Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique

Reliability Modeling of Digital Control Systems Using the

Markov/Cell-to-Cell Mapping Technique

The Ohio State University – Nuclear Engineering Program

Diego MandelliMaster Thesis Defense

Diego Mandelli – Master Thesis Defense

Overview•Introduction•Objectives•System description•Markov/Cell-to-Cell Mapping Technique (CCMT)

Failure Modes and Effect Analysis (FMEA)Finite State Machine modelingMarkov Modeling

Cell-To-Cell Mapping Technique •Example Initiating Event (EIE)•Conclusions


Introduction• Instrumentation and control systems (I&C) are widely used in

nuclear power plants for:MonitoringControlProtection

• Since 1940s analog systems have accomplished these tasks satisfactorily, however:

inaccurate design specificationssusceptibility to certain environmental conditions effects of aging such as mechanical failures environmental degradation.


Introduction• Digital systems are essentially free of drift that afflicts analog

systems (they maintain their calibration better):Self testingSignal validationProcess system diagnosticsFault toleranceHigher data handling Storage capabilities

• Nuclear power plants are replacing/upgrading obsolete I&Cs

Transition from analog to digital technology


Introduction

The replacement with a new component affects the safety and the reliability of the overall system.

Considerations:1. Probability Risk Assessment (PRA) is a commonly used tool to

examine the safety and reliability of specific systems2. Conventional PRA tools are based on Fault Trees and Event

Trees (FT and ET)


The starting point….Are ET/FT able to model I&C?

What if we have the following:• The presence of phenomena which dictates the system’s response

(e.g. depending on threshold of process variable values)• The effect of process dynamics on the hardware component failure

behavior• Interactions between controller’s components• Multiple failure modes which affects differently the system

response

In these cases the answer is NO.


What do we need?

A type of PRA able to perform also the simulation of both the controller and the process

A “Dynamic PRA”

What are the goals?

• show how it is possible to model digital I&C systems for PRA purposes using dynamic methodologies

• How can I fit the information coming from these methodologies to actual PRA?

The starting point….


What did we chose to model digital I&Cs? The Markov/Cell-to-Cell Mapping Technique

Objectives

What will be the output? 1. CDF of the Top Events2. Event sequences or Dynamic Event Trees (DET)

What are the requirements? • dependence of the control action on system history,• dependence of system failure modes on exact timing of

failures,• functional as well as intermittent failures,• error detection capability,• possible system recovery from failure modes


Simple Event Tree:

Event Trees and Dynamic Event Trees

Initiating event

Large LOCA

Reactor Trip

Success

Failure

Yes

No

Yes

Core damageECCS

Success

Failure


Dynamic Event tree:

Initiating Event

t = 0 t = Δt

Success

Failure State 1

Failure State 2

t

Success

Failure 2

t = 2·Δt

Failure 1

t = Δt

Event Trees and Dynamic Event Trees

EventSequence


Controller

Process

Sensor n

Controller 1Actuator 1

Controller 2

Actuator 2

Actuator 3

Sensor 1

…..

Type I and II Interactions

The classical “Controller + Process” system:

Type I Interactions Type II Interactions


Stochastic description of the system evolution:

• Dynamic interactions between physical process variables (e.g., temperature, pressure, etc.) and the I&C systems that monitor and manage the process

• Dynamic interactions within the I&C system itself due to the presence of software/firmware (e.g., multi-tasking and multiplexing)

The Markov/CCMT methodology


An overview of the Markov/CCMT

System Description

Type I Interactions Analysis

Control Laws: Simulink Model

FMEA

Type II Interactions Analysis

Finite State Machine Description

CCMT Markov/CCMT ApproachMarkov modeling

System Analysis

System Modeling


System description

System Description



FMEA




System Analysis

System Modeling


System descriptionDigital Feedwater Control System (DFWCS)

• Main Feedwater System Components: Main Feedwater Valve (MFV) Bypass Flow Valve (BFV) Feedwater Pump (FP)

• The purpose is to maintain the water level inside each of the SGs optimally within ± 2 inches

• The controller is regarded as failed if water level in a SG is: above 2.5 ft (+30 inches) → High Failure below 2 ft (-24 inches) → Low Failure


System description

Digital Feedwater Control System (DFWCS)

• 5 Pairs of sensors• 2 Computers (MC,BC)• MFV Controller• BFV Controller• FP Controller• PDI Controller


System description

1 Low power automatic mode(Power < 15%)

2 High power automatic mode (15% < Power < 100%)

3 Automatic transfer from Low to High power mode

4 Automatic transfer from High to Low power mode

BFV (MFV closed)FP (minimum speed)

MFV (BFV closed)FP

Operating modes:


Control laws

The control logic and the control laws and have been derived from the code of DFWCS of an existing plant written in C++


Control laws

Control laws determine the feedwater flow demand which is translated into position (MFV) and speed (FP) through look-up tables.


