Reliability of digital reactor protection system based on extenics

After the Fukushima nuclear accident, the safety of nuclear power plants (NPPs) has attracted widespread concern. The reliability of the reactor protection system (RPS) is directly related to the safety of NPPs; however, it is difficult to evaluate the reliability of a digital RPS accurately. Methods based on probability estimation carry uncertainties, cannot reflect the reliability status of the RPS dynamically, and give little support to maintenance and troubleshooting. In this paper, a quantitative reliability analysis method based on extenics is proposed for the (safety-critical) digital RPS, by which the relationship between the reliability and the response time of the RPS is constructed. As an example, the reliability of the RPS of a CPR1000 NPP is modeled and analyzed by the proposed method. The results show that the proposed method can estimate the RPS reliability effectively and support the maintenance and troubleshooting of the digital RPS.

For the reliability analysis of RPS software, the failure mode and effect analysis (FMEA) method has been put forward (Liu et al. 2015). Software FMEA works mainly by identifying the failure modes of the software, analyzing the causes and consequences of those failure modes, and taking appropriate measures to eliminate or reduce the harmful consequences, thereby enhancing the reliability of the software. When FMEA is used for the reliability analysis of RPS software, however, the failure modes are difficult to define clearly, failure probabilities and data are hard to obtain, and the analysis has to be isolated from the hardware (He and Shi 2006). Moreover, FMEA only considers the impact of the software itself on the function and disregards the contribution of the hardware to achieving the system function.
It is a contradiction that neither PSA nor FMEA can handle the interaction of software and hardware when computing the reliability of the RPS. Extenics is a science for solving contradiction problems through transformation and expansion. In order to calculate the reliability of the RPS, the reliability of the RPS and the interaction of hardware and software need to be converted into a common quantity. As is well known, the response time of the RPS is the result of the interaction of software and hardware: the software is responsible for generating the control logic, and the hardware is responsible for transmitting and acting on the instructions. The response time is therefore characterized by the interaction between software and hardware, and at the same time it characterizes the reliability of the RPS. The response time can thus be regarded as the bridge between the software and hardware interaction and the RPS reliability.
The paper is organized in five parts as follows. The overview of the RPS and its control network model are introduced in the first part. The method for calculating the correlation degree data of each element of the control network model according to the extenics correlation function is introduced in the second part. How to establish the reliability model between the elements and derive the calculation method is proposed in the third part. The calculation of the RPS reliability according to the established reliability model is presented in the fourth part, and the conclusions are given in the last part.

Overview of reactor protection system
The digital RPS is mainly used to protect the safety of the nuclear reactor: it ensures that the reactor trip system generates a reliable and timely protection action in an accident situation and brings the NPP into a controlled state (Yu et al. 2003).
Generating a complete reactor protection action is a closed-loop control process made up of four steps: generating excitation signals, feeding back the device status, issuing control commands, and releasing control signals (Xiao et al. 2013). The response time of reactor trip and of the engineered safety features (ESF) is related to the reliability of the reactor, and the response time of each step directly affects the safety of the reactor.
In order to establish a reliability relation model of the four steps of the control process, the safety bus connections as well as the hardwired links between cabinets have been simplified to some extent. Cabinets such as the core cooling monitoring system cabinet (CCMS), the reactor protection cabinet (RPC), the safety related cabinet (SRC) and so on send device status signals to the safety control and information display cabinet (SCID), which then generates and releases control commands. The control commands are transmitted to the corresponding cabinet, the actuators carry out the control actions, and the control cycle is complete. Reactor trip instructions and ESF instructions are generated by the output signals of the RPC cabinet, which act directly on the reactor trip breaker (RTB) and the engineered safety feature actuation cabinet (ESFAC) to carry out the reactor trip and ESF actions. The simplified control network model is shown in Fig. 1.
In the control network model, the blue lines A1, A2, A3 and A4 represent the uplink paths of the device status feedback. The green lines B1, B2, B3, B4 and B5 represent the device control command downlink paths. The red line D1 represents the reactor trip response route, and the orange line D2 represents the ESF response route. Note that B5 alone forms device control command downlink path B5, whereas B2 and B5 together form device control command downlink path B2.
It should be noted that this paper is based on the RPS part of the DCS of Yangjiang units 5 and 6, but the principles and methods of the analysis can be applied to other types of safety DCS, such as Siemens's TXS and Mitsubishi Electric Corporation's MELTAC. The DCS structure of different reactor types differs in signal transmission paths and function distribution. The method proposed in this paper is mainly suited to the CPR1000. Since the ACPR1000 is an advanced reactor type that adds some improvements to the CPR1000 after the Fukushima accident, the method is equally applicable to it. For other reactor types, some technical parameters and model frameworks need to be adjusted when this method is used.

Establish reliability model
When the reliability of the nuclear reactor is analyzed from the perspective of response time, the RPS mainly takes the reactor trip response time, the ESF response time, the device control signal downlink time and the device status feedback signal uplink time into consideration. Normally a shorter response time is not always better, and sometimes an abnormal response time indicates that there may be a fault or functional failure somewhere. In this paper, in order to define the reliability degree of safety-critical system data, we denote the measured value of the system response test of the safety DCS as C, the best theoretical value as M, and the worst theoretical value as N. M is defined as the center point of the interval C = [2M-N, N], with reference to the definition of the extenics correlation function (Yang and Cai 2000): As we know, when C is less than M, it means that C is a bad value and is not reliable. Therefore we define the reliability correlation function as below: Then we calculate the correlation degree K(C) according to the definition of the correlation function and denote it as K_c. If the measured data is closer to the best value, the correlation degree is closer to 1, which means a higher reliability degree of the measured data. Conversely, if the measured data is closer to the interval endpoints, the correlation degree is closer to 0, which means a lower reliability degree of the measured data.
In order to improve the accuracy of the reliability calculation for the RPS, the values chosen for M and N are very important, and two methods can be used to determine them. The first method obtains the values from multiple test data of several identical power plants of the same reactor type. These data come from the actual operation of the plants, and are therefore more reliable. The other method obtains the overall optimal and worst values by theoretical calculation, computing the optimal and worst values of each link. The data obtained by this method may differ from the data obtained in actual plant operation. The values of M and N in Tables 1, 2, 3 and 4 of this paper are obtained by the first method, that is, by analyzing the data of CPR1000 power plants, which leads to a result closer to the real situation of the plant. The C value is a real measurement reflecting the current operating state of the equipment; it can be monitored during plant operation and obtained from regular tests.

Reactor trip response time matrix
Reactor trip response time refers to the interval between the instant at which the RPC receives the sensor signal and the instant at which the RPC outputs the reactor trip command, when any of the 21 kinds of conditions that can trigger a reactor trip occurs (Zheng et al. 2010). In order to simplify the calculation, three conditions are selected for study, with the assumptions of 90 ms for the best response time and 110 ms for the worst one. We calculate the degree of association according to correlation function formula (2). The results are shown in Table 1. The reactor trip response time matrix is established from the results calculated in Table 1, and denoted C1 = |c1, c2, c3| = |0.59, 0, 0.81|.

ESF response time matrix
ESF response time refers to the interval between the instant at which the RPC receives the sensor signal and the instant at which the RPC outputs the ESF command, when any of the 49 kinds of conditions that can trigger an ESF action occurs. In order to simplify the calculation, we select three conditions for study, with the assumptions of 130 ms for the best response time and 150 ms for the worst one. We calculate the degree of association according to correlation function formula (2). The results are shown in Table 2. The ESF response time matrix is established from the results calculated in Table 2, and denoted C2 = |c4, c5, c6| = |0.47, 0.59, 0.40|.

Device control signal downlink time matrix
Device control downlink time is the time taken for the SCID control instruction to be transferred to the related cabinet. In order to simplify the calculation, the best and worst values are set to 200 and 500 ms respectively. The degree of association is calculated according to correlation function formula (2), and the results are shown in Table 3. The device control signal downlink time matrix is established from the results calculated in Table 3, and denoted B = |B1, B2, B3, B4, B5| = |0.83, 0.95, 0.99, 0.80, 0.08|.

Device status feedback uplink time matrix
Device status feedback uplink time refers to the transmission time for the cabinet or the field board to feed the device status back to the SCID. In order to simplify the calculation, the best and worst values are set to 300 and 500 ms respectively. The degree of association is calculated according to correlation function formula (2), and the results are shown in Table 4.

Associated model
In order to calculate the correlation degree data and derive the reliability of the RPS, an association model between the elements is established to characterize their relationships. The reliability data is calculated from the relationships among the elements. In order to simplify the calculation, this section establishes a simplified model of RPS reliability and describes the formulas and data conversions used in the calculation of RPS reliability.
The established reliability model is shown in Fig. 2; it characterizes the relationships of the control process. Matrix A = |A1, A2, A3, A4| represents the reliability of the condition signal feedback from the field devices. Matrix B = |B1, B2, B3, B4, B5| represents the reliability of generating a control command when the condition signals are received. Matrix C = |C1, C2| = |c1, c2, c3, c4, c5, c6| represents the reliability of the control commands issued. Matrix D = |D1, D2| represents the reliability of the control actions, in which D1 represents the reliability of the reactor trip action and D2 represents the reliability of the ESF action. The relationships among matrices A, B, C and D are shown in Fig. 2.

Contribution factor
In order to calculate the reliability of the entire network, it is necessary to define the contribution degree of each node to the next node; for example, the reliability of the path through node B5 is determined by the reliability of node B5 as well as the reliability of nodes A1 and A4 (Hou and Chen 1999). The reliability of node B5 is determined by the correlation function. The contribution of A1 and A4 to B5 depends on their importance. If the paths A1 and A4 are assumed to be equally important, the contribution factor of each is 0.5.
Denote the contribution of Ai to Bj as Ab_ij, of Bi to Cj as Bc_ij, and of Ci to Dj as Cd_ij; thus we establish the correlation matrices Ab, Bc and Cd of matrices A, B, C and D. If the reliability of a node is related to n upstream nodes, the reliability contribution of each upstream node to this node is 1/n, and the correlation matrix is obtained accordingly: It should be noted that the calculation of the contribution factor of a node is mainly concerned with three aspects:
• The importance of the transmission path. Paths that transmit signals for safety equipment are more important than those for non-safety equipment.
• The importance of the transmitted signal. A signal used for reactor trip is more important than one used for ESF.
• The number of transmitted signals.
In this paper, the transmission paths and signals are assumed to be of equal importance, so the contribution factors of the nodes are measured by the number of transmitted signals.
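The following is an added worked example, not code from the paper, illustrating the correlation degree of the previous section together with the 1/n contribution factors described above. Since formula (2) is not reproduced on this page, the degree is modelled as an assumed linear nearness to the centre M over the interval [2M-N, N] (1 at M, 0 at and beyond the endpoints), which matches the properties the text states; the combination rule for a node's reliability and the sample timings are likewise assumptions.

```python
# Added example (not the paper's code). Degree K(C) for a measured response
# time C with best value M and worst value N, on the interval [2M - N, N].
from typing import Dict, List, Tuple

# Constructed sample: (C, M, N) in ms per node. M/N follow the paper's assumed
# bounds for uplink (300/500) and downlink (200/500); the C values are made up.
SAMPLE_TIMES: Dict[str, Tuple[float, float, float]] = {
    "A1": (340.0, 300.0, 500.0),   # device status uplink path
    "A4": (300.0, 300.0, 500.0),   # device status uplink path
    "B5": (230.0, 200.0, 500.0),   # control command downlink path
}
# Upstream links: the paper states that A1 and A4 feed node B5.
UPSTREAM: Dict[str, List[str]] = {"B5": ["A1", "A4"]}


def correlation_degree(c: float, m: float, n: float) -> float:
    """Assumed linear form: 1 at the centre M, falling to 0 at both endpoints
    2M - N and N; values outside the interval (too fast or too slow) score 0.
    The result is rounded to two decimals like the paper's tables."""
    if n <= m:
        raise ValueError("worst value N must exceed best value M")
    k = 1.0 - abs(c - m) / (n - m)
    return max(0.0, round(k, 2))


def contribution_factors(upstream: Dict[str, List[str]]) -> Dict[Tuple[str, str], float]:
    """Each of the n upstream nodes of a node contributes 1/n (paths and
    signals treated as equally important, as in the paper)."""
    factors: Dict[Tuple[str, str], float] = {}
    for node, ups in upstream.items():
        for u in ups:
            factors[(u, node)] = 1.0 / len(ups)
    return factors


def node_reliability(node: str, times=SAMPLE_TIMES, upstream=UPSTREAM) -> float:
    """Assumed combination rule: a node's own degree multiplied by the
    factor-weighted reliability of its upstream nodes; a source node with no
    upstream links (the A nodes) uses its own degree alone."""
    factors = contribution_factors(upstream)
    c, m, n = times[node]
    own = correlation_degree(c, m, n)
    ups = upstream.get(node, [])
    if not ups:
        return own
    weighted = sum(factors[(u, node)] * node_reliability(u, times, upstream) for u in ups)
    return round(own * weighted, 2)


if __name__ == "__main__":
    for name in SAMPLE_TIMES:
        print(name, node_reliability(name))
```

With the sample data A1 scores 0.8, A4 scores 1.0 and B5 itself 0.9, so the path through B5 evaluates to 0.9 * (0.5 * 0.8 + 0.5 * 1.0) = 0.81.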