the control network model according to the extenics correlation function is introduced in the second part. How to establish the reliability model between the elements and deduce the calculation method is proposed in the third part. The calculation of the reliability of the RPS according to the established reliability model is presented in the fourth part, and the conclusions are given in the last part.
Overview of reactor protection system
The digital RPS is mainly used to protect the safety of the nuclear reactor. It ensures that the reactor trip system generates a reliable and timely protection action in an accident situation and brings the NPP into a controlled state (Yu et al. 2003).
Generating a complete reactor protection action is a closed-loop control process that contains four processes: generating excitation signals, feeding back device status, issuing control commands and releasing control signals (Xiao et al. 2013). In some ways, the response time of reactor trip and engineered safety feature (ESF) is related to the reliability of the reactor, and the response time of each process directly affects the safety of the reactor.
In the control network model, the blue lines A1, A2, A3 and A4 represent the uplink paths of the device status feedback. The green lines B1, B2, B3, B4 and B5 represent the device control command downlink paths. The red line D1 represents the reactor trip response route, and the orange line D2 represents the ESF response route. Note that B5 represents device control command downlink path B5, while the downlink path formed by B2 and B5 represents device control command downlink path B2.
Note that this paper is based on the RPS part of the DCS of Yangjiang units 5 and 6, but the principles and methods of the analysis can be shared with other types of safety DCS, such as Siemens’s TXS and Mitsubishi Electric Corporation’s MELTAC. The DCS structure of different reactor types will differ in signal transmission path and function distribution. The method proposed in this paper is mainly suitable for CPR1000. Since the ACPR1000 is an advanced reactor type that added some improvements to the CPR1000 after the Fukushima accident, this method is equally applicable to it. For other reactor types, it is necessary to adjust some technical parameters and model frameworks when using this method.
Establish reliability model
To analyze the reliability of the nuclear reactor from the perspective of response time, the RPS analysis mainly takes reactor trip response time, ESF response time, device control signal downlink time and device status feedback signal uplink time into consideration (Zhou et al. 2013). A shorter response time is not always better, and sometimes an abnormal response time indicates that there may be a fault or functional failure somewhere.
Then we calculate the correlation degree K(C) according to the definition of the correlation function and denote it K_{c}. If the measured data is closer to the best value, the correlation degree will be closer to 1, which means a higher reliability degree of the measured data. Conversely, if the measured data is closer to the interval endpoints, the correlation degree will be closer to 0, which means a lower reliability degree of the measured data.
Table 1 Reactor trip response time
No | Condition | C (ms) | M (ms) | N (ms) | K_{c}
1 | High nuclear flux source range and ((not P6) and (not P10)) | 98.2 | 90 | 110 | 0.59
2 | High nuclear flux intermediate range and (not P10) | 80 | 90 | 110 | 0
3 | High nuclear flux (low set point) Power range and | 93.9 | 90 | 110 | 0.81
Table 2 ESF response time
No | Condition | C (ms) | M (ms) | N (ms) | K_{c}
1 | Low-low pressurizer pressure | 140.6 | 130 | 150 | 0.47
2 | High differential pressure in steam line | 138.3 | 130 | 150 | 0.59
3 | High containment pressure (max 2) | 142.1 | 130 | 150 | 0.40
Table 3 Control device downlink time
No | Downlink path | C (ms) | M (ms) | N (ms) | K_{c}
1 | SCID → ESF → CICA3 | 252 | 200 | 500 | 0.83
2 | SCID → SRC → CICA3 | 214 | 200 | 500 | 0.95
3 | SCID → RPC | 198 | 200 | 500 | 0.99
4 | SCID → CCMS | 260 | 200 | 500 | 0.80
5 | SCID → SRC | 476 | 200 | 500 | 0.08
Table 4 Device status feedback uplink time
No | Uplink path | C (ms) | M (ms) | N (ms) | K_{c}
1 | RPC III → SCID | 318 | 300 | 500 | 0.91
2 | CICA3 → SCID | 352 | 300 | 500 | 0.74
3 | SRCA4 → SCID | 376 | 300 | 500 | 0.62
4 | CCMS → SCID | 376 | 300 | 500 | 0.62
Reactor trip response time matrix
Reactor trip response time refers to the interval between the instant at which the RPC receives the sensor signal and the instant at which the RPC outputs the reactor trip command, when any of the 21 kinds of conditions that can trigger reactor trip occurs (Zheng et al. 2010). In order to facilitate the calculation, three conditions are selected for research, with the assumptions of 90 ms for the best response time and 110 ms for the worst one. We calculate the degree of association according to correlation function formula (2). The results are shown in Table 1.
The reactor trip response time matrix is established based on the results in Table 1 and is denoted C1 = (c1, c2, c3) = (0.59, 0, 0.81).
ESF response time matrix
ESF response time refers to the interval between the instant at which the RPC receives the sensor signal and the instant at which the RPC outputs the ESF command, when any of the 49 kinds of conditions that can trigger ESF action occurs. In order to facilitate the calculation, we select three conditions for research, with the assumptions of 130 ms for the best response time and 150 ms for the worst one. We calculate the degree of association according to correlation function formula (2). The results are shown in Table 2.
The ESF response time matrix is established based on the results in Table 2 and is denoted C2 = (c4, c5, c6) = (0.47, 0.59, 0.40).
Device control signal downlink time matrix
Device control downlink time is the time taken for an SCID control instruction to be transferred to the related cabinet. In order to facilitate the calculation, the best and worst values are set to 200 and 500 ms respectively. The degree of association is calculated according to correlation function formula (2), and the results are shown in Table 3.
The device control signal downlink time matrix is established based on the results in Table 3 and is denoted B = (B1, B2, B3, B4, B5) = (0.83, 0.95, 0.99, 0.80, 0.08).
Device status feedback uplink time matrix
Device status feedback uplink time refers to the transmission time for the cabinet or the field board to feed the device status back to the SCID. In order to facilitate the calculation, the best and worst values are set to 300 and 500 ms respectively. The degree of association is calculated according to correlation function formula (2), and the results are shown in Table 4.
The device status feedback uplink time matrix is established based on the results in Table 4 and is denoted A = (A1, A2, A3, A4) = (0.91, 0.74, 0.62, 0.62).
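The tabulated correlation degrees can be cross-checked as follows. This is an added example, not code from the paper: it assumes the linear form K = (N - C)/(N - M) for M <= C <= N, which is inferred from the table rows because formula (2) is not reproduced on this page, and the 0.5 flagging threshold is hypothetical. Rows with C below M are reported separately rather than scored.

```python
# Added example (not the paper's code): cross-check the tabulated K_c values.
# ASSUMPTION: K = (N - C) / (N - M) for M <= C <= N. This linear form is
# inferred from the table rows; formula (2) itself is not shown on this page.

# (node, C ms, M ms, N ms, K_c as tabulated), copied from Tables 1-4.
ROWS = [
    ("c1", 98.2, 90, 110, 0.59), ("c2", 80.0, 90, 110, 0.00),
    ("c3", 93.9, 90, 110, 0.81), ("c4", 140.6, 130, 150, 0.47),
    ("c5", 138.3, 130, 150, 0.59), ("c6", 142.1, 130, 150, 0.40),
    ("B1", 252, 200, 500, 0.83), ("B2", 214, 200, 500, 0.95),
    ("B3", 198, 200, 500, 0.99), ("B4", 260, 200, 500, 0.80),
    ("B5", 476, 200, 500, 0.08), ("A1", 318, 300, 500, 0.91),
    ("A2", 352, 300, 500, 0.74), ("A3", 376, 300, 500, 0.62),
    ("A4", 376, 300, 500, 0.62),
]


def correlation_degree(c, m, n):
    """Assumed linear correlation degree; None when c is outside [m, n]."""
    if not m < n:
        raise ValueError("best value M must be below worst value N")
    if c < m or c > n:
        return None  # the assumed form does not cover this measurement
    return (n - c) / (n - m)


def cross_check(rows, tol=0.006):
    """Split nodes into matched / uncovered / mismatched against the tables.

    tol allows for the two-decimal rounding used in the tables.
    """
    matched, uncovered, mismatched = [], [], []
    for node, c, m, n, k_tab in rows:
        k = correlation_degree(c, m, n)
        if k is None:
            uncovered.append(node)
        elif abs(k - k_tab) <= tol:
            matched.append(node)
        else:
            mismatched.append(node)
    return matched, uncovered, mismatched


def weakest(rows, threshold=0.5):
    """Nodes whose tabulated K_c is below the (hypothetical) threshold,
    lowest first: the candidates for maintenance attention."""
    low = [(k_tab, node) for node, *_, k_tab in rows if k_tab < threshold]
    return [node for _, node in sorted(low)]


if __name__ == "__main__":
    matched, uncovered, mismatched = cross_check(ROWS)
    print("reproduced:", matched)
    print("C below M, not covered by the assumed form:", uncovered)
    print("mismatched:", mismatched)
    print("lowest correlation degree first:", weakest(ROWS))
```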
Calculation process
Associated model
In order to calculate the degree of correlation data and derive the reliability of the RPS, an association model that characterizes the relationship between the elements is established. The reliability data is calculated based on the relationship among the elements. In order to facilitate the calculation, this section establishes a simplified model of RPS reliability and describes the formulas and data conversions used in the calculation of RPS reliability.
Contribution factor
In order to calculate the reliability of the entire network, it is necessary to define the contribution degree of each node to the next node. For example, the reliability of a path through node B5 is determined by the reliability of node B5 as well as the reliability of nodes A1 and A4 (Hou and Chen 1999). The reliability of node B5 is determined by the correlation function. The contribution of A1 and A4 to B5 depends on their importance. If it is assumed that the paths A1 and A4 are equally important, the contribution factor will be 0.5.

The importance of the transmission path. A path that transmits signals for safety equipment is more important than one for non-safety equipment.

The importance of the transmitted signal. A signal used for reactor trip is more important than one used for ESF.

The number of transmission signals.
In this paper, the transmission paths and signals are assumed to be of the same importance, so the contribution factor of each node is measured by the number of transmission signals.
Numerical relationship
Model application
According to the control network model (Fig. 1), the signal flow of the reactor trip response and the ESF response is sorted out, as shown in Fig. 2. A1, A2, A3 and A4 represent the uplink paths that feed the control status back. B1, B2, B3, B4 and B5 represent the control signal downlink paths. C1, C2 and C3 represent the reactor trip response, while C4, C5 and C6 represent the ESF response. D1 represents the reactor trip action, and D2 stands for the ESF action (He and Shi 2006).
When the reactor trip condition or the ESF condition occurs, the device status signal is fed back via uplink route A1. The SCID then releases control commands through downlink route B2, which results in the reactor trip response and the ESF response. It controls the related device to generate the reactor trip and ESF action.
From the results calculated in the “Establish reliability model” section, we obtain the matrices A, B and C.
Matrix D = (D1, D2) represents the reactor trip action and the ESF action, which are the result of the control command issued. Matrix D is set to D = (D1, D2) = (1, 1).
From the calculated results, we can see that the reliability of the entire RPS is 0.215. The reactor trip reliability is 0.33, which is higher than the ESF reliability of 0.10. The low reliability of node B5 causes the low reliability of ESF, which leads to a lower reliability of the RPS. In engineering practice, if we want to improve the reliability of the RPS, increasing the reliability of node B5 is particularly important. If we improve the reliability of node B5 to 0.90 by some means, the calculated ESF reliability will be 0.325, a significant improvement compared with 0.10 before optimization. Therefore, this method can not only calculate the reliability of the RPS but also be applied in engineering work for fault diagnosis.
Conclusions
The generation, transmission and output of the RPS’s control commands are the result of the combined effect of software and hardware across the entire system. The proposed method can effectively eliminate the separation of hardware and software from the perspective of response time, and it provides a rigorous mathematical derivation process. Analyzing the actual operating data of the station can effectively identify the reliability shortcomings of the reactor protection system. At the same time, it can also help to sustain improvement of system reliability and provide a reference for maintenance as well as fault diagnosis.
Due to length limitations, this article only assumes the contribution factor, and the specific method for determining the contribution factor is omitted. It should be noted that these assumptions do not affect the use of the proposed method. In this paper, the reliability of the RPS under several operating conditions is discussed, and more operating conditions can be added for research. The method can also be used for the reliability analysis of other systems, such as the core cooling monitoring system.
Declarations
Authors’ contributions
JZ and YNH carried out the reliability quantitative analysis method studies, participated in building the response time matrix and drafted the manuscript. PFG provided help in the establishment of the correlation function. WHC and FG gave their technical assistance and reviewed the manuscript. All authors read and approved the final manuscript.
Acknowledgements
Thanks to Dr. Bai for her assistance in the English language revision of the manuscript.
Competing interests
The authors declare that they have no competing interests.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
References
 He HK, Shi HS (2006) Research of identification method of network topology based on correlation matrix. J Xi’an Jiaotong Univ 40(4):477–479
 Hou XL, Chen CZ (1999) Optimal design of neural network weights and thresholds. J Northeast Univ (Nat Sci) 20(4):447–450
 Liu H, Chen K, Huang Q (2015) Review of application of FMEA in the nuclear power industry. Autom Expo 9:88–90
 Ma MZ (2010) Probabilistic safety analysis of nuclear power plants and its application. At Energy Press 3:24–26
 Xiao P, Zhou JX, Liu HC (2013) Reactor protection system structure and reliability relations. Nucl Power Eng S1:179–183
 Yang CY, Cai W (2000) Extension engineering method. Eng Sci 2(12):90–96
 Yu WG, Zhang ZJ et al (2003) Reliability analysis of Daya Bay nuclear power reactor protection system. Nucl Power Eng 24(1):63–67
 Zheng WZ, Li XJ, Zhu YM (2010) Digital nuclear power plant reactor protection system trip response time analysis. Autom Panor 8:74–76
 Zhou SL, Liu YY, Du W (2013) Reliability analysis of nuclear power plant digital reactor power control system based on fault tree. Nucl Sci Eng 33(4):419–428