Control logic

The position and the speed of the actuated devices may depend on the status of the MC and BC.

Otherwise

0S~ 0)( Mn

BnFn tS

FP:

MFV:

BFV:

PDI:


Control Laws

System Description



FMEA




System Analysis

System Modeling


Simulink model

The control logic and the control laws and have been implemented in a Simulink in order to tune and to verify the control laws


Simulink model: an example scenario

The control logic and the control laws and have been implemented in a Simulink model in order to tune and to verify the control laws.

The scenario is a power transient from 70% to 72.5%. This has been modeled thorugh a sequence of finite ramps of 0.5% each.

The purposes were the following:1. Obtain a stable response of the controller2. Obtain a reasonable response of the actuated devices



Results:



MFV response:


Failure Modes and Effect Analysis

System Description



FMEA




System Analysis

System Modeling


FMEA and Finite State MachineFailure Modes and Effect Analysis (FMEA): tool to analyze the possible failure modes and their consequences on the dynamic of the system 1. Failure type

2. Detection of the failure3. Effect of the failure on the controller4. Effect on the process

Finite State Machine: is a model of behavior composed of a finite number of states, transitions between these states, and actions.

1. Transition Conditions2. Transition3. Actions


Computer FMEA

•Input from sensorsLoss of one or both inputsSensor out of range or impossible rate of change

•Output to the controllers

•Communications:

•Loss of Power

•Internal Failures

Roundoff/truncation/sampling rate errorsUnable to meet needed response requirementsWatchdog timer fails to activateWatchdog timer activates when computer has not failedArbitrary value output

Define the intra-computer and computer-computer interactions

Loss of output


Intra-Computer interactions

A. Operating: Computer is operating correctly

B. Loss of One Input: Computer is operating correctly but data are not received from one of the two sensors (for each measured quantity).

C. Loss of Both Inputs: Computer is operating correctly but data are not received from both sensors (for each measured quantity).

D. Computer Down: Computer itself recognizes loss of input(s) or input(s) being out of range and takes itself down. The other computer takes the control of the process automatically (if it is operating correctly) .

E. Arbitrary output: Computer does not realize input(s) out of range or error in processing data. Random data are generated.

D – Computerdown

B – Loss of one input

C – Loss of both inputs

E – Arbitrary Output

A – Computer operating


Two types of failure have been identified:

1. Recoverable (e.g., Loss of input)

2. Not recoverable (e.g., Watchdog timer fails to activate)

Inter-Computer interactions

By this, it is more convenient to talk about primary and secondary computer:

• Primary computer: computer sending output to the controllers

• Secondary computer: computer in stand-by


Inter-Computer interactions

B C

D

E

A

B C

D

E

A

B C

D

E

A

3 Macro States (MS)

2: 1:Operating with 2 computersOperating with 1 computer, possible recovery 3: Operating with 1 computer, no

recovery


Controller FMEA

•Internal FailuresHigh OutputLow OutputArbitrary Value Output

•Loss of Power

Define the Computer-Controller-Actuated Device interactions

• Input from computer (Loss of input): included in the Computer-Computer interactions

•Communications

•Error in the communications

Computer erroneously reported failed

Computer erroneously reported not failed

MFV, BFV, FP controllers do not agree from which computer to accept input.

•Output to the actuated Device

Loss of output


Computer-Controller-Actuated device interaction

0 vdc output

Output High

OutputLow

Arbitrary Output

Freeze

Device Stuck


The Markov/CCMT Approach

System Description



FMEA




System Analysis

System Modeling

System Description



FMEA




System Analysis

System Modeling


The Markov/CCMT Approach

System Description



FMEA




System Analysis

System Modeling

System Description



FMEA




System Analysis

System Modeling

Recall: Stochastic description of the system evolutionBut, so far the system modeling has given a deterministic description of the system.The Markov/CCMT approach convert the information contained in the system modeling step from a deterministic to a statical view point


Cell-to-Cell Mapping Technique

System Description



FMEA




System Analysis

System Modeling


CCMT

CCMT is a technique used to represent the dynamics of the system

• The state space (CVSS) is an n-dimensional space (one dimension for each internal variable)

• CVSS is divided into cells Vj (possibility to capture uncertainties and errors in the monitoring phase of the process)

• Setpoints must fall on the boundary of Vj and not within Vj

• Note: coupling between the discretization of the CVSS and the time step (Δt) of the simulation

• Top Events (Fail High or Fail Low) are modeled as sink cells


CCMT

• the dynamic behavior of the system• control logic of the control system• hardware/firmware/software states

The algorithm:

t t = (k+1)·Δt t = (k)·Δt

j

j’

j”

j’

g(j|j’,n’,t)

The goal is to determine the probability at time t to transit from cell j’ to j given component state combination n’.


Markov modeling

System Description



FMEA




System Analysis

System Modeling


Markov modeling

Goal: determine a probabilistic model which can describe the evolution of all the components of the controller

Markov transition diagrams have been chosenWhat do I need?

•a set of mutually exclusive and exhaustive states•probability of transitions between states has been determined

Markov transition diagrams have been deducted from the Finite State Machine description.


Markov modeling

For each component, a Markov transition diagram has been determined


The goal is to determine:

h(n|n’,j’→j) or h(n|n’,j’→j,k)

Probability that a component state combination change from n’ to n during a transition from j to j’.

Note:• failure rates may depend on process variables like

temperature, pressure….• failure rates may depend on time

Markov modeling


System Analysis

System Description



FMEA




System Analysis

System Modeling


• Markov Modeling: h(n|n’,j’→j) • CCMT: g(j|j’,n’,t)

System Analysis

Since these two transition probabilities are independent:

q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t)


CCMTg(j|j’,n’,t)

System Analysis

N

J

j’

j

n’ n

q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t)

Markov Modelingh(n|n’,j’→j)

Graphically:

q(n, j|n’, j’,t)


Markov/CCMT and Dynamic Event Trees

t

(N, J)

(1, j0)1

2

(1, j0)

(2, j2)(2, j2)

(2, j2)

(1, j3)(1, j3)

(2, j2)

(1, j3)

(2, j2)

(1, j3)(1, j0)

(2, j2)

(1, j0)


1. Turbine trips2. Reactor is shutdown3. Power P(t) is generated from the decay heat4. Reactor power and steam flow rate decay from 6.6% of initial

power and the analysis starts 10 second after reactor shutdown5. Feedwater flow and level are initially at nominal value6. Off-site power is available7. Main computer is failed

An Example Initiating Event

Most of the analysis performed for Level 2 PRA assumes that the reactor is shutdown in all the initiating events.Assumptions:


The Example Initiating Event: considerations

• DFWCS is working in Low Power mode• MFV is not used• FP set at minimum speed• BFV only is able to change the feedwater flow• 5 internal variables: CVSS is 4-D


Hypothesis:• Only Loss of both inputs can occur (and not possibly one)• Loss of communications between the sensors and BC and

between BC and BFV controller cannot be recovered.• Only the BFV controller failure can generate arbitrary output.

If BC generates arbitrary output due to internal failure, it is recognized by the BC.

• The BFV controller cannot fail in Output High mode.• FP cannot fail

The Example Initiating Event

Only one controller is considered: BFV controller



Arbitrary Output

0 vdcOutput

Freeze

DeviceStuck

Cont

rolle

r/Dev

ice C

omm

unica

ting



Ad-hoc program has been built in Java:

1. The simulator:

1. solve the set of 4 different differential equation using Runge-Kutta

2. Implement control laws

2. Generate event sequences

3. Determine probability of Low Failure and High Failure at each time step


The Example Initiating Event: Results

An example of Event Sequence:



The importance of the failure timing: the Freeze state.





What is the effect of changing the Markov time step (Δt) on the Cdf of the Top Events (High Failure and Low Failure)?

3 different Markov time steps have been chosen:• 4 hours• 8 hours• 12 hours


The Example Initiating Event: results


The Example Initiating Event: results


ConsiderationPower behavior affect the behavior of the Cdf of the Top Events.

The number of event sequences strictly depend on:1. The number of time steps2. The number of component state combinations N

Given a mission time (e.g., 24 hours) it is possible to decrease the the number of time steps increasing the Markov time (Δt).N can be reduced:

• Reducing the number of components by merging two or more components together

• Reducing the number of states of a component by merging two or more states together (e.g., merge all states that have the same impact on the dynamics of the system)


Conclusions

• The Markov/CCMT methodology has been presented.

• The modeling of digital control systems (DFWCS) through Markov/CCMT has been shown:

Type I interaction have been modeled using CCMT

Type II interactions have been modeled using Markov Transition diagrams

• The output of the analysis are:

Generation of Event sequences

Evaluation of the Cdf of the Top Events


Documents

Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique