Yang Xu
Hong Xia
Feng Gao
Weihua Chen
Zheming Liu
Pengfei Gu Editors
Volume 507
Series Editors
Leopoldo Angrisani, Department of Electrical and Information Technologies Engineering, University of Napoli
Federico II, Napoli, Italy
Marco Arteaga, Departament de Control y Robótica, Universidad Nacional Autónoma de México, Coyoacán,
Mexico
Bijaya Ketan Panigrahi, Electrical Engineering, Indian Institute of Technology Delhi, New Delhi, Delhi, India
Samarjit Chakraborty, Fakultät für Elektrotechnik und Informationstechnik, TU München, München, Germany
Jiming Chen, Zhejiang University, Hangzhou, Zhejiang, China
Shanben Chen, Materials Science & Engineering, Shanghai Jiao Tong University, Shanghai, China
Tan Kay Chen, Department of Electrical and Computer Engineering, National University of Singapore,
Singapore, Singapore
Rüdiger Dillmann, Humanoids and Intelligent Systems Lab, Karlsruhe Institute for Technology, Karlsruhe,
Baden-Württemberg, Germany
Haibin Duan, Beijing University of Aeronautics and Astronautics, Beijing, China
Gianluigi Ferrari, Università di Parma, Parma, Italy
Manuel Ferre, Centre for Automation and Robotics CAR (UPM-CSIC), Universidad Politécnica de Madrid,
Madrid, Madrid, Spain
Sandra Hirche, Department of Electrical Engineering and Information Science, Technische Universität
München, München, Germany
Faryar Jabbari, Department of Mechanical and Aerospace Engineering, University of California, Irvine, CA,
USA
Limin Jia, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences, Warsaw, Poland
Alaa Khamis, German University in Egypt El Tagamoa El Khames, New Cairo City, Egypt
Torsten Kroeger, Stanford University, Stanford, CA, USA
Qilian Liang, Department of Electrical Engineering, University of Texas at Arlington, Arlington, TX, USA
Ferran Martin, Departament d’Enginyeria Electrònica, Universitat Autònoma de Barcelona, Bellaterra,
Barcelona, Spain
Tan Cher Ming, College of Engineering, Nanyang Technological University, Singapore, Singapore
Wolfgang Minker, Institute of Information Technology, University of Ulm, Ulm, Germany
Pradeep Misra, Department of Electrical Engineering, Wright State University, Dayton, OH, USA
Sebastian Möller, Quality and Usability Lab, TU Berlin, Berlin, Germany
Subhas Mukhopadhyay, School of Engineering & Advanced Technology, Massey University,
Palmerston North, Manawatu-Wanganui, New Zealand
Cun-Zheng Ning, Electrical Engineering, Arizona State University, Tempe, AZ, USA
Toyoaki Nishida, Graduate School of Informatics, Kyoto University, Kyoto, Kyoto, Japan
Federica Pascucci, Dipartimento di Ingegneria, Università degli Studi “Roma Tre”, Rome, Italy
Yong Qin, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Gan Woon Seng, School of Electrical & Electronic Engineering, Nanyang Technological University,
Singapore, Singapore
Joachim Speidel, Institute of Telecommunications, Universität Stuttgart, Stuttgart, Baden-Württemberg,
Germany
Germano Veiga, Campus da FEUP, INESC Porto, Porto, Portugal
Haitao Wu, Academy of Opto-electronics, Chinese Academy of Sciences, Beijing, China
Junjie James Zhang, Charlotte, NC, USA
The book series Lecture Notes in Electrical Engineering (LNEE) publishes the latest developments in Electrical Engineering quickly, informally and in high quality. While original research reported in proceedings and monographs has traditionally formed the core of LNEE, we also encourage authors to submit books devoted to supporting student education and professional training in the various fields and application areas of electrical engineering. The series covers classical and emerging topics concerning:
For general information about this book series, comments or suggestions, please contact leontina.dicecco@springer.com.
To submit a proposal or request further information, please contact the Publishing Editor in your
country:
China
Jasmine Dou, Associate Editor (jasmine.dou@springer.com)
India
Swati Meherishi, Executive Editor (swati.meherishi@springer.com)
Aninda Bose, Senior Editor (aninda.bose@springer.com)
Japan
Takeyuki Yonezawa, Editorial Director (takeyuki.yonezawa@springer.com)
South Korea
Smith (Ahram) Chae, Editor (smith.chae@springer.com)
Southeast Asia
Ramesh Nath Premnath, Editor (ramesh.premnath@springer.com)
USA, Canada:
Michael Luby, Senior Editor (michael.luby@springer.com)
** Indexing: The books of this series are submitted to ISI Proceedings, EI-Compendex, SCOPUS,
MetaPress, Web of Science and Springerlink **
Editors
Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Hong Xia, College of Nuclear Science and Technology, Harbin Engineering University, Harbin, Heilongjiang, China
This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
Preface
In recent years, along with the development of domestic research and international communications, more digital instrumentation and control (I&C) technologies are used in China's nuclear power plants, such as the microprocessor-based safety I&C system named FirmSys developed by China General Nuclear Power Corporation, and the FPGA-based safety DCS named NASPIC developed by China National Nuclear Corporation. In order to solve the problems in actual production and application, and to provide a platform for technical discussion, the 3rd International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP) was convened by related organizations and governmental divisions.
Since 2016, this symposium has become an effective annual technical discussion platform for nuclear power builders, regulators, research institutions, and manufacturers. The 3rd ISNPP was successfully held in Harbin, China, from August 15 to 17, 2018. It attracted around 100 researchers, experts, and engineers from 34 organizations, including Tsinghua University, the Ministry of Ecological Environment, the State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., etc., as well as institutions and companies from the aerospace industry. The symposium served as a platform for exchanging ideas on every aspect of nuclear power plants' instrumentation and control systems, and also promoted military-civilian integration in China.
More than 100 conference papers were submitted for the symposium, covering topics including digital instrumentation and control technology, electromagnetic compatibility, main control room and human–machine interface design, software verification and validation, etc. After anonymous peer review and selection by the experts, 33 outstanding papers were finally accepted to the proceedings published in Lecture Notes in Electrical Engineering by Springer, including seven papers singled out as excellent. Keynote speeches "I&C Island Solutions Based on FirmSys", "Digital Transformation of I&C System" and "I&C System components and parts localization" were presented at the symposium. The speakers shared with the audience their latest and most important research progress. In fact, many topics discussed at the symposium provided important reference and strong support for related work at nuclear power plants. We believe these papers could also benefit the entire nuclear instrumentation and control system industry.
On the occasion of the publication of these papers, we would like to thank the organizers of the symposium for providing a good platform for the majority of nuclear power practitioners. We are also very grateful to the experts and scholars who provided support and guidance during the reviewing process. Finally, we would like to thank all the authors, without whose efforts and studies this volume would never have been published successfully.
Sponsors
Organizer
China Nuclear Power Engineering Co., Ltd. (State Key Laboratory of Nuclear
Power Safety Monitoring Technology and Equipment) (CNPEC)
Co-organizers
Editors
Weihua Chen, China Nuclear Power Design Co., Ltd., Shenzhen, China
Zheming Liu, Product Information Committee of China Instrument and Control
Society, Beijing, China
Pengfei Gu, China Nuclear Power Design Co., Ltd., Shenzhen, China
Gui-Lian Shi, Ming-Li Li(&), Gang Li, Jie Zhang, and Chang-Yu Mo
1 Introduction
With the large-scale production of the petrochemical, electric power and other industries, ensuring the safety and reliability of safety systems and avoiding major industrial accidents have become main concerns of production safety. Disasters that shocked the world, such as the Bhopal gas leak in India and the Chernobyl nuclear power plant accident in the former Soviet Union, have given people an unprecedented focus on safety in industrial production. A safety instrumented system (SIS) is a category of safety-related system (SRS), and it is an important measure to ensure production safety. An SIS is required to correctly perform its safety functions before a dangerous event occurs, to avoid or reduce the occurrence of an accident [1]. Typically, an SIS consists of sensors, actuators, logic control devices, and communication systems. The design of the communication system is one of the key designs of an SIS, and the communication residual error probability is a quantitative index for evaluating communication safety [2]. Therefore, how to design communication systems with relatively low residual error probability is the foundation of an SIS based on digital control system (DCS) technology.
FirmSys is a nuclear power plant safety control system platform developed by CTEC; it is the brain and nerve center of a nuclear power plant and plays a vital role in ensuring the safety of nuclear power plant equipment, personnel and the environment. The safety communication of FirmSys meets both the nuclear requirements and the functional safety requirements. This paper focuses on a key index of safety communication, the residual error probability of communication, including the definition of the communication design requirements based on functional safety. In addition, based on IEC 61508, it summarizes and analyzes the design factors of safety communication, and combines the FirmSys experience in nuclear power and functional safety to design a safety communication.
IEC 61508 proposes the use of the SIL (safety integrity level) for evaluating the risk reduction capability of a safety function. PFD (probability of dangerous failure on demand) and PFH (average frequency of dangerous failure [$h^{-1}$]) are the important quantitative indicators: PFD is used for low-demand SIS and PFH for high-demand SIS [3]. In this paper, PFD is taken as the example; PFH can be used in a similar way.
In terms of safety communication requirements, IEC 61508 refers to IEC 61784-3, which introduces the communication residual error probability as a quantitative evaluation index. The communication residual error probability measures the probability that an undetected failure will still occur after a series of measures has been taken. In IEC 61784-3, the communication residual error probability is required to be far less than the SIL requirement for the safety function loop, that is, at most 1% of the maximum system PFD index, as shown in Fig. 1:
[Fig. 1 (recovered labels only): sensor, communication, logic processor, communication, actuator; the whole loop carries the PFD, of which the communication links are allotted 1% PFD]
The corresponding relationship of residual error probability, the PFD and the SIL is
shown in the following table [3]:
In the SIS design process, first identify the functions required to reduce the original risk to an acceptable level on the basis of hazard identification and risk analysis, and determine the PFD requirement for each function. Afterwards, determine the corresponding SIL for the designed safety functions. And further the
The design factors affecting the communication residual error probability are analyzed,
and then the design is carried out for each factor.
where:
$\Lambda_{SL}(P_e)$: residual error rate per hour of the safety communication layer with respect to the bit error probability;
$P_e$: bit error probability. Unless a better error probability can be proven, a value of $10^{-2}$ shall be used;
$R_{SL}(P_e)$: residual error probability of a safety message;
$v$: maximum number of safety messages per hour;
$m$: maximum number of information sinks permitted in a single safety function;
SL: safety communication layer.
The residual error rate, which is based on detection by a cyclic redundancy check (CRC) mechanism, can be calculated using Eq. (2) below (residual error probability for CRC polynomials):

$$R_{CRC}(P_e) = \sum_{i=1}^{n} A_i \, P_e^{\,i} \, (1 - P_e)^{\,n-i} \qquad (2)$$

where:
$A_i$: the distribution factor of the code (determined either by computer simulation or by mathematical analysis);
$n$: the number of bits in the block, including its CRC signature.
Investigations of the CRC method have shown that for the particular class of so-called proper CRC polynomials, a weighting factor $2^{-r}$ can be applied within the equation to build an approximation. The residual error probability approximation for CRC polynomials is shown in Eq. (3) below [2]:

$$R_{CRC}(P_e) \approx 2^{-r} \sum_{k=d_{min}}^{n} \binom{n}{k} \, P_e^{\,k} \, (1 - P_e)^{\,n-k} \qquad (3)$$
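The following Python is an added worked example (not code from the paper or from FirmSys) that computes Eq. (2) exactly by enumerating the codewords of a small CRC, compares it with the $2^{-r}$ approximation of Eq. (3), and applies the 1% PFD acceptance rule. It assumes Eq. (1) has the IEC 61784-3 form $\Lambda_{SL}(P_e) = R_{SL}(P_e) \cdot v \cdot m$ and that $r$ is the number of CRC bits; the CRC-8 polynomial, block size, message rate and sink count are constructed sample values.

```python
"""Residual error probability of a CRC-protected safety message (Eq. 2 and Eq. 3).

Added example, not code from the paper. The CRC-8 polynomial and block size
are constructed sample inputs; Eq. (1) is taken as Lambda_SL = R_SL * v * m
from IEC 61784-3 (an assumption about the equation the page omits).
"""
from __future__ import annotations

from math import comb


def crc_bits(data: int, k: int, poly: int, r: int) -> int:
    """Remainder of data(x) * x^r divided by the generator (degree r, top bit implicit)."""
    full = (1 << r) | poly            # generator with its x^r term spelled out
    reg = data << r                   # multiply by x^r (append r zero bits)
    for i in range(k + r - 1, r - 1, -1):
        if (reg >> i) & 1:
            reg ^= full << (i - r)
    return reg                        # r-bit remainder


def weight_distribution(k: int, poly: int, r: int) -> list[int]:
    """A_i of Eq. (2): number of undetectable n-bit error patterns of weight i.

    A CRC is linear, so an error pattern goes undetected exactly when it is
    itself a valid codeword; enumerating all 2^k data words therefore gives
    the exact distribution (the 'computer simulation' route the paper mentions).
    """
    n = k + r
    a = [0] * (n + 1)
    for data in range(1, 1 << k):             # skip the all-zero word (weight 0)
        codeword = (data << r) | crc_bits(data, k, poly, r)
        a[bin(codeword).count("1")] += 1
    return a


def residual_exact(a: list[int], pe: float) -> float:
    """Eq. (2): R_CRC(Pe) = sum_{i=1..n} A_i * Pe^i * (1-Pe)^(n-i)."""
    n = len(a) - 1
    return sum(a[i] * pe**i * (1 - pe) ** (n - i) for i in range(1, n + 1))


def residual_approx(n: int, r: int, d_min: int, pe: float) -> float:
    """Eq. (3): R_CRC(Pe) ~ 2^-r * sum_{k=d_min..n} C(n,k) Pe^k (1-Pe)^(n-k)."""
    return 2.0**-r * sum(comb(n, k) * pe**k * (1 - pe) ** (n - k)
                         for k in range(d_min, n + 1))


def hamming_distance(a: list[int]) -> int:
    """Smallest weight that has an undetectable pattern (d_min in Eq. 3)."""
    return next(i for i in range(1, len(a)) if a[i] > 0)


def residual_error_rate(r_sl: float, v: int, m: int) -> float:
    """Per-hour residual error rate Lambda_SL = R_SL * v * m (assumed form of Eq. 1)."""
    return r_sl * v * m


def within_budget(rate: float, pfd_target: float, share: float = 0.01) -> bool:
    """The paper's acceptance rule: communication may use at most 1% of the loop PFD."""
    return rate <= share * pfd_target


if __name__ == "__main__":
    K, R, POLY = 8, 8, 0x07          # CRC-8 x^8+x^2+x+1 over an 8-bit payload (constructed)
    A = weight_distribution(K, POLY, R)
    PE = 1e-2                         # IEC 61784-3 default bit error probability
    exact = residual_exact(A, PE)
    approx = residual_approx(K + R, R, hamming_distance(A), PE)
    lam = residual_error_rate(exact, v=3600, m=2)   # one message/s to two sinks (constructed)
    print(f"d_min={hamming_distance(A)} R_exact={exact:.3e} R_approx={approx:.3e}")
    print(f"Lambda_SL={lam:.3e}/h  SIL3 budget (PFD 1e-3) met: {within_budget(lam, 1e-3)}")
```

Because the generator x^8+x^2+x+1 contains the factor (x+1) and a primitive degree-7 factor, every odd-weight and every double-bit error is caught at this block length, so the enumeration reports d_min = 4.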
Table 2. Relationship between Hamming distance and the number of bits in the block
(column headers as recovered, HD followed by polynomial and source: IEEE 802.3 0x82608EDB; Castagnoli (iSCSI); Koopman 0xBA0DC66B; Castagnoli 0xFA567D89; Koopman 0x992C1A4C; Koopman 0x90022004; Castagnoli 0xD419CC15; Koopman 0x80108400; the per-HD rows did not survive extraction)
The safety communication of FirmSys determines the number of bits in the block based on system needs. The original design used a CRC polynomial with an improper Hamming distance; during SIL certification a proper CRC polynomial was selected, which makes the communication residual error probability meet the requirement.
• transfer media
Because of losses in the transfer medium and environmental influences on transmission, the effect of the bit error rate ($P_e$) on communication is great. IEC 61784-3 provides a default value of $10^{-2}$ if the error rate of the transmission medium is not known. A transmission medium with high reliability and low transmission loss should be selected, such as optical fiber or shielded twisted pair.
• transfer rate
From Eq. (1), the transmission rate $v$ of the communication system is also an important factor when calculating its communication residual error probability. Therefore, the transmission rate should be minimized while still meeting the requirement.
• number of information sinks
The number of information sinks, $m$ in Eq. (1), is the number of terminals that receive safety communication. The number $m$ is relatively small and generally has little impact on the communication residual error probability. It is generally related to the architecture of the system, and a margin should be provided in the protocol design. Validation of the communication residual error probability is required in the application of the SIS.
where $C_N^M$ represents the number of combinations of $N$ taken $M$ at a time, meaning that if more than $M$ blocks out of $N$ blocks fail, the entire communication fails, and $R_{SL}(P_e)$ represents the residual error probability of a safety communication.
Compared with Eq. (1), the communication residual error probability of the entire communication system in Eq. (4) has decreased significantly.
3.5 Summary
When applying this design method to design safety communication, first determine the number of bits in the block based on the actual amount of communication data; it should be minimized since it has a negative effect on the communication error probability. Then select a proper CRC polynomial based on the number of bits in the block. Additionally, determine the communication rate according to the application scenario, and then decide whether the communication architecture design needs redundancy. Communication design is an iterative process, and the residual error probability should be evaluated after each design change.
4 Conclusions
References
1. Jin, J., Wu, Z., et al.: A review of the development of safety instrumentation systems at home and abroad. Chem. Autom. Instrum. 37(05), 1–6 (2010)
2. IEC 61784-3: Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definitions (2016)
3. IEC 61508-2: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (2010)
4. Koopman, P.: 32-bit cyclic redundancy codes for internet applications. In: The International Conference on Dependable Systems and Networks (DSN) (2002)
5. Fujiwara, T., Kasami, T., Kitai, A., et al.: On the undetected error probability for shortened Hamming codes. IEEE Trans. Commun. 33(6), 570–574 (1985)
6. IEC 61025: Fault tree analysis (FTA) (2006)
7. Mingli, L., Guilian, S., Qi, M., et al.: A method of quantitative risk assessment for safety communication residual error probability. China patent ZL201310631726.0 (2016)
8. IEEE 802.3: IEEE Standard for Ethernet (2015)
Apply FMEDA to Guide Self-diagnostic Design for Digital Circuit Board
Jie Zhang^1(&), Jin Fan^2, Gang Li^1, Ming-Li Li^1, and Yi-Qin Xie^1
^1 China Techenergy Co., Ltd, Beijing 100094, China, zhangjie4@cgnpc.com.cn
^2 China Nuclear Power Engineering Co., Ltd, Beijing 100840, China
1 Introduction
A safety system is a system that automatically activates relevant equipment and performs protection functions when needed. It is widely used in different industries, e.g., oil & gas, nuclear, rail transport, etc. In recent years, some DCS suppliers in China have started to develop safety DCS under the encouragement of the safety I&C system localization strategy. CTEC has successfully developed a safety DCS platform named FirmSys, which can be applied to the reactor protection system of nuclear power plants and to other industries in which high-safety systems are required.
Safety I&C systems should fulfill a specific Safety Integrity Level (SIL) according to the application requirement. The probability of failure on demand (PFD) is required to reach a defined target level for a specific SIL, and the diagnostic coverage (DC) always has a big influence on PFD [1]. Therefore, self-diagnostic design for each module is a critical issue. A good diagnostic measure design should increase DC and meanwhile ensure a low false alarm rate (FAR). Some research work has been done on FMEDA applications, and it has proved that FMEDA is a suitable method to evaluate PFD and SIL for a system or a single piece of equipment [2–4]. Its focus is on the evaluation of diagnostic coverage and safe failure fraction. However, FMEDA can also be used to evaluate the FAR. In this paper, based on the research and development experience for FirmSys, certified as SIL3 by TÜV, a method to improve diagnostic design is proposed.
The paper is structured as follows. Section 2 describes the way to integrate FMEDA into FirmSys development and their relationship. Section 3 describes how to apply FMEDA to improve the self-diagnostic design of a digital circuit board. Section 4 presents a case study of the DO module to demonstrate the feasibility of the FMEDA approach, and the conclusion is drawn in Sect. 5.
[Figure (recovered labels only): System Concept; System Requirement; Module Implementation; Output; FMEDA; Analytic Verification; Test Verification; System Validation; Validation]
In the module requirement phase, different types of requirements are raised for the
module, including the self-diagnostic requirements. The self-diagnostic requirements
are normally derived from several sources, for example, the relevant standard (e.g. IEC
60671 and IEC 60880), the customer requirements, diagnostic capability of the similar
products, etc. [5, 6].
As in the example shown in Table 2, the open circuit failure mode is an SU failure, so 1.7*80% is its contribution to the total $\lambda_{SU}$ of the module.
(2) Then the DC and SFF can be calculated using the formulas in IEC 61508. The FAR is the sum, over the rows that can lead to a false alarm, of the failure rate (Column 2) times Alpha (Column 4).
(3) The assessment results are compared with the predetermined requirements to decide whether any change to the self-diagnostics should be made. If the self-diagnostics change, the results should be updated.
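As an added illustration of steps (1) to (3) (not the authors' tool), the Python below rolls a constructed FMEDA table up into $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$ and $\lambda_{DU}$, computes DC and SFF as defined in IEC 61508-2, sums the FAR as failure rate times Alpha, and shows what adding a diagnostic for an undetected stuck-at mode does to DC and FAR. All failure rates, mode ratios and Alpha shares are constructed sample values, not CTEC database entries.

```python
"""FMEDA roll-up for a digital output board: lambda_SD/SU/DD/DU, DC, SFF and FAR.

Added example, not the paper's tool. Every failure rate below is a constructed
sample value in FIT (failures per 1e9 h), not a CTEC database entry.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    component: str
    fit: float        # component failure rate, FIT (the paper's Column 2)
    mode: str
    ratio: float      # share of the component's failures that take this mode
    dangerous: bool   # True if the mode can defeat the safety function
    detected: float   # fraction of this mode that a diagnostic measure catches
    alpha: float      # share of this mode's rate that ends in a false alarm (Column 4)

    @property
    def rate(self) -> float:
        return self.fit * self.ratio


def rollup(modes):
    """Sum each row into the four IEC 61508 buckets and the false alarm rate."""
    lam = {"SD": 0.0, "SU": 0.0, "DD": 0.0, "DU": 0.0}
    far = 0.0
    for fm in modes:
        det = fm.rate * fm.detected
        key = "D" if fm.dangerous else "S"
        lam[key + "D"] += det
        lam[key + "U"] += fm.rate - det
        far += fm.rate * fm.alpha          # FAR: rate x Alpha, summed over the rows
    return lam, far


def assess(modes):
    """DC and SFF as defined in IEC 61508-2, plus the FAR."""
    lam, far = rollup(modes)
    total = sum(lam.values())
    dangerous = lam["DD"] + lam["DU"]
    return {
        "lambda": lam,
        "DC": lam["DD"] / dangerous if dangerous else 1.0,
        "SFF": (lam["SD"] + lam["SU"] + lam["DD"]) / total if total else 1.0,
        "FAR": far,
    }


def add_diagnostic(modes, mode_name, detected, alpha):
    """Model a new self-diagnostic covering one failure mode (e.g. a read-back
    test pattern for a stuck-at output), with the false-alarm share it brings."""
    return [replace(fm, detected=detected, alpha=alpha) if fm.mode == mode_name else fm
            for fm in modes]


# Constructed FMEDA rows for a DO channel whose healthy output is 1 and whose
# safe action is to drive 0 (the convention of the paper's case study).
DO_ROWS = [
    FailureMode("U1 driver", 1.7, "open circuit", 0.8, False, 0.0, 0.0),  # safe, undetected
    FailureMode("U1 driver", 1.7, "short",        0.2, True,  0.0, 0.0),  # dangerous, undetected
    FailureMode("Q1 switch", 5.0, "stuck-at 1",   0.5, True,  0.0, 0.0),  # read-back misses it
    FailureMode("Q1 switch", 5.0, "stuck-at 0",   0.5, False, 1.0, 1.0),  # read-back sees it, alarms
    FailureMode("R1 pull-up", 2.0, "open",        1.0, False, 0.0, 0.0),
]

if __name__ == "__main__":
    before = assess(DO_ROWS)
    after = assess(add_diagnostic(DO_ROWS, "stuck-at 1", detected=1.0, alpha=0.1))
    for tag, res in (("before", before), ("after", after)):
        print(f"{tag}: lambda={res['lambda']} DC={res['DC']:.1%} "
              f"SFF={res['SFF']:.1%} FAR={res['FAR']:.2f} FIT")
```

Running it shows the trade-off the paper describes: covering the stuck-at-1 mode moves 2.5 FIT from $\lambda_{DU}$ to $\lambda_{DD}$ (DC from 0% to about 88%), while the new measure's own false alarms raise the FAR.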
4 Case Study
In this paper the Digital Output (DO) Module of FirmSys is taken as an example to
explain how to improve the self-diagnostic design by FMEDA. The DO module is
designed with self-diagnostic measures, e.g., watchdog, software self-diagnostics,
communication protocol diagnostics, etc.
According to the bill of materials and the circuit diagram of the DO module, the FMEDA is conducted for every component. The failure rate of each component comes from the component failure rate database of CTEC, which is based on prediction according to MIL-HDBK-217, data provided by vendors, etc. During the analysis, the output of the DO module is assumed to stay at 1 in the normal state and change to 0 when the design basis event occurs. Part of the FMEDA results is shown in Table 2.
Through the FMEDA process, the four types of failure rate of each component are obtained, and the total $\lambda_{DD}$, $\lambda_{DU}$, $\lambda_{SD}$ and $\lambda_{SU}$ are calculated by summing up the corresponding values of each component. In addition, some flaws in the existing diagnostic measures are discovered. For example, the DO is designed with read-back features to monitor the output, but some component failures that leave the DO module stuck-at cannot be detected. The stuck-at problem is considered a dangerous failure, which should be detectable. It is not easy to identify this issue without FMEDA analysis.
After the FMEDA analysis, some self-diagnostic measures are proposed to improve the diagnostic coverage, e.g., dynamic self-checking, test patterns, a supply voltage monitoring chip, etc.
The resulting failure rates of the DO module are shown in Table 3. They indicate that the $\lambda_{DD}$ of the DO module increases from 485.2 to 567.4 FIT, the DC increases from 76.2% to 90.4%, and the FAR decreases from 21.4 to 8.6.
5 Conclusion
module is presented and it demonstrates that FMEDA is applicable to use for diagnostic
measures design optimization. The method proposed in this paper could be a reference
for the self-diagnostic design for digital circuit board.
References
1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems (2010)
2. Kim, B.C.: Case Study on the Assessment of SIL Using FMEDA
3. The FMEDA approach to improve the safety assessment according to the IEC 61508. Microelectron. Reliab. 500, 9–11 (2010)
4. Ehiagwina, F.: A comparative overview of electronic devices reliability prediction methods: applications, trends and challenges (2016)
5. IEC 60880: Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions
6. IEC 60671: Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing (2007)
7. IEC 62061: Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems (2005)
8. Guidelines for Process Equipment Reliability Data, with Data Tables. Center for Chemical Process Safety of AIChE, New York, NY (1989)
9. Reliability Data for Control and Safety Systems. SINTEF Industrial Management, Trondheim, Norway (1998)
A Reusable Functional Simulation Verification Method Based on UVM for FPGA Products in DAS
1 Introduction
Because FPGA has advantages over microprocessor and software based systems, a number of instrument manufacturers adopt FPGA technology in diversity systems in order to achieve defence in depth. I&C (instrumentation and control) systems based on FPGA technology do not yet have mature experience in China, so nuclear power owners and regulatory agencies require strict verification of them to ensure quality and reliability [1–3].
Functional simulation verification is the most complex and time-consuming part of the FPGA design process, accounting for about 70% of the entire research and development cycle. Coupled with the urgency of product launch requirements, verification has become the bottleneck of FPGA design. Traditional simulation methods have many problems, such as a long verification cycle, poor reusability of the verification testbench, a low level of automation, etc. The Accellera organization launched UVM to make up for the deficiencies of traditional verification. UVM uses a hierarchical model; through the reuse of components it shortens testbench construction time and further shortens the verification cycle.
2 UVM Description
2.1 UVM Introduction
UVM is a new verification methodology in the IC (integrated circuit) field which synthesizes the advantages of AVM, OVM, VMM, etc. It represents the latest development in the field of verification and is characterized by object orientation, reusability and scalability [4–6]. Building a flexible and reusable verification testbench with the UVM method can greatly improve the efficiency of chip verification.
In this paper, the I/O board FPGA is taken as the verification object.
The MPU and the I/O board communicate through the SLINK protocol, with physical layer interaction over an RS485 bus. SLINK is a self-developed protocol divided into application layer, data link layer and physical layer. All communication processes are initiated by the MPU using a question and answer interaction mode. The communication sequence is divided into two stages: the configuration phase and the periodic communication phase.
Through analysis of the main functional requirements of the FPGA, we put forward a test scheme suitable for FPGA function verification. Then we design the overall architecture of the UVM-based verification testbench.
the connection with the DUT through the virtual interface. The verification developer builds different sequences according to the test outline and forms different test cases.
The top layer controls the initialization and normal simulation execution processes. It calls the run_test method to run the UVM phases; uvm_phase controls the order in which activities execute, including building the testbench, applying stimulus, reporting simulation results, etc.
The application layer components are divided into configuration class components and communication class components according to the communication type. According to the direction of data transmission, they can also be divided into uplink and downlink components: from the MPU to the I/O board is the downlink, and vice versa.
The application layer configuration data packet base class cfg_app_base_data and the application layer communication data packet base class msg_app_base_data are created. They are derived from the uvm_object base class. The data packet base class declares the variables shared by all I/O packets, such as packet number, chassis, slot, board type, etc. For each I/O type, the data packet base class is derived to get a sub data class with the specific I/O characteristics. In the application layer data diagram of Fig. 5, XX can be replaced by AI, AO, DI and DO.
Next, the application layer data frame DATA base class app_frame is created, derived from the uvm_sequence_item base class. The base class declares the state byte, frame byte, CRC, and other variables other than the data packet type. In the app_frame_templet class derived from app_frame, the data packet type variable is added to form a complete application layer data frame DATA. The DATA frame class includes the random constraints on the variables, the correctness checks on the variables, the application layer pack, and the application layer parsing unpack.
Figure 6 shows the complete application layer data frame. When the application layer protocol is modified, only the variables in the corresponding base class or extension class need to be modified.
Taking the application layer data packet as the base variables, the synchronization byte SYN, delimiter, frame length, source address, destination address and parity information are added to it to form the data link layer data frame.
First, link_frame, derived from the uvm_sequence_item base class, is created as the data link layer base class. The link_frame base class declares the relevant variables of the data link layer, such as SYN. The link_frame_templet class is then derived from the link_frame base class. The application layer data packet DATA is added to link_frame_templet, forming the complete data link layer data frame. The data link frame includes the random constraints for the variables, the link layer data pack, the link layer packet unpack, etc.
Figure 7 shows the complete data link layer framing process. If there is a link layer protocol change, simply modify the base class or derived class accordingly.
The I/O board FPGA communicates with the MPU through the RS485 bus. The frame structure consists of start bit, data, check bit and stop bit. An RS485 verification component, rs485_agent, is created to implement physical layer communication.
master_agent also implements sending downlink packets to the DUT. master_agent can automatically generate the downlink layer frames dwd_cfg_link_xx_frame and dwd_msg_link_xx_frame by itself; the data link layer frame is then converted into rs485_agent physical layer data and sent to the DUT.
The master_agent component can automatically generate constrained random downlink packets, or it can be programmed by the virtual sequencer to generate predetermined data.
A reference & compare module has been developed to check the validity of the response data. The reference part of this module prepares the expected data. For example, for the AO output value, the output port current value is also included in the uplink frame, so the expected data can be prepared. The module can also check other information, such as frame length, address, command type, chassis or slot number, CRC, etc. The compare part of this module checks whether the data from the DUT is correct. If the expected data is not consistent with the response data, this is recorded and reported.
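The pack, unpack and compare path described above, as an added Python model (not the paper's SystemVerilog testbench): it builds a link-layer frame around an application DATA frame, parses it back, and lists the fields in which a DUT response differs from the expected uplink frame. The byte layout (SYN 0xAA, delimiter 0x55, one-byte length and addresses, XOR parity, CRC-16/CCITT over the DATA) is an assumption, since the paper names the fields but not their widths; the AO sample frame is constructed.

```python
"""Build, parse and check a link-layer frame of the SLINK-style protocol described above.

Added example, not the paper's UVM testbench. The byte layout (SYN 0xAA,
delimiter 0x55, one-byte length/addresses, XOR parity, CRC-16/CCITT over the
application DATA) is an assumption; the paper names the fields, not their widths.
"""
from __future__ import annotations

from dataclasses import dataclass

SYN, DELIM = 0xAA, 0x55


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE (poly 0x1021), no reflection."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass(frozen=True)
class AppFrame:
    """Application-layer DATA: state byte, frame byte, then the I/O packet fields."""
    state: int
    frame_type: int
    packet_no: int
    chassis: int
    slot: int
    board_type: int
    payload: bytes

    def pack(self) -> bytes:
        body = bytes([self.state, self.frame_type, self.packet_no,
                      self.chassis, self.slot, self.board_type]) + self.payload
        return body + crc16_ccitt(body).to_bytes(2, "big")

    @classmethod
    def unpack(cls, data: bytes) -> AppFrame:
        body, crc = data[:-2], int.from_bytes(data[-2:], "big")
        if len(body) < 6 or crc16_ccitt(body) != crc:
            raise ValueError("application CRC mismatch")
        return cls(*body[:6], payload=bytes(body[6:]))


def pack_link(src: int, dst: int, app: AppFrame) -> bytes:
    """SYN | DELIM | LEN | SRC | DST | DATA | PARITY, parity = XOR of all preceding bytes."""
    data = app.pack()
    head = bytes([SYN, DELIM, len(data), src, dst])
    parity = 0
    for b in head + data:
        parity ^= b
    return head + data + bytes([parity])


def unpack_link(frame: bytes):
    """Return (src, dst, AppFrame); raise ValueError on any framing defect."""
    if len(frame) < 7 or frame[0] != SYN or frame[1] != DELIM:
        raise ValueError("bad SYN/delimiter")
    length = frame[2]
    if len(frame) != 5 + length + 1:
        raise ValueError("frame length mismatch")
    parity = 0
    for b in frame[:-1]:
        parity ^= b
    if parity != frame[-1]:
        raise ValueError("parity mismatch")
    return frame[3], frame[4], AppFrame.unpack(frame[5:5 + length])


def compare_response(expected: AppFrame, exp_src: int, exp_dst: int, raw: bytes) -> list:
    """The 'reference & compare' step: list every field of the DUT reply that differs
    from the expected uplink frame (an empty list means the response is correct)."""
    try:
        src, dst, got = unpack_link(raw)
    except ValueError as err:
        return [str(err)]
    mismatches = []
    if (src, dst) != (exp_src, exp_dst):
        mismatches.append(f"address {src:#x}->{dst:#x}, expected {exp_src:#x}->{exp_dst:#x}")
    for field in ("state", "frame_type", "packet_no", "chassis", "slot", "board_type", "payload"):
        if getattr(got, field) != getattr(expected, field):
            mismatches.append(f"{field}: got {getattr(got, field)!r}, "
                              f"expected {getattr(expected, field)!r}")
    return mismatches


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame (to exercise the checker with a constructed fault)."""
    out = bytearray(frame)
    out[index] ^= 0x01
    return bytes(out)


# Constructed sample: an AO board in chassis 2, slot 7 reports its output current.
AO_UPLINK = AppFrame(state=0x00, frame_type=0x21, packet_no=5, chassis=2, slot=7,
                     board_type=0x02, payload=(12000).to_bytes(2, "big"))  # 12.000 mA

if __name__ == "__main__":
    raw = pack_link(src=0x11, dst=0x01, app=AO_UPLINK)
    print(raw.hex(), compare_response(AO_UPLINK, 0x11, 0x01, raw))
    print(compare_response(AO_UPLINK, 0x11, 0x01, corrupt(raw, 12)))
```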
the deepening of the verification activities, the testcase library becomes more and more complete, achieving higher code coverage and functional coverage and improving the reliability of the FPGA.
The traditional verification method often needs the testbench to be modified for each new test case; the code modification is large, the work is highly repetitive, and it is not easy to maintain and extend. The testbench and testcases of a UVM verification testbench are independent, which enhances reusability and scalability. If new test cases or changes during test maintenance are needed, you only need to program the sequence to form the required testcase.
The following part shows that the cost is reduced in several respects. The information is collected from the actual project implementation of FitRel.
In the real FPGA verification of the I/O board of the DAS system, the preparation time for the testbench is greatly reduced. The average preparation time for one specific testcase may be reduced by about 20%–30%, as shown in Table 1.
For … traditional method, test execution is mostly a human eye inspection method, which is difficult to automate. The test process is time-consuming and laborious. In the UVM testbench, a compare module is included to check the validity of the response data, which greatly reduces the test execution time. The average time for one testcase execution and result check may be reduced by about 30%, as shown in Table 2.
The traditional method can only execute one case at a time, whereas with UVM more than one testcase can be executed at a time. Together with the shorter preparation, execution and checking time per testcase, this shortens the entire testing period: the average project testing period for one I/O board FPGA is reduced by about 30%, as shown in Table 3.
26 X.-H. Lv et al.
Table 1. Average preparing time for one testcase before test execution in I/O board FPGA functional simulation verification
  I/O FPGA testcase                                        Traditional method   UVM method
  Average preparing time for one testcase before test      2 h                  1.5 h
Table 2. Average execution time for one testcase in I/O board FPGA functional simulation verification
  I/O FPGA testcase                                        Traditional method   UVM method
  Average execution time for one testcase                  3 h                  2 h
Table 3. Average testing period for one I/O board FPGA functional simulation verification
  I/O FPGA testcase                                        Traditional method   UVM method
  Average testing period for one I/O board FPGA project    300 h                200 h
When using this testbench, if the tester needs to change the object under test from the AI FPGA to the DO or another FPGA, no change to the testbench itself is required: the chassis number, slot number, I/O type and the corresponding I/O parameters are simply changed in the virtual sequencer.
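The reference & compare check and the chassis/slot/I/O retargeting described above, modelled in Python as an added example (this is not code from the paper or from the FitRel testbench, which is written in UVM/SystemVerilog). The uplink frame layout, the CRC-16/MODBUS variant and the assumed DUT behaviour (echo the addressing fields, report the commanded AO value and port current) are assumptions chosen for illustration; the downlink packet is constructed:

```python
"""Reference-and-compare check for one uplink frame, modelled in Python.

Added example, not code from the paper: the frame layout, the CRC variant and
the DUT behaviour below are assumptions chosen to illustrate the check.
"""
import struct

# Assumed uplink frame layout (hypothetical, little-endian):
#   LEN(1) ADDR(1) CMD(1) CHASSIS(1) SLOT(1) AO_VALUE(2) PORT_CURRENT(2) CRC16(2)
FRAME_LEN = 11
BODY_FMT = "<BBBBBHH"  # every field except the trailing CRC
FIELDS = ("len", "address", "command", "chassis", "slot", "ao_value", "port_current")


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (reflected poly 0xA001, init 0xFFFF), assumed for the RS-485 link."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_uplink_frame(addr, cmd, chassis, slot, ao_value, port_current) -> bytes:
    """Assemble a complete uplink frame, CRC included."""
    body = struct.pack(BODY_FMT, FRAME_LEN, addr, cmd, chassis, slot, ao_value, port_current)
    return body + struct.pack("<H", crc16_modbus(body))


def expected_response(downlink: dict) -> bytes:
    """Reference part: derive the frame the DUT should return for a downlink packet.

    Assumed DUT behaviour: the addressing fields are echoed, and the AO output value
    and port current follow the commanded values carried in the downlink packet.
    """
    return build_uplink_frame(downlink["addr"], downlink["cmd"], downlink["chassis"],
                              downlink["slot"], downlink["ao_value"], downlink["port_current"])


def compare_frames(expected: bytes, response: bytes) -> list:
    """Compare part: return the names of the failed checks (empty list = pass).

    Length is checked first because no other field can be trusted if it is wrong;
    the CRC is then recomputed over the received body before the fields are compared.
    """
    if len(response) != FRAME_LEN or response[0] != FRAME_LEN:
        return ["frame_length"]
    body, received_crc = response[:-2], struct.unpack("<H", response[-2:])[0]
    errors = []
    if crc16_modbus(body) != received_crc:
        errors.append("crc")
    for name, exp, got in zip(FIELDS, struct.unpack(BODY_FMT, expected[:-2]),
                              struct.unpack(BODY_FMT, body)):
        if exp != got:
            errors.append(name)
    return errors


# Constructed downlink packet, standing in for what master_agent or the virtual
# sequencer would generate; chassis, slot and the I/O parameters are the knobs
# that are changed to retarget the check at another FPGA.
DOWNLINK = {"addr": 0x12, "cmd": 0x03, "chassis": 2, "slot": 5,
            "ao_value": 2048, "port_current": 1200}


def run_checks() -> dict:
    """Exercise the compare module on a good frame and two corrupted ones."""
    expected = expected_response(DOWNLINK)
    wrong_slot = bytearray(expected)
    wrong_slot[4] = 6                     # slot field altered; the CRC is now stale too
    truncated = expected[:5]              # DUT stopped transmitting early
    return {
        "good": compare_frames(expected, expected),
        "wrong_slot": compare_frames(expected, bytes(wrong_slot)),
        "truncated": compare_frames(expected, truncated),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:11s} -> {'PASS' if not result else 'FAIL ' + ', '.join(result)}")
```

Ordering the checks this way (length, then CRC, then field-by-field) mirrors what a scoreboard should do: a short or corrupted frame is reported as such rather than as a cascade of spurious field mismatches, and every mismatch is named so the report can be traced back to one field of the frame.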
6 Conclusion
In this paper, UVM is used to simulate the I/O board FPGA of the DAS system. Practical application in the project shows that using UVM for FPGA verification of the DAS effectively improves the efficiency of FPGA verification and shortens the product development cycle. The UVM verification testbench has good configurability and reusability and effectively meets the functional simulation verification requirements.
A Reusable Functional Simulation Verification Method Based on UVM 27
The Method of Failure Analysis for Safety-Critical System Software Based on Formalization
1 Introduction
In recent years, as software is applied more and more widely in safety-critical systems, the reliability requirements for safety-critical software have become stricter. In safety-related fields in particular, many standards and regulations have been issued for software reliability. For example, the nuclear safety guide HAD 102/16 for nuclear power plants explicitly requires that reliability be a focus for safety-critical software [1], and GB/T 13629 requires that, when a reliability target is set, it be proven that the safety-critical system software still meets that target [2]. At this stage, experts in the field mainly analyze software reliability qualitatively: through software failure analysis, software defects are identified and corrected to improve software reliability.
Software failure analysis generally borrows the classical reliability analysis methods used in hardware reliability analysis, such as FMEA and Fault Tree Analysis (FTA). When these traditional methods are applied to software failure analysis, the result depends heavily on the knowledge of the analysts, and the analysis workload is huge. In this paper, we combine the FMEA method with formalization techniques. Formal methods rest on rigorous mathematical theory and can readily be processed by computer, so the combined method can ensure the objectivity and validity of the failure analysis, and the use of formal tools improves the efficiency of the analysis.
When formal methods are used for software failure analysis, the modelling process demands highly skilled analysts, and modelling the software is equivalent to reconstructing it, with a huge workload. Sect. 3 of this study presents a modelling method that effectively reduces the difficulty and workload of modelling. Sect. 4 describes the formalized software failure analysis process, which guides the implementation of formalized software failure analysis activities.
From the above we can see that in the formalized software failure analysis process, establishing the software model is crucial. Since a software model is equivalent to a refactoring of the software, its workload is generally huge; establishing a common software model is therefore an effective way to reduce the modelling workload. When the software under analysis is modelled, it is broken up into a combination of simple software units. The criterion for an adequate software unit is that its input can be clearly defined by the analyst. By decomposing the analyzed software into multiple simple software units, the software model is simplified, and a common model is built for the simple software units. The process is shown in Fig. 2.
This study abstracts a software unit as the behaviour of processing specific data according to a specific set of logic in a specific environment, as shown in Fig. 3.
the two states "new" and "old", which are spatially abstracted into the two states "empty" and "full". The interaction between the software behaviour and the software runtime environment changes the software's data state. The software's data state (S.sdata) is abstracted into four states: initial data state (sinit), normal data state (normal), data loss (lose) and data repeat (repeat). The relationship between software behaviour, environment and data state is shown in Fig. 4.
The relationship between a software unit's input data and output data is determined manually. Under given data states, the relationship between input data and output data is specified in the form of assertions.
The failure analysis process for safety-critical software based on formal methods is shown in Fig. 6.
the data assignment, the data of model A is assigned to model B. In this way, a basic software model describing generalized software can be established.
(3) Define the software functions and describe them using the states in the basic software model. For example, the function of the software in the above example is defined as: data b outputs true if the data state is normal.
(4) Use the ARC tool to automatically search for all state transfer paths that do not satisfy the function definition; each such path is a failure mode.
(5) For each failure mode, analyze its causes of failure, frequency, etc. in combination with the specific circumstances of the software system, and fill in the FMEA form.
FMEA analysis is performed for the software function "read the software configuration data (from FLASH), parse it and write the parsed data into dual-port RAM".
(1) Identify the data flow and draw the data flow diagram (Fig. 8).
(2) Describe the configuration function formally (function A: "read configuration data from FLASH", function B: "parse configuration data", function C: "write configuration data to dual-port RAM") (Fig. 9).
(3) Define the condition under which the data written to dual-port RAM is valid for the configuration function, expressed in the formal language: [(C.S.sdata = normal) & (c! = Yes)]
(4) Use the ARC tool to automatically search for all state transfer paths that do not satisfy the function definition (Fig. 10).
(5) The state transfer paths that do not satisfy the function definition are candidate failure modes. Analyze the cause and calculate the probability of each failure mode, then fill in the FMEA form (Fig. 11).
34 X.-B. Zhou et al.
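Step (4) above, the exhaustive search for state transfer paths that violate the function definition, as an added example in Python. This is not the paper's ARC model or tool: it is a small explicit-state search over the A (read FLASH), B (parse), C (write dual-port RAM) pipeline using the four data states from the model; the environment events and the transition relation in step() are assumptions chosen for illustration, and the definition of "written" is likewise assumed:

```python
"""Enumerating state-transfer paths that violate a function definition.

Added example, not the paper's ARC model: a small explicit-state search over the
A -> B -> C configuration pipeline (read FLASH, parse, write dual-port RAM),
with assumed environment events and an assumed transition relation.
"""
from itertools import product

UNITS = ("A", "B", "C")                   # read FLASH, parse, write dual-port RAM
STATES = ("sinit", "normal", "lose", "repeat")
# Assumed environment events a unit may meet while running (hypothetical):
EVENTS = ("ok", "timeout", "retransmit", "dedup")


def step(sdata: str, event: str) -> str:
    """Assumed transition relation for one unit: the 'assertion' relating the
    input data state to the output data state under a given environment event."""
    if sdata == "lose":                    # lost data cannot be recovered downstream
        return "lose"
    if event == "timeout":
        return "lose"
    if event == "retransmit":
        return "repeat"
    if event == "dedup":                   # duplicate filtering restores a normal stream
        return "normal" if sdata == "repeat" else sdata
    # "ok": initial data becomes normal data; any other state passes through unchanged
    return "normal" if sdata == "sinit" else sdata


def function_satisfied(c_sdata: str, c_written: bool) -> bool:
    """The function definition [(C.S.sdata = normal) & (c! = Yes)]."""
    return c_sdata == "normal" and c_written


def run_path(events) -> list:
    """Run one assignment of events through A, B, C; return (unit, event, state) per unit."""
    sdata, trace = "sinit", []
    for unit, event in zip(UNITS, events):
        sdata = step(sdata, event)
        trace.append((unit, event, sdata))
    return trace


def find_failure_modes() -> list:
    """Exhaustively search every event assignment; each violating path is a failure mode."""
    failures = []
    for events in product(EVENTS, repeat=len(UNITS)):
        trace = run_path(events)
        final = trace[-1][2]
        written = final != "lose"          # assumption: C writes unless the data was lost
        if not function_satisfied(final, written):
            failures.append(trace)
    return failures


if __name__ == "__main__":
    modes = find_failure_modes()
    print(f"{len(modes)} of {len(EVENTS) ** len(UNITS)} paths violate the definition")
    for trace in modes[:3]:
        print(" -> ".join(f"{u}:{e}->{s}" for u, e, s in trace))
```

Each returned trace is one candidate failure mode in the sense of step (5): it records which unit met which event and the data state that resulted, which is what the analyst needs to reason about cause and probability. The search is exponential in the number of units (here 4^3 = 64 paths), which is the state explosion the conclusion warns about and the reason the paper recommends functional segmentation for large systems.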
Path Example 1:
From the table above, the software failure paths are determined by both the software model and the failure definition. Both are derived from the software design, which is relatively objective, so the problem that the analysis result is greatly influenced by the analyst's subjectivity is solved. In addition, by carrying out the work with software tools, the workload of the analysts is greatly reduced.
6 Conclusion
This paper introduces a software failure analysis method based on formal methods for safety-critical systems. The method adopts the software functional unit model and a failure analysis process based on the ARC language and tools. By formalizing the software function, the software failures and their impact, and by using the formal tool ARC, the working efficiency is greatly improved. When the number of software units in a system becomes large, the tool may face a state explosion; functional segmentation should then be used to deal with it.
References
1. HAD 102/16 (2004): Computer based safety important system software for nuclear power plant
2. GB/T 13629-2008: Criteria of computers in safety system for nuclear power plant
A Study About Software V&V Evaluation
of Safety I&C System in Nuclear Power Plant
1 Introduction
digital systems and equipment in the Generic Design Assessment (GDA) of the EPR, ABWR1000 and AP1000, and formal methods were used in the verification of the nuclear safety instrumentation and control (I&C) system software at the Sizewell nuclear power plant in the UK.
The promulgation of new regulations and standards for nuclear safety software may raise new and higher requirements for the scope and depth of V&V and for the technologies and methods to be used, so that existing software V&V technical solutions cannot fully cover the new requirements, and the correctness and effectiveness of the new technologies and methods that need to be adopted must also be assessed.
Several major nuclear power groups in China are actively developing nuclear safety digital I&C systems and equipment with independent intellectual property rights, and are gradually forming their own V&V laboratories to research key V&V techniques and evaluate nuclear safety software, but statistical testing and formal methods are not yet used in engineering practice. There is still a gap between the requirements of the new regulations and standards and the software V&V experience feedback from GDA issues. Relevant research on software V&V is therefore needed to meet the new requirements of domestic and international safety reviews.
This study focuses on the software V&V regulations and standards such as Institute of Electrical and Electronics Engineers (IEEE) 1012, International Atomic Energy Agency (IAEA) No. SSG-39 and the ONR review principles, as well as the technical opinion report on EU safety software certification, and carries out a comparative study between the old and new versions of the standards. On this basis, the main differences in technical requirements are sorted out as a technical reference for establishing or optimizing a V&V solution.
The main standard followed for software V&V has been IEEE 1012-2004, but IEEE 1012-2012 and IEEE 1012-2017 have since been released. The IAEA has adjusted its regulatory and standard system, and the specific safety guide No. SSG-39 on I&C system and software design came into effect in 2016. The RCC-E standard has been upgraded to the 2016 edition, and in 2015 the European Union issued a technical opinion report on the licensing of safety-critical software for nuclear reactors. By comparing these regulations, standards and technical reports related to safety software V&V, the gaps between the old and new standards in the technical requirements, implementation scope, depth and procedures of V&V are analyzed.
IEEE 1012-2004 is limited to software V&V, while IEEE 1012-2012 [3] and IEEE 1012-2017 [4] extend the scope of V&V to systems and hardware. Accordingly, the concept of "software integrity level" is extended to "integrity level", the concept of "component" is extended from "software component" to "software component and hardware component", and the "V&V tasks" are subdivided into software, hardware, system and general V&V tasks.
1. Integrity level
IEEE 1012 uses integrity levels to quantify the complexity, criticality, risk, safety level, security level, required performance, reliability, or other project-specific characteristics whose importance is determined by the user and the acquirer. The integrity level determines the scope, rigor and intensity with which the V&V tasks and activities are executed. As the integrity level decreases, the necessary scope, intensity and rigor of the V&V tasks also decrease. For example, in the hazard analysis of software at integrity level 4 the analysis is formally recorded in a document and module failures are considered, whereas at integrity level 3 only significant software failures are taken into account and the analysis can be informally recorded as part of the design review process.
IEEE 1012-2012 and IEEE 1012-2017 do not require that all subsystems or components of a system have exactly the same integrity level, whereas IEEE 1012-2004 gives no clear statement on this. However, note that the NRC requires the integrity levels of the system and all its components to be the same.
2. V&V processes
IEEE 1012-2004 allows the V&V team to have the design team prepare the V&V test specifications, execute the tests and record the results. IEEE 1012-2012 and IEEE 1012-2017 require that the V&V organization perform the testing of systems/software/hardware at integrity levels 3 and 4, which ensures independence and diversity of testing between the V&V organization and the design organization. For systems/software/hardware at integrity level 2, testing can be performed by the design team and reviewed by the V&V team.
3. V&V activities
The comparative analysis of the differences in software V&V activities among the IEEE 1012 versions is shown in Table 1.
4. V&V tasks
IEEE 1012-2004, IEEE 1012-2012 and IEEE 1012-2017 differ in the depth of the V&V task requirements. Major differences include:
• Hazard analysis
In IEEE 1012-2012 and IEEE 1012-2017, a new requirement to evaluate and identify mitigation measures, verifying that each hazard has been prevented, mitigated or controlled (and recording any unresolved hazard as a consideration for system and software operation), is added to the V&V tasks of the design, implementation, test, installation and checkout, and operation and maintenance phases.
40 P.-F. Gu et al.
• Security analysis
In IEEE 1012-2012 and IEEE 1012-2017, a new requirement to ensure that the identified security threats and vulnerabilities have been prevented, mitigated or controlled (and recording any unresolved security threat or vulnerability as a consideration for system and software operation) is added to the V&V tasks of the design, implementation, test, installation and checkout, and operation and maintenance phases.
In Appendix J of IEEE 1012-2017, a new security analysis method based on threats and on system life cycle process assurance is added, which provides operational guidance for implementation.
• Source code and source code documentation evaluation
In IEEE 1012-2012 and IEEE 1012-2017, a new requirement to verify that the source code and its interfaces with other components do not result in unnecessary, unintended or harmful consequences is added to the implementation V&V task.
In addition, compared with IEEE 1012-2004, IEEE 1012-2012 adds the following appendices:
– Appendix I: system, software and hardware integration V&V.
– Appendix J: hazard, security and risk analysis.
– Appendix K: the system integrity level hierarchy and an example of changes in "supporting system functions".
A Study About Software V&V Evaluation of Safety 41
3. Static analysis
Regarding formal code verification, No. SSG-39 deleted the clause of NS-G-1.1 (2000) that read: "When software requirements are formally specified, it is possible to verify formal code. However, formal verification generally requires a wide range of expertise, so consider consulting competent analysts".
4. Software tools
No. SSG-39 further details the requirements for software tools in paras. 7.148–7.164 of Chap. 7. Additional requirements include:
– information security testing tools are added to the tools used in the I&C system development life cycle;
– configuration management of all software tools is required.
6. Operating experience
No. SSG-39 adds the clause that "relevant operating experience can supplement other validation techniques, but cannot replace them".
7. Information security
No. SSG-39 adds the requirements of paras. 9.82–9.94 of Chap. 9 for information security verification in software V&V:
– Automated software tools are used to examine the code for information security vulnerabilities, assisted by manual review of key parts of the code, including input and output processing and exception handling.
– For safety systems, the final application needs to be submitted for computer security testing (such as penetration testing) to verify that common security vulnerabilities are not readily found, and to allow continuous improvement of the software design and implementation.
8. Pre-developed software
No. SSG-39 sets out requirements for pre-developed software used in safety systems and in systems important to safety respectively:
– For safety systems, pre-developed software used in the safety I&C system should have the same level of qualification as its application.
– For I&C systems important to safety, the user manual needs to describe the pre-developed software, including its functions, interfaces, different behaviour modes and their switching conditions, restrictions, and a reasonable demonstration that it satisfies the user's requirements or the requirements applicable to the I&C system.
– More detailed qualification requirements are added for pre-developed items, as detailed in paras. 6.78–6.134 of Chap. 6.
9. Third-party evaluation
Additional requirements of No. SSG-39 for third-party evaluation include:
– Third-party evaluation should be adopted for safety system software and executed in parallel with the development process.
– The content of the assessment includes: the development process, through quality assurance supervision and technical inspection of life-cycle process documents such as outlines and software specifications, and full-scope testing activities; and the final version of the software and any subsequent modifications, evaluated through static analysis, inspection, monitoring and testing.
– For the selection of verification tools and methods: the combined use of different methods to achieve full coverage of functional and non-functional requirements, consideration of the scope of formal verification, and the requirement that software modules be tested and meet the coverage requirements.
– Verification policies balanced in terms of time, schedule and resources.
– Test coverage.
2.4 Analysis of the Old and New Versions of the ONR Technical Assessment Guide
The ONR technical assessment guide related to software V&V is NS-TAST-GD-046 "Computer Based Safety Systems", which has been updated twice in the last two years. Compared with NS-TAST-GD-046 rev. 3 (2013) [8], the changes in NS-TAST-GD-046 rev. 4 (2017) [9] mainly reflect updated versions of the standards it refers to; there is no significant change in its review principles. Recently, ONR released NS-TAST-GD-046 rev. 5 (draft). Compared with rev. 4 (2017), its changes mainly include:
1. Scope of application: the technical assessment guide is now also applicable to HDL-based systems.
2. In terms of the general review principles, additional or further clarifying requirements are as follows:
– The functions of computer systems and the complexity of their implementation should be minimized, and unnecessary complexity avoided.
– For a diverse safety system, if one line is based on computer technology, the other should adopt non-computer technology.
– Production Excellence (PE): demonstrate that potential systematic defects introduced in the software development process are minimized.
– Independent Confidence Building Measures (ICBM): the dependability claim is supported by independent execution, and by diversity of the personnel, evaluation techniques and methods involved.
– In addition to considering the information security of computer-based systems important to safety, ONR gives specific control requirements and control methods in Appendix 6.
– ONR adds consideration of software tool qualification and clarifies the requirements for software tool qualification in Appendix 7.
– Based on the current state of technology and consideration of all relevant factors, including complexity, ONR considers a reliability claim of 1e-4 for a computer-based safety system to be reasonable and credible.
3. Multi-legged arguments
– New qualification requirements for pre-developed items such as commercial-grade smart devices and platforms are added, and ONR gives the classification method for commercial-grade smart devices in Appendix 4.
By comparing the old and new versions of the relevant regulations and standards for nuclear safety software V&V, the following differences in technical requirements are sorted out:
1. The scope of V&V objects expands to include HDL software.
2. The scope of the V&V tasks is expanded and the task content is detailed:
– project planning V&V, configuration management V&V and disposal V&V are added;
– in hazard analysis and security analysis, the task of evaluating mitigation measures is added.
3. The V&V tasks are specified more clearly:
– the V&V strategies and methods for reused/pre-developed software are further clarified and regulated;
– the content and requirements of hazard analysis and security analysis are further detailed;
– the configuration management and qualification requirements for software tools are specified;
– the functional and structural coverage requirements for testing are further clarified.
4. The rigor of task execution is increased, for example:
– the independence requirement is emphasized, and third-party evaluation is required for safety system software;
– for safety system software V&V, system testing is required to be performed by the independent V&V organization;
– the diversity of V&V techniques and methods is emphasized, and statistical testing and formal methods are recommended;
– for the V&V of pre-developed software used in safety systems, source code testing such as static and dynamic testing is emphasized.
4 Conclusions
Based on a comparative analysis of the new and old nuclear safety standards, such as IEEE 1012, IAEA No. SSG-39 and the ONR review principles, as well as the technical opinion report on EU safety software certification, this study sorts out the main technical differences to provide a technical reference for establishing a better-suited nuclear safety I&C system software V&V solution or optimizing the existing one.
Although the IEEE and the IAEA have published or updated the relevant regulations and standards for nuclear safety software V&V, the nuclear safety regulators of China mainly refer to the standards accepted by the NRC regulatory guides, such as R.G. 1.168-2013 endorsing IEEE 1012-2004, and to IEC 60880, for the regulatory scrutiny of nuclear safety I&C systems. As a result, the existing nuclear safety software V&V solution satisfies the current safety evaluation requirements.
The results of this study are forward-looking: they take into account the requirements of GDA review and can address possible technical risks in future nuclear safety reviews under the new standards, laying a foundation for the "going global" of the Hua-Long No. 1 project and for meeting GDA review.
References
1. R.G. 1.168: Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Office of Nuclear Regulatory Research (2013)
2. IEEE Std 1012: IEEE Standard for Software Verification and Validation. Institute of Electrical and Electronics Engineers (2004)
3. IEEE Std 1012: IEEE Standard for System and Software Verification and Validation. Institute of Electrical and Electronics Engineers (2012)
4. IEEE Std 1012: IEEE Standard for System, Software and Hardware Verification and Validation. Institute of Electrical and Electronics Engineers (2017)
5. No. SSG-39: Design of Instrumentation and Control Systems for Nuclear Power Plants. International Atomic Energy Agency (2016)
6. NS-G-1.1: Software for Computer Based Systems Important to Safety in Nuclear Power Plants. International Atomic Energy Agency (2000)
7. Bel V (Belgium), BfE (Germany), CNSC (Canada), et al.: Licensing of Safety Critical Software for Nuclear Reactors. Common Position of International Nuclear Regulators and Authorised Technical Support Organisations, Regulator Task Force on Safety Critical Software (2018)
8. NS-TAST-GD-046: Computer Based Safety Systems. Office for Nuclear Regulation (2013)
9. NS-TAST-GD-046: Computer Based Safety Systems. Office for Nuclear Regulation (2017)
A Study About Pre-developed Software Qualification of Smart Devices Applied in NPP
Abstract. Based on research and analysis of the standards and the relevant Electric Power Research Institute (EPRI) reports on commercial grade dedication (CGD), in particular for the pre-developed software of smart devices (intelligent measuring, communication and actuation devices employing programmed electronic components (PEC) to enhance performance), the requirements for pre-developed software qualification are identified. In combination with the tasks of IEEE 1012, a V&V model is proposed to guide the concrete execution of qualification activities such as suitability evaluation, quality evaluation, operating experience evaluation, additional system testing and comprehensive assessment; it also helps to establish the specification and process for pre-developed software qualification. On this basis, a pre-developed software qualification was performed for each qualification activity, forming some good practice in the process. Some special considerations for pre-developed software qualification are put forward, and critical qualification points are captured that may provide a technical reference for subsequent CGD, such as the pre-developed software of smart devices to be applied in the HPR1000 and other nuclear power plants (NPPs).
1 Introduction
With the development of smart technology, smart devices (intelligent measuring, communication and actuation devices employing PEC with embedded software to enhance performance) are increasingly used to replace conventional devices in the safety instrumentation and control (I&C) systems of nuclear power plants (NPPs) to improve economic efficiency. Although they have many advantages, such as greater accuracy, better noise filtering, built-in linearization, on-line calibration and diagnostics, a smart device is generally a commercial-off-the-shelf (COTS) product sold as a black box; its reliability is hard to demonstrate and it potentially increases the risk of common cause failure (CCF). Therefore, even with extensive and mature application in non-nuclear industries, a smart device should be thoroughly tested and evaluated, or dedicated, for NPP safety application. This applies especially to the pre-developed software (also called COTS software) of the smart device, which directly affects the safe and reliable operation of the NPP and needs particular attention to guarantee that the safety function is implemented correctly.
However, there are many issues in the pre-developed software qualification of smart devices applied in NPPs, such as the software not being nuclear-specific, hidden changes, internal complexity, and the need for access to the manufacturer's intellectual property. Besides, there is little domestic nuclear engineering experience in the independent qualification of pre-developed software. To meet the related regulatory requirements and to achieve the goal of exporting the specified software together with the HPR1000, it is necessary to carry out research on qualification standards and technology for the autonomous pre-developed software.
The study first researches the relevant guidelines and standards and refers to EPRI technical reports to tease out the specific requirements for pre-developed software. Then an appraisal plan including the qualification process and methods is put forward, and the implementation of the plan is illustrated by concrete engineering practice. Finally, the main technical points are summarized to provide a technical reference for subsequent engineering practice.
The concept of CGD has already been proposed in China's nuclear safety guide HAD 102/16, but no complete and enforceable scheme or procedure has yet been formed, and practice mainly refers to the relevant standard systems of Europe, America or international organizations [1]. Fig. 1 is the context diagram of the relevant documents for CGD such as pre-developed software qualification.
Fig. 1 (context diagram of the relevant documents; only the labels are recoverable here): HAD 102/16, China, Rev. 2004; IEC 60880 (Rev. 2006), Clause 15, Qualification of pre-developed software, e.g. microprocessor: MPU/MCU/CPU; IEC 62566 (Rev. 2012), Acceptance process for programmable integrated circuits, native blocks and pre-developed blocks, e.g. complex hardware logic: ASIC/FPGA/CPLD.
(f) Obtain the design documents and source code if the existing software needs to be modified.
(g) The information should be sufficient for evaluating the quality of the existing software and its development process, and meet the requirements for assessing the quality level of the existing software.
Acceptance of existing software shall be performed as follows.
(a) Verify the functions implemented by existing software meets all requirements
described in the safety system requirement specification and other application
specification.
(b) Verify existing software didn’t refer to the functions that safety system require-
ments specification doesn’t require, and isn’t response to the adverse effects for
the functions required.
(c) Compliance analysis between standard requirements used and software design.
A Study About Pre-developed Software Qualification 51
(d) Validate the expected use of the functions of the existing software through tests,
including the tests completed by the supplier.
(e) Ensure the functions of the existing software are not used by the safety system, other
software or the user in a way that is not specified and tested.
If possible, obtain sufficient operating history information and failure rate data,
and properly evaluate the experience feedback based on analysis of the operating time,
error reports and delivery history of the related system's operation.
If the relevant software development information is not sufficient and available, a risk
assessment should be carried out for the safety impact of software faults.
For this study, the research object is a smart device, a breaker (C1 classified system)
with a micro-logic trip unit, which is a mature commercial grade item and has had
ten years of good performance so far. The functions of the breaker are mainly realized
by pre-developed software developed with ASIC technology, and the development
languages include VHDL and C++. Therefore, this study considers the requirements of
RCC-E-2012, IEC 62566-2012 and IEC 60880-2006 at the same time when performing
the pre-developed software qualification. The suitability analysis of the three
standards is given in Table 1.
[Figure: V&V model for the breaker. Concept V&V; Verification (Additional Test; Suitability Evaluation); Validation; Breaker System Design Requirements; Breaker System Integration (Comprehensive Assessment)]
Because the breaker will eventually be used in the third-generation NPP HPR1000 to
perform safety functions, the V&V team performed a suitability evaluation, a quality
evaluation, an evaluation of operating experience and additional system tests in order to
guarantee the high reliability of the ASIC.
(1) Suitability evaluation
• Required input documentation
– System specification documentation
– PDS specification and user’s documentation
• Evaluation requirements
– Comparison of the system and PDS specification
– Identification of modifications and missing point
• Performing evaluation
– According to the required input documentation and evaluation requirements,
the applicable V&V tasks are suitability analysis and traceability analysis,
which are well suited to identifying modifications, missing points or
inconsistencies through comparison of the system and PDS specifications.
– The V&V tasks performed found two kinds of anomalies. One is that
requirements of the system specification documentation are not reflected in
the PDS specification and user's documentation. The other is that the timing
characteristic requirements of the ASIC cannot be proved.
• Preliminary evaluation conclusion
– The conclusion of the suitability evaluation is that complementary work is
needed to clarify the anomalies or to provide convincing proof.
54 S.-C. Wang et al.
5 Conclusions
According to the research and analysis of the standards and the relevant EPRI reports on
CGD, the requirements for a smart device breaker including pre-developed software
have been identified. In combination with the tasks of IEEE 1012, a V&V model
was proposed to guide the qualification activities, which also helps establish the
specification and process for pre-developed software qualification. On that basis,
the pre-developed software qualification was performed and some good practices were
formed in the process. All of the qualification efforts can serve as evidence for
evaluating the reliability of the pre-developed software and promote confidence in
the software used to perform safety functions. Furthermore, some critical
qualification points have been captured and may provide technical reference for
subsequent CGD, such as the pre-developed software of smart devices that will be applied
in the HPR1000 and other NPPs.
References
1. HAD 102/16: Nuclear Power Plants-Systems Important to Safety-Software Aspects for
Computer-based Systems. National Nuclear Safety Administration (2004)
2. EPRI NP-5652: Guideline for the Utilization of Commercial Grade Items in Nuclear Safety
Related Applications (NCIG-07). Electric Power Research Institute (1988)
3. EPRI TR-102260: Supplemental Guideline Application of EPRI Report NP-5652 Commercial
Grade Items. Electric Power Research Institute (1994)
4. IEEE Std.7-4.3.2: IEEE Standard Criteria for Digital Computers in Safety Systems of
Nuclear Power Generating Stations. Institute of Electrical and Electronics Engineers (2010)
5. EPRI TR-106439: Guideline on Evaluation and Acceptance of Commercial Grade Digital
Equipment for Nuclear Safety Application. Electric Power Research Institute (1996)
6. R.G. 1.152: Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.
Regulatory Guide Office of Nuclear Regulatory Research of U.S. Nuclear Regulatory
Commission (2011)
7. IEEE 1012: IEEE Standard for Software Verification and Validation. Institute of Electrical
and Electronics Engineers (2004)
8. RCC-E: Design and Construction Rules for Electrical Equipment of Nuclear Islands. French
Association for Design, Construction and In-service Inspection Rules for Nuclear Island
Components (2012)
9. IEC 60880: Nuclear Power Plants-Instrumentation and Control Systems Important to Safety-
Software Aspects for Computer-based Systems Performing Category A Functions.
International Electro-technical Commission (2006)
10. IEC 62566: Nuclear Power Plants - Instrumentation and Control Important to Safety-
Development of HDL-programmed Integrated Circuits for Systems Performing Category A
Functions (2012)
Applications of Data Mining in Conventional
Island of Nuclear Power Plant
State Nuclear Electric Power Planning Design & Research Institute CO., LTD,
Beijing 100095, China
u2490@snpdri.com
Abstract. With the application of digital control systems and field-bus technology
in nuclear power plants, production data is growing explosively. For this large
amount of production data, which is high-dimensional and multi-coupled, data mining
technology will play an increasingly important role. This paper briefly introduces the
data mining process and its commonly used methods. Based on the data size of the
conventional island in a nuclear power plant and current data applications, this paper
puts forward data mining applications in the Conventional Island (CI) and analyzes the
primary approaches and trends of these applications.
In recent years, big data analytics has advanced at an unprecedented pace, mostly in
Internet-related research and development. Big data is not new to the science and
technology communities, but compared with what has been happening on the Internet,
data applications there have primarily been used to confirm the correctness of
existing physical laws. Data science and technology are largely ignored, and as a
result potentially prominent science remains undiscovered.
In the nuclear power industry, data analytics is a very important tool because,
according to statistics from the World Nuclear Association (WNA) for the global NPPs
from 2008 to 2012, 90% of the events leading to unplanned energy loss (such as
unplanned shutdowns, outage extensions or load reductions) are due to equipment
failure [1]. Among such failures, the top 5 causes are associated with: (1) turbine and
auxiliary systems; (2) electrical control systems; (3) generator and auxiliary systems;
(4) reactor; and (5) main feed water and main steam systems. Over 70% of the total
unplanned energy loss, about 140 GWh, is caused by these top five equipment problems.
Most of these failures can be resolved safely, but they can be the trigger of
catastrophic disasters like Chernobyl in the former USSR and, most recently, the
Fukushima nuclear power plant in Japan.
The main task of a nuclear power plant, once its construction is completed, is to
keep its operation safe and at low cost. To do so, the operation and maintenance
of a NPP require significant efforts to monitor and analyze the equipment status, which
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 58–71, 2019.
https://doi.org/10.1007/978-981-13-3113-8_7
Applications of Data Mining in Conventional Island 59
contributes a substantial portion of the operational cost. To make matters worse, there
are no existing physical laws or models that can be used directly to ease the
difficulties encountered in analyzing the massive monitoring data acquired in operation
to separate abnormal from normal operation. Data-enabled science and engineering may
be a unique and significant tool to assist the stable, reliable and economic operation
of CI equipment.
Presently, the operations on the production data of NPPs and fossil power plants
usually include:
(1) Direct digital control
Direct digital control (DDC) is the automated control of a condition or process by a
digital device. DDC allows automatic control of the equipment and monitoring of the
unit performance status by setting upper/lower control and alarm limit values on the
production data. For example, vibration instruments are usually used to measure the
vibration of pump bearings, and an upper limit of the vibration value is set. Once an
abnormal vibration signal exceeds the upper limit, an alarm is generated to remind the
operators that the pump is in an abnormal state, or the alarm initiates a pump stop for
protection.
DDC provides the basic control and monitoring means for safe operation. The
advantage of DDC is that the upper/lower control and alarm limit values can be
obtained from the characteristics of the systems or equipment, which is simple and
feasible. Combined with a Distributed Control System, DDC is even more useful.
Therefore, DDC has become the primary means in many applications [2].
However, because the upper/lower limit values usually have a large margin, DDC
may malfunction due to a spurious signal near the margin, which significantly
increases the operational cost.
(2) Mathematical model analysis method
The mathematical model analysis method (MMAM) uses mathematical models for
equipment performance and status analysis. Based on the mathematical model of the
equipment, the device-related parameters are used to calculate the performance of the
equipment or to further analyze its status. For example, by building the mathematical
models of the turbine and using the related pressure and temperature data as given
values, parameters of steam turbine performance such as turbine efficiency and flow
area are calculated, and these performance parameters can be used to analyze the
equipment status [3].
MMAM provides further analysis of the production data. Its advantage is that the
analysis can be accomplished safely and precisely if the mathematical model is
accurate. After years of research, some mathematical models of CI equipment have
shown their usefulness and can basically meet the requirements of engineering
application.
However, MMAM is presently only applicable to a single device and not suitable for
complex systems with large correlation and strong coupling, and its reliability in
real-life application is often in doubt.
60 Z.-G. Wu et al.
DM is the process of applying methods with the intention of uncovering hidden
underlying physics in large data sets. The following are several commonly used methods.
(1) Statistical Analysis
Statistics provides many discriminant and regression methods for DM, including
Bayesian inference, regression analysis and analysis of variance. Bayesian inference is a
method of statistical inference used to update the probability of a hypothesis
as more evidence or information becomes available. Regression analysis is a set of
statistical processes for estimating the relationships among variables; it can also be used
to model the probability of occurrence of certain events. Analysis of variance is a
collection of statistical models which can be used to analyze the performance of the
regression and the effects of the independent variables on the final regression [5].
4 Applications
Digital control systems and field bus technology have gradually been applied in NPPs in
recent years; as a result, a huge amount of data is acquired, but data analysis and
application are still in their infancy. It is expected that DM can greatly enhance the safe
operation of NPPs in the following aspects: equipment fault diagnosis, optimization of
unit operation and soft sensors.
the normal range. Furthermore, it cannot differentiate the trend of the condition changes
to provide the early warnings.
Recently, to diagnose rotating equipment, i.e. the steam turbine, most scholars use
the association rule learning method [10]. The authors of [10] proposed an association
rule learning method and express the relationship among the vibration signs, the
thermal parameter data and the fault type as the confidence and support degree of an
association rule. That paper provides a rule-based database for a specific unit and uses
the database to implement turbine diagnosis. The process of rule mining,
judgment and result analysis is shown in Fig. 1. Based on this method, the
authors tested the effectiveness of diagnosis on a 900 MW turbine of a fossil power
plant and provided an example as follows:
The turbine rotor has two bearings, and the horizontal (X phase) and vertical (Y phase)
vibration of each bearing is monitored (for bearing 1, referred to as 1X and 1Y; for
bearing 2, as 2X and 2Y). During the start-up stage of the turbine, 1X and 1Y soared;
the highest value of 1X was 198 µm, which led to the turbine trip. As bearing 1 and
bearing 2 are located on the same rotor, the vibration of bearing 2 also changed
correspondingly, with a highest value of 138 µm. After analyzing the thermal process
parameters, it was found that the main steam temperature (MS-T), the 100% high
pressure cylinder temperature (HPC-T) and the high pressure cylinder exhaust steam
temperature (HPCES-T) had reached their highest values before the turbine trip, as
shown in Fig. 2. Comparing the vibrations of bearing 1 and bearing 2, both of them
reached the upper values that trip the turbine, and the phase changes were very large,
which matches the symptoms of thermal unbalance trouble. The association rule fault
diagnosis system also diagnosed that bearing 1 and bearing 2 had thermal unbalance
trouble, which proves the accuracy of the diagnosis system. This method is also
applicable to the equipment of the CI part of an NPP. The association rule fault
diagnosis system can accurately determine the cause of a fault and help the operators
to discover and eliminate the fault in time, so as to ensure the stable and safe
operation of CI systems and equipment [11].
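As an added illustration of the support/confidence scoring described above (constructed history records and symptom labels, not the rule database of [10] or the diagnosis system itself):

```python
"""Association-rule fault diagnosis for turbine bearings (constructed example).

Each history record is the set of discretised symptoms observed on a unit
(vibration signs and thermal parameters) plus the fault that was later
confirmed.  A rule {symptoms} -> fault is scored by support (fraction of
records containing the symptoms and the fault) and confidence (fraction of
records with the symptoms that also have the fault), the two measures named
in the text.  Records, labels and thresholds are constructed sample data.
"""
from itertools import combinations

# Symptom labels (constructed): 1X_HIGH/1Y_HIGH/2X_HIGH/2Y_HIGH = bearing
# vibration above its limit, PHASE_JUMP = large phase change, MST_HIGH /
# HPCT_HIGH / HPCEST_HIGH = thermal parameter at its highest value.
HISTORY = [
    ({"1X_HIGH", "1Y_HIGH", "2X_HIGH", "PHASE_JUMP", "MST_HIGH", "HPCT_HIGH"},
     "THERMAL_UNBALANCE"),
    ({"1X_HIGH", "1Y_HIGH", "PHASE_JUMP", "MST_HIGH", "HPCEST_HIGH"},
     "THERMAL_UNBALANCE"),
    ({"1X_HIGH", "2X_HIGH", "PHASE_JUMP", "HPCT_HIGH"}, "THERMAL_UNBALANCE"),
    ({"1X_HIGH", "1Y_HIGH", "2X_HIGH"}, "MASS_UNBALANCE"),
    ({"1X_HIGH", "2X_HIGH"}, "MASS_UNBALANCE"),
    ({"1X_HIGH", "1Y_HIGH", "PHASE_JUMP"}, "RUBBING"),
    ({"2X_HIGH", "2Y_HIGH"}, "MASS_UNBALANCE"),
    ({"1X_HIGH", "PHASE_JUMP", "MST_HIGH", "HPCT_HIGH"}, "THERMAL_UNBALANCE"),
    ({"1X_HIGH", "2X_HIGH"}, "MASS_UNBALANCE"),
]


def mine_rules(history, min_support=0.2, min_confidence=0.5, max_len=2):
    """Return {(antecedent, fault): (support, confidence)} for every rule whose
    antecedent has at most max_len symptoms and that clears both thresholds."""
    n = len(history)
    symptoms = sorted({s for record, _ in history for s in record})
    faults = sorted({f for _, f in history})
    rules = {}
    for size in range(1, max_len + 1):
        for combo in combinations(symptoms, size):
            ante = frozenset(combo)
            with_ante = [f for record, f in history if ante <= record]
            if not with_ante:
                continue
            for fault in faults:
                both = sum(1 for f in with_ante if f == fault)
                support = both / n
                confidence = both / len(with_ante)
                if support >= min_support and confidence >= min_confidence:
                    rules[(ante, fault)] = (support, confidence)
    return rules


def diagnose(rules, observed):
    """Pick the matching rule with the highest confidence, then highest support,
    then the shortest and lexically first antecedent (for determinism).
    Returns None when no mined rule matches the observed symptoms."""
    observed = set(observed)
    cands = []
    for (ante, fault), (support, confidence) in rules.items():
        if ante <= observed:
            cands.append((confidence, support, len(ante), tuple(sorted(ante)), fault))
    if not cands:
        return None
    cands.sort(key=lambda c: (-c[0], -c[1], c[2], c[3]))
    confidence, support, _, symptoms, fault = cands[0]
    return {"fault": fault, "confidence": confidence, "support": support,
            "symptoms": list(symptoms)}


RULES = mine_rules(HISTORY)

if __name__ == "__main__":
    # The start-up trip described in the text: both bearings high, large phase
    # change, thermal parameters at their maxima.
    print(diagnose(RULES, {"1X_HIGH", "1Y_HIGH", "2X_HIGH", "PHASE_JUMP",
                           "MST_HIGH", "HPCT_HIGH", "HPCEST_HIGH"}))
```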
Diagnosis of faulty operation of heat exchangers, specifically the condenser, is another
application; neural networks or improved neural networks have been shown to be useful.
Fig. 3. Schema of faulty diagnosis using nonlinear principal component analysis and
probabilistic neural network
The diagnostic results verify the reliability of the diagnosis method based on
NLPCANN and PNN, and the diagnosis speed is also improved, which is suitable for
complex systems with high-speed requirements. So for the diagnosis of the condenser in
an NPP, method 2 can determine the failure cause speedily and correctly.
Thermodynamic sensors are used primarily to acquire production data. These data
are the basis of monitoring, control and analysis for the unit, so the signal quality of
the sensors is critical. If the signal quality is bad, the subsequent response of the
control system or operators may be wrong, which may cause a serious accident. So in
recent years, researchers have used the dynamic data mining (DMM) method to
evaluate the sensor condition [12].
Thermodynamic parameter signals can be decomposed into a series of intrinsic mode
functions and a residual trend using the empirical mode decomposition method, to
realize dynamic mining of the feature information of sensor faults.
Application of DM technology to diagnosis can realize predictive and active analysis
of the critical equipment, change post-fault maintenance into predictive
maintenance, and guide the maintenance personnel to focus on the equipment that have the
and some papers presented an improved fuzzy association rule mining method for
fossil power plants, whose application was verified to be successful [14, 15].
By mining the historical data, optimization research on the CI systems is carried out
so as to guide the operators and improve the unit economy.
$$ x'(i,j) = \frac{x(i,j) - x_{\min}(j)}{x_{\max}(j) - x_{\min}(j)} \qquad (1) $$
where x(i,j) is the input vector value of the i-th variable of the j-th sample; x_max(j),
x_min(j) are the maximum and minimum values of the j-th index; x'(i,j) is the normalized
value of the index eigenvalue. Through this transformation, the effects of differences in
meaning and unit on the average influence value and the GRNN model are avoided.
Then the variables are filtered based on Vimp_avg, the average influence value of the
input variables on the dependent variable.
Taking the first N variables that account for 85% of the total influence value as the
input of the network, the average influence values in order are: 0.0307,
0.0274, 0.0231, 0.0213, 0.0184, 0.0154, 0.0124, 0.008 and 0.0073, representing
respectively high pressure condenser pressure (HPC-P), low pressure condenser pressure
(LPC-P), governing stage pressure (GS-P), main steam pressure (MS-P), high pressure
cylinder exhaust pressure (HPCE-P), main condensate flow (MC-F), reheater hot side
steam temperature (RHSS-T), generator power (G-P) and feed water flow (FW-F). These
9 variables account for 85.33%. The sample data after filtering are shown in
Table 4.
In Table 4, the data of the first 15 samples were used for model training, and the data of
the last 5 samples for model testing. The first 15 sets of data were processed by
Matlab programming with the distribution density Ds selected over a range, to obtain the
variation of δ with Ds and thus determine the value of Ds at which δ is smallest.
At this value, the network has higher training precision and generalization ability.
After that, the SSM model for the main steam flow has been established, which uses
the 9 variables as input and optimized Ds as the network distribution density param-
eters. At last, the reserved 5 sets of sample data are used to test the model.
$$ \Delta\delta(i) = \frac{\delta(i)}{X(i)} \qquad (3) $$
where X(i), X'(i) are the actual value and the model output value; δ(i) is the absolute
error between the actual value and the output value; Δδ(i) is the relative error. The
comparison results are shown in Table 5. From the table, we can see that the relative
errors are within a reasonable range, which can fully meet the requirements.
Therefore, the flow measurement device for main steam flow can be replaced by the
SSM.
Application of DM technology to SSM can make up for the shortcomings of commonly
used instruments or traditional calculation methods, and is of great significance for
improving unit performance and reducing project cost.
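An added worked example (not the authors' Matlab code) of the three data-handling steps the SSM section describes: selecting the inputs that cover 85% of the total influence value, the min-max normalization of Eq. (1), and the relative error of Eq. (3). The nine named influence values are the ones listed in the text; the remaining, unnamed variables are given constructed values chosen so that the nine account for about 85.33% of the total, as stated; the GRNN itself is not reproduced.

```python
"""Input selection, normalisation and error scoring for the main steam flow
soft-sensor model (SSM).  Added illustration, not the authors' Matlab code.

select_inputs keeps the highest-ranked variables until they account for the
required share of the total average influence value (85% in the text);
normalize applies Eq. (1) per variable; relative_errors applies Eq. (3).
"""

INFLUENCE = {  # average influence value of each input on the main steam flow
    "HPC-P": 0.0307, "LPC-P": 0.0274, "GS-P": 0.0231, "MS-P": 0.0213,
    "HPCE-P": 0.0184, "MC-F": 0.0154, "RHSS-T": 0.0124, "G-P": 0.0080,
    "FW-F": 0.0073,
    # constructed values for the variables the text does not name
    "OTHER-1": 0.0070, "OTHER-2": 0.0065, "OTHER-3": 0.0060,
    "OTHER-4": 0.0052, "OTHER-5": 0.0035,
}


def select_inputs(influence, share=0.85):
    """Return (names, covered_share): variables in descending influence order,
    stopping as soon as their cumulative share of the total reaches `share`."""
    total = sum(influence.values())
    ranked = sorted(influence.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, cum = [], 0.0
    for name, value in ranked:
        chosen.append(name)
        cum += value
        if cum / total >= share:
            break
    return chosen, cum / total


def normalize(rows):
    """Eq. (1) applied per variable: x' = (x - x_min) / (x_max - x_min), with
    min/max taken over all samples.  A constant variable carries no information
    and is mapped to 0.0 instead of dividing by zero."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(x - l) / (h - l) if h != l else 0.0
             for x, l, h in zip(row, lo, hi)] for row in rows]


def relative_errors(actual, predicted):
    """Eq. (3): Δδ(i) = δ(i) / X(i) with δ(i) = |X(i) - X'(i)|."""
    return [abs(x - xp) / x for x, xp in zip(actual, predicted)]


# Constructed samples: 4 samples of 3 variables (the middle one is constant).
SAMPLE_ROWS = [[4.0, 100.0, 7.0], [2.0, 100.0, 9.0],
               [3.0, 100.0, 8.0], [1.0, 100.0, 11.0]]
# Constructed actual main steam flow vs. a hypothetical model output (t/h).
ACTUAL = [1000.0, 1250.0, 1500.0]
PREDICTED = [990.0, 1275.0, 1497.0]

if __name__ == "__main__":
    names, covered = select_inputs(INFLUENCE)
    print(len(names), "inputs cover %.2f%%" % (100 * covered), names)
    print(normalize(SAMPLE_ROWS))
    print(relative_errors(ACTUAL, PREDICTED))
```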
5 Conclusions
Based on DM technology, this paper puts forward a solution to the problem of
inefficient use of the large amount of production data of the CI in NPPs. By analyzing
several application examples, DM shows great application prospects in the CI, which
has a large amount of high-dimensional, multi-coupled production data. In the CI, DM
can be applied extensively in the areas of equipment fault diagnosis, unit operation
optimization and soft measurement calculation, to further improve the safety and
economy of the unit.
References
1. Optimized Capacity: Global Trends and Issues 2014 edition. A Report by the World Nuclear
Association’s Capacity Optimization Working Group
2. Xu, J.G.: Progress in the design of DCS for large-scale thermal power plants. Electr. Power
39(10), 84–87 (2006)
3. Wang, Y.M., Zhang, L.Z., Xu, D.M., Ma, H.L.: Application of characteristic flow area of
steam turbine. J. Eng. Therm. Energy Power 27(2), 160–164 (2012)
4. LI, H.: Development of Database of Rotating Machine History Fault-cases and Precision
Diagnosis. North China Electric Power University (2004)
5. Olaru, C., Geurts, P.: Data mining tools and applications in power system engineering. In:
Proceedings of the 13th Power System Computation Conference. Norway (1999)
6. Quinlan, J.R.: Induction of decision trees. Mach. Learn. 1(1), 81–106 (1986)
7. Garcez, T., Miranda, V.: Knowledge discovery in neural networks with application to
transformer failure diagnosis. IEEE Trans. Power Syst. 20(2), 717–724 (2005)
8. Pawlak, Z.: Rough sets. Int. J. Parallel Program. 11(5), 341–356
9. Su, H.C., Sun, X.F., Yu, J.L.: A survey on the application of rough set theory in power
systems. Autom. Electric Power Syst. 28(3), 90–95 (2004)
10. Han, H.: The Research of Vibration Fault Diagnosis System for 900 MW Turbine Based on
Data Mining. Shanghai Jiao Tong University (2009)
11. Hou, G.L., Sun, X.G., Zhang, J.H., Jin, W.G.: Research on fault diagnosis of condenser via
nonlinear principal component analysis and probabilistic neural networks. Proc. Chin. Soc.
Electr. Eng. 25(18), 104–108 (2005)
12. Li, W., Yu, Y.L., Sheng, D.R., Chen, J.H.: Fault diagnosis of thermodynamic parameter
sensors based on dynamic data mining. J. Vib. Measurement Diagnosis 36(4), 694–699
(2016)
13. Zheng, X.X., Yang, H.Y., Gu, J.J.: Optimization of the targeted value for thermal power
based on association rules. Electr. Power Sci. Eng. 26(9), 48–51 (2010)
14. Li, J.Q., Liu, J.Z., Zhang, L.Y., Niu, C.L.: The research and application of fuzzy association
rule mining in power plant operation optimization. Proc. Chin. Soc. Electr. Eng. 26(20),
118–123 (2006)
15. Li, J.Q., Niu, C.L., Liu, J.Z.: Application of data mining technique in optimizing the
operation of power plants. J. Power Eng. 26(6), 830–835 (2006)
16. Wang, J.X., Fu, Z.G., Jing, T., Chen, Y.: Main steam flow measurement based on
generalized regression neural network. Power Eng. 32(2), 130–134,158 (2012)
A Hierarchically Structured Down-Top Test
Equipment Debugging Method for RPS
Wang Xi, Tao Bai, Peng-Fei Gu, Wei Liu, and Wei-Hua Chen
Abstract. The reactor protection system (RPS) plays a critical role in the digital control
system (DCS) and ensures the safety of the nuclear power plant (NPP). System testing
is a necessary step during system development and verification and validation
(V&V), which ensures the safety and reliability of the RPS. Debugging of the test
environment and equipment is an important step that ensures the effectiveness and
efficiency of testing. A system such as the RPS, which contains complicated logic and a
large number of interfaces, costs a lot of time and human resources to debug.
A structured debugging method is proposed in this paper; it establishes a debugging
architecture with a hierarchical model according to the signal transmission path, and
designs the debugging process from the bottom up. Results from engineering practice
show that this method has improved the effectiveness and efficiency of debugging and
provides support and reference for establishing system test environments.
1 Introduction
The key point of digital technology in NPPs is the introduction of safety software; the
performance of the software affects the safety and reliability of the NPP directly [1, 2]. The
reactor protection system (RPS) plays a critical role in the digital control system (DCS)
and ensures the safety of the nuclear power plant (NPP). System testing is a necessary
step in system development and verification and validation (V&V), ensuring the safety
and reliability of the RPS [3–5]. Debugging of the test environment and equipment is an
important step which ensures the effectiveness and efficiency of testing. For a system
like the RPS, which contains complicated logic and a large number of interfaces, a test
environment established with unstructured debugging cannot ensure an adequate and
correct test, and results in much rework that costs a lot of time and human resources
for debugging [6].
Therefore, to improve debugging efficiency and effectiveness and save human and
time cost, this paper researches a structured debugging method for digital RPS test
equipment.
2 Test Architecture
2.1 System and Equipment
The test architecture of the RPS is described in Fig. 1; it includes the user interface, test
tools and target system, and achieves the following functions [7]:
[Fig. 1. Test architecture of the RPS: User-interface; Signal control; Control machine with I/O board (AO, DO, AI, DI); Analog and Digital Signals; Target system]
(1) The user-interface provides configuration functions for the operator, including test
conditions, test cases and test data;
(2) The test tool provides translation and simulation for signal transmission and
reflects the reception back to the user-interface.
[Fig. 2. Hierarchical debugging model (V model), with a gate between adjacent levels: User-level (Interface configuration table, Control machine, I/O board); Mapping-level (Slot and I/O mapping); Board-level (Input interface, Output interface); Cabinet-level (Input interface, Output interface); System-level (RPS, Monitor)]
(1) The test architecture is divided into 5 levels according to the signal transmission
path, including user-level, mapping-level, board-level, cabinet-level and system-level,
and can be described as a V model;
(2) The user-level is used by the operator to configure and monitor the input and output
data;
(3) The mapping-level connects the signal names to the slots and I/O interfaces of the
control machine;
(4) The board-level inputs or outputs signals by translating them into voltage and
current;
(5) The cabinet-level transports the signals between the boards and the target system;
(6) The system-level is the interior of the target system, where the signals can be
monitored and changed by software; the monitoring software is important for
checking the correctness of debugging at the higher levels.
A Hierarchically Structured Down-Top Test 75
5 Conclusions
References
1. Ding, Y.X., Gu, P.F., et al.: Study on Standard about Safety Digital I&C System in
NPP. Process Autom. Instrum. 36(11), 61–64 (2015)
2. International Electro Technical Commission: IEC 60880 Nuclear power plants-
Instrumentation and control systems important to safety-Software aspects for computer-
based systems performing category A functions. International Electro Technical Commission,
Switzerland (2006)
3. Gu, P.F., Xi, W., Chen, W.H., et al.: Evaluation system of software concept V&V about the
safety digital I&C system in nuclear power plant. In: International Symposium on Software
Reliability, Industrial Safety, Cyber Security and Physical Protection for Nuclear Power Plant.
Springer, Singapore, Vol. 400, pp. 125–132 (2016)
4. V&V Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012
IEEE Standard for Software Verification and Validation. Institute of Electrical and Electronics
Engineer, New York (2004)
5. He, Y.N., Gu, P.F., Xi, W.: Research on digital control system status monitoring and
reliability prediction method for nuclear power plant. Atomic Energy Sci. Technol. 51(12),
2338–2343 (2017)
6. Xiao, P., Zhou, J.X., Liu, H.C.: Relationship between architecture of reactor protection
system and reliability. Nucl. Power Eng. 34(S1), 179–183 (2013)
7. Xu, H.L.: The design and realization of nuclear power plant DCS TEST instrument. North
China Electric Power Univ. 3, 4–6 (2016)
Discussion for Uncertainty Calculation
of Containment Leakage Rate
1 Introduction
The containment leakage rate on-line monitoring system in a nuclear power plant
monitors changes in containment tightness and provides the containment leakage rate
during power operation. The difference between the containment on-line monitoring
system and the containment total tightness test (type A test) is that the latter validates the
containment performance under Loss Of Coolant Accident conditions, and its test
objective is to measure the total containment leakage rate under design pressure. For the
containment total tightness test the leakage comes from concrete pores and cracks, while
in power operation the containment leakage comes mainly from penetration leakage [1].
The requirement for a containment leakage rate on-line monitoring system in a nuclear
power plant is presented in the European Utility Requirements for LWR Nuclear Power
Plants (EUR) and the Advanced Light Water Reactor Utility Requirements Document
(URD) [2, 3]. A similar requirement is also put forward in HAD102-06, Design of
Containment System for Nuclear Power Plant Reactor, which was drafted for update in
2009.
At present, the mass conservation method is widely used worldwide to calculate the
containment leakage rate. According to the equation of state of the ideal gas, the
standard volume of air is equivalent to the mass of air. The standard state is defined
as 0 °C, 1.01325 × 10^5 Pa. A series of standard volume changes, denoted ΔVh,
during one day are linearly fitted against time; the slope of the line is the leakage rate of
that day. This calculation method is based on the principle of mass conservation and
is adopted by pressurized water reactor nuclear power plants such as AP1000. But in
AP1000, the standard volume of air in the containment is directly linearly fitted to get
the leakage. If the air volume data are displayed, the volume change is invisible
compared with the total volume. So in this paper, the change of air volume is used to
calculate the leakage. Also, in civil nuclear power plants, compressed air is used to drive
the containment isolation valves, which interferes with the leakage measurement, so it is
necessary to deduct the compressed air volume in the calculation method.
The calculation method for ΔVh is as follows:
$$ \Delta V_h(t) = V_{NH}(t) - V_{NH}(t_0) - \int_{t_0}^{t} Q_{sar}(t)\,dt \qquad (1) $$
where
V_NH(t): the standard volume of containment air at the present time t (Nm³);
V_NH(t0): the standard volume of containment air at the reference time t0 (Nm³);
Q_sar: the standard volume flow rate of compressed air injected into the containment
from t0 to t, which disturbs the leakage rate measurement and should be
deducted (Nm³/h).
The uncertainty of the containment leakage rate is used to measure the reliability of the
leakage rate calculation result. When the uncertainty is too high, the input data should be
processed and the leakage rate re-calculated. Factors contributing to high leakage rate
uncertainty include [1]:
(1) Containment ventilation system exhaust, which changes the containment air volume;
(2) Change of the containment leakage rate;
80 Y. Sun et al.
(3) The transient operation results in a sudden change in the calculated volume of
containment air.
There is a lack of information about the uncertainty calculation method for containment
leakage rate both at home and abroad. The calculation method is not given in the
EUR, URD and HAD documents, and domestic research papers on the uncertainty
calculation are still blank. In the algorithm description of the French leakage
rate monitoring software (SEXTEN), which is commonly used internally, the Type A
evaluation formula of uncertainty is based on simulation and a detailed derivation is
not available, while the Type B evaluation is provided as a fixed value whose
calculation method is also lacking [4].
By studying statistical theory, the method of calculating the uncertainty of leakage
rate is discussed in this paper based on mass conservation method.
Based on statistical theory, the standard uncertainty of the line slope obtained by least
squares is calculated as follows [6]:
$$ u_A(Q_{ld}) = \sqrt{\frac{\sigma^2}{\sum_{i=1}^{N} (X_i - \bar{X})^2}} \qquad (2) $$
Discussion for Uncertainty Calculation 81
In the equation, σ² is the variance around the fitted line (residual variance) and is calculated as:

$$\sigma^2 = \frac{\sum_{i=1}^{N}(Y_i - a_0 - a_1 X_i)^2}{N - 2} \quad (3)$$

where a_1 and a_0 are the slope and intercept of the regression line.
The uncertainty of the compressed air flow sensor can be obtained from the sensor's datasheet and is denoted u_B(Q_sar).
The volume-weighted average temperature of the containment air is:

$$T_{avg} = \frac{V_L}{\sum_{i=1}^{n} V_i / t_{iavg}} \quad (6)$$

where
V_L: the volume of free space in the containment, unit m³;
V_i: the volume of the air measured by each sensor, unit m³;
t_iavg: the average air temperature measured by each sensor, unit K.
$$u_B(T_{avg}) = \sqrt{\sum_{i=1}^{n}\left[\frac{V_L V_i}{t_{iavg}^2\left(\sum_{j=1}^{n} V_j / t_{javg}\right)^2}\right]^2 u_B^2(t_{iavg})} = \sqrt{\sum_{i=1}^{n}\frac{T_{avg}^4 V_i^2}{V_L^2\, t_{iavg}^4}\, u_B^2(t_{iavg})} \quad (8)$$

Let

$$\frac{V_i}{V_L} = v_i \quad (9)$$
In total, 48 uncertainties of the average temperature (one per half hour) can be calculated for the containment air in one day.
$$V_H(t_i) = \frac{T_N V_L\, p_{iavg}}{P_N\, T_{iavg}} \quad (11)$$

where
T_N: standard state temperature, 273.15 K;
P_N: standard state absolute pressure, 1.01325 × 10⁵ Pa;
V_L: the volume of free space in the containment, unit m³;
p_iavg: the average pressure in the containment at the moment t_i, unit Pa;
T_iavg: the average temperature in the containment at the moment t_i, unit K;
i: the i-th half hour in a day, ranging from 1 to 48.
Let

$$k = \frac{T_N V_L}{P_N} \quad (12)$$

Then Eq. (11) can be expressed as:

$$V_H(t_i) = k\,\frac{p_{iavg}}{T_{iavg}} \quad (13)$$
Since p_iavg and T_iavg are independent, according to the uncertainty combination theory the uncertainty of V_H(t_i) is calculated as follows:

$$u_B(V_H(t_i)) = \sqrt{\left(\frac{\partial V_H(t_i)}{\partial p_{iavg}}\right)^2 u_B^2(p_{iavg}) + \left(\frac{\partial V_H(t_i)}{\partial T_{iavg}}\right)^2 u_B^2(T_{iavg})} = k\sqrt{\frac{1}{T_{iavg}^2}\,u_B^2(p_{iavg}) + \frac{p_{iavg}^2}{T_{iavg}^4}\,u_B^2(T_{iavg})} \quad (14)$$

In total, 48 uncertainties of the standard air volume (one per half hour) can be calculated for the containment air in one day.
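As an added worked example (Python written for this edit, not code from the paper), the functions below evaluate Eq. (6) and its Type B uncertainty of Eq. (8) for the volume-weighted average temperature, and Eqs. (13) and (14) for the standard volume V_H(t_i) and its Type B uncertainty, for one of the 48 half-hour samples. The free volume V_L, the per-sensor volumes, temperatures and sensor uncertainties used in the demonstration are constructed values, not plant data.

```python
import math

T_N = 273.15      # standard state temperature, K (Eq. 11)
P_N = 1.01325e5   # standard state absolute pressure, Pa (Eq. 11)


def t_avg(v_l, volumes, temps):
    """Volume-weighted average containment air temperature, Eq. (6):
    T_avg = V_L / sum_i (V_i / t_iavg)."""
    return v_l / sum(v / t for v, t in zip(volumes, temps))


def u_b_t_avg(v_l, volumes, temps, u_temps):
    """Type B uncertainty of T_avg, Eq. (8). The sensitivity of T_avg to sensor i is
    dT_avg/dt_iavg = T_avg^2 V_i / (V_L t_iavg^2); the sensors combine in quadrature."""
    tavg = t_avg(v_l, volumes, temps)
    total = 0.0
    for v, t, u in zip(volumes, temps, u_temps):
        sensitivity = tavg ** 2 * v / (v_l * t ** 2)
        total += (sensitivity * u) ** 2
    return math.sqrt(total)


def v_h(v_l, p_avg, t_avg_k):
    """Standard volume of the containment air, Eq. (13): V_H = k p / T with k = T_N V_L / P_N (Eq. 12)."""
    k = T_N * v_l / P_N
    return k * p_avg / t_avg_k


def u_b_v_h(v_l, p_avg, t_avg_k, u_p, u_t):
    """Type B uncertainty of V_H, Eq. (14), with pressure and temperature independent."""
    k = T_N * v_l / P_N
    return k * math.sqrt(u_p ** 2 / t_avg_k ** 2 + p_avg ** 2 * u_t ** 2 / t_avg_k ** 4)


def half_hour_sample(v_l, volumes, temps, u_temps, p_avg, u_p):
    """One of the 48 daily evaluations: average temperature and its uncertainty,
    then the standard volume and its uncertainty for that half-hour sample."""
    tavg = t_avg(v_l, volumes, temps)
    u_tavg = u_b_t_avg(v_l, volumes, temps, u_temps)
    return {
        "T_avg": tavg,
        "u_B(T_avg)": u_tavg,
        "V_H": v_h(v_l, p_avg, tavg),
        "u_B(V_H)": u_b_v_h(v_l, p_avg, tavg, u_p, u_tavg),
    }


if __name__ == "__main__":
    # Constructed demonstration values (assumed, not plant data): 50 000 m3 free volume,
    # three temperature sensors with 0.5 K uncertainty, one pressure sensor with 100 Pa.
    sample = half_hour_sample(
        v_l=50_000.0,
        volumes=[20_000.0, 20_000.0, 10_000.0],
        temps=[300.0, 305.0, 310.0],
        u_temps=[0.5, 0.5, 0.5],
        p_avg=1.2e5,
        u_p=100.0,
    )
    for name, value in sample.items():
        print(f"{name:>10s} = {value:.4f}")
```

When all sensors read the same temperature, Eq. (8) collapses to sqrt(Σ v_i² u_B²(t_iavg)) with v_i from Eq. (9), which is a convenient hand check of the implementation.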
where
X_i: the time of every half hour in a day, taking the values 0 h, 0.5 h, 1 h, 1.5 h, …, 23.5 h;
Y_i: the change in standard volume, ΔV_H(t_i), of the containment air at every half hour relative to the reference moment t0;
N: a constant representing the total number of time points at which measurement is performed, equal to 48 in this case.
The change in the standard volume of containment air, Y_i, is the difference between the volume at the moment t_i and at the reference moment t0, from which the volume of compressed air injected between t0 and t_i is further deducted. The calculation is as follows:
$$Y_i = \Delta V_H(t_i) = V_H(t_i) - V_H(t_0) - \sum_{j=1}^{M_i}\frac{1}{2}\,Q_{sar,ij} \quad (19)$$
where M_i is the number of compressed air flow data points in the period between t0 and t_i.
By substituting Eq. (19) into Eq. (18), the containment leakage rate Q_ld can be expressed as:
$$Q_{ld} = A\sum_{i=1}^{N}(X_i - B)\left[V_H(t_i) - V_H(t_0) - \sum_{j=1}^{M_i}\frac{1}{2}Q_{sar,ij}\right] = A\sum_{i=1}^{N}(X_i - B)\left[V_H(t_i) - V_H(t_0)\right] - A\sum_{i=1}^{N}\sum_{j=1}^{M_i}\left[(X_i - B)\frac{1}{2}Q_{sar,ij}\right] \quad (20)$$

Let

$$Q_{lda} = A\sum_{i=1}^{N}(X_i - B)\left[V_H(t_i) - V_H(t_0)\right] \quad (21)$$

$$Q_{ldb} = A\sum_{i=1}^{N}\sum_{j=1}^{M_i}\left[(X_i - B)\frac{1}{2}Q_{sar,ij}\right] \quad (22)$$
Q_lda is calculated from the pressure and temperature in the containment, Q_ldb is calculated from the compressed air flow, and these three kinds of data are independent of each other. Therefore, the Type B uncertainty of the leakage rate Q_ld is calculated as follows:

$$u_B(Q_{ld}) = \sqrt{u_B^2(Q_{lda}) + u_B^2(Q_{ldb})} \quad (23)$$
(2) u_B(Q_ldb)
The compressed air flow data from the reference time t0 to the current time t_i are measured by the same flowmeter, so any two flow data are strongly correlated. Assuming a correlation coefficient of 1, u_B(Q_ldb) is calculated as follows:
$$u_B(Q_{ldb}) = A\sum_{i=1}^{N}\sum_{j=1}^{M_i}\left[(X_i - B)\frac{1}{2}\,u(Q_{sar,ij})\right] \quad (25)$$
According to the leakage rate calculation process described in Sects. 4.1 to 4.3, the uncertainty depends on the measured sensor values, so the uncertainty of the leakage rate should be calculated from the actual operating data.
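The following Python is an added worked example (not the paper's code) that runs the Type A evaluation of Eqs. (2) and (3) and the Type B evaluation of Eqs. (22), (23) and (25) on one constructed day of 48 half-hourly points. Because Eq. (18) is not reproduced on the page, it assumes that A and B in Eq. (20) are the least-squares slope weights B = X̄ and A = 1/Σ(X_i − X̄)², so that Q_ld = A Σ(X_i − B) Y_i is the slope a_1 of the regression line in Eq. (3); u_B(Q_lda) is taken as a given input because Eq. (24) is likewise not on the page. The V_H(t_i) series, the injection profile and the flowmeter uncertainty are constructed.

```python
import math


def slope_weights(xs):
    """A and B of Eq. (20), assumed to be the least-squares slope weights:
    B = mean(X), A = 1 / sum((X_i - B)^2), so the slope is A * sum((X_i - B) * Y_i)."""
    b = sum(xs) / len(xs)
    a = 1.0 / sum((x - b) ** 2 for x in xs)
    return a, b


def fit_line(xs, ys):
    """Least-squares slope a1 and intercept a0 of Y = a0 + a1 X."""
    a, b = slope_weights(xs)
    a1 = a * sum((x - b) * y for x, y in zip(xs, ys))
    a0 = sum(ys) / len(ys) - a1 * b
    return a1, a0


def u_a_slope(xs, ys):
    """Type A standard uncertainty of the slope, Eqs. (2) and (3):
    sigma^2 = sum((Y_i - a0 - a1 X_i)^2) / (N - 2), u_A = sqrt(sigma^2 / sum((X_i - mean)^2))."""
    a1, a0 = fit_line(xs, ys)
    sigma2 = sum((y - a0 - a1 * x) ** 2 for x, y in zip(xs, ys)) / (len(xs) - 2)
    a, _ = slope_weights(xs)
    return math.sqrt(sigma2 * a)   # a is 1 / sum((X_i - B)^2)


def injected_volume(q_samples, dt_h=0.5):
    """Injected compressed-air volume up to t_i: sum_j (1/2 h) * Q_sar,ij of Eq. (19)
    (flow in Nm3/h sampled every half hour)."""
    return sum(dt_h * q for q in q_samples)


def delta_v_h(v_h, v_h0, q_sar_rows, dt_h=0.5):
    """Y_i of Eq. (19): V_H(t_i) - V_H(t_0) minus the injected volume."""
    return [v - v_h0 - injected_volume(row, dt_h) for v, row in zip(v_h, q_sar_rows)]


def leakage_parts(xs, v_h, v_h0, q_sar_rows, dt_h=0.5):
    """Q_lda and Q_ldb of Eqs. (21) and (22); Q_ld = Q_lda - Q_ldb by Eq. (20)."""
    a, b = slope_weights(xs)
    q_lda = a * sum((x - b) * (v - v_h0) for x, v in zip(xs, v_h))
    q_ldb = a * sum((x - b) * injected_volume(row, dt_h) for x, row in zip(xs, q_sar_rows))
    return q_lda, q_ldb


def u_b_q_ldb(xs, q_sar_rows, u_q_sar, dt_h=0.5):
    """Eq. (25): with all flow samples from one flowmeter taken as fully correlated
    (correlation coefficient 1), the sensitivity-weighted uncertainties add linearly."""
    a, b = slope_weights(xs)
    return a * sum((x - b) * dt_h * u_q_sar * len(row) for x, row in zip(xs, q_sar_rows))


def u_b_q_ld(u_b_q_lda, u_b_q_ldb_value):
    """Eq. (23): the two independent Type B components combine in quadrature."""
    return math.sqrt(u_b_q_lda ** 2 + u_b_q_ldb_value ** 2)


def constructed_day(leak_rate=-3.0, v_h0=50_000.0, noise=0.0):
    """Constructed data (not plant data): 48 half-hourly X_i, a true leakage of
    leak_rate Nm3/h, 4 Nm3/h of compressed air injected during half hours 10..19,
    and an optional alternating +/- noise on V_H(t_i)."""
    xs = [0.5 * i for i in range(48)]
    q_interval = [4.0 if 10 <= j < 20 else 0.0 for j in range(48)]
    q_sar_rows = [q_interval[:i] for i in range(48)]       # the M_i flow samples up to t_i
    v_h = [v_h0 + leak_rate * x + injected_volume(row) + noise * (-1) ** i
           for i, (x, row) in enumerate(zip(xs, q_sar_rows))]
    return xs, v_h, q_sar_rows


def leakage_rate_with_uncertainty(xs, v_h, q_sar_rows, u_q_sar, u_b_q_lda):
    """Q_ld, its Type A uncertainty and its Type B uncertainty for one day."""
    ys = delta_v_h(v_h, v_h[0], q_sar_rows)
    q_ld, _ = fit_line(xs, ys)
    q_lda, q_ldb = leakage_parts(xs, v_h, v_h[0], q_sar_rows)
    return {
        "Q_ld": q_ld,
        "Q_lda - Q_ldb": q_lda - q_ldb,
        "u_A": u_a_slope(xs, ys),
        "u_B": u_b_q_ld(u_b_q_lda, u_b_q_ldb(xs, q_sar_rows, u_q_sar)),
    }


if __name__ == "__main__":
    xs, v_h, rows = constructed_day(noise=0.2)
    result = leakage_rate_with_uncertainty(xs, v_h, rows, u_q_sar=0.1, u_b_q_lda=0.05)
    for name, value in result.items():
        print(f"{name:>14s} = {value:.5f}")
```

With the injection deducted as in Eq. (19), the fitted slope recovers the constructed leakage rate, and the split of Eq. (20) into Q_lda and Q_ldb gives the same value. Note that Eq. (25) carries the sign of (X_i − B), so a fully correlated flowmeter error partly cancels between the first and second half of the day; the example reports the value exactly as the formula gives it.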
5 Conclusion
The containment leakage rate on-line monitoring system is used to monitor the leakage of the containment during normal operation of a nuclear power plant. It can alert on an opening of the containment caused by erroneous human operation, or provide early warning of the overall containment leakage rate under accident conditions. The uncertainty of the containment leakage rate is used to judge the reliability of the leakage rate measurement. When a measurement error or an occasional factor leads to an abnormal uncertainty, it is necessary to analyse the input data, remove the abnormal data and recalculate, to ensure the validity of the measurement results. Based on statistical theory, the calculation method of the uncertainty of the containment leakage rate is derived in this paper.
References
1. Software Requirements Description of Containment Leakage Rate Monitoring System for Units 5 and 6 in Yangjiang Nuclear Power Plant. China Nuclear Power Design Company Ltd. (Shenzhen) (2012)
2. European Utility Requirements for LWR Nuclear Power Plants, Revision E (December 2016)
3. Advanced Nuclear Technology: Advanced Light Water Reactor Utility Requirements Document, Revision 13 (2014)
4. Sexten 2 System Principles and Methodology, Software v3.1. Electricité de France (2006)
5. JJF 1059-1: Evaluation and Expression of Uncertainty in Measurement. State Administration of Quality Supervision, Inspection and Quarantine (2012)
6. The Theory of Probability and Statistics. National Defense Industry Press (2011)
7. IEC 60751:2008 Industrial platinum resistance thermometers and platinum temperature sensors
8. TS-X-NIEP-PELI-F-DC-20012 Ver. G Sensors accuracies and response time calculation
Research and Improvement of the Flowmeter
Fracture Problem of Condensate Polishing
System in Nuclear Power Plant
1 Preface
The Condensate Polishing system (ATE) is an important full-bypass system of the secondary loop of a nuclear power plant. Its main function is to remove suspended and ionic impurities from the condensate water and keep the water quality of the secondary loop within the operating requirements, reducing corrosion of the thermal system equipment and extending equipment life.
The Annubar flowmeter at the booster pump outlet of the ATE system is used to monitor and calculate real-time condensate polishing data, to determine whether the system is in full-flow treatment. It is also used as an adjustment condition for booster pump operation.
However, during normal operation of the ATE system in a nuclear power project, the flowmeter probe at the booster pump outlet suffered a neck fracture, and the fractured part was found at the downstream valve of the condensate extraction system.
The breakage of the flowmeter threatens important equipment and the safe operation of the secondary loop system. The broken part is likely to enter the Condensate Extraction System (CEX) and the Low Pressure Feedwater Heater System (ABP) with the condensate flow, where it can damage important equipment of the secondary loop and affect the safe operation of the downstream systems (Fig. 1).
[Fig. 1: flow diagram of the ATE system between CEX and ABP: piping from CEX, cation beds (5 pcs), mixed beds (5 pcs), flow measurement, and return to ABP]
For example, the deaerator level control valve and the recirculation control valve of the CEX system can be jammed and damaged by the broken part. If the recirculation control valve fails, the CEX recirculation function will not be performed normally, and if the deaerator level control valve fails, the deaerator level will not be adjusted automatically; more seriously, this can cause a unit shutdown [1].
2 Flowmeter Introduction
3 Fracture Analysis
The broken equipment was returned to the factory for inspection and failure analysis. The analysis report mainly concerns the material quality of the equipment. The Positive Material Identification (PMI) test confirmed that the Annubar material was stainless steel 316. The average hardness measured was 87 HRB, within the normal range, and Energy Dispersive X-ray Spectroscopy (EDX) did not detect any corrosive elements.
Two different fracture types, brittle fracture and ductile fracture, were detected on the fractured surface of the flowmeter. The Scanning Electron Microscope (SEM) observation showed river patterns on the brittle fracture surface, consistent with fatigue, and dimples on the ductile fracture surface (Fig. 3).
The striations on the fracture surface show that the ductile fracture is secondary damage following the brittle fracture and is not the main cause of the fracture. It was therefore determined that the brittle fracture came first and that the cause of the fracture is mechanical fatigue of the equipment.
From the principle analysis of the flowmeter, the overall equipment parameters, the field installation and the product analysis report, it was determined that the single-end fixed Annubar flowmeter located at the outlet of the three condensate booster pumps broke because of mechanical fatigue accumulated in the flow probe during long-term operation under flow.
90 H.-T. Wu et al.
4 Feasibility Study
The parameters of the single-end fixed Annubar flowmeter satisfied the design requirements in the process selection. However, in actual operation this flowmeter fractured due to mechanical fatigue, which confirms that a single-end fixed Annubar flowmeter is not suitable for ATE system flow measurement.
After analysing the flowmeter types widely used in industrial applications, and referring to successful large-flow measurements in other systems, the following three options were selected for the feasibility study.
[Fig. 4. Ultrasonic flowmeter schematic: upstream and downstream transducers separated by path length L across pipe diameter D]
[Fig. 5: schematic with pressure device and 5-valve group]
The double-end fixed Annubar flowmeter keeps the advantages of the Annubar and at the same time better ensures the stability of the sensor, helping to prevent the probe from breaking.
5 Conclusion
The above schemes all have mature designs in the nuclear power industry, and each has its own advantages for flow measurement.
This paper analyses the cause of the flowmeter probe breakage in detail, discusses the applicability, advantages and disadvantages of the various solutions, and refers to similar flowmeter applications currently used in operating nuclear power projects. After multiple comparisons, the double-end fixed Annubar flowmeter is determined to be the best solution to the breakage of the booster pump outlet flowmeter.
The solution can provide reference for subsequent condensate polishing system
flow design and similar problems in nuclear power plants.
References
1. Guangdong Nuclear Power Training Center. 900 MW Pressurized Water Reactor Nuclear
Power Plant System and Equipment. Atomic Energy Press (2007)
2. Guo-wei, L., Wu-chang, C.: Flow Measurement Technology and Instrumentation. Mechanical
Industry Press (2002)
3. Zhi-min, L., Shan, X.: Research and application of ultrasonic flowmeter. Pipeline Technol.
Equip. (2004)
4. HG/T 20507: Design Specification for Automatic Instrument Selection (2014)
5. Jiangxi, Y.: Installation of Thermal Measurement and Control Instruments. China Electric
Power Press (1998)
Study on Optimization of Turbidity Control
for Seawater Desalination System in Nuclear
Power Plant
1 Introduction
amount of chemicals to be added is mainly related to the influent water flow. In general, from experience, the chemical dosage is increased in proportion to the influent flow, so when the other conditions affecting turbidity change, the dosage cannot be adjusted in time.
In turbidity control it is difficult to establish an accurate and reliable mathematical model, because the turbidity change process is complicated and also shows time lag and nonlinearity. Because the seawater desalination process of a nuclear power plant differs little from that of other common power plants, data collected from common power plants can be used for the nuclear power plant. In this paper, a coagulation sedimentation tank of a water plant is taken as the research object, and a method based on nonlinear multivariate regression is given to calculate the chemical dosage. Based on the measured values of the different conditions related to the effluent turbidity, the dosage can be adjusted in real time.
2 General
In the coagulation sedimentation tank, a flowmeter, a pH meter and a turbidimeter are installed in the inlet pipe, and another turbidimeter is installed in the outlet pipe. In this paper, the actual engineering data from these instruments are used to establish a mathematical model of how the coagulant dosage affects the effluent turbidity, so that turbidity can be controlled more accurately by adjusting the dosage.
The data of the coagulation sedimentation tank of a water plant were collected every hour from August 8th, 2013 to September 5th, 2014. A total of 9,398 actual engineering data records were collected, including the original pH, raw water turbidity, sedimentation tank effluent turbidity, water flow, coagulant consumption and other process parameters. The turbidity dosing control flow chart is shown in Fig. 1.
In the formula:
g(x, y): the output value at (x, y); S_xy: the neighbourhood centred on (x, y);
f(s, t): the value at (s, t) in the neighbourhood centred on (x, y);
mean(f(s, t)): the average of the neighbourhood values after the highest value has been removed.
The mean filter uses the average of the values around the most significant value as the value at that point, effectively eliminating mutation points. The filtering method greatly reduces the influence of abnormal points taking part in the operation on the deviation of the filtered result from the true value, but it also changes the original data.
The rule for determining an outlier is:
In the formula:
f(s, t)': the values after deleting the highest value;
Std(f(s, t)'): the standard deviation of the processed data.
If the above inequality holds, the point (x, y) is determined to be an abnormal value.
The average filter method is used to check the data; if a data point is abnormal, it is rejected. When the data are filtered and checked, two values before and two values after the data point are selected as its neighbourhood. The following situation arises when discriminating abnormalities: when the maximum and minimum values of the five data are removed and the remaining three data are relatively close, the data are close to the average value and the resulting standard deviation is extremely small, so the abnormal data will be treated as normal data.
98 H.-T. Wu et al.
In the formula:
Std(f(x, y)): the standard deviation of all data.
Checking the original data with the average filter method gives the abnormal value statistics shown in Table 1.
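As an added illustration (Python written for this edit, not the paper's code), the following implements the neighbourhood mean-filter check described above on an hourly turbidity series: two values before and two after each point form its neighbourhood, the highest neighbour is deleted, and the point is compared with the mean and standard deviation of the rest. Two things are assumed because the page does not reproduce the inequality: the decision rule is |f − mean(f')| > k·Std(f') with k = 3, and the standard deviation is floored at Std(f(x, y)) of the whole series to cover the case where three close neighbours give a vanishing standard deviation. Points at the series boundaries, which lack a full neighbourhood, are not checked. The sample series is constructed.

```python
import statistics

HALF_WIDTH = 2   # two values before and two after the point under test


def neighbourhood(data, idx, half_width=HALF_WIDTH):
    """Neighbouring values of data[idx], excluding the point itself."""
    return [data[j] for j in range(idx - half_width, idx + half_width + 1) if j != idx]


def trimmed_stats(values):
    """Mean and standard deviation after deleting the highest value (f(s, t)' in the text)."""
    rest = sorted(values)[:-1]
    return statistics.mean(rest), statistics.pstdev(rest)


def is_outlier(data, idx, k=3.0, std_floor=0.0, half_width=HALF_WIDTH):
    """Assumed decision rule: |f - mean(f')| > k * max(Std(f'), std_floor)."""
    mean, std = trimmed_stats(neighbourhood(data, idx, half_width))
    return abs(data[idx] - mean) > k * max(std, std_floor)


def detect_outliers(data, k=3.0, use_global_floor=True, half_width=HALF_WIDTH):
    """Indices of abnormal points. With use_global_floor the local standard deviation is
    floored at Std(f(x, y)) of all data (assumed reading of the text), so a window of three
    nearly equal neighbours cannot make an ordinary point look abnormal."""
    floor = statistics.pstdev(data) if use_global_floor else 0.0
    checked = range(half_width, len(data) - half_width)     # boundary points are skipped
    return [i for i in checked if is_outlier(data, i, k, floor, half_width)]


def mean_filter(data, k=3.0, use_global_floor=True, half_width=HALF_WIDTH):
    """Copy of data with each detected outlier replaced by its trimmed neighbourhood mean."""
    out = list(data)
    for i in detect_outliers(data, k, use_global_floor, half_width):
        out[i], _ = trimmed_stats(neighbourhood(data, i, half_width))
    return out


# Constructed hourly raw-water turbidity readings (NTU) with one sensor spike at index 6.
SAMPLE = [20.0, 21.0, 20.0, 22.0, 21.0, 20.0, 300.0, 21.0, 20.0, 22.0, 21.0, 20.0]

if __name__ == "__main__":
    print("without floor:", detect_outliers(SAMPLE, use_global_floor=False))
    print("with floor:   ", detect_outliers(SAMPLE))
    print("filtered:     ", [round(v, 2) for v in mean_filter(SAMPLE)])
```

On the constructed series the unfloored rule flags the ordinary readings at indices 3 and 9 as well as the spike, because their three trimmed neighbours are almost equal and the local standard deviation is tiny; with the global floor only the spike remains.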
According to Table 2 and Fig. 1, the raw water quality of the coagulation sedimentation tank is relatively stable, with turbidity mostly between 10 NTU and 400 NTU. Plateau water turbidity is very rare, and the water quality lies mostly in the low turbidity interval. When the model parameters are identified, the processed sample space can be divided into a training set and a generalization set. The training set is used for model training and the generalization set for checking and predicting with the model.
Study on Optimization of Turbidity Control for Seawater 99
$$M = a_0\, C_0^{a_1}\, Q^{a_2}\, C_1^{a_3} \quad (5)$$

In the formula:
M: coagulant dosage, mg/L;
C_0: raw water turbidity;
C_1: turbidity at the sedimentation tank outlet;
Q: inflow, m³/h;
a_0, a_1, a_2, a_3: model parameters.
Formula (5) expresses the non-linear (power-law) relationship between the dosing amount and the other factors; the nonlinear problem is transformed into a linear one by taking logarithms. Formula (5) can be converted to:
$$\ln M = a_1 \ln C_0 + a_2 \ln Q + a_3 \ln C_1 + \ln a_0 \quad (6)$$

ε_1 … ε_n are the residuals, independent of each other and normally distributed N(0, δ²).
The data obtained after preprocessing are randomly divided into 6 sample tables. To ensure that the established model is suitable for the various turbidity intervals, each sample table should contain the various raw water turbidity intervals when the tables are randomly allocated. Five of the data tables were used to obtain the model parameters, and the remaining sample table was used to verify the validity of the model.
Using MATLAB for multiple linear regression identification, the undetermined parameters for the five different data samples can be solved. The MATLAB solution program is described in the annex. The linear identification parameters are shown in Table 3.
Based on the above parameter table, the mathematical model of the coagulant dosing amount can be obtained, as shown below.
$$M = 220.6\, C_0^{0.2122}\, Q^{-0.2889}\, C_1^{0.3389} \quad (9)$$
As can be seen from the formula above, the unit consumption of coagulant is positively related to the turbidity of the raw water and of the produced water, and negatively related to the water flow. A higher raw water turbidity leads to a higher produced water turbidity and a higher unit consumption of coagulant. A larger flow rate of water withdrawal leads to a smaller unit consumption of coagulant, indicating that the consumption of coagulant shows a scale effect [3].
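The identification of Eq. (5) through its log-linear form Eq. (6), and the evaluation of the fitted model Eq. (9), as an added Python example (written for this edit, not the MATLAB program of the annex). It centres the logarithmic regressors and solves the normal equations with a small Gaussian elimination, so it runs with the standard library only and stays well conditioned even though ln Q varies little. The sample records are constructed from the parameters of Eq. (9), so the fit must recover them; they are not the water plant's data.

```python
import math

PAPER_PARAMS = (220.6, 0.2122, -0.2889, 0.3389)   # a0, a1, a2, a3 of Eq. (9)


def dosage(c0, q, c1, params=PAPER_PARAMS):
    """Coagulant dosage M (mg/L) from Eq. (5): M = a0 * C0^a1 * Q^a2 * C1^a3,
    by default with the fitted parameters of Eq. (9)."""
    a0, a1, a2, a3 = params
    return a0 * c0 ** a1 * q ** a2 * c1 ** a3


def solve_linear(matrix, rhs):
    """Solve matrix @ x = rhs by Gaussian elimination with partial pivoting."""
    n = len(matrix)
    m = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def fit_dosage_model(c0, q, c1, m_obs):
    """Identify (a0, a1, a2, a3) of Eq. (5) by linear least squares on Eq. (6):
    ln M = ln a0 + a1 ln C0 + a2 ln Q + a3 ln C1. The slopes are solved on mean-centred
    logarithms; ln a0 follows from the means. Returns a0 itself, as in Eq. (9)."""
    cols = [[math.log(v) for v in c0], [math.log(v) for v in q], [math.log(v) for v in c1]]
    y = [math.log(m) for m in m_obs]
    n = len(y)
    means = [sum(col) / n for col in cols]
    y_mean = sum(y) / n
    centred = [[v - mu for v in col] for col, mu in zip(cols, means)]
    yc = [v - y_mean for v in y]
    xtx = [[sum(a * b for a, b in zip(centred[i], centred[j])) for j in range(3)] for i in range(3)]
    xty = [sum(a * b for a, b in zip(centred[i], yc)) for i in range(3)]
    a1, a2, a3 = solve_linear(xtx, xty)
    ln_a0 = y_mean - a1 * means[0] - a2 * means[1] - a3 * means[2]
    return math.exp(ln_a0), a1, a2, a3


# Constructed operating points (raw turbidity NTU, inflow m3/h, outlet turbidity NTU).
C0 = [10, 25, 50, 80, 120, 160, 200, 260, 320, 400, 35, 90]
Q = [800, 950, 700, 1100, 900, 1200, 850, 1000, 1150, 750, 1050, 650]
C1 = [0.8, 1.2, 1.0, 1.5, 2.0, 1.1, 1.8, 2.5, 1.4, 3.0, 0.9, 2.2]


def constructed_dosages():
    """Dosages generated from Eq. (9) for the constructed operating points."""
    return [dosage(x0, xq, x1) for x0, xq, x1 in zip(C0, Q, C1)]


if __name__ == "__main__":
    a0, a1, a2, a3 = fit_dosage_model(C0, Q, C1, constructed_dosages())
    print(f"fitted: a0={a0:.4f} a1={a1:.4f} a2={a2:.4f} a3={a3:.4f}")
    print(f"dosage at C0=100 NTU, Q=1000 m3/h, C1=1.5 NTU: {dosage(100, 1000, 1.5):.2f} mg/L")
```

With plant records the residuals would not be zero, and the recovered exponents would differ between the five sample tables as Table 3 shows; the held-out sixth table is then the place to check the prediction error.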
5 Model Verification
[Fig. 2: dosing amount versus sample number; y-axis 20 to 80, x-axis 0 to 100]
In Fig. 2 above, the red curve is the predicted dosing amount calculated by the dosing model and the blue curve is the actual project value. As Fig. 2 shows, the dosing model effectively tracks the changes in the actual values.
In the formula:
m: the unit chemical consumption of the coagulant;
m(c): the current chemical consumption obtained from Eq. (9);
m(c0): the standard chemical consumption for maintaining the target turbidity.
Due to the lack of temperature data, the model presented in this paper does not consider the effect of temperature on coagulation and sedimentation. Because the pH changes little, the model does not consider the pH characteristics of the influent either, which is a limitation.
In addition, neural network algorithms are well suited to dosing analysis for coagulation sedimentation. The raw water flow rate, raw water turbidity, raw water pH, product water turbidity and other factors are taken as the input variables of the neural network, and the dosing amount as the output variable. Training and generalization of the neural network model can be achieved with actual data [5]. The application of neural network algorithms in the coagulation and sedimentation dosing control system can be a follow-up research direction.
6 Conclusion
References
1. Xin, Xin, Na, Zhou, Zhen, Wang: Research on detection and correction of data outliers.
Modern Electron. Technol. 36(11), 5–11 (2013)
2. Yimei, Tian, Hongwei, Zhang, Gengzhong, Qi, Jingyue, Luo: Research on the mathematical
model of water treatment system operation state. China Water Supply Drain. 14, 10–13
(1998)
3. Xiaodong, Huang, Yuling, Qi, Tiejun, Qiao, et al.: Research on turbidity control technology
of conventional water purification process. Water Supply Technol. 1(1), 19–23 (2007)
4. Decui, T., Xiaoyan, D., Xuefeng, Z. et al.: Modeling research on dosage of coagulant in water
works, water treatment technology 6, 54–56 (2010)
5. Hua, B., Guibai, L.: Neural network control method of coagulation and administration, water
supply and drainage 11, 83–86 (2001)
Optimization Scheme of Turbine Frequency
Regulation for Passive Nuclear Power Plant
1 Introduction
Frequency has a significant impact on the safety and stable operation of the power grid. Once the load changes, the total generator power no longer matches the total grid load and the frequency changes. To keep the grid frequency stable, the unit power must be regulated according to the frequency variation, which is called frequency regulation. According to the differences in regulating range and capacity, frequency regulation is divided into primary frequency regulation and secondary frequency regulation [1, 2].
Frequency regulation in a nuclear power plant is related to the composition of the grid. In France, where nuclear power exceeds 75% of generation, the nuclear units directly participate in grid frequency regulation. In other countries, such as the United States, Canada, Japan and Korea, the nuclear units operate at base load and hardly take part in grid frequency regulation [3]. As the domestic share of nuclear power in the grid is relatively low, the nuclear units only take part in primary frequency regulation, not secondary frequency regulation [4].
2 Original Scheme
In a passive nuclear power plant, the turbine generator is designed by Mitsubishi, and the turbine governing system (DEH) controls speed and power by regulating the steam flow, to meet the power demand of the grid and ensure safe and stable plant operation.
DEH has two load controllers, the governor and the limiter. Depending on which controller is in use, turbine load control is divided into governor control mode (G mode) and limiter control mode (L mode). The two control modes jointly regulate the turbine governing valves (GV), including the main steam governing valves and the reheat steam governing valves. The GV opening demand is the smaller of the governor and limiter outputs, which realizes turbine power control. An auto-following function can be applied between the two control modes [5, 6].
Frequency regulation is realized in the governor control loop. As shown in Fig. 1, in normal operation the turbine actual load (Pm) is approximately equal to the load set point (Pset), and the load deviation applied to the limiter setting is about zero. Meanwhile, as the generator is connected to the grid, the turbine rotation frequency follows the grid frequency. Once the grid frequency varies, there is a deviation between the turbine speed set point (Nset) and the turbine actual speed (Nm). This speed deviation is converted into an increase or decrease of the governor setting through the speed governing droop. If the governor output is smaller than the limiter output, the speed deviation influences the turbine steam demand (SD). Then the GV opening demand and the turbine power vary, to stabilize the grid frequency.
[Fig. 1: governor control loop: speed deviation from Nm through the droop and the following width h, load deviation from Pm through the PI controller, MIN selection of governor and limiter outputs giving the steam demand SD and, through f(x), the GV opening demand]
As the speed deviation is only introduced into the governor control loop, frequency regulation is only valid in G mode. Thereby, frequency regulation is directly related to the turbine control mode. The following analyses the frequency regulation functions in the different control modes.
2.1 G Mode
G mode is mainly used for speed control and synchronization with the grid. Before connection to the grid the turbine is automatically in G mode, and the GV opening demand is determined by the speed deviation. Once connected to the grid, the governor automatically sets the GV opening demand equal to the initial load, to prevent the turbine from motoring, which could cause cylinder deformation and vibration.
Figure 2 demonstrates the principle of frequency regulation in G mode. In normal operation the turbine speed follows the grid rated frequency (f0). If limiter auto tracking is selected, the turbine remains in G mode until the grid frequency falls to a certain value (f1), and the limiter setting automatically tracks the sum of the governor setting and the following width (h).
[Fig. 2: GV opening (%) versus frequency (Hz) in G mode; governor setting and limiter setting curves, with f1 < f0 marked]
As shown in Fig. 3, when the grid frequency increases (> f0), the turbine actual speed is greater than the set value, and a negative speed deviation acts on the governor setting. Then the GV opening decreases and the turbine output power decreases, to lower the grid frequency.
Conversely, when the grid frequency decreases (< f0), the turbine actual speed is smaller than the set value, and a positive speed deviation acts on the governor setting. Thereby the GV opening increases and the turbine output power increases, to raise the grid frequency.
However, when the grid frequency falls to a certain value (f1), the positive speed deviation makes the governor output equal to the limiter output. If the grid frequency continues to fall, the turbine switches to L mode automatically, to limit the increase of the GV opening. Therefore the turbine no longer increases its output and frequency regulation
Optimization Scheme of Turbine Frequency Regulation 107
will be out of action. The purpose is to prevent the GV from opening quickly when the grid frequency drops drastically, which could cause reactor overpower and affect plant safety.
[Fig. 3: GV opening response in G mode for f = f0, f > f0 and f < f0, branching on f > f1]
2.2 L Mode
L mode is mainly used for load control. Figure 4 demonstrates the principle of frequency regulation in L mode. Once governor auto tracking is selected, the turbine automatically switches to L mode, and the governor setting automatically tracks the sum of the limiter setting and the following width (h). The turbine does not take part in frequency regulation until the grid frequency rises to a certain value (f2).
As shown in Fig. 5, when the grid frequency decreases (< f0), a positive speed deviation is added to the governor setting. However, as the governor setting is larger, the limiter output is used as the final GV opening demand after the minimum selection module. Under this condition, because the limiter setting is unchanged, the GV opening and the turbine output do not change with the grid frequency fluctuation.
When the grid frequency increases (> f0), a negative speed deviation is added to the governor setting. Since the difference between the governor setting and the limiter setting is
108 L.-Y. Bai et al.
[Fig. 4: GV opening (%) versus frequency (Hz) in L mode; governor setting above the limiter setting by the following width h, with f0 < f2 marked]
[Fig. 5: GV opening response in L mode for f = f0, f < f0 and f > f0, branching on f > f2]
the following width, whether frequency regulation works depends on the size of the grid frequency increase. If the grid frequency does not rise to a certain value (f2), the reduction of the governor setting is smaller than the following width, the turbine stays in L mode, and frequency regulation does not work. Once the grid frequency rises higher (> f2), the turbine turns into G mode. In this condition the frequency deviation makes the GV opening and the turbine output smaller, and frequency regulation takes effect.
(1) In G mode, frequency regulation takes effect unless the grid frequency falls to the certain value (f1); in L mode, frequency regulation is not effective unless the grid frequency rises to the certain value (f2) and the turbine automatically switches to G mode. The frequency regulation function is thus tied to the turbine control mode. However, the turbine is generally in L mode in normal operation and cannot participate in frequency regulation; if the unit has to participate, it is necessary to switch from L mode to G mode. According to GB/T 31464-2015 Grid Operation Criteria, "grid generators should all participate in frequency regulation", so there is a discrepancy.
(2) In G mode, the upper limit is determined by the following width (h). When the grid frequency rises to the certain value (f2) and the turbine automatically turns to G mode, the unit participates in frequency regulation, but in this case it can only reduce its output and cannot increase it. According to GB/T 31464-2015 Grid Operation Criteria, "the maximum load limit of a thermal power unit is not less than 6% of the rated capacity of the unit, and a unit in rated load operation should participate in frequency adjustment." Although, for reactor safety, the nuclear power unit does not have to increase its output during rated load operation, at the other power levels the frequency regulation function to increase output should be provided, to support the stability of the grid frequency as much as possible.
(3) In G mode the dead band is (−∞, f1) and there is no dead band at the rated frequency; in L mode the dead band is (−∞, f2). The dead band is determined by the control mode, the following width and the speed governing droop, and no dedicated dead band is set at the rated frequency in G mode. However, grid-connected generating units generally have a dead band, and GB/T 31464-2015 Grid Operation Criteria puts forward basic performance indicators for it. On the one hand, a dead band avoids unnecessary responses of the turbine to small grid frequency changes, which benefits the stable operation of the unit. On the other hand, if the reactor frequently responds to grid frequency fluctuations, the control rods move frequently and their mechanical wear is aggravated, which is not conducive to the operational safety of the unit and should be avoided or reduced as much as possible. At present, most nuclear power plants have a frequency dead band, and the reactor does not respond to frequency disturbances within a certain range.
According to this analysis, the original scheme has no explicit dead band, amplitude or frequency regulation function; the corresponding behaviour is obtained through mode switching and the following width. The original scheme therefore has some defects and needs to be optimized in order to meet the requirements of the grid operation criteria and of unit safety.
4 Scheme Optimization
The frequency regulation scheme of the passive nuclear power plant is optimized in the following aspects:
(1) A dedicated frequency regulation function is added and its regulating variable is introduced into L mode, to solve the problem of missing frequency regulation in L mode. A settable amplitude parameter of frequency regulation is introduced, so that the amplitude is no longer determined by mode switching and following width. At the same time, a settable dead band parameter is introduced, to solve the problem that the dead band could not be set independently.
(2) A dedicated power limiter is added, to handle frequency regulation at full power and at low power.
After the optimization, the frequency regulation scheme is as shown in Fig. 6. When the grid frequency varies, the speed deviation is converted into the regulating variable through the added frequency regulation function and power limiter function. The frequency regulation variable is introduced into both G mode and L mode, and frequency regulation in either control mode does not affect the turbine load control function.
In the optimized scheme, the amplitude and the dead band are embodied in the frequency regulation function. As shown in Fig. 7, when the grid frequency fluctuation exceeds the dead band (g1, g2), the frequency regulation output lies between the lower limit (ΔP1) and the upper limit (ΔP2). The frequency regulation output is calculated from the speed deviation and the speed governing droop, and the turbine automatically increases or decreases power accordingly. The parameters of the dead band (g1, g2) and of the limits (ΔP1, ΔP2) can be set manually according to the requirements of the plant and the grid, independently of the control mode.
[Fig. 6: optimized scheme: speed deviation from Nm through the frequency regulation function g(x), added to the load control path from Pm to give the GV opening demand]
[Fig. 7: frequency regulation output ΔP versus frequency (Hz): zero inside the dead band (g1, g2), limited to ΔP1 below and ΔP2 above]
At the same time, the power limiter is introduced in the optimized scheme, to take into account frequency regulation at full power and at low power. When the unit is at full power and the grid frequency decreases, the unit power is required to increase and the steam demand of the secondary loop increases. However, the reactor power cannot increase because the control rods are already at the top of the core. This would cause steam quality degradation and a primary loop temperature decrease, which
112 L.-Y. Bai et al.
will seriously cause primary loop over-cooling and reactor overpower [7, 8]. Therefore,
the frequency regulation output has to be limited in order to avoid the risk of reactor
overpower caused by frequency regulation under full power condition. At the same
time, the unit at low power level generally does not participate in frequency regulation.
The power limiter is realized as shown in Fig. 8. When the turbine power is more than the
upper limit (W2%) and the frequency regulation output is positive (>0), the limiter is active.
Then the frequency regulation output enters locked mode and the turbine power no longer
increases. Similarly, when the turbine power is less than the lower limit (W1%) and the fre-
quency regulation output is negative (<0), the limiter is active. Then the frequency
regulation output enters locked mode and the turbine power no longer decreases. The values
of the upper limit (W2%) and lower limit (W1%) can be set manually.
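As an added illustration, not code from the paper or the plant, the following Python model implements the frequency regulation function with settable dead band (g1, g2) and limits (△P1, △P2) and the power limiter with thresholds W1% and W2% described above. The nominal frequency and rated power, the droop definition, the rpm-to-Hz conversion and the assumption that the output is formed from the deviation beyond the dead band edge are mine.

```python
"""Model of the optimized frequency regulation scheme: frequency regulation
function (dead band g1/g2, limits dP1/dP2, droop) followed by the power
limiter (thresholds W1 %, W2 %).

Added example, not the plant's logic. Nominal values, the droop definition
and the "deviation beyond the dead band edge" convention are constructed.
"""
from dataclasses import dataclass
from typing import Tuple

F_NOMINAL_HZ = 50.0     # constructed: nominal grid frequency
P_RATED_MW = 1000.0     # constructed: turbine rated power
RPM_PER_HZ = 30.0       # constructed: 1500 rpm half-speed turbine at 50 Hz


@dataclass(frozen=True)
class FreqRegParams:
    droop: float    # speed governing droop, per unit (0.05 = 5 %)
    g1_hz: float    # lower dead band edge, negative
    g2_hz: float    # upper dead band edge, positive
    dp1_mw: float   # lower output limit dP1, negative
    dp2_mw: float   # upper output limit dP2, positive
    w1_pct: float   # power limiter lower threshold W1 (% of rated power)
    w2_pct: float   # power limiter upper threshold W2 (% of rated power)

    def __post_init__(self):
        # These are operator-settable values, so sanity-check them once.
        if not (self.g1_hz < 0.0 < self.g2_hz):
            raise ValueError("dead band must bracket zero: g1 < 0 < g2")
        if not (self.dp1_mw < 0.0 < self.dp2_mw):
            raise ValueError("limits must bracket zero: dP1 < 0 < dP2")
        if not (0.0 <= self.w1_pct < self.w2_pct <= 100.0):
            raise ValueError("thresholds must satisfy 0 <= W1 < W2 <= 100")
        if self.droop <= 0.0:
            raise ValueError("droop must be positive")


def speed_deviation_to_hz(delta_n_rpm: float) -> float:
    """Convert a speed deviation in rpm into a grid frequency deviation in Hz."""
    return delta_n_rpm / RPM_PER_HZ


def freq_regulation_output(delta_f_hz: float, p: FreqRegParams) -> float:
    """Frequency regulation output dP in MW (the Fig. 7 shape).

    Inside the dead band the output is zero. Outside it the output is
    proportional (via the droop) to the deviation beyond the dead band edge
    and clamped to [dP1, dP2]. A frequency drop gives a positive dP (more
    power), a frequency rise a negative dP.
    """
    if p.g1_hz <= delta_f_hz <= p.g2_hz:
        return 0.0
    edge = p.g2_hz if delta_f_hz > 0.0 else p.g1_hz
    beyond = delta_f_hz - edge
    dp = -(beyond / F_NOMINAL_HZ) / p.droop * P_RATED_MW
    return max(p.dp1_mw, min(p.dp2_mw, dp))


def power_limiter(dp_mw: float, turbine_power_pct: float,
                  p: FreqRegParams) -> Tuple[float, bool]:
    """Power limiter (Fig. 8): returns (limited dP, limiter_active).

    Above W2 % a positive request is locked so the turbine power does not
    rise further; below W1 % a negative request is locked so it does not
    fall further. Locking is modelled as passing zero to the load control.
    """
    if turbine_power_pct > p.w2_pct and dp_mw > 0.0:
        return 0.0, True
    if turbine_power_pct < p.w1_pct and dp_mw < 0.0:
        return 0.0, True
    return dp_mw, False


def regulating_variable(delta_f_hz: float, turbine_power_pct: float,
                        p: FreqRegParams) -> Tuple[float, bool]:
    """Regulating variable that is added to the load demand in G and L mode."""
    return power_limiter(freq_regulation_output(delta_f_hz, p),
                         turbine_power_pct, p)


# Constructed parameter set: 5 % droop, +/-0.05 Hz dead band, +/-30 MW limits.
PARAMS = FreqRegParams(droop=0.05, g1_hz=-0.05, g2_hz=0.05,
                       dp1_mw=-30.0, dp2_mw=30.0, w1_pct=15.0, w2_pct=95.0)

if __name__ == "__main__":
    for df, pw in [(0.03, 50.0), (-0.15, 50.0), (-0.15, 97.0), (0.10, 10.0)]:
        dp, locked = regulating_variable(df, pw, PARAMS)
        print(f"df={df:+.2f} Hz  P={pw:5.1f} %  dP={dp:+6.1f} MW  locked={locked}")
```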
5 Conclusions
References
1. Lyu, A.G., Chen, W.H., Huang, W.J.: Implementation study on frequency modulation in
nuclear power plant. Power Syst. Autom. 38(5), 86–88 (2016)
2. Zhan, X.L., Lv, A.G., Wang, X.F., Meng, G.: Study on frequency control in nuclear power
plant. Nucl. Sci. Eng. 31(2), 63–67 (2011)
3. Peng, B., Yu, W.Q., Liu, Y.: Overview of foreign nuclear power plants in load-following.
South. Power System Technol. 5(3), 23–26 (2011)
4. Guo, Z.L.: Cause analysis and solution for the event happened on May 25, 1994 in Daya
Bay NPP. Nucl. Power Eng. 16(5), 436–442 (1995)
5. Shi, Z.Z.: Study on turbine control for frequency regulation in a new type PWR. China High-
Tech Enterp. 10, 81–83 (2015)
6. Xu, X.Y., Song, K., Chen, P.J., Li, Y.L.: Impact analysis on govern valve flow-curves of
nuclear power turbine for the DEH control system. Mech. Eng. (6), 176–177 (2015)
7. Fan, P.F., Cao, X.H.: Analysis of the two Qinshan nuclear power plant primary frequency
operation. Sci. Technol. Innov. 4, 100–101 (2015)
8. Yao, W., Xiao, F.W.: The risk analysis and optimization of primary frequency regulation for
nuclear power plant. Instrumentation 3, 77–79 (2016)
Research and Optimization of the Control
Cooperation Between Turbine Control System
and DCS in Nuclear Power Plant
Abstract. In normal operation of the nuclear power plant, display, control
and recording are accomplished in the Digital Control System (DCS). The Turbine Control
System (TCS) exchanges data with the DCS through communication. The control
cooperation between the TCS and the DCS is studied, because it caused
the turbine to trip accidentally while running up to rated speed and caused an
abnormal shutdown when switching to Speed mode during load operation. By
studying the TCS and DCS control cooperation scheme and the speed set-point tracing
scheme, improving the speed set logic and communication time, modifying the
communication packet sequence and taking other measures, the problem of
accidental tripping and abnormal shutdown is finally solved effectively. By improving
the control scheme, safe and reliable control changeover between
TCS and DCS is guaranteed. Meanwhile the availability of the nuclear
reactor is enhanced; thus safe and reliable operation of the entire nuclear power
plant is technically guaranteed.
1 Preface
The turbine control system in the nuclear power plant adopts the SIEMENS design basis of "one
key to start and shutdown". The speed regulation system plays an
important role in turbine speed-load control and ensures the safety, stability and
economy of the nuclear power plant [1]. All functions of the turbine and generator main and
auxiliary systems of the TCS are controlled by the SPPA-T2000 platform, and the DCS functions are
realized by the HolliAS MACS6 platform. As a result, there is more communication data
between TCS and DCS, and compared with the reference unit the communication time is
much longer. To ensure effective surveillance and manipulation of the TCS by the DCS and
stable operation of the nuclear power plant, the control cooperation and matching
between DCS and TCS is most important [2–4].
During steam turbine unit startup to rated speed and synchronization to the grid,
the speed set-point fails to be transmitted from DCS to TCS, the speed acceleration is
lower than the rated value and the result is turbine shutdown to turning gear speed. When
the turbine speed reaches about 463.9 rpm, the output of the turbine control system drops to
−80%, all four main steam governing valves close, then all the main steam stop
valves close and the turbine trips. This is a risk to the economic operation of the nuclear
power plant, so analysis and optimization of the control cooperation strategy must be
supplied to ensure the stability of the turbine unit.
The gateways CM6 and CM7 on the TCS side are connected to the gateways COM65
and COM66 on the DCS side respectively. The gateways transmit the control commands
from DCS to TCS and the feedback signals from TCS to DCS. The time-tagged, alarm and
history record signals are transmitted from TCS to DCS by the XU protocol.
During normal operation, the target speed value is set by the operator on the DCS platform
and sent to the TCS through communication. Then the turbine governing system controls
the speed and load. When the TCS has priority, the target speed value is set by the TCS auto-
matically through the sequence controller [7, 8]. Considering the bump-less transfer
between TCS and DCS, the speed set-point should be sent from TCS to DCS, then
written by DCS and sent back to TCS. The control logic is shown as follows (Fig. 2).
Note: t1 is the digital transmission time from TCS to DCS, t2 is the analog transmission time from TCS to DCS, and t3 is
the analog transmission time from DCS to TCS.
(a). When t = T1, DCS receives the control command XC38(DCS) and sends the
speed set-point KM24(DCS) to TCS (signal KM24(TCS)). Because of the time delay,
XC38(TCS) reaches DCS earlier than KM61(TCS), so the speed set-point KM24(DCS)
sent to TCS is still the last value of 390 rpm, as shown at time T1.
(b). When t = T2, DCS receives the feedback signal KM61(DCS) and updates the
value inside DCS immediately, so the values of KM61(DCS) and KM24(DCS)
change to 1515 rpm.
(c). XC38(TCS) is a 5 s pulse, so XC38(TCS) = 0 after 5 s and the speed set-point
KM61(TCS) follows the value of KM24(TCS) from 1515 rpm to 390 rpm. Because
of the time delay, when t = T3, KM61(TCS) follows the value of KM24(TCS) at
1515 rpm again.
(d). When t = T4, XC38(DCS) = 0 and the speed set-point value inside DCS no longer
traces the value from TCS; at this time the current value inside DCS is still
390 rpm, as KM24(DCS) shows at time T4. Because of the time delay, when
t = T5, KM24(TCS) changes to 390 rpm.
So finally the speed set-point changes to 390 rpm because of the unreasonable
communication time sequence and the speed set logic. The speed acceleration is
lower than rated and finally results in turbine shutdown, whose process is shown as
follows (Fig. 4).
Fig. 6. Time sequence after modifying the speed set-point tracing logic
analyzes the message, taking a longer time to respond to the command from DCS.
So it is reasonable to modify the function codes on both TCS and DCS to F5, which
shortens the communication time by about 0.4 s according to the site test (Table 2).
4 Conclusion
An optimization scheme consisting of the logic modification and the shortening of the commu-
nication time is proposed. The test is done in the simulator and the simulation results
show that the proposed scheme is feasible and can guarantee the success of the turbine
speed set-point tracing function. Site commissioning and operation practice show
that this scheme can effectively solve the problem of turbine trip caused by
the control cooperation scheme between the TCS platform and the DCS platform. The
proposed scheme can also ensure the safe and reliable operation of the steam turbine
during switchover between the different control platforms. All of the above provides
technical support to ensure the safe, economic and reliable operation of the nuclear
power plant.
References
1. Zeng, B., Zhan, X.L., Zhang, C.: Analysis and research on the standardized design of turbine
control system in nuclear power plant. Process Autom. Instrum. 36(11), 36–40 (2015)
2. Li, J., Xu, H.B.: Communication design in turbine protection system based on modbus
protocol. Process Autom. Instrum. 21(4), 35–47 (2006)
3. Cheng, B.H., Zhu, W.: CPR1000 nuclear power project and the third part system
communication fault diagnosis and optimization. Electron. Test 4(X), 65–67 (2013)
4. Wang, Q.W., Fu, Q., Xia, F.Y.: Application of IEC60870-5-104 transmission protocol in
nuclear power plant. Electron. Test. 2013(23), 106–109 (2013)
5. Wang, H.: SIEMENS 1000 MW control logic optimization in turbine DEH system. China
Electr. 47(09), 6–10 (2014)
6. Li, Y.L., Xu, X.Y.: Emergency operation for nuclear power steam turbine control system
response. Instrumentation 24(3), 64–70 (2017)
7. Wang, Z.H., Wang, H.T., Tao, X.Y.: Analysis and simulation optimization of mal-operation
of power load unbalance protection for 1000 MW unit. Sci. Technol. Eng. 18(1), 40–46
(2018)
8. Lu, S.Q., Zhang, Y.J.: Load rejection test of a half speed steam turbine for nuclear power
plant. Power Equip. 32(1), 29–31 (2018)
Risk Analysis and Management of Software
V&V Activities in NPPs
Abstract. The life cycle of software can be divided into the concept, require-
ments, design, construction and integration phases and so on. Risk analysis
and management should be executed during the software life cycle. The risks
of the instrumentation and control (I&C) system include technical and
management risks. The concern of risk analysis differs across the software life
cycle. The verification and validation (V&V) effort may identify technical
and management risks that have a measurable possibility of negative conse-
quences for the I&C system in nuclear power plants (NPPs). Risk analysis is one
of the minimum tasks of software verification and validation. IEEE
1012-2017 Annex J describes risk analysis, risk estimation and risk
evaluation in general. The risks of the software V&V activities are identified
in this paper. Based on the risks of the software V&V activities, a risk
management strategy is proposed.
1 Introduction
Digital technology is an important hallmark of advanced nuclear power plants. It has
been accepted by nuclear power plants and used in critical systems (such as
RPN, RIC). Physical limits can be overcome by introducing software, so that
complex logic and computing can be implemented. To ensure the reliability and safety
of software, software development shall meet the requirements of the standards and
regulations for nuclear power plants. Software performing category A functions
should comply with IEC 60880 [1] or IEC 62566 [2]; category B and C software needs to
follow IEC 62138 [3]. In order to qualify the software in
accordance with the plant and standards requirements, software V&V (verification and
validation) technology is a common identification method [4]. Risk analysis is one
of the minimum tasks of software verification and validation. IEEE 1012-2017
is the standard for software V&V activities, and its Annex J describes risk analysis,
risk estimation and risk evaluation in general [5]. The purpose of the risk management
process is to identify potential managerial and technical risks [6]. The risk
assessment process includes identifying the potential risks, determining their likelihood and consequences,
setting the risk level, proposing mitigation measures, performing the risk treatment, and assessing the
acceptability and effectiveness of the measures. Risk management mainly comprises
making and maintaining the risk management plan, risk monitoring, recording the
information on successful risk management measures and evaluating the risk
management process. Reference [7] gives evaluation measures for
software V&V of the safety digital instrumentation and control system in nuclear power plants.
The evaluation results can be used for evaluating the risk of the V&V activities.
Software development can be divided into the concept, requirements, design,
implementation and integration phases, so the software verification and validation process
also includes five phases. The concern of the risk analysis differs across the software
V&V activities. The risks of the software V&V activities are given in this paper, and
risk management measures for the software V&V activities are proposed
for nuclear power plant software.
Based on projects of software V&V activities in NPPs, some cases are shown
in Table 1. The risks mainly come from an unenforceable plan, the tester and schedule
delay. In order to avoid the above risks, the software V&V organization often
performs a peer review of the software V&V plan (SVVP) and carries out overall
training before starting the project. The software V&V team and the development
organization should keep communicating at all times to ensure the project schedule is
controlled. The risks of software V&V activities should be fully identified and
given risk treatment measures.
3 Risk Identification
The risks comprise transverse and longitudinal risks for the software V&V activities. The
transverse risks are those of the different technical routes, such as CPU and FPGA. The FPGA
technical route needs less attention to the security risk, but the security risk is the key
point for CPU software V&V activities. The longitudinal risks are those of the software
V&V process, such as concept V&V, software requirement V&V and design V&V. The
risks differ in every V&V phase: for example, the risks of concept V&V mainly come
from the tester and method, while the risks of implementation V&V may be caused by the tester,
environment and tools. So before the risk management of software V&V activities in
NPPs, the software V&V team needs to draw a table like Table 4 and put the risk
categories into Table 4. Then the applicable management methods can be provided.
The risk management should be combined with prior project experience and be
updated along with the project.
Normally, the risk management process includes planning and implementing risk man-
agement, establishing and maintaining the risks, risk analysis, monitoring and evaluation. So
risk management can be performed by the following measures.
• Software V&V plan
The risk management process needs to be described in the software V&V plan at the
beginning of the project. The technical and management risks of the software V&V
activities need to be fully identified in SVVP (software verification and validation
plan). The risk analysis should be considered on each phase of the software V&V
activities. The monitor and management strategies should be proposed in SVVP.
• Quality assurance plan
The special quality assurance plan shall exist or be established at an early stage of
the software V&V life cycle. Any deviation from the V&V quality assurance plan
shall be documented and justified.
• Configuration management plan
The software V&V configuration management plan should be established early in the
software V&V lifecycle. It shall establish responsibility, assign V&V resources and
make sure the measured object is under control. The verification team should have clearly
defined responsibilities and be equipped with adequate means.
• Independence
The software V&V activities can be undertaken by a third-party assessment
department independent of the software developer and user. This provides better
assurance of the quality targets.
• Human factors
The V&V team needs adequate human resources and a nuclear technical
background. Establishing a good communication mechanism and reviewing the test
technique periodically are necessary. The verification team should have a complete
training mechanism.
5 Summary
The risks of software V&V activities in NPPs should cover both general and special
risks. In order to fully assess the risks, the tester needs to analyze the risks of the
software V&V activities transversely and longitudinally. Then the V&V team can make
the applicable management strategies in the software V&V plan, quality assurance plan
and configuration management plan. Based on the technical route, the tester can be
chosen and given targeted training. The V&V team needs to establish a risk
database and continually renew it. In order to ensure its effectiveness, periodic moni-
toring of the risk management process is necessary. Information on successful risk
assessment and management shall be documented. The risk management process is an
iterative process throughout the life cycle of software V&V activities.
References
1. International Electrotechnical Commission: IEC 60880 Nuclear Power Plants-Instrumentation
and Control Systems Important to Safety-Software Aspects for Computer-Based Systems
Performing Category A Functions. International Electrotechnical Commission, Switzerland
(2006)
2. International Electrotechnical Commission: IEC 62566 Nuclear Power Plants-Instrumentation
and Control Important to Safety-Development of HDL-Programmed Integrated Circuits for
Systems Performing Category A Functions. International Electrotechnical Commission,
Switzerland (2012)
3. International Electrotechnical Commission: IEC 62138 Nuclear Power Plants-Instrumentation
and Control Systems Important for Safety-Software Aspects for Computer-Based Systems
Performing Category B or C Functions. International Electrotechnical Commission,
Switzerland (2004)
4. Gu, P.F., Wang, S.C., Chen, W.H., et al.: A Study about safety I&C system software V&V in
nuclear power plant-final. In: The 24th International Conference on Nuclear Engineering
(2016)
5. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012 IEEE
Standard for System, Software, and Hardware Verification and Validation. Institute of
Electrical and Electronics Engineers, New York (2017)
6. IEEE P1540/D7.0: Draft standard for Software Life Cycle Processes–Risk Management
(1999)
7. Gu, P.F., Liu, Z.M., Liang, H.H., et al.: Evaluation measures about software V&V of the
safety digital I&C system in nuclear power plant. In: Lecture Notes in Electrical Engineering,
pp. 234–234 (2018)
The Optimization of Siemens Turbine
Synchronization Strategy
Abstract. The Siemens half speed turbine technology has been used in nuclear
plants. When the turbine synchronizes to the grid at idling, the active power
increases slowly. This will cause reverse power in the unit or
low generator power in the positive direction. And in synchronization to the grid
with house load, the initial load has a large fluctuation. The power disturbance at
synchronization brings a transient shock to the unit, which is not good for the
coordination between reactor and turbine. This paper improves the synchronization
strategy of the Siemens turbine control system by modifying the matching of the
speed setpoint and load setpoint in synchronization. The active power leaves
0 MW quickly at idling synchronization, so reverse power and
low power in the positive direction can be avoided. The controller output has no step change
in synchronization with house load, so the active power will not fluctuate
greatly. This optimized scheme can effectively reduce the power disturbance for
the turbine of the nuclear plant in synchronization.
1 Preface
The Siemens half speed steam turbine is a single-axis, three-cylinder, four-exhaust, reheat,
reaction, condensing type with rated power 1086 MW and rated speed 1500 RPM.
The turbine control and protection platform is the T2000 + PCS7 (Siemens distributed
control system) system. After continuous development and promotion, the
design concept of the T2000 + PCS7 system has become very mature. The hardware
equipment is very reliable, and TEC4 (Siemens configuration software) configu-
ration is very convenient. T2000 + PCS7 has been widely used in different units
around the world [1]. The synchronization of a nuclear power unit requires the coop-
eration and parameter matching of reactor, turbine and generator. But in this process,
due to the influence of the grid and the synchronization system, including the syn-
chronization mode and precision, the nuclear power unit will be subjected to a certain
degree of transient shock, which leads to a transient fluctuation of its operating parameters.
If the turbine regulation system is not matched with the synchronization system, the active
power will increase slowly when the unit is synchronized to the grid at idling, or a large
initial load fluctuation occurs at synchronization with house load. So there is the risk of
turbine trip and even reactor trip, which is not conducive to the safe and stable
operation of the nuclear power plant.
2 Event Review
When turbine unit 1 of the Project A nuclear power plant synchronized to the grid, see
Fig. 1, after the load switch was closed, within 4 s the active power fluctuated up and down
in a sinusoidal oscillation, and the oscillation time was nearly 4 s. Then the active
power left the 0 axis, that is, it stayed positive and started to increase steadily, and
this process took up to 12 s. This condition could easily cause reverse power of the
unit or the protection action of the generator at low power, and finally it would lead to a
turbine trip.
Fig. 1. The idling synchronization curve of the unit 1 of Project A nuclear power plant
When the turbine synchronized to the grid with house load, see Fig. 2, the fre-
quency pulse width and the frequency modulation period of the synchronization system
did not match the parameters of the turbine governing system, and the actual speed and
the effective speed setpoint did not change accordingly together before and after the
synchronization. The active power fluctuated. The largest value was up to 103 MW. If
the plant operator did not intervene in time, according to the logic operation results of
the turbine governing system, the active power would automatically increase to
93 MW. Because the house load of the nuclear power plant was about 55 MW, the
high power fluctuation of the second loop would lead to the subcooling of the first loop,
the low level of the steam generator and the risk of reactor trip.
According to the operation parameters in synchronization, the Siemens turbine has
two problems: when the turbine synchronizes to the grid at idling, the active power
increases slowly; and in synchronization to the grid with house load, the initial load
has a large fluctuation. These situations pose a threat to the safe
operation of the nuclear plant. The important parameters of the first loop and the second
one in the nuclear plant should not fluctuate greatly after synchronization, and they
should recover quickly or remain in safe stable conditions. So the Siemens turbine
synchronization strategy needs to be optimized to make the reactor, the turbine and the
generator work together. It is beneficial to the security and the economy of the
nuclear plant.
Fig. 2. The house-load synchronization curve of the unit 1 of Project A nuclear power plant
The speed load controller NPR of the Siemens turbine has two operation modes: speed
control and load control. Both modes use the same PI (proportional and
integral) controller, distinguished mainly through condition judgment and dimensional trans-
formation in the input link. The PI controller uses the proportional component and the
integral part to regulate the system according to the error [2].
To improve the control efficiency of the system under the two operating modes,
frequency feedforward and power feedforward are added to the PI loop by the Siemens
turbine technology. Frequency feedforward is used in run-up and primary frequency
modulation, while power feedforward is applied to adjust the active power.
The Siemens turbine uses speed mode in run-up, house-load operation and load
rejection. Normally it is in load mode.
[Figure (speed load controller NPR): labels: frequency deviation, speed set point NS, actual speed NT, dead band of primary frequency modulation, KDN frequency feed forward, power component of primary frequency modulation, load set point PS, PI controller, steam demand SD]
According to the original logic design, the effective load setpoint starts increasing
from 0 MW, and the maximum increase rate is 54.3 MW/min. After the unit is syn-
chronized to the grid, the time for the initial load to go up to 50 MW is nearly
1 min following the instructions of sub-loop control. The positive power protection
threshold of the unit is 10 MW, and the process of the active power increasing above
0 MW needs nearly 10 s. Because the load increase rate is limited, the process of
the unit taking on the initial load is very slow. Because the synchronization system
needs differential frequency to connect to the grid, the turbine idling speed is required
to be about 1503 RPM, and at the cutting-in moment the power transmitter may be hit by a
large shock. Then the active power transient fluctuation appears. The
effective load setpoint increases slowly in the 10 s after synchronization. Compared to the
load fluctuation value the load setpoint is smaller. So the deviation of the speed load
In the process of synchronization with house load, the synchronization system still
adopts the differential frequency mode to connect to the grid. When the generator is
at the same frequency as the power grid, the synchronization device sends an
acceleration command to the turbine governing system, so that the frequency of the unit
is increased above the frequency of the power grid. In this process,
the closed-loop response time of the turbine governing system is not more than 16 ms,
but the rotating inertia of the turbine body is large and the turbine speed changes
slowly. It takes about 4 s from the turbine governing system sending the speed regulation
instruction to reaching the target value. This is not consistent with the frequency pulse
period of the synchronization device, which is 4 s. When the turbine speed does not
meet the differential frequency requirement, the system still continues to send
impulse signals to the turbine governing system. As the turbine governing
system receives excessive speed regulation pulse signals, the speed setpoint still increases
after the high voltage switch is closed. The output of the speed load controller
increases, resulting in fluctuation of the active power, with a maximum value up to
102 MW.
(3) the high voltage switch and the load switch are both closed, that is, the steam
turbine has been synchronized to the grid; (4) the optimal idling synchronization switch
is closed. After these four conditions are satisfied, the effective load setpoint
rapidly rises to 15 MW at the rate of 900 MW/min in 1 s, and then the speed load
controller can increase its output through the larger positive deviation and the power
feedforward, so the turbine can take on the initial load of 50 MW as soon as possible.
After optimization, the power fluctuation in synchronization is reduced. As
shown in Fig. 6, the effective load setpoint (red line) after synchronization increases
rapidly for 1 s at the rate of 900 MW/min, and the load increase rate is restored to
54.3 MW/min after 1 s. The process of the active power (blue line) leaving the 0 axis
to become positive needs only 2.8 s, and finally the value reaches the 50 MW
required by the sub-loop control. The power overshoot is smaller and the PID control
effect is excellent; the optimization successfully solves the problem of the unit taking on
the initial load too slowly. It is beneficial to the safe and stable operation of the unit.
Fig. 6. The idling synchronization of the unit 1 of Project A nuclear power plant after
optimization
Since the speed setpoint does not follow the actual speed change, the output of the
speed load controller increases. Therefore, it is necessary to optimize the speed mode
of the turbine governing system: the speed deviation before and after synchronization
to the grid is superimposed on the unit effective speed setpoint, so that the effective
speed setpoint can track the unit frequency in the initial 10 s of synchronization:
Ns1 = Ns0 + ΔN
where Ns1 is the target speed setpoint after synchronization, Ns0 is the target speed
setpoint before synchronization and ΔN is the speed deviation before and after synchronization.
This design ensures that the speed deviation of the speed load controller is kept
constant. The power disturbance of house load synchronization can be solved by
making the speed setpoint track the speed deviation before and after syn-
chronization for a short time.
The logic modification of the speed setpoint is shown in Fig. 7. If the unit frequency
is to be tracked, the following requirements shall be met: (1) the time for which the actual load PEL
exceeds 100 MW cannot be more than 2 s; (2) the turbine governing system is in speed
mode; (3) the time for which the high voltage switch and the load switch are both closed shall
not exceed 10 s; (4) the optimization switch of house load synchronization is closed;
(5) the speed/load mode switch signal, load rejection signal and speed tracking signal
are not triggered. When the turbine is connected to the grid with house load, the speed
setpoint and the actual speed before synchronization are saved through the memory
block. The turbine speed after synchronization is subtracted from the stored turbine
speed before synchronization, and the deviation is added to the speed setpoint for
10 s after synchronization, so the unit frequency can be tracked in time. The input of the
controller remains stable, so the active power of the turbine will not fluctuate.
After synchronization, the effective speed setpoint fluctuates together with the unit
speed, so that the speed deviation is kept unchanged. Then the output of the steam
turbine is ensured to remain stable. The curve is shown in Fig. 8. The actual load is
55 MW before synchronization, and it can return to 55 MW by closed loop adjustment
after synchronization. The power fluctuation can be solved.
By optimizing the parameters of the synchronization system, and improving the
logic of the speed setpoint of the turbine governing system, the active load of the
turbine before and after synchronization can remain stable at about 55 MW. The output
of the speed load controller is kept unchanged because of the unchanged speed
deviation.
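As an added example, not the paper's or the turbine governing system's own code, the following Python model puts both optimized logics of this paper side by side: the fast initial load ramp after idling synchronization (the four-condition logic and the 900 MW/min for 1 s, then 54.3 MW/min ramp) and the speed setpoint tracking Ns1 = Ns0 + ΔN with its five conditions for house-load synchronization. Rates, windows and thresholds are the values quoted in the text; the way the permissive conditions are passed in, the folding of the two idling conditions not reproduced on this page into one flag, the sign convention ΔN = current speed minus stored pre-synchronization speed, and the sample numbers are assumptions.

```python
"""Model of the two optimized Siemens turbine synchronization logics.
Added example, not the governing system's code. Rates, windows and
thresholds come from the text; permissive inputs and samples are constructed.
"""
from dataclasses import dataclass

NORMAL_RATE_MW_MIN = 54.3   # maximum load setpoint increase rate
FAST_RATE_MW_MIN = 900.0    # fast ramp right after idling synchronization
FAST_WINDOW_S = 1.0         # the fast ramp lasts 1 s (reaches 15 MW)
TRACK_WINDOW_S = 10.0       # speed setpoint tracks the unit speed for 10 s


@dataclass(frozen=True)
class IdlingSyncPermissive:
    """Conditions (3) and (4) of the idling synchronization logic; the two
    conditions not reproduced on this page are folded into
    other_conditions_ok (assumption)."""
    other_conditions_ok: bool
    hv_switch_closed: bool
    load_switch_closed: bool
    idling_opt_switch_closed: bool

    def fast_ramp_allowed(self) -> bool:
        return (self.other_conditions_ok and self.hv_switch_closed
                and self.load_switch_closed and self.idling_opt_switch_closed)


def effective_load_setpoint(t_s: float, target_mw: float,
                            perm: IdlingSyncPermissive) -> float:
    """Effective load setpoint (MW) t_s seconds after synchronization.

    Original logic: ramp from 0 MW at 54.3 MW/min. Optimized logic: ramp at
    900 MW/min for the first second, then at 54.3 MW/min. The sub-loop
    target (50 MW initial load) caps the setpoint."""
    if t_s <= 0.0:
        return 0.0
    normal = NORMAL_RATE_MW_MIN / 60.0
    if not perm.fast_ramp_allowed():
        return min(target_mw, normal * t_s)
    fast = FAST_RATE_MW_MIN / 60.0
    if t_s <= FAST_WINDOW_S:
        return min(target_mw, fast * t_s)
    return min(target_mw,
               fast * FAST_WINDOW_S + normal * (t_s - FAST_WINDOW_S))


def time_to_reach(level_mw: float, target_mw: float,
                  perm: IdlingSyncPermissive, dt_s: float = 0.01) -> float:
    """First time (s) at which the effective setpoint reaches level_mw."""
    for k in range(int(600.0 / dt_s) + 1):
        t = k * dt_s
        if effective_load_setpoint(t, target_mw, perm) >= level_mw - 1e-9:
            return round(t, 2)
    raise ValueError("level not reached within 600 s")


@dataclass(frozen=True)
class HouseLoadTrackingPermissive:
    """Conditions (1) to (5) for tracking the unit frequency after
    house-load synchronization."""
    pel_over_100mw_for_s: float     # how long PEL has exceeded 100 MW
    speed_mode: bool
    switches_closed_for_s: float    # time since HV and load switch both closed
    house_load_opt_switch_closed: bool
    mode_switch_signal: bool
    load_rejection_signal: bool
    speed_tracking_signal: bool

    def tracking_allowed(self) -> bool:
        return (self.pel_over_100mw_for_s <= 2.0
                and self.speed_mode
                and self.switches_closed_for_s <= TRACK_WINDOW_S
                and self.house_load_opt_switch_closed
                and not (self.mode_switch_signal or self.load_rejection_signal
                         or self.speed_tracking_signal))


def tracked_speed_setpoint(ns0_rpm: float, n_before_rpm: float,
                           n_now_rpm: float,
                           perm: HouseLoadTrackingPermissive) -> float:
    """Ns1 = Ns0 + delta N while tracking is permitted, otherwise Ns0.

    ns0_rpm and n_before_rpm are the setpoint and actual speed stored by the
    memory block at synchronization; delta N = n_now - n_before (assumed sign
    so that the controller's speed deviation stays constant)."""
    if perm.tracking_allowed():
        return ns0_rpm + (n_now_rpm - n_before_rpm)
    return ns0_rpm


def speed_deviation(ns_rpm: float, n_rpm: float) -> float:
    """Controller input: speed setpoint minus actual speed."""
    return ns_rpm - n_rpm


if __name__ == "__main__":
    orig = IdlingSyncPermissive(True, True, True, False)   # opt switch open
    opt = IdlingSyncPermissive(True, True, True, True)
    for lvl in (15.0, 50.0):
        print(f"{lvl:4.0f} MW: original {time_to_reach(lvl, 50.0, orig):6.2f} s,"
              f" optimized {time_to_reach(lvl, 50.0, opt):6.2f} s")
```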
5 Conclusion
Because this is the first application in the field of nuclear power, the relevant control
strategy of the Siemens steam turbine needs to be adjusted accordingly and coordinated with
the reactor. The Siemens turbine takes on the initial load slowly when synchronizing
to the grid, and there is the problem of reverse power and positive low power of the unit,
which can easily lead to generator protection action. Also the parameters of the
turbine governing system and the synchronization system are not matched when the
unit is connected to the grid with house load. The speed deviation cannot be kept stable
before and after synchronization, which results in a large power fluctuation of the second
loop. The steam generator level would be raised and the reactor could even be subcooled.
After fully absorbing the experience from the early operation of the units, the
synchronization logic of the turbine governing system is optimized and the related
parameters of the synchronization system are also modified. After several simulation
tests, the final optimal control strategy is proposed by comparison. This scheme
successfully solves the problem of power disturbance in synchronization for the
Siemens half speed turbine. It is beneficial to the coordinated control of the nuclear power
plant, and it improves the safe and stable operation of the nuclear power plant [4].
References
1. Qiong, W.U., Jun-Ning, L.I.: The application of Siemens turbine governing system in
CPR1000 nuclear power unit. Technol. Dev. Enterp. 35(21), 42 (2016)
2. Wang, S.-Q.: Industrial Process Control Engineering. Chemical Industry Press (2007)
3. Zeng, B.: Analysis and research on the standardized design of turbine control system in
nuclear power plant. Process Autom. Instrum. (11), 39 (2015)
4. Zeng, B.: Study on HP inlet pressure control in nuclear power plant. Chin. J. Nucl. Sci. Eng
(S2) (2011)
Research on the Verification and Validation
Method of Commercial Grade Software
in Nuclear Power Plants
1 Introduction
With the continuous development of China’s nuclear power technology, more and more digital devices are being applied in nuclear power plants. Smaller devices such as smart transmitters for pressure and level signals, and larger systems such as safety digital instrumentation and control systems, are increasingly used in the design, construction, operation, and maintenance of nuclear power plants.
In the past, most of the software used in nuclear power plants was costly and imported, mainly through commercial purchase, such as Mitsubishi’s I&C systems TXP and TXS and Siemens’s industrial software SIMATIC S7. However, in recent years, with the “going out” and self-reliance of China’s nuclear power technology, more and more independently developed software has been used in nuclear power plants, such as the safety I&C system FirmSys developed by China Techenergy Co., Ltd. Even some safety analysis software has gradually been localized, such as the neutron transport calculation software SUPERMC developed by the Chinese Academy of Sciences, as well as non-safety-critical software. In addition, with the mass construction of nuclear power plants, digital equipment from general industry, such as embedded PLC and FPGA devices, is gradually being applied in nuclear power plants.
Although a large amount of manpower and resources have been devoted to independent research and development, the gap between China’s software industry and foreign software is unavoidable. At the same time, domestic software lacks the long-running operating experience of foreign software, so its safety deserves great attention. Moreover, in order to save development cost or shorten schedules, self-developed equipment often uses commercial grade software that has not been fully verified in the R&D process, and also uses components whose source code is not available, such as the operating systems in embedded devices, which further increases the safety risk of the software. For safety-critical domestic software used in nuclear power plants, such as DCS, with a strict development process, thorough quality assurance and full third-party verification and validation (for example white-box testing with 100% coverage), the software quality is credible [5]. However, commercial grade software, because of development cost, generally does not have such a complete development process and quality assurance. If it is applied directly in nuclear power plants, the consequences would be unimaginable.
How to dedicate this commercial grade software so that it meets the review requirements of domestic and foreign regulatory agencies has become a problem that needs to be solved urgently, and no engineering experience is available for reference. Based on an analysis of commercial grade software dedication standards, this article proposes a set of concrete and feasible commercial grade software V&V solutions drawn from engineering experience in the qualification of safety software in nuclear power plants. It mainly includes the following parts: the first part briefly introduces the status of the application and appraisal of commercial grade software in nuclear power plants; the second part introduces the differences and connections between commercial grade software and safety software, and the focus and difficulty of commercial grade software dedication; the third part analyzes and sorts domestic and foreign standards related to commercial grade software and gives a reference V&V method; the fourth part gives a feasible V&V plan, with its advantages and disadvantages, combining the results of the standards analysis with engineering practice; the fifth part summarizes the content of the plan that needs to be improved and the follow-up research; the sixth part lists the references cited.
2.1 Definition
Commercial grade software refers to the software used in commercial grade items, including system software and application software. Commercial grade items refer to structures, systems or components that are not designed and manufactured under a nuclear quality assurance program but affect the safety functions of the plant. In general, these are items not specifically designed for nuclear facilities but used in nuclear power plants. Such items are generally not subjected to the same stringent process control and verification as nuclear-grade items during design and development [6].
[Figure: V&V activities mapped to the software design stage (design verification) and the software implementation stage (implementation verification)]
When the V&V inputs, such as documents and code, required for carrying out the minimum tasks in each stage are not available and the software requires high confidence, substitute analysis and test methods should be permitted instead of the V&V tasks required by IEEE 1012, to generate objective conclusions about the correctness, completeness, accuracy and usability of the reused software. The following alternative methods should be considered (in decreasing order of preference):
a) Black box testing.
b) Review developer’s quality assurance.
c) Operational history.
d) Audit results.
e) Artifacts.
f) Reverse compilation.
g) Prototyping.
h) Prior system results.
4 V&V Method
4.1 V&V Plan
Although the standards have set corresponding requirements for the evaluation of commercial grade software, each standard has a different emphasis. IEEE 1012 focuses on verification and validation over the entire software lifecycle, and gives the minimum set of tasks and V&V requirements for each V&V phase, which is suitable for the qualification of software with complete development documents and data. EPRI NP-5652 provides an evaluation and acceptance method for commercial grade software and is suitable for the dedication of software whose data are incomplete or hard to obtain. IEC 60880 and IEC 62138 require both.
Combined with engineering experience, IEEE 1012 is more practicable than the other standards for V&V over the entire software life cycle, while IEC 60880 and IEC 62138 are superior to EPRI NP-5652 in terms of evaluation and acceptance.
4.2 Cases
The software of a non-safety control system used in nuclear power plants was developed by a non-nuclear enterprise in China that carries out software development and quality assurance over the entire life cycle according to the waterfall model, and the relevant development documents and data are complete [8, 10]. For this software, the corresponding V&V work is carried out in accordance with the requirements of IEEE 1012 integrity level 2, and the specific V&V flow and tasks are shown in Table 6.
The control software of a foreign smart device is intended to be applied in a domestic nuclear power plant. The software belongs to category A and needs to be qualified accordingly. However, due to confidentiality and other requirements, it is impossible to obtain complete software data for independent qualification over the entire life cycle [11]. Finally, according to the requirements of IEC 60880, the foreign software was subjected to a standards compliance assessment, an operational experience evaluation, and supplementary testing to verify whether it meets the requirements for Class A software [12].
5 Summary
Although the IEC and the United States have given corresponding requirements and methods for the dedication of commercial grade software, and these have a certain enforceability, the supervision and dedication of commercial grade software in China is still insufficient at present, and more in-depth research needs to be carried out.
At the same time, as HPR1000 goes abroad, the lack of prior successful experience leaves some uncertainty in how to prove that the dedication of the software is sufficient to meet the GDA and EUR review requirements. More exchanges and discussions are needed.
References
1. Nuclear Power Engineering Committee of the IEEE Power Engineering Committee: IEEE 7-
4.3.2. IEEE standard criteria for digital computers in safety systems of nuclear power
generating stations. Institute of Electrical and Electronics Engineers, New York (2010)
2. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012.
IEEE standard for software verification and validation. Institute of Electrical and Electronics
Engineer, New York (2004)
3. International Electrotechnical Commission: IEC 60880. Nuclear power plants instrumenta-
tion and control systems important to safety software aspects for computer based systems
performing category A functions (2006)
4. International Electrotechnical Commission: IEC 62138, Nuclear power plants-
instrumentation and control systems important for safety-software aspect for computer-
based systems performing category B or C functions (2004)
5. Ye, W.P., Tang, J.Z., Chen, W.H.: Software V&V methods for safety digital I&C system of
nuclear power plants. At. Energy Sci. Technol. 49(zengkan1), 377–381 (2015)
6. Gu, P.F., Wang S, Chen, W.H.: A study about safety I&C system software V&V in nuclear
power plant. In: International Conference on Nuclear Engineering (2016). V001T04A005
7. He, Y.N., Gu, P.F., Xi, W.: Research on status monitoring and reliability prediction method
of digital control system for nuclear power plant. At. Energy Sci. Technol. 51(12), 2338–
2343 (2017)
8. Liang, H.H., Gu, P.F., Tang, J.Z.: The Software Security Analysis for Digital Instrumen-
tation and Control Systems of NPPs. Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2018)
9. Zhao, J., He, Y.N., Gu, P.F.: Reliability of digital reactor protection system based on
extenics. SpringerPlus 5(1), 1953 (2016)
10. Liang, H.H., Gu, P.F., Tang, J.Z.: A Study of Implementation V&V Activities for Safety
Software in the Nuclear Power Plant. Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2017)
11. Gu, P.F., Liu, Z.M., Liang, H.H.: Evaluation Measures about Software V&V of the Safety
Digital I&C System in Nuclear Power Plant. Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems (2018)
12. Xi, W., Gu, P.F., Liu, W.: A Study and Application about Software V&V Requirement
Management Scheme in Digital RPS. Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2018)
Research on Application of Sequence Control
Strategy in Conventional Island System
of Nuclear Power Plant
Abstract. Sequential control has been widely used in thermal power units, but only a few systems in CPR1000 nuclear power projects apply it. The implementation and the characteristics of the sequential control technology are described through an engineering application example of sequential logic modules in functional-group-level control used in the conventional island systems of a third-generation nuclear power plant. The application of functional-group-level sequential control can effectively reduce the operator’s workload and improve the level of automatic control of nuclear power plants. The application in the nuclear power project provides a demonstration case for the large-scale adoption of the sequential control strategy in the conventional island systems of nuclear power plants, laying the foundation for the automatic start-up and shutdown of nuclear power plant units.
1 Introduction
The application of sequential control in thermal power units is relatively mature and extensive, and plays an increasingly important role in the safe and economic operation of large-scale units. At present, the control of auxiliary machines in the conventional island of the Chinese PWR (CPR) nuclear power project mainly uses single drive-level device operation with interlock control, and sequential control is not widely applied. The conventional island auxiliary systems of nuclear power plants are closely related to the production process of the power plant; their normal operation is an important condition for ensuring the stable and full-load production of the units. The automatic control of nuclear power plants is relatively conservative and the level of automation needs to be further improved.
Sequential control technology has been successfully applied in the thermal power, metallurgical and chemical industries, and in the steam-water separation system of the CPR project. Using sequential control can not only reduce many cumbersome operations, but also avoid misoperation by the operator. By introducing and widely
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 149–155, 2019.
https://doi.org/10.1007/978-981-13-3113-8_17
According to DL/T 5423-2009, the conventional island switch quantity control system
should use subgroup-level and functional group-level sequential control modes. The
equipment group or auxiliary process system with fixed sequence of start/stop opera-
tion should adopt sequential control [2].
implementation of each step, thereby reducing many tedious operations. At the same time, in the sequential control logic design, the operation of each device is subject to strict safety interlock conditions. Whether in automatic sequence operation or single-device manual operation, as long as the action conditions of a device are not met, the device is locked, thus avoiding misoperation and ensuring the safety of the equipment.
The second-generation CPR1000 nuclear power project has few functional-group-level sequential control systems. New sequential control strategies are included in the conventional island system control of the third-generation nuclear power project under construction, and are divided into five functional group levels according to the characteristics of the process systems. The auxiliaries include high-pressure heaters, low-pressure heaters, circulating pumps, feed pumps and condensate pumps, and the auxiliary equipment includes the inlet valves, outlet valves, oil pumps and/or recirculation valves of the auxiliaries.
The design method of the function group sequential logic: incorporate one or more auxiliary machines of the nuclear power plant and their associated equipment into the control logic circuit of a function subgroup, and set the subgroup according to the order and conditions required for operating the auxiliaries. The operational sequence of the auxiliary machine and its related auxiliary equipment is fixed, and the feedback signal of the execution status of the auxiliary machine or equipment started earlier works as the permissive condition of the next-level auxiliary machine or auxiliary device program. In logic design, it is necessary to accurately analyze and classify the operational sequence, interrelationships, associated conditions, program return, and manual intervention of all devices belonging to the group.
① The start command of the sub-function group is set on the CRT, together with the permissive condition for the start, which is displayed.
② The program or step start is also available; it may also be the execution status of the previous sequence.
③ Sequential control output.
④ Step setting switch: in some sub-function groups a step must be skipped because of device conditions or operation, and the step switch is used to set this.
⑤ Sequential control execution check: when a step control command is issued, the program execution is interrupted and an alarm is raised if the step has not been completed within the specified time.
⑥ When there is a jump, the command is accessed.
When the water pump 21 is to be started, a status feedback signal of the outlet valve 23 is obtained through the signal input 31 (P11, P12). If the feedback signal showing the closed status of the valve has been obtained, the closed-state signal is used as the condition for the next step, and the logic circuit 3 automatically sends an instruction to open the water inlet valve 22 through the signal output terminal 32 (S01). If the status feedback signal of the valve 23 is not obtained within the specified time, the program is interrupted and an alarm instruction is sent to the alarm 5.
When the signal input terminal 31 (P21, P22) of the logic circuit 3 obtains the feedback signal of the open status from the water inlet valve 22, the open-state signal is used as the start condition for the next device, the lubricating oil pump 24, and the logic circuit 3 automatically sends the instruction to start the lubricating oil pump 24 through the signal output terminal 32 (S02). If the feedback signal of the water inlet valve 22 is not acquired within the pre-defined time, the program is interrupted and the abnormality signal is sent to alarm 5.
When the feedback signal of whether the lubricating oil pump 24 has started is acquired from the accessory device through the signal input 31 (P31, P32) of the logic circuit 3, and the feedback shows the started state, this start-state signal works as the start condition for the next device, the water pump 21; the logic circuit 3 automatically issues an instruction to start the water pump 21 through the signal output terminal 32 (S03). If the status feedback signal of the lubricating oil pump 24 is not acquired within the pre-defined time, the program is interrupted and an alarm is issued to the alarm 5.
[Figure: flowchart of the start-up sequence with Yes/No checks (outlet valve 23 closed, inlet valve 22 open, pump 21 started, outlet valve open); each No branch leads to Alarm]
When the feedback signal of the water pump 21 is obtained from the accessory device through the signal input terminal 31 (Pn1, Pn2) of the logic circuit 3, the logic circuit 3 automatically issues the instruction to open the outlet valve 23 through the signal output terminal 32 (S0n). When the water outlet valve 23 receives the opening request from the signal output terminal 32 (S0n), it opens automatically and the control program is complete. If the valve cannot be opened, an alarm instruction is sent to the alarm device 5.
The sequence control execution status check is displayed on the human-machine interface CRT of the DCS. When the check control instruction is issued, the next-step start condition is evaluated, as described above, via the signal input 31 of the logic circuit 3 on the accessory device. If the feedback signal of whether the water outlet valve 23 is closed has not changed after the predetermined time for the closing signal, the program interrupt command is executed and the alarm is issued. The other subsidiary conditions are handled in the same way. When the cause of the program interruption has been eliminated, the reset button 41 can be pressed, and the operator then resumes the operation and continues the function group steps until every step of the program is completed.
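As an added illustration of the step logic described above (example code, not from the paper or the project), the following Python sequencer executes the same chain of permissive check, command, feedback wait and timeout alarm against a constructed plant model, including the operator reset that resumes at the failed step. Device names, response delays and timeout values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Step:
    """One step of the function-group program. Terminal labels follow the
    paper's S0n / Pn1 numbering; devices and timeouts are assumptions."""
    name: str
    device: str                     # device the step commands or checks
    command: Optional[str]          # value sent via output terminal 32; None = check only
    output_terminal: Optional[str]  # S01, S02, ... (documentation only)
    expected: str                   # feedback state that permits the next step
    input_terminal: str             # P11/P12, P21/P22, ... (documentation only)
    timeout: float                  # seconds before the program is interrupted


@dataclass
class SimPlant:
    """Constructed plant model: a commanded device reaches the new state
    after `delay` seconds unless it is listed in `stuck`."""
    state: dict
    delay: dict
    stuck: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device -> (value, time due)

    def command(self, device, value, now):
        if device not in self.stuck:
            self.pending[device] = (value, now + self.delay.get(device, 0.0))

    def read(self, device, now):
        if device in self.pending:
            value, due = self.pending[device]
            if now >= due:
                self.state[device] = value
                del self.pending[device]
        return self.state.get(device)


class Sequencer:
    def __init__(self, steps, plant, tick=0.5):
        self.steps, self.plant, self.tick = steps, plant, tick
        self.index = 0          # next step to execute (stays put on interruption)
        self.now = 0.0          # simulated clock in seconds
        self.alarms = []        # messages sent to alarm device 5
        self.interrupted = False

    def run(self):
        """Execute steps from self.index; True when the program completes."""
        while self.index < len(self.steps) and not self.interrupted:
            step = self.steps[self.index]
            if step.command is not None:
                self.plant.command(step.device, step.command, self.now)
            deadline = self.now + step.timeout
            # The next step is permitted only when the expected feedback
            # arrives within the step's time limit; otherwise interrupt and alarm.
            while self.plant.read(step.device, self.now) != step.expected:
                if self.now >= deadline:
                    self.interrupted = True
                    self.alarms.append(f"{step.name}: no '{step.expected}' feedback on "
                                       f"{step.input_terminal} within {step.timeout}s")
                    return False
                self.now += self.tick
            self.index += 1
        return self.index == len(self.steps)

    def reset(self):
        """Operator reset button 41: clear the interruption; run() resumes at the failed step."""
        self.interrupted = False


# The pump start-up sequence of the text (constructed timeouts).
PROGRAM = [
    Step("check outlet valve 23 closed", "outlet_valve_23", None, None, "closed", "P11/P12", 5.0),
    Step("open inlet valve 22", "inlet_valve_22", "open", "S01", "open", "P21/P22", 30.0),
    Step("start lubricating oil pump 24", "lube_oil_pump_24", "run", "S02", "run", "P31/P32", 10.0),
    Step("start water pump 21", "water_pump_21", "run", "S03", "run", "Pn1/Pn2", 10.0),
    Step("open outlet valve 23", "outlet_valve_23", "open", "S0n", "open", "P11/P12", 30.0),
]

DELAYS = {"outlet_valve_23": 20.0, "inlet_valve_22": 20.0,   # assumed stroke/start times
          "lube_oil_pump_24": 3.0, "water_pump_21": 4.0}


def initial_state():
    return {"outlet_valve_23": "closed", "inlet_valve_22": "closed",
            "lube_oil_pump_24": "stopped", "water_pump_21": "stopped"}


def start_pump_group(stuck=()):
    """Run the program once; returns (completed, alarms, sequencer)."""
    seq = Sequencer(PROGRAM, SimPlant(initial_state(), DELAYS, set(stuck)))
    done = seq.run()
    return done, list(seq.alarms), seq
```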
4 Conclusions
The dedicated logic modules and related sequential logic of conventional island sequential control have been applied in the logic diagrams of the third-generation nuclear power projects under construction. This logic, which is based on the start/stop sequence of the auxiliary machines and auxiliary equipment of the process system, can effectively reduce the workload of operators, improve the level of automatic control, and enhance the safety and economic operation of the nuclear power plant; it also provides application cases for the subsequent use of sequential control technology in large-scale nuclear power projects and lays a solid foundation for achieving automatic start-up and shutdown of nuclear power plant units.
References
1. East China 6 provinces and 1 city Electrical Engineering (Electricity) Institute. 600 MW
thermal power generating unit training materials (Second Edition) thermal automation, (9),
pp. 73–74. China Electric Power Press, Beijing (2006)
2. DL/T 5423-2009 Design code for instrumentation and control system of conventional island
of nuclear power plants
Optimization of Control Solution for Deaerator
Water Level Protection in Nuclear Power Plant
1 Introduction
The feed-water preheated in the low-pressure feed-water heater system is heated and deaerated in the feed-water heater system and then sent to the steam generator via the high-pressure feed-water heater system, in which the feed-water is heated to the required temperature. The feed-water deaerating tank is an important piece of equipment since it performs the important function of heating and deaerating the feed-water in the secondary circuit. The main functions of the feed-water deaerating tank are pressure control, water level adjustment and water level protection of the deaerating tank [1]. Triggering of the water level protection function directly shuts down the secondary circuit feed-water pump or closes the bled-steam isolation valve, which may further cause major events such as loss of water in the secondary circuit, turbine trip and reactor trip [2]. In conclusion, the water level protection function of the deaerator is very important, and the control solution implementing this function should have excellent stability so as to reduce the probability of triggering due to operational transients or instrument failure, the so-called malfunction. The deaerator water level instrumentation diagram currently used in several generation II+ pressurized water reactor (CPR1000) nuclear power plants is shown in Fig. 1. In addition to the protection function, the deaerator is equipped with water level alarms at four different levels, which are provided by the corresponding water level switches. The water level measured by the deaerator water level measuring device can be displayed and read in the main control room, and the value can be used to manually control water feeding or draining in order to maintain the water level [3].
Control logic diagrams for several CPR1000 nuclear power plants are shown in the following figures. Figure 2 represents the deaerator high-high water level protection function and Fig. 3 the low-low water level protection function. The high-high water level protection function is implemented via double one-out-of-two logic. This logic effectively reduces the failure probability when the system is in danger, but increases the failure probability when the system is safe; it guarantees safety while the system is in operation but brings risks to the economic efficiency of the power plant. The low-low water level protection function of the deaerator adopts two-out-of-three control logic, which reduces not only the failure probability when the system is in danger but also the failure probability when the system is safe. Both the safety of the system in operation and the economic efficiency of the power plant are well balanced [4].
So far, the deaerators of several CPR1000 nuclear power plants have suffered malfunctions of the water level protection function. For example, in a certain nuclear power plant, during load rejection at the 80% power plateau, a high-high water level switch triggered the closing of the suction isolation valve and the trip of the condensate pumps. As a result, the secondary circuit lost its water supply, leading to a reactor trip. According to the on-site data analysis, the protection was triggered at 9:38 am. In the period before the trigger time there is no sharp spike in the curves of deaerator pressure, feed-water flow rate to the deaerator or deaerator water level, as shown in Figs. 4 and 5. What is more, the installation inspection and the on-line performance tests of the high-high level switch that triggered the action found no abnormalities. Therefore, it can be confirmed that a short-term false water level appeared at a local position inside the deaerator, resulting in this shutdown event. Another nuclear power plant also experienced continuous triggering of a high water level alarm. No abnormalities were found after installation inspection and on-line testing; finally, changing the location of the measurement point resolved the problem. Similar failure events have also occurred in Chinese thermal power plants [5].
According to the experience feedback of several power plants, the false water level at a local position caused by the structure and by transients cannot be eliminated completely even if the instrument performance is excellent and the installation is correct, since the body of the deaerator is very large and its internal structure is complex. Besides, there is also a risk of faulty operation in the existing control solution of the protection function, which seriously affects the economic efficiency and reliability of the power plant.
In order to optimize the existing control solution for the deaerator water level protection function, sufficient redundancy of instrumentation and reasonable control logic should be considered to eliminate the adverse effects caused by a false water level [6]. According to the results of the logic analysis, the typical two-out-of-three control logic can be considered a good design proposal for balancing the safety of the system in operation and the economic efficiency of the power plant. It is theoretically feasible to simply add level switches to the existing control solution to achieve this logic, but it is difficult in a real project. According to the installation of level instruments shown in Fig. 1, there are already 18 level instruments on the deaerator, besides pressure instruments, temperature instruments and other test points. Moreover, because of the importance of the system function, the level switches used are float switches, which have stable performance but are large. A water level switch cannot display readings, so it has to be equipped with a local level instrument for switch calibration and on-site reading. To avoid excessive openings in the deaerator body, balance containers are provided for the level switch and the corresponding level instrument; however, the balance container itself is also relatively large. Therefore, the installation space on the deaerator is extremely tight, which is also the experience feedback of several plant constructors. If two-out-of-three logic were implemented in the protection function and the alarm function, three more level switches would be required, together with the related level instruments and balance containers, and the installation on site would be even more difficult. A solution that guarantees the redundancy with limited instruments can be considered a true optimization. That is the reason why analog transmitters are used to replace the level switches. The main difference between the analog transmitters and the level switches is the signal treatment: unlike a level switch with a float, a level transmitter needs calculation before transmitting the value, which takes more time. However, with the development of instrumentation technology, level transmitters with a 300 ms action time are very common today. Even with a 500 ms control system calculation cycle, the entire calculation time is within 1 s, which is acceptable compared to the action time of the relevant valve, which is between 16 s and 28 s according to the system process analysis. The optimization employs three level transmitters to replace nine level switches and the corresponding five local level sensors, and also removes a level sensor that is used only for monitoring. The control logic of the high-high level protection and the low-low level protection is changed to two-out-of-three, as shown in Fig. 6. The regression logic is one-out-of-two in order to guarantee the safety and reliability of the power plant in operation. The logic of the high level alarm and the low level alarm is designed in the same way.
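As an added example (not from the paper), the following Python code applies k-out-of-n voting to constructed transmitter readings, including a single-channel false local level, and compares the failure-on-demand and spurious-trip probabilities of the one-out-of-two and two-out-of-three architectures discussed both in the Fig. 2/Fig. 3 discussion and in this section; the per-channel probabilities, the level values and the independence of the channels are assumptions.

```python
from math import comb


def k_out_of_n(signals, k):
    """True when at least k of the channel signals are True."""
    return sum(1 for s in signals if s) >= k


def level_protection(levels, setpoint, k=2, high=True):
    """Compare each transmitter reading with the setpoint and vote k-out-of-n.
    high=True models the high-high trip, high=False the low-low trip."""
    votes = [(lvl >= setpoint) if high else (lvl <= setpoint) for lvl in levels]
    return k_out_of_n(votes, k)


def failure_probabilities(k, n, q_dangerous, q_spurious):
    """(P_fail_on_demand, P_spurious_trip) for k-out-of-n voting of n independent
    channels. q_dangerous: a channel misses a real demand; q_spurious: a channel
    signals when there is no demand. Independence is an assumption."""
    def at_least(p, m):
        # P(Binomial(n, p) >= m)
        return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(m, n + 1))
    p_detect = 1 - q_dangerous
    fail_on_demand = 1 - at_least(p_detect, k)   # fewer than k channels see the demand
    spurious = at_least(q_spurious, k)           # at least k channels signal falsely
    return fail_on_demand, spurious


def compare_architectures(q_dangerous=0.01, q_spurious=0.01):
    """Constructed per-channel probabilities; keys are '1oo1', '1oo2', '2oo2', '2oo3'."""
    return {f"{k}oo{n}": failure_probabilities(k, n, q_dangerous, q_spurious)
            for k, n in [(1, 1), (1, 2), (2, 2), (2, 3)]}


def response_time_ok(transmitter_s=0.3, cycle_s=0.5, valve_s=16.0):
    """Worst-case detection time (transmitter action + one control cycle) against
    the fastest relevant valve action quoted in the text."""
    return transmitter_s + cycle_s < valve_s


if __name__ == "__main__":
    # A short false high level seen by one transmitter only (constructed values, in m).
    readings = [1.25, 0.82, 0.80]
    print("1oo2 trips:", level_protection(readings[:2], 1.0, k=1))
    print("2oo3 trips:", level_protection(readings, 1.0, k=2))
    for arch, (fod, sp) in compare_architectures().items():
        print(f"{arch}: P(fail on demand)={fod:.3e}  P(spurious trip)={sp:.3e}")
```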
Fig. 6. The optimized logic diagram of deaerator water level protection solution
The optimized control solution for the deaerator level protection function has several advantages compared to the original one:
1. Better stability: it reduces malfunctions due to a short-term false water level at a local position in the deaerator.
2. Better visibility: it is easier to determine whether the instrumentation of the protection function is operating normally.
3. Less installation space: the quality of installation is improved.
4. Less work for the maintenance team, since the level switches are removed and no periodic test of level switches is needed.
5. Easier system modification, since level sensors are used and the alarm settings are more flexible.
The current optimization solution has been used in the design of the advanced third-generation nuclear power plants and has shown good performance after commissioning. It is valuable to generalize such an optimization, for example in the subsequent modification of CPR1000 nuclear power plants. The water level protection functions of the various tank equipment in nuclear power plants can refer to this optimization solution.
6 Conclusion
The use of analog sensors instead of water level switches, combined with two-out-of-three control logic, can largely guarantee the safe and stable operation of the entire power plant. The optimized instrument configuration and control solution can effectively reduce malfunctions of protection functions due to transients or instrument failure. What is more, it is highly feasible from the point of view of instrument procurement and installation, control logic design and other aspects. Relevant recommendations for deaerator control solutions in conventional power plants and nuclear power plants can also be found in recent international standards, confirming the feasibility and reliability of the proposed optimization [7, 8]. At the same time, this optimization proposal serves as an important reference for the design of protection function control solutions for similar devices.
References
1. Jiang, H.Y.: Introduction to level control and maintenance of the integrated deaerator. In:
Power Station Auxiliary Equipment, 107th edn, Haerbin (2008)
2. Deng, S.X.: Simulation and prediction of deaerator water level for a 1000 MW unit under
FCB condition. In: Thermal Power Generation, 2nd edn, Guangdong (2015)
3. Zhang, C.Z.: Optimization of deaerator water level control in nuclear power plant. In: Science
& Technology Vision, 104th edn, Zhejiang (2016)
4. Li, L.: Analysis on reliability of water level protection system of deaerator. In: Huadian
Technology, 33rd edn, Beijing (2011)
5. Wu, J.: Malfunction treatment and preventive measures for water level protection of
deaerator. In: Equipment Management and Maintenance, 9th edn, Sanxi (2015)
6. Huang, S.W.: Reason analysis of unit due to the false water level signal of deaerator and its
preventive measures. In: Journal of Jiangxi Vocational and Technical College of Electricity,
3rd edn, Guangdong (2009)
7. ASME TDP-1-2006: Recommended Practices for the Prevention of Water Damage to Steam
Turbines Used for Electric Power Generation: Fossil-Fueled Plants. The American Society of
Mechanical Engineers, USA
8. ASME TDP-2-2012: Prevention of Water Damage to Steam Turbines Used for Electric Power
Generation: Nuclear-Fueled Plants, The American Society of Mechanical Engineers, USA
Study on Layout Design and Mechanical
Calculation of Seismic Instrumentation Tubing
in Digital Nuclear Power Plant
1 Introduction
The number of nuclear power units that CGNPC currently has under construction and in operation is among the highest in the world. With the development of large-capacity, high-parameter generating sets the systems become more and more sophisticated, and the increase in unit capacity raises the economic, safety and reliability requirements on the operation of the whole unit. Along with the development of digital technology, the requirements for digitalization of nuclear power plants are also rising: in addition to the requirements on the digital system itself, the authenticity of the local measurement signals on the field side is required to be ever higher. It is therefore very important to ensure that the local measurement signals remain real and effective under earthquake, pipeline vibration and other operating conditions, especially for the digital control strategy of the power plant. Combining engineering design practice with the study of the mechanical calculation, seismic analysis and arrangement principles of instrumentation tubing, a design method for seismic instrument tubing in nuclear power plants is formed.
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 163–173, 2019.
https://doi.org/10.1007/978-981-13-3113-8_19
164 S. Huang et al.
For the nuclear power plants of the early CPR projects, the instrument tubing was designed in two dimensions, and the mechanical calculation was based on a mechanical model of the tubing built from the isometric (ISO) drawing of the pipe.
Currently a new approach is taken: the layout design of all items in the plant is carried out in three dimensions in PDMS (Plant Design Management System), completing the transition from traditional two-dimensional drawing design to 3D design. Before the 3D layout design, standard sensor installation drawings and standard mounting bracket drawings are developed for each type of instrument, based on the manufacturer's information, installation requirements, etc. In the 3D instrument design each system then selects, according to its requirements, the corresponding mounting bracket and installation standard and arranges them in the PDMS model. To ensure the reliability of the measurement signal under the various working and site conditions, the support and instrumentation tubing of any instrument with seismic requirements must undergo mechanical calculation. After the mechanical calculation has passed, the tubing layout design is complete and ISO drawings are output automatically from the model for site construction.
Based on the study of mechanical calculation and the analysis of a large number of problems and mechanical calculation data for instrument tubing in previous nuclear power plant projects, the layout design and the flexibility design of the instrument tubing are the important factors in meeting the seismic requirements.
Table 1. The maximum allowable span between two supports of a straight pipe.

Nominal diameter   Outer diameter   Thickness   Maximum allowable span (mm)
DN (in)            (mm)             (mm)        Horizontal line   Vertical line
3/8″ OD            9.525            1.65        1200              1700
1/4″               13.7             3.02        1200              1400
1/2″               21.3             2.11        1200              1400
3/4″               26.7             2.11        1200              1400
1″                 33.4             4.55        1200              1400
Study on Layout Design and Mechanical Calculation 167
The minimum leg length $L_{nec}$ is the sum of the equivalent unconstrained lengths of the pipe, elbow or bend. The tube leg is perpendicular to the direction of the displacement it absorbs (such as thermal expansion compensation or connection point displacement), and absorbing that displacement produces a certain deformation without excessive load.

The pipe thermal expansion compensation $\Delta l_{axial}$ is calculated as follows:

$$\Delta l_{axial} = \varepsilon \cdot l_{axial}$$

In the formula:

$\varepsilon = \alpha \cdot \Delta T$ is the unit thermal expansion (strain),
$\alpha$ is the linear thermal expansion coefficient [1/°C],
$\Delta T$ is the temperature difference [°C],
$l_{axial}$ is the distance between the two supports with the same constraint direction [mm] [5].

According to the material type, the thermal expansion per metre can be determined from Fig. 2, which gives the pipe thermal expansion compensation $\Delta l_{axial}$. With $\Delta l_{axial}$ and the pipe diameter, the minimum leg length $L_{nec}$ required for thermal expansion compensation is found in Fig. 3. The leg length is then checked against $L_{nec}$.
Fig. 3. The Maximum allowable tube leg table of stainless steel tube
When a Branch is modelled, the following rule applies: the tail of a Branch must be connected to the head of another Branch, so that the two connected points of the branches are one tail and one head; do not connect head to head or tail to tail.
3) Requirements for the attribute settings of the Pipe: see Table 3.
4) Requirements for the connection information attribute settings of the pipe parts (such as TEE, OLET, TEE valves): see Table 4.
Table 6. Setting requirement of the virtual point attribute in the wall symbol

Attribute                              Identifier   Data type   Setting requirement
Sign information in the wall symbol    Stext        string      Set correctly according to the piping design requirement; the format is "the name of the perforated hole"
5) Requirements for the design of the structure of the support logic virtual point: see Table 5.
6) Requirements for the virtual point attribute in the wall symbol: see Table 6.
7) The piping model must pass the data consistency check: there are no dotted (unconnected) lines, and adjacent components do not overlap.
8) The MDS tools should be used to establish the virtual points of the logical support points and the virtual points of the physical supports. The coordinates of a logical support point must coincide exactly with the coordinates of the corresponding physical (solid) point; two or more logical support points cannot be built at the same coordinates, and two or more solid support points cannot be built at the same coordinates.
9) Where a virtual point cannot be built with MDS, it should be built with the special pipe virtual point tool.
Fig. 4. The process of the automatic data integration and analysis platform for instrument tubing mechanics (flow chart; the boxes read: seismic displacements, loading, material, displacement, mass, generate calculation fiche, force analysis, solve Pipestress, seismic stress).
After the 3D model is imported into the mechanical calculation software, the calculation nodes are generated when the tubing is analysed, as shown in Fig. 5.

Mechanical calculation and analysis results. The analysis results of the mechanical calculation mainly include:
1) the piping stress calculation report;
2) the support stress check and the anchorage stress check, into which the results are divided;
3) the instrumentation tubing mechanics calculation: it depends on the allowable stress, tensile strength, elastic modulus and thermal expansion coefficient of the tubing, on the tubing layout and so on; if the ratio of calculated to allowable stress is less than 1, the design passes;
4) the loads at the support points (horizontal support, fixed point, limit point and guide point): if a load is too large, the load value should be submitted to civil engineering.
5 Conclusion
This research provides guidance and a practical basis for the seismic design of instrumentation tubing in digital nuclear power plants. In the engineering design process, the mechanical calculation, seismic analysis and arrangement principles of instrumentation tubing are combined with the mechanical model, establishing a complete interface between the instrumentation tubing design and the mechanical model.
References
1. Tang, Y.J.: Stress Analysis of Pressure Pipeline. China Petrochemical Publishing House,
Beijing (2003)
2. ASME Code for Pressure Piping, B31.3, Process Piping
3. Design and construction rules for mechanical components of PWR nuclear islands Section E
(2000+2002)
4. RCC-E Design and construction rules for electrical equipment of nuclear Islands (1993)
5. Design Procedure DP 05.01/02 Mechanical analysis of piping and supports, AREVA
Research on the Verification and Validation
Method of Safety Analysis Software in Nuclear
Power Plants
Abstract. With the wide application of software in the design and control processes of nuclear power plants, the regulator has strengthened its supervision. Now the software used for the safety analysis in nuclear power plant design also has to undergo strict qualification, which is the first time that qualification of safety analysis software is required in China. How to carry out this qualification so as to ensure the correctness of self-developed safety analysis software has become an urgent problem. Based on an interpretation of the regulatory requirements for safety analysis software and a comparison with the software verification and validation (V&V) requirements of IEEE 1012, this paper proposes a method for the qualification of safety analysis software. The method draws on the successful experience of V&V for nuclear power plant safety-class software, provides a complete V&V process with clearly defined V&V tasks, and is easy to execute.
1 Introduction
In recent years the safety requirements for nuclear power plants have become more stringent both in China and abroad, and the scope of supervision has become more and more detailed, especially after the Fukushima nuclear accident. For nuclear power plants the requirements of the regulators have grown steadily stricter, from the qualification of the original hardware equipment to the qualification of software-based equipment, then of intelligent equipment, and now the qualification of computer software for safety analysis [2].
With the independent development of nuclear power in China, hardware and software equipment that was originally imported, such as the DCS, is now being researched and developed independently by domestic manufacturers. For hardware qualification there is a full set of mature qualification methods to ensure reliability, such as seismic qualification and electromagnetic compatibility qualification [4, 6]. On the software side, a complete qualification process and method for safety-related software has been formed, but more research on the qualification of
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 174–182, 2019.
https://doi.org/10.1007/978-981-13-3113-8_20
Research on the Verification and Validation Method 175
Safety analysis software here refers to the software used for the safety analysis of design basis accidents in nuclear power plants. It usually includes radiological analysis programs, neutron physics programs, fuel behaviour programs, thermal-hydraulic programs, containment thermal-hydraulic programs, structural programs, severe accident analysis programs, radiological consequence analysis programs and probabilistic safety analysis programs.
At present, qualification is mandatory for seven types of safety analysis software, such as the radiological analysis programs, while the severe accident analysis programs and the probabilistic safety analysis programs have not yet been mandated. The object of qualification is self-developed safety analysis software, including newly developed software and software upgraded from existing computer software. Purchased foreign safety analysis software, and non-computer software such as software based on FPGA or PLC technology, do not need to be qualified.
176 Y.-N. He et al.
3 Standard Analysis
For the qualification of safety analysis software, the National Nuclear Safety Administration has issued the guideline “Development and Application of Computer Software Used for Safety Analysis in Nuclear Power Plants” (Trial), which explains the development requirements and the qualification requirements for safety analysis software. It should be noted that the guideline is still a trial version and may be adjusted according to the results of its implementation.
1. IEEE 1012 has the concept of V&V phases. The main reason is that safety analysis software is a pure software product with no mature process requirement behind it, whereas instrumentation and control software and common software not only have mature plant process requirements or user requirements but are generally a combination of software and hardware. The differences are shown in Fig. 1;
2. IEEE 1012 treats integration V&V, qualification V&V and acceptance V&V in separate chapters, while “Development and Application of Computer Software Used for Safety Analysis in Nuclear Power Plants” merges them into test V&V, but the requirements are consistent;
3. Mainly because the correctness of the evaluation model of safety analysis software is yet to be verified, “Development and Application of Computer Software Used for Safety Analysis in Nuclear Power Plants” adds a model evaluation V&V;
4. In terms of V&V tasks, the requirements of the two are basically the same, with slight differences.

Table 2. (continued)
V&V phase         V&V tasks
Maintenance V&V   SVVP revision; anomaly evaluation; migration assessment; retirement assessment; task iteration

Fig. 1. Difference between safety analysis software, instrumentation and control software and common software
4 Qualification Plan
4.1 V&V Process
From the analysis of the qualification requirements for safety analysis software in Chap. 3 it can be seen that the qualification of safety analysis software is basically the same as the IEEE 1012 V&V of integrity level 2 (IL2) software in its process, tasks, requirements and methods. “Development and Application of Computer Software Used for Safety Analysis in Nuclear Power Plants” is a newly released requirement, and there is as yet no good engineering case of its application. IEEE 1012, however, gives very detailed requirements for the tasks of each V&V phase, is easy to execute, and has a great deal of practical engineering experience to draw on [9]. Therefore the qualification of safety analysis software can be carried out with reference to IEEE 1012. The specific V&V process is shown in Fig. 2.
Requirements V&V, design V&V, implementation V&V and test V&V can be carried out by professional software testing laboratories. These laboratories generally have sound testing theory and rich software testing experience and can perform high-quality verification and validation. At the same time, a professional software testing laboratory has a complete quality assurance and configuration management system for the software testing process, which guarantees the validity and correctness of the evaluation results.
For installation and checkout V&V, operation V&V and maintenance V&V, because the V&V involves the specific use of the software by its users (the safety analysts), the V&V must be completed jointly by the professional institutes, the software developers and the professional software testing laboratories.
Based on the above analysis, the recommended V&V for safety analysis software adopts the task division shown in Table 3. This makes use of the respective strengths of the professional institutes, the software developers and the professional software testing laboratories to perform V&V on safety analysis software better.
This paper analyses the requirements for the qualification of safety analysis software on the basis of “Development and Application of Computer Software Used for Safety Analysis in Nuclear Power Plants”, and clarifies the V&V phases and V&V tasks for safety analysis software. At the same time, through the analysis of the IEEE 1012-2004 software verification and validation requirements for integrity level 2, combined with practical experience of nuclear power plant safety software qualification, the qualification method for safety analysis software is set out, including the V&V process and the V&V task division.
Although requirements V&V, design V&V, implementation V&V, test V&V and the other development-phase V&V already have much mature experience, and the design of test plans, test procedures, test contents, test methods and test cases has corresponding specifications to guide the actual work, the model evaluation V&V is required in nuclear power plants for the first time and no corresponding work has been carried out before. How to carry out model evaluation V&V effectively, and how to prove the adequacy, validity and correctness of the testing, still need more research.
References
1. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012, IEEE
Standard for Software Verification and Validation. Institute of Electrical and Electronics
Engineers, New York (2004)
2. Ye, W.-P., Tang, J.-Z., Chen, W.-H., et al.: Software V&V methods for safety digital I&C
system of nuclear power plants. At. Energy Sci. Technol. 49(zengkan1), 377–381 (2015)
3. Gu, P., Wang, S., Chen, W., et al.: A study about safety I&C system software V&V in nuclear
power plant. In: International Conference on Nuclear Engineering (2016). V001T04A005
4. He, Y.-N., Gu, P.-F., Xi, W., et al.: Research on status monitoring and reliability prediction
method of digital control system for nuclear power plant. At. Energy Sci. Technol. 51(12),
2338–2343 (2017)
5. Liang, H.-H., Gu, P.-F., Tang, J.-Z., et al.: The Software Safety Analysis for Digital
Instrumentation and Control Systems of NPPs. Nuclear Power Plants: Innovative Technolo-
gies for Instrumentation and Control Systems (2018)
6. Zhao, J., He, Y.-N., Gu, P.-F., et al.: Reliability of digital reactor protection system based on
extenics. SpringerPlus 5(1), 1953 (2016)
7. Liang, H.-H., Gu, P.-F., Tang, J.-Z., et al.: A study of implementation V&V activities for
safety software in the nuclear power plant. Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2017)
8. Gu, P.-F., Liu, Z.-M., Liang, H.-H., et al.: Evaluation Measures about Software V&V of the
Safety Digital I&C System in Nuclear Power Plant. Nuclear Power Plants: Innovative
Technologies for Instrumentation and Control Systems (2018)
9. Xi, W., Gu, P.-F., Liu, W., et al.: A Study and Application about Software V&V Requirement
Management Scheme in Digital RPS. Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2018)
A Study About Configuration Management
Process for Safety DCS Software V&V
in Nuclear Power Plant
1 Introduction
process. For example, the way input file baselines are managed needs to be improved. This paper proposes a solution to the lack of baseline management of input files by studying the regulations and standards and combining them with practical experience.
2 Status
At present, the configuration management of safety DCS software V&V in nuclear power plants mainly includes CM planning, CM management, configuration identification, configuration change control, configuration status accounting, configuration audit, and release management and delivery. Because of the special nature of software V&V, its configuration items (CIs) contain not only the output files of the V&V but also the objects of the V&V (the input files), and the input files are the basis of the software V&V. Usually the number of input files in a project is much higher than the number of output files. How to ensure effectively that the input files obtained by the V&V personnel are the latest and valid ones is directly related to the effectiveness of the V&V.
In order to control these input files effectively, software configuration management introduces the concept of the baseline. In the configuration management process, a baseline is a CI or a group of CIs that has passed formal review and entered formal control at a given point in its life cycle [4].
In the current configuration management process, the management of the input file baseline mainly consists of: receiving the input file; auditing it by the configuration management engineer (CME); after the audit is passed, updating the file in the input file baseline library by the CME, thereby establishing a new input file baseline. The CME notifies the affected parties of the latest input file baseline, and the affected parties obtain the new baseline file from the input file baseline library. However, this method has the following disadvantages:
(1) For a new input file, an audit by the CME alone is not enough. It cannot guarantee the correctness of the file, nor that the input files meet the entry conditions of the V&V. If such files are used as a baseline, the effectiveness of the V&V activities cannot be guaranteed.
(2) The process of establishing the baseline is not standardized and relies heavily on the CME, which is prone to human error.
The above deficiencies may lead to the establishment of incorrect input file baselines, resulting in incorrect software V&V objects, affecting the validity and correctness of the V&V and wasting labour and time.
3 Standard Requirement
required configuration items in the input file baseline for each phase. According to IEEE 1012-2004, combined with the experience of safety DCS software V&V in nuclear power plants, the detailed CIs required for the input file baseline at each stage are shown in Table 2. In an actual project, appropriate adjustments can be made according to the project characteristics and user requirements.
(3) The content of the e-mail includes: the name and version of each configuration item included in the baseline; the name of the baseline; and the storage path of the configuration item in the configuration repository.
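As an added example (written for this page; it is not the paper's process and not any plant's tooling), the following Python sketch shows how the baseline notification described in item (3) can be made tamper-evident, and how the establishment of a baseline can be gated on more than the CME's audit alone, which is the weakness noted in Sect. 2. A manifest records, for each CI, exactly what the e-mail carries (name, version, baseline name, repository path) plus a SHA-256 digest, so a V&V engineer can verify that the copy in the working directory is the baselined one rather than a stale or edited file. The manifest format, the set of roles that must approve a CI, and the file names are assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed roles that must all sign off before a file enters the input file baseline.
# The paper argues that the CME's audit alone is insufficient; the exact roles are an assumption.
REQUIRED_APPROVALS = {"CME", "V&V lead", "developer"}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(name: str, repo: Path, items: Dict[str, str],
                   approvals: Dict[str, List[str]]) -> dict:
    """Create a baseline manifest from CIs (repository-relative path -> version).

    The baseline is refused unless every CI carries all REQUIRED_APPROVALS. The manifest holds
    what item (3) puts in the notification e-mail (CI name and version, baseline name, storage
    path) plus a SHA-256 digest so that recipients can verify what they fetch.
    """
    manifest = {"baseline": name, "items": []}
    for rel_path, version in sorted(items.items()):
        missing = REQUIRED_APPROVALS - set(approvals.get(rel_path, []))
        if missing:
            raise ValueError(f"{rel_path} lacks approvals: {sorted(missing)}")
        p = repo / rel_path
        manifest["items"].append({"name": p.name, "version": version,
                                  "path": rel_path, "sha256": sha256_file(p)})
    return manifest


def verify_against_baseline(manifest: dict, workdir: Path) -> Dict[str, List[str]]:
    """Compare a V&V engineer's working copy with the manifest: missing, modified or ok per CI."""
    report: Dict[str, List[str]] = {"missing": [], "modified": [], "ok": []}
    for item in manifest["items"]:
        p = workdir / item["path"]
        if not p.exists():
            report["missing"].append(item["path"])
        elif sha256_file(p) != item["sha256"]:
            report["modified"].append(item["path"])
        else:
            report["ok"].append(item["path"])
    return report


def run_demo() -> dict:
    """Constructed scenario: two input files; the V&V side still holds an outdated copy of one."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        repo, work = tmp / "baseline_lib", tmp / "vv_workdir"
        repo.mkdir()
        work.mkdir()
        (repo / "SRS.txt").write_text("Software requirements spec, rev B\n")
        (repo / "SDD.txt").write_text("Software design description, rev A\n")
        (work / "SRS.txt").write_text("Software requirements spec, rev A\n")  # stale copy
        (work / "SDD.txt").write_text("Software design description, rev A\n")
        full = ["CME", "V&V lead", "developer"]
        manifest = build_baseline("IFB-2", repo, {"SRS.txt": "B", "SDD.txt": "A"},
                                  {"SRS.txt": full, "SDD.txt": full})
        (tmp / "IFB-2.json").write_text(json.dumps(manifest, indent=2))  # attached to the e-mail
        report: dict = verify_against_baseline(manifest, work)
        # A file that only the CME has signed off must not enter a baseline.
        try:
            build_baseline("IFB-3", repo, {"SRS.txt": "B"}, {"SRS.txt": ["CME"]})
            report["gate_refused"] = False
        except ValueError:
            report["gate_refused"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The digest, not the file name or version string, is what binds the notification to the content; if the baseline library is later updated, a recipient holding the old manifest sees the mismatch immediately instead of running V&V against the wrong object.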
5 Conclusions
References
1. NB/T 20335: Nuclear power plant software configuration management (2015)
2. ISO/IEC12207: Systems and software engineering-Software life cycle processes (2008)
3. IEEE1012: IEEE Standard for Software Verification and Validation (2004)
4. Yu, H.X., Chen, K., Bai, Y.C.: Application of baseline in software configuration
management. Comput. Appl. Softw. 2, 43–45 (2006)
5. Jiang, W., Liu, L.K.: Research on baseline in software configuration management. Comput.
Technol. Dev. 6, 6–10 (2016)
Research and Application on the Gateway
Design of Digital Control System of Nuclear
Power Plant
Abstract. Alarm and display signals can be transmitted between the safety DCS and the non-safety DCS of a nuclear power plant by hard wiring and also by a Gateway system. Because the two systems are built on different suppliers' platforms, the configuration of the interface between them is an important issue. This paper analyses the functions, system structure and interfaces, and the software configuration of the Digital Control System Gateway, and then puts forward the design of the data transmission and processing, the parallel / control-standby redundancy allocation and the communication software. As the interface between systems of different safety classes, the Gateway can be connected to systems on other platforms, is widely applicable and convenient to maintain, and supports a large communication capacity. The Gateway system has passed the factory test and has been applied in some domestic nuclear power plants.
1 Introduction
As the “nerve centre” of the nuclear power plant (NPP), the instrumentation and control (I&C) system is an important guarantee of the safe, reliable and economical operation of the NPP, so its safety and reliability must be assured. The I&C system is usually made up of the safety-class Digital Control System (DCS), the non-safety-class DCS and other special control systems.
The safety DCS mainly performs the protection functions of the reactor and monitors the protection parameters related to reactor safety. If any of these parameters exceeds its protection setpoint, the reactor trip and the engineered safety features are actuated automatically to limit the development of the accident and mitigate its consequences. It ensures the safety of the reactor, the NPP equipment and the personnel, and prevents the release of radioactive material into the environment. The non-safety DCS, by contrast, performs the normal operations of the plant such as start-up, shutdown and power operation, monitors the state of the nuclear island, conventional island, electrical systems and BOP, and communicates with third-party systems and common units [1].
There are many signal exchanges between the safety DCS and the non-safety DCS. According to the specific transmission requirement, data can be transmitted by hard wiring or by the Gateway system.
Hard wiring is usually used for signals that require high transmission speed and high reliability. In addition, some safety-important functional signals are acquired by the safety DCS and at the same time used for device control in the non-safety DCS.
Alarm and display signals from the safety DCS, on the other hand, are usually transmitted through the Gateway. Compared with hard wiring, Gateway communication is more flexible: it carries a larger number of signals, is easier to extend and to modify, and needs less space at lower cost.
Because the functional classes on the two sides differ, Gateway systems are usually installed in pairs in the DCS. Depending on the features of the different platforms there are many possible Gateway designs. This paper systematically introduces and analyses the Gateway system of one domestic operating nuclear power plant, as shown in Fig. 1.
Fig. 1. Gateway system structure (legend: hard wiring; network communication; safety DCS side Gateway A; non-safety DCS side Gateway A; SNET, the safety system bus).
2.2 Function
The Gateway system mainly performs data transmission, data processing, redundancy and fault self-diagnosis between the safety DCS and the non-safety DCS.
192 Y.-L. Sun et al.
The functions of the Gateway system are classified as non-safety class on the basis of their safety importance and are realised by non-safety class devices.
2.2.3 Redundancy
Redundancy is configured to improve the reliability of the Gateway system. When any single one of the redundant devices fails, the functions of the system can still be performed normally, avoiding a total loss of the Gateway functions [4].
(Figure: redundant fibre link; labels: cable, fibre, photoelectric converter A, photoelectric converter B, photoelectric converter, data flow.)
DCS Gateway, and parallel redundancy should be chosen for the safety DCS Gateway, as shown in Fig. 3.
If the cost of redundant processing links or the data volume of redundant processing is not a concern, parallel redundancy can also be applied to the Gateways on both sides. Because the scale of its communication links is the same as that of the parallel (safety DCS) / control-standby (non-safety DCS) scheme, it also improves the reliability of the Gateway system, and its failure modes are the same as those of the parallel (safety DCS) / control-standby (non-safety DCS) scheme, as shown in Fig. 3.
(Fig. 3, diagram; recoverable labels: three redundancy allocations are compared, each with Train A and Train B on both sides. (a) Safety DCS Gateway: parallel; non-safety DCS Gateway: control-standby. (b) Safety DCS Gateway: parallel; non-safety DCS Gateway: parallel. (c) Safety DCS Gateway: control-standby; non-safety DCS Gateway: control-standby. Failure cases shown: non-safety DCS Gateway A fails, Gateway B fails; safety DCS Gateway fails; non-safety DCS side fails. The symbol “:” in the figure denotes “or”.)
The Gateway system of one nuclear power unit is configured redundantly, with the two trains independent of each other; they are arranged in different Gateway cabinets to improve communication independence and reliability. The two safety DCS Gateways are connected to the safety network bus and can communicate with all devices through the network communication modules [5]. The Gateways on the two sides are connected to each other by fibre cables. The two safety DCS Gateways send redundant data to the non-safety DCS Gateways at the same time; the source and quantity of the data are exactly the same. The two non-safety DCS Gateways are connected to the non-safety DCS network through Ethernet cards to communicate with all devices on the SNET (or MNET) (Fig. 4).
The Gateway system of each train includes a safety DCS side and a non-safety DCS side. For example, safety DCS Gateway a-A and non-safety DCS Gateway a-A of train A, or safety DCS Gateway a-B and non-safety DCS Gateway a-B of train B, are independent of each other and transmit data over different paths (Fig. 5).
(Fig. 5, diagram; recoverable labels: non-safety DCS Gateways a-A and a-B (control-standby) and b-A and b-B (parallel), each connected to the corresponding safety DCS Gateways a-A, a-B, b-A and b-B (parallel).)
(Fig. 6, Gateway cabinet hardware; recoverable labels: power supply card, safety DCS network communication module 1 and network communication module 2, backboard bus, main control unit, unit card, optical-electric converters, fibre and cable to the non-safety DCS network, fan unit, grounding unit.)
Work Mode
There are two operation modes of the Gateway system: running mode and failure mode (Fig. 7 and Table 2).
Table 2 (fragment). Causes of failure mode: loss of power; faults, i.e. system hardware failures, or the platform software cannot receive or send data normally.
Communication Mode
The Gateway system software consists of platform software and application software. The platform software uses the FirmSys platform and the HOLLIAS-N platform, and the application software is configured according to the actual functional requirements of the project. The safety DCS Gateway communicates with the non-safety DCS Gateway over UDP, a transport layer protocol: Ethernet is used at the physical and data link layers, IP at the network layer, and UDP sits above IP. The application hands its data to the UDP layer, which transmits it as datagrams over IP; the IP header carries the addresses of the source and destination hosts, and the UDP header the source and destination ports on those hosts. The link is set to 100 Mbit/s full duplex.
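As an added example (written for this page; not code from the paper or from the FirmSys / HOLLIAS-N platforms), the following Python receiver shows what the non-safety side Gateway has to check when the only thing carrying the data is a UDP datagram. UDP provides no connection, no acknowledgement and no integrity protection beyond its 16-bit checksum, and the conclusion of this paper describes the link as one-way, so the receiver itself pins the allowed source addresses, verifies each frame, tracks sequence numbers per train, rejects replays, deduplicates the two parallel copies sent by the safety-side Gateways, and never sends anything back. The datagram layout, the CRC-32 trailer, the addresses and the traffic are assumptions constructed for this example.

```python
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Hypothetical datagram layout used for this example (the paper does not give one):
#   magic "GW" | train (1 byte: 0 = A, 1 = B) | seq (uint32 BE) | len (uint16 BE) | payload | crc32 (uint32 BE)
HEADER = struct.Struct(">2sBIH")
MAGIC = b"GW"

# Assumed allow-list: the non-safety side accepts datagrams only from the two safety-side
# Gateways, one per train, at fixed addresses (the values are constructed).
ALLOWED_SOURCES = {("192.168.10.1", 5001): 0, ("192.168.11.1", 5001): 1}


def build_datagram(train: int, seq: int, payload: bytes) -> bytes:
    """What the safety-side Gateway would send: header, payload and CRC-32 trailer."""
    body = HEADER.pack(MAGIC, train, seq, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_datagram(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (train, seq, payload), or None if the frame is malformed or its CRC fails."""
    if len(data) < HEADER.size + 4:
        return None
    magic, train, seq, length = HEADER.unpack_from(data)
    if magic != MAGIC or len(data) != HEADER.size + length + 4:
        return None
    body, crc = data[:-4], struct.unpack(">I", data[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    return train, seq, data[HEADER.size:HEADER.size + length]


class NonSafetyReceiver:
    """Receive-only end of the one-way link; it never answers the safety side.

    Both safety-side Gateways send the same data in parallel. Each seq is delivered once,
    from whichever train arrives first; the other copy is logged as a duplicate.
    """

    def __init__(self) -> None:
        self.last_seq: Dict[int, int] = {}      # per-train last accepted sequence number
        self.delivered: Dict[int, bytes] = {}   # seq -> payload handed to the application
        self.log: List[str] = []

    def on_datagram(self, src: Tuple[str, int], data: bytes) -> Optional[bytes]:
        train = ALLOWED_SOURCES.get(src)
        if train is None:
            self.log.append(f"drop: unexpected source {src}")
            return None
        parsed = parse_datagram(data)
        if parsed is None:
            self.log.append(f"drop: malformed/CRC error from train {train}")
            return None
        frame_train, seq, payload = parsed
        if frame_train != train:
            self.log.append(f"drop: train field {frame_train} does not match source {src}")
            return None
        prev = self.last_seq.get(train)
        if prev is not None and seq <= prev:
            self.log.append(f"drop: replayed/out-of-order seq {seq} on train {train}")
            return None
        if prev is not None and seq != prev + 1:
            self.log.append(f"warn: lost {seq - prev - 1} datagram(s) on train {train}")
        self.last_seq[train] = seq
        if seq in self.delivered:
            self.log.append(f"dup: seq {seq} already delivered by the other train")
            return None
        self.delivered[seq] = payload
        return payload


def run_demo() -> NonSafetyReceiver:
    """Constructed traffic: parallel trains, one lost frame, one replay, one bit flip, one stranger."""
    rx = NonSafetyReceiver()
    a, b = ("192.168.10.1", 5001), ("192.168.11.1", 5001)
    rx.on_datagram(a, build_datagram(0, 1, b"ALARM:1"))
    rx.on_datagram(b, build_datagram(1, 1, b"ALARM:1"))   # same data via train B -> duplicate
    rx.on_datagram(b, build_datagram(1, 2, b"ALARM:2"))   # train A's copy of seq 2 is lost
    rx.on_datagram(a, build_datagram(0, 3, b"ALARM:3"))   # gap on train A -> warning, still delivered
    rx.on_datagram(a, build_datagram(0, 1, b"ALARM:1"))   # replay of seq 1 -> dropped
    corrupted = bytearray(build_datagram(1, 3, b"ALARM:3"))
    corrupted[-6] ^= 0x01                                 # one bit flipped in the payload
    rx.on_datagram(b, bytes(corrupted))                   # CRC mismatch -> dropped
    rx.on_datagram(("10.0.0.9", 5001), build_datagram(0, 4, b"FAKE"))  # not allow-listed
    return rx
```

Pinning the source address is necessary but not sufficient on a network where addresses can be spoofed; on a real plant link the isolation comes from the physical topology and the platform, and a check like the one above is defence in depth rather than the boundary itself.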
Software Configuration
To implement the system functions, the corresponding application software must be configured in the Gateway. The Gateway system mainly performs the application configuration tasks shown in Table 3.
3 Conclusion
This paper has discussed one-way data transmission and processing between systems of different safety classes, and the proper redundant configuration that meets the single failure and redundancy principles. Taking into account the size of the system configuration, the Gateway network communication is based on UDP. The Gateway system not only handles large-scale data transmission but also facilitates the function extension, upgrading and maintenance of the I&C system. As a Gateway system based on a domestic I&C platform, its feasibility and reliability have been verified by successfully passing the factory acceptance test. It has been applied in many domestic NPP projects and provides a reference for the design and application of Gateway systems on NPP I&C platforms in the future.
Algorithm Research of the ICCMS for Qinshan
Phase II NPP Based on FirmSys Platform
Abstract. The ICCMS is a safety-class system that monitors the cooling state of the reactor core and the water level of the reactor pressure vessel. The ICCMS of Qinshan Phase II NPP has been running for over ten years since the plant was connected to the grid, and the algorithm of the original system exists only for the traditional analog system; there is no algorithm for a digital control system. A new algorithm therefore has to be designed and developed for the new ICCMS. This paper mainly introduces the design process of the algorithm in the new ICCMS, which has three parts: core temperature measurement, core cooling monitoring, and measurement of the water level of the reactor pressure vessel. The overall algorithm is split into twelve subroutines that are called from a root program using a modular method. It is not only a suitable solution for the ICCMS of Qinshan Phase II NPP but can also serve as a reference for the design of core cooling monitoring systems for PWR nuclear power stations under EOP regulations. At present, the modified ICCMS is running well, which proves that the newly designed algorithm fully complies with the original operating procedures.
1 Introduction
The Qinshan Phase II Nuclear Power Plant (NPP) is an important milestone on the road to autonomous construction of nuclear power in China [2]. The inadequate core cooling monitoring system (ICCMS) continuously monitors the core temperature, subcooling margin, and reactor pressure vessel (RPV) water level under normal operating conditions and accident conditions [1]. It provides reliable evidence for the operators to understand the reactor core cooling state and the water level of the RPV. However, the original ICCMS has been running for more than ten years since the plant was connected to the grid, and the reliability and economy of its operation must be addressed by designing and developing a new system. Because the original system is a traditional analog system with low calculation accuracy, the design of a new algorithm for a digital control system is extremely urgent. There is currently no reference design for the algorithm; it can only be obtained by converting the textual requirements and then generating the corresponding engineering application software.
The new system will be designed by China Techenergy Co., Ltd. (CTEC) based on FirmSys, a platform for safety DCS. FirmSys was independently researched and developed by China Techenergy Co., Ltd. and meets the requirements of various nuclear safety regulations and standards [5]. The new algorithm for the new ICCMS will be designed on this platform. According to the algorithm requirements of the three functions of the ICCMS for Qinshan Phase II NPP, the new algorithm designed for the digital control system will realize their calculation and monitoring.
2 Algorithm Requirement
The ICCMS is a nuclear safety-grade system. It has three functions: core temperature measurement, core water level measurement, and core cooling monitoring [3]. The ICCMS of Qinshan Phase II NPP differs from that of a conventional three-loop PWR [4]: the primary coolant circuit uses a two-loop layout. There are 30 core outlet thermocouples in the reactor, distributed over three parts, namely the middle area, the surrounding area from 120° to 300°, and the surrounding area from 300° to 120°. The core temperature and cooling of each area therefore need to be monitored separately by partition so that the operator can confirm them. The absolute pressure of the primary coolant circuit is calculated through a complex pressure checking process, which provides an accurate pressure value for calculating the saturation temperature. The water temperature used for calculating the water density also needs to be determined after a corresponding verification, and then the water level of the RPV is calculated.
pressure values at the top and bottom of the RPV to obtain the corresponding differential pressure signal. These pressure measurement instruments cover three ranges:
• Narrow range instrument (without main pump operation)
• Wide range instrument (with main pump operation)
• Reference range instrument
3 Algorithm Implementation
The first step in the data processing of the ICCMS is to check the availability of each input signal. For analog signals, this is done by checking whether the signal is within or outside its measuring range, taking into account the tolerance of the upstream channel and the sensor. An analog signal outside the measuring range (for example, standard signal 1 V to 5 V, thermocouple signal 0 mV to 50 mV) is rejected by the processing program. For digital signals, the validity status depends on the status of the acquisition card: when the acquisition card is in a normal state the signal is valid, otherwise it is invalid. If the data is unavailable, it cannot participate in subsequent operations.
202 X.-X. Fan et al.
signals are not available, the average core temperature, maximum core temperature, and minimum core temperature are replaced by the values calculated in the previous cycle (the CPU processing cycle of the ICCMS is 25 ms).
Three RTDs located in the cabinet provide the cold junction compensation for the core thermocouple signals in one column. The subroutine is TCOLD. It first converts the three thermal resistance values (Ω) into physical temperature values (°C), and then checks them to obtain an effective cold junction compensation temperature for the core thermocouple signals.
Owing to the characteristics of Qinshan Phase II NPP, it is necessary to monitor the difference (D-value) between the maximum temperature and the minimum temperature in each of the three areas of the reactor core separately. Once the value in an area exceeds the threshold, an alarm is raised to the operators and the affected area is indicated. The maximum and minimum temperatures of the effective thermocouple signals in the three areas are calculated by the subroutine INVALID, the maximum D-value of the three areas is obtained, and the average core temperature is calculated and indicated.
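The availability check and the per-area D-value monitoring described above, as an added Python example (not the ICCMS subroutines themselves; the subroutine name TCOLD and the 25 ms cycle are the paper's, while the sample readings, the tolerance and the threshold are constructed): a thermocouple reading is used only if its raw signal lies within 0 mV to 50 mV, the average, maximum and minimum core temperatures fall back to the previous cycle's result when no signal is available, and each core area's maximum-minus-minimum D-value is compared with a threshold to decide the alarm and identify the area.

```python
from dataclasses import dataclass
from statistics import mean

# Measuring ranges quoted in the text. The tolerance argument stands in for the
# allowance made for upstream channel and sensor error (its value is assumed).
STANDARD_V = (1.0, 5.0)        # standard analog signal, V
THERMOCOUPLE_MV = (0.0, 50.0)  # core thermocouple signal, mV

def analog_available(raw, rng, tolerance=0.0):
    """An analog signal takes part in further processing only if it lies inside
    its measuring range, widened by the channel/sensor tolerance."""
    lo, hi = rng
    return (lo - tolerance) <= raw <= (hi + tolerance)

def digital_available(card_normal):
    """A digital signal is valid exactly when its acquisition card reports normal."""
    return bool(card_normal)

@dataclass(frozen=True)
class Reading:
    raw_mv: float   # thermocouple signal as acquired; validity is judged on this
    temp_c: float   # temperature after cold junction compensation (TCOLD, upstream)

@dataclass(frozen=True)
class CoreStats:
    avg: float
    tmax: float
    tmin: float

def usable_temps(readings, tolerance=0.0):
    return [r.temp_c for r in readings
            if analog_available(r.raw_mv, THERMOCOUPLE_MV, tolerance)]

def core_stats(readings, previous, tolerance=0.0):
    """Average/max/min core temperature over the usable thermocouples; when none
    is usable the previous cycle's result is held (one cycle is 25 ms)."""
    temps = usable_temps(readings, tolerance)
    if not temps:
        return previous
    return CoreStats(avg=mean(temps), tmax=max(temps), tmin=min(temps))

def area_dvalues(areas, threshold, tolerance=0.0):
    """areas: area name -> list of Reading. Returns (D-value per area that has usable
    signals, sorted names of areas whose D-value exceeds the threshold, largest D-value)."""
    dvalues = {}
    for name, readings in areas.items():
        temps = usable_temps(readings, tolerance)
        if temps:
            dvalues[name] = max(temps) - min(temps)
    alarmed = sorted(n for n, d in dvalues.items() if d > threshold)
    largest = max(dvalues.values()) if dvalues else None
    return dvalues, alarmed, largest

# Constructed sample cycle: three areas, one thermocouple open-circuit (60 mV, out of
# range) and one area with no usable signal at all.
SAMPLE_AREAS = {
    "middle":  [Reading(12.0, 300.0), Reading(13.0, 320.0), Reading(60.0, 999.0)],
    "area120": [Reading(10.0, 290.0), Reading(15.0, 360.0)],
    "area300": [Reading(-3.0, 0.0), Reading(55.0, 0.0)],
}

if __name__ == "__main__":
    prev = CoreStats(305.0, 330.0, 280.0)
    all_readings = [r for rs in SAMPLE_AREAS.values() for r in rs]
    print(core_stats(all_readings, prev))
    print(area_dvalues(SAMPLE_AREAS, threshold=50.0))
```

Holding the previous cycle's value is what the text specifies; a practitioner would also expect the held value to be flagged as stale after some number of cycles, which this example leaves to the caller.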
signals, the primary circuit pressure signal, the hot or cold leg temperature signals, and the core thermocouple temperature signals after calibration. Then the reactor pressure vessel water level value is calculated.
In the second automatic switching logic in Fig. 2, when the second highest value of the available reactor core thermocouple temperature signals is ≥400 °C, the calculation temperature TDENS takes the reactor core saturation temperature value TSAT. When all of the available reactor core thermocouple temperature signals are <380 °C, TDENS takes the output value of the MIN SELECTOR. Whether the second highest value of the reactor core thermocouple temperature signals is ≥400 °C or not is determined by the algorithm block SEC15.
Finally, the subroutine RHO calculates the water density value from TDENS, and calculates the steam density value according to the different conditions of the primary circuit pressure value.
When no main pump is operating, the RPV water level is monitored by the narrow range pressure transmitter. If the RPV water level is too low, there is a risk that the fuel assemblies inside the reactor will be uncovered and melt, so monitoring the RPV water level is important. The ICCMS therefore gives low water level and low-low water level alarm indications when the RPV water level is lower than 7.5 m and 5.4 m respectively. These alarms are generated in the subroutine OUTPUT and displayed in the main control room, so that the operators can act correctly following the corresponding procedures.
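The TDENS switching logic and the water level alarms described above, as an added Python example (not the SEC15, RHO or OUTPUT blocks themselves; the initial selector state is an assumption and the sample temperatures are constructed): the selector switches to TSAT once the second highest available thermocouple temperature reaches 400 °C, switches back to the MIN SELECTOR output only when every available temperature is below 380 °C, and holds its previous choice in the band between, which is what keeps the selection from chattering near a single threshold; the level function raises the low and low-low alarms at 7.5 m and 5.4 m.

```python
SWITCH_TO_TSAT_C = 400.0   # second highest available TC temperature at or above this: use TSAT
SWITCH_TO_MIN_C = 380.0    # all available TC temperatures below this: use MIN SELECTOR output
LOW_LEVEL_M = 7.5
LOW_LOW_LEVEL_M = 5.4

def second_highest(values):
    """Second highest of the available thermocouple temperatures (the quantity block
    SEC15 evaluates); None when fewer than two signals are available."""
    if len(values) < 2:
        return None
    return sorted(values, reverse=True)[1]

class DensityTempSelector:
    """Automatic switching of the density calculation temperature TDENS, with hysteresis."""

    def __init__(self, use_tsat=False):   # initial state is an assumption
        self.use_tsat = use_tsat

    def select(self, tc_temps, tsat, min_selector_out):
        """tc_temps: available (already validated) core TC temperatures in C.
        Returns the TDENS value for this cycle."""
        second = second_highest(tc_temps)
        if second is not None and second >= SWITCH_TO_TSAT_C:
            self.use_tsat = True
        elif tc_temps and max(tc_temps) < SWITCH_TO_MIN_C:
            self.use_tsat = False
        # otherwise the temperatures lie inside the band: keep the previous selection
        return tsat if self.use_tsat else min_selector_out

def level_alarms(level_m):
    """Low / low-low RPV water level alarms (narrow range, no main pump running)."""
    return {"low": level_m < LOW_LEVEL_M, "low_low": level_m < LOW_LOW_LEVEL_M}

def run_sequence(cycles, tsat=345.0, min_out=300.0):
    """Feed per-cycle temperature lists through one selector; returns TDENS per cycle.
    The TSAT and MIN SELECTOR values are constructed constants."""
    sel = DensityTempSelector()
    return [sel.select(t, tsat, min_out) for t in cycles]

# Constructed sequence: heat-up past 400 C, a dip into the band, then cool-down below 380 C.
SAMPLE_CYCLES = [
    [370.0, 390.0, 365.0],   # second highest 370: stays on MIN SELECTOR
    [410.0, 405.0, 300.0],   # second highest 405: switches to TSAT
    [395.0, 385.0, 300.0],   # 385 < 400 but max 395 >= 380: holds TSAT
    [370.0, 360.0, 300.0],   # all below 380: back to MIN SELECTOR
]

if __name__ == "__main__":
    print(run_sequence(SAMPLE_CYCLES))
    print(level_alarms(6.0))
```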
Some of the algorithm blocks used in the ICCMS program are shown in Table 1.
5 Conclusion
Although the ICCMS is only used for monitoring the reactor core cooling status and the RPV water level, it plays a vital role in whether operators can take corrective measures under normal or accident conditions.
After the modification, the ICCMS has successfully passed various tests in Units 1 and 2 of Qinshan Phase II NPP. During the commissioning phase of the reactor, the consistency of the reactor core temperature measurements was very good and the values were relatively stable; the D-value between maximum and minimum temperature in the three core areas was shown clearly, the checking process of the primary circuit pressure was normal, and the subcooling margin of the core temperature was indicated clearly. The measured value and the theoretically calculated value of the RPV water level were basically the same, in accordance with the design requirements. The interface between the ICCMS and the other systems of the nuclear power plant conforms to the design requirements and ensures that data are received and transmitted safely. The new ICCMS has realized the expected functions and reached the predetermined technical specifications since it was put into operation. The successful application of the new ICCMS in Qinshan Phase II NPP proves that the new algorithm designed on the FirmSys platform fully complies with the original operating procedures, meets the corresponding standards, and solves the problem of the transition from the original analog system to the digital control system.
References
1. Guangdong Nuclear Power Training Center: 900 MW Pressurized Water Reactor Nuclear Power Plant System and Equipment. Atomic Energy Press, Beijing (2005)
2. Li, W.P., Zhang, F., et al.: Design of core measurement system for Qinshan Nuclear Power Plant Phase II. Nucl. Power Eng. 24(2), 224–226 (2003)
3. He, Z.X., Li, B., et al.: Core cooling monitoring system design for Qinshan Nuclear Power Plant Phase II expansion project. Nucl. Power Eng. 29(1), 5–9 (2008)
4. Li, G., Xie, Y.Q., Liu, C.M., et al.: Digital reconstruction scheme of core cooling monitoring system for PWR Nuclear Power Plant. Nucl. Sci. Eng. 32(2), 206–211 (2012)
5. Zhang, L.B., Liang, Z.Q., Xie, Y.Q., et al.: Reformation practice of core cooling monitoring system in Daya Bay Nuclear Power Plant. Nucl. Saf. 15(3), 35–41 (2016)
6. IEEE Std 1012: IEEE Standard for Software Verification and Validation (2004)
Application of Mosaic Instruments on Back-up
Panel in Nuclear Power Plant
China Techenergy Co., Ltd., Bldg 5, no. 5 Yongfeng Rd, Haidian 100094,
Beijing, People’s Republic of China
mazhiguo@cgnpc.com.cn
Abstract. The mosaic instruments installed on the back-up panel (BUP) have uniform dimensions and have proved not only to give the main control room (MCR) a modern style but also to be conveniently installed, easily maintained and readily extended. As human-machine interface equipment, mosaic instruments need to take into account the requirements of human factors (operability, readability, prevention of malfunction) and independence (physical separation and electrical isolation) during the nuclear power plant (NPP) design process in order to keep the NPP in a safe state. This paper mainly introduces the types and dimensional characteristics of mosaic instruments and describes how the human factors engineering and independence characteristics meet the standard requirements when mosaic instruments are used on the BUP in the main control room of an NPP. With the development of the nuclear industry, the application of mosaic instruments will be a new choice for NPPs.
1 Introduction
Conventional instruments have been used on the BUP in NPPs such as Hong Yan He NPP Units 1 to 4, Ning De NPP Units 1 to 4 and so on. However, because the dimensions of conventional instruments differ from each other, cut-outs of different dimensions must be made in the surface of the panel during engineering design. Whenever new equipment needs to be added to the panel, the structure of the panel also has to be changed in an engineering design modification. Such a modification is very difficult for an installed panel, has a strong impact on the project schedule and increases the project cost. The mosaic instruments installed on a mosaic panel have uniform dimensions and have proved not only to give the MCR a modern style but also to be conveniently installed, easily maintained and readily extended. Nowadays mosaic instruments are widely used in the MCRs of NPPs, such as Lingao Phase-II NPP, Yang Jiang NPP Units 5 and 6, Hong Yan He NPP Units 5 and 6, Tian Wan NPP Units 5 and 6 and so on. With the development of the nuclear industry, the application of mosaic instruments will be a new choice for NPPs. This paper mainly introduces the types and dimensional characteristics of mosaic instruments and describes how the human factors engineering and independence characteristics meet the standard requirements when mosaic instruments are used on the BUP in the main control room of an NPP.
2 Introduction of BUP
Mosaic instruments are the pieces of equipment (such as controls, measuring instruments, lamp indicators, etc.) installed on the mosaic panel, all of which have uniform dimensions. Controls mainly include pushbutton controls, rotary controls and so on; the measuring instruments mainly comprise analog indicating instruments and digital indicating instruments; and the lamp indicators mainly include alarm lamps, lamps, etc.
The controls provide the human-machine interface for the operator; according to the process requirements, either spring-return (rebound) or self-retaining controls can be chosen.
Process physical quantities are generally indicated on analog indicating instruments by a pointer and on digital indicating instruments by numbers.
The alarm lamps mainly provide a visual warning to the operator, prompting the operators to take the corresponding intervention. The alarm lamps are lit or flash after the alarm signal is triggered. Common alarm lamp colors are red, yellow, green, white, orange, cyan and so on.
The lamps are usually used to provide equipment feedback information to the operators. Red, yellow, green, white and other colors are commonly used on lamps.
210 Z.-G. Ma et al.
The standard GB/T 1242-2000, Dimensions for panel mounted indicating and recording electrical measuring instruments, defines not only the dimensions shown in Table 1 but also the dimensions that are multiples of 10 shown in Table 2.
In Fig. 1, lamps and alarm lamps are in the first column, pushbutton controls and rotary controls are in the second and third columns, analog and digital indicating instruments are shown in the fourth column, and the other blank spaces are blank tiles.
The design process of the back-up panel over its whole life cycle needs to consider factors such as task, work environment, equipment, personnel, organization and support. As human-machine interface equipment, mosaic instruments need to take the influence of human factors on the nuclear power plant into account during the design process.
The TMI nuclear accident in the United States is a typical nuclear accident caused by human failure. After the accident, the Nuclear Regulatory Commission (NRC) first put forward the application of human factors engineering to reduce human error, an approach that has been widely adopted by nuclear safety administrations all over the world; its published NUREG 0700 Rev.2, Human-System Interface Design Review Guideline, is the current comprehensive and detailed human engineering criterion and provides a reference basis for human factors engineering design [3]. In addition, China has promulgated the corresponding nuclear safety law HAF J0055-1995, Principles of Human Factors Engineering for control room design of nuclear power plants, which clarifies the human factors engineering design principles for human-machine interface equipment in the main control room of a nuclear power plant. Because the nuclear safety law is mandatory, the design principles of the human-machine interface equipment must meet the requirements of HAF J0055-1995; for matters not stipulated in HAF J0055-1995, NUREG 0700 Rev.2 can be referred to for implementation. The users of the BUP in domestic nuclear power stations are Chinese operators, and people in different countries differ to some extent, so in human factors engineering design those items related to human dimensions need to be implemented on the basis of the standard GB/T 10000-1998, Human Dimensions of Chinese Adults; for matters not stipulated in GB/T 10000-1998, NUREG 0700 Rev.2 can be referred to for implementation.
Because of the complexity of the nuclear power process, different equipment has to be operated under different operating conditions, so the number of instruments is very large. The designer chooses small-size mosaic instruments as far as possible to meet the spatial layout, so that the equipment arrangement on the limited panel surface becomes more compact. Therefore, in view of the small size of mosaic instruments and the compact panel layout, and according to the requirements of the standards, human factors engineering design can be considered from the aspects of operability, readability, prevention of malfunction, etc.
4.1 Operability
The selected equipment needs to be suitable for human operation and should conform to people's general operating habits. According to HAF J0055, a controller needs to have an appropriate size and appropriate torque; NUREG 0700 gives detailed recommended size and torque requirements for controllers [4]. Commonly used controls include pushbuttons, rotary selector controls, key-operated controls, etc. Taking the pushbutton as an example, NUREG 0700 indicates that the size of the pushbutton needs to be determined according to the operation mode, as shown in Fig. 4.
Resistance should be 10 to 40 oz (2.8 to 11.1 N) for fingertip operation and 10 to 80 oz (2.8 to 22.2 N) for thumb or palm operation [5].
The chosen controls should satisfy the requirements of the standard, but NUREG 0700 is not mandatory, so deviations from NUREG 0700 in the design process need to be approved by the relevant parties, such as the owner company, the upstream design company and the relevant regulatory authority.
[Fig. 4 header row; the dimension values were not recovered] Diameter (D): fingertip operation, thumb operation, palm operation. Displacement (A): fingertip operation, thumb or palm operation.
4.2 Readability
Appropriate and clear identification helps the operator respond to tasks quickly and accurately. The two main factors for consideration are font height and color contrast.
The font height should subtend no less than 15 min of visual angle as measured at the maximum viewing distance, and a visual angle of 20 min is preferred. The design process starts from the size of the mosaic panel, combined with the eye height above the floor from the 5th percentile female to the 95th percentile male, to determine the maximum distance from the eye to the mosaic instrument, and then calculates the minimum font height from the visual angle. The calculation formulas are:
The minimum font height = the farthest viewing distance × 0.004
The best font height = the farthest viewing distance × 0.006
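Where the factors 0.004 and 0.006 in these formulas come from, as an added derivation that is not part of the paper: a character of height $h$ viewed from distance $d$ subtends a visual angle $\theta$ with $h = d \tan\theta$. For the minimum angle of 15 min of arc and the preferred angle of 20 min of arc,
$$h_{\min} = d \tan(15') = d \tan(0.25^\circ) \approx 0.0044\,d, \qquad h_{\text{pref}} = d \tan(20') = d \tan(0.333^\circ) \approx 0.0058\,d,$$
which the paper rounds to $0.004\,d$ and $0.006\,d$. For instance, at a constructed viewing distance of $d = 2\ \text{m}$ the minimum font height is about 8.7 mm and the preferred height about 11.6 mm.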
The font height of the same kind of device in the same area should be kept as consistent as possible to avoid excessive clutter on the panel and reduce the operator's visual load.
The contrast between font color and background color should be obvious; poor-contrast combinations such as red letters on a green background, green letters on a red background, or orange letters on a white background should be avoided.
The detailed requirement of NUREG 0700 is that, for adequate legibility, colored symbols should differ from their background color by a ΔE distance (CIE Yu'v') of 100 units or more [5].
should consider measures in the equipment itself for the prevention of malfunction. At the same time, because of the smaller size of mosaic instruments and the compact panel layout, it is all the more necessary to consider the design for prevention of malfunction of mosaic instruments. Therefore, in order to reduce human-factor faults and meet the safety requirements of the NPP, prevention of malfunction should be an important design factor in the application of mosaic instruments.
Physical protection and interlock protection are the main protective measures designed for the prevention of malfunction of mosaic instruments.
1. Physical protection
Physical protection measures are designed as follows:
• The controls should keep a distance from the edge of the panel to prevent a person from touching the equipment while walking past; NUREG 0700 section 11.1.1 gives 75 mm as the minimum reference distance.
• Near the edge of the panel, recessed (concave) or flush-type controls should be chosen to prevent accidental operation.
• Add a cover to the controls or choose a covered control, so that the control can be operated only after the cover has been opened.
• Where space permits, increase the distance between controls to prevent the operation of one device from accidentally striking another.
2. Interlock protection
Interlock protection is mainly achieved by adding interlock logic between different controls.
The equipment control order, the release order and the BUP operation mode order are combined by "AND" interlock logic: only when the BUP operation mode is active and the release order button and the equipment control are pushed at the same time can the equipment control order be executed. The BUP operation mode is established by three self-maintaining controls that perform 2-out-of-3 logic. At least two controls must be set to BUP mode to trigger the BUP operation mode, which ensures that the BUP operation mode is a genuine signal, while the BUP mode can still be triggered normally even if one of them is faulty. The release order is produced by two self-resetting buttons that perform "OR" logic. If only one release button were designed, the equipment control order could not be sent once that release button failed, so redundant release buttons are necessary. The detailed design measures are shown in Fig. 5.
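The interlock described above, as an added Python example (not the BUP logic drawing of Fig. 5): three self-maintaining mode switches voted 2-out-of-3, two self-resetting release buttons combined by OR, and the equipment control order passed only when the mode vote, a release button and the control itself are all true. The two helpers at the end enumerate single stuck-open failures of a mode switch or a release button to confirm the single-failure tolerance the text claims, and exhaustively check that no input combination issues an order without both the control and the BUP mode being present.

```python
from itertools import product

def two_out_of_three(a, b, c):
    """2oo3 vote of the three self-maintaining BUP mode switches."""
    return (a and b) or (a and c) or (b and c)

def bup_mode_active(mode_switches):
    s1, s2, s3 = mode_switches
    return two_out_of_three(s1, s2, s3)

def release_order(release_buttons):
    """Two self-resetting release buttons in OR: either one releases."""
    r1, r2 = release_buttons
    return r1 or r2

def equipment_order(control_pressed, release_buttons, mode_switches):
    """AND interlock: the equipment control order is issued only when BUP mode is
    established, a release button is held and the control itself is pressed."""
    return bool(control_pressed and release_order(release_buttons)
                and bup_mode_active(mode_switches))

def single_failure_tolerant():
    """True if every single stuck-open failure of one mode switch or one release
    button still lets a correctly operated order through."""
    base_modes, base_release = (True, True, True), (True, True)
    for i in range(3):
        modes = tuple(v if k != i else False for k, v in enumerate(base_modes))
        if not equipment_order(True, base_release, modes):
            return False
    for i in range(2):
        rel = tuple(v if k != i else False for k, v in enumerate(base_release))
        if not equipment_order(True, rel, base_modes):
            return False
    return True

def interlock_bypasses():
    """Count input combinations that issue an order without the control pressed or
    without BUP mode (i.e. a bypass of the interlock). Must be zero."""
    count = 0
    for ctrl, r1, r2, s1, s2, s3 in product([False, True], repeat=6):
        order = equipment_order(ctrl, (r1, r2), (s1, s2, s3))
        if order and (not ctrl or not bup_mode_active((s1, s2, s3))):
            count += 1
    return count

if __name__ == "__main__":
    print(equipment_order(True, (True, False), (True, True, False)))
    print(single_failure_tolerant(), interlock_bypasses())
```

A stuck-closed release button would defeat the OR (the release would be permanently granted); the 2oo3 mode vote, not the release OR, is what protects against a single spurious mode signal, which is why the text calls the mode a "real signal".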
Physical protection and interlock protection are complementary to each other; both aim to prevent malfunction of mosaic instruments in order to ensure the safety and reliability of the NPP.
5 Principles of Independence
In places where the minimum separation distance cannot be satisfied, barriers such as metal ducts, metal covers and flexible metal pipes should be installed between the pieces of equipment that need to be separated.
As shown in Fig. 6, the contact 1 signal is directly connected to the safety class DCS, while the contact 2 signal is isolated by a safety class isolation relay and then transmitted to the non-safety class DCS. Because the safety class isolation relay is added, contacts 1 and 2 both belong to the safety class. The requirements for physical separation and electrical isolation between safety class signals and non-safety class signals described in IEEE 384 are thus met at the same time.
6 Disadvantages
The advantages of mosaic instruments are very prominent, but there are also disadvantages in project implementation, mainly in the following areas:
• Conventional instruments use labels for identification, which can be replaced freely, whereas mosaic instruments use a spray-printing process. As there is no domestic supplier that meets the requirements of the nuclear standards, all products have to be imported, so even a change of a device code causes a long manufacturing lead time and high cost.
• When the panel layout is compact, the minimum separation distance required by IEEE-384 cannot be met because of the small size of the mosaic instruments, and a large number of metal covers and flexible metal pipes have to be designed to achieve the independence of instruments and cables.
7 Summary
In order to ensure the safety and reliability of the nuclear power plant, the engineering design application must not only follow the human factors regulations and standard requirements to reduce human error, but also consider the independence between safety class and non-safety class instruments and the independence between different trains of the safety class. Mosaic instruments are favored by many nuclear power plants for their simple installation, strong expandability and neat surface, but their shortcomings cannot be ignored either, and the pros and cons need to be weighed to choose the right type. With the development of nuclear power in China, mosaic instruments will be a new option for nuclear power plants.
References
1. IEC 61554: Panel mounted equipment - Electrical measuring instruments - Dimensions for panel mounting. International Electrotechnical Commission (1999)
2. GB/T 1242: Dimensions for panel mounted indicating and recording electrical measuring instruments (2000)
3. Yang, H.L., et al.: Discussion on verification criterion and method of human factors engineering for nuclear power plant controller. Atomic Energy Sci. Technol. 48(Suppl.), 1043–1047 (2014)
4. HAF J0055: Principles of Human Factors Engineering for control room design of nuclear power plants (1995)
5. NUREG 0700 Rev.2: Human-system interface design review guideline. U.S. Nucl. Regul. Comm. (2002)
6. IEEE 384 (2008): Criteria for Independence of Class 1E Equipment and Circuits. The Institute of Electrical and Electronics Engineers
7. Lu, C., et al.: Independence Design of Safety Class DCS System in Nuclear Power Plant. Nucl. Sci. Eng. 32(Suppl. 2), 222–230 (2012)
Equipment Qualification and Methods
Application for Class 1E Digital
Instrumentation and Control System
1 Introduction
According to the directory of civil nuclear safety equipment issued by the National Nuclear Safety Administration (revised in 2016), Class 1E DCS belongs to the category of instrument and control system cabinet equipment among 1E electrical equipment [1]. It is the central nervous system of a nuclear power plant and is used to ensure its safe and stable operation. Therefore, it is necessary to verify the consistency between its design and its reliability goals through equipment qualification. Equipment qualification can be used to prove that there are no design defects, manufacturing defects, or defects caused by improper storage and transportation that may cause the equipment to fail [2].
With the acceleration of domestic production of Class 1E DCS equipment, it is urgently necessary to form a complete, independent system of nuclear power equipment qualification standards suited to China's national conditions. The Chinese standard GB/T 12727 is equivalent to IEC 60780 and is one of the promulgated Class 1E equipment qualification standards [3]. Other special qualification standards should meet the requirements of GB/T 12727. Comparing GB/T 12727, IEEE 323 and RCC-E volume B, GB/T 12727 and RCC-E volume B are basically the same in terms of the principles and methods of Class 1E DCS equipment qualification, and GB/T 12727 is basically the same as IEEE 323 in terms of the procedures for qualification of Class 1E DCS equipment. Therefore, given that the domestic downstream qualification standards are compiled with reference to the IEEE standards, IEEE 323 can be used as the guideline standard for the qualification of domestic Class 1E DCS equipment.
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 219–225, 2019.
https://doi.org/10.1007/978-981-13-3113-8_25
220 J. Fan et al.
3 Combined Methods
The DCS equipment manufacturer has obtained the civil nuclear safety electrical equipment design and manufacturing license issued by the National Nuclear Safety Administration of China; the typical equipment name is Class 1E digital control and protection system cabinet. According to the requirements of units 3 and 4 of the Fangchenggang nuclear power plant, the typical equipment to be added is the Class 1E chilled water system cabinet. The manufacturer adopts combined methods to analyze the applicability of the qualification standards, quality assurance process, product type, functional performance, test conditions and application hardware configuration.
Standards for equipment qualification and testing are selected at three levels: main body standards, guidance and specific standards, and general implementation standards. The standards adopted for the Class 1E chilled water system cabinet are in line with those adopted for the Class 1E digital control and protection system cabinet, and the required functions and performance are covered by the already qualified products. The Class 1E chilled water system cabinet adopts Class 1E I&C platform (FirmSys) products that have been officially released and applied to the Class 1E digital control and protection system cabinet; the scope, functionality, performance and operating environment of these products have been verified in applications at multiple nuclear power plants. There is no new product development activity in the design and manufacture of the Class 1E chilled water system cabinet, and no new types of outsourced components are added.
The qualification test items based on IEEE 323 requirements are shown in Table 2. Comparing the test conditions of the qualification test items of the Class 1E digital control and protection system cabinet and the Class 1E chilled water system cabinet, it is concluded that only the seismic test items cannot be fully enveloped. The floor response spectrum used in the qualification of the Class 1E digital control and protection system cabinet has a maximum acceleration of 5.365 g in the horizontal direction and 2.885 g in the vertical direction, whereas the floor response spectrum for the Class 1E chilled water system cabinet has a maximum horizontal acceleration of 6.4 g and a vertical acceleration of 3.2 g. Therefore, it is necessary to carry out an additional seismic test for the Class 1E chilled water system cabinet.
Since the SSE and OBE are related by a factor of two, the OBE is taken as an example to compare the response spectra, as shown in Figs. 1 and 2.
seismic table is normal. After the test personnel and test instruments are in normal working condition, the shock wave is input according to the required response spectrum, and 5 OBE tests and 1 SSE test are conducted. After the OBE and SSE tests, the inspection was completed and the second dynamic characteristic exploration was performed. The self-vibration fundamental frequencies of the Class 1E chilled water system cabinet (the fundamental frequency calculated at the top of the cabinet) in the X, Y and Z directions are 33.75 Hz, 16.78 Hz and 33 Hz. The fundamental frequencies in the three directions are outside the dominant frequency band of the seismic wave. The test response spectrum (TRS) of the acceleration measured on the seismic table envelopes the required response spectrum (RRS); the envelope situation is shown in Figs. 3 and 4. The test results show that Class 1E
5 Conclusions
Through the comparative study of the domestic and foreign standards based on
equipment qualification, it is proposed that the IEEE standard is applicable to the
qualification of Class 1E DCS equipment in China, and IEEE 323 can be used as a
guideline standard.
Through the combined-methods analysis, some test items can be avoided, and reducing
the test items reduces the test cost accordingly. The combined methods have certain
reference value for simplifying the supervision and management process of the China
nuclear safety regulatory agency and for speeding up the application for license changes
by Class 1E DCS equipment manufacturers.
References
1. Directory of civil nuclear safety equipment (Revised in 2016). National Nuclear Safety
Administration, Beijing, China (2016)
2. Li, M.C., Lin, J., Fu, M.X., et al.: Qualification test on class 1E charger and inverter in nuclear
power plant. Nucl. Saf. 13(2), 77–82 (2014)
Equipment Qualification and Methods Application 225
3. Huang, W.J., Zhang, M., Zhang, Y.B., et al.: A preliminary study on qualification of
instrumentation and control system for nuclear power plants. Nucl. Power Eng. 35(6), 111–114 (2014)
4. NUREG 0800-S7: Standard review plan section 7 [S]. Washington D.C., U.S. (2005)
5. IEEE Std. 323-2003: IEEE standard for qualifying class 1E equipment for nuclear power
generating stations. New York, U.S. (2004)
6. Fang, Q.X., Sun, Z.Z., et al.: Seismic qualification of Class 1E equipment. In: Mechanics 2000
Academic Conference Proceedings, pp. 669–670 (2000)
Study on Itemized Requirements of Safety
Digital I&C System in NPP
1 Introduction
Nowadays, more and more digital instrumentation and control (I&C) systems are
adopted by nuclear power plants (NPPs). In particular, the safety-critical digital
protection system is used as a critical safeguard against severe accidents such as reactor
core damage and release of radioactive materials. It is the software, executed by the
CPU, that realizes the control functions, and its malfunction may cause wrong actions
and endanger the nuclear power plant. Therefore, software reliability for digital I&C
systems is critical to the safety of NPPs. Unlike the stochastic failure of analog I&C
systems, software failure may be caused by systematic design faults, human error and
tool failure. Some traditional reliability analysis methods for analog (hardware) systems
are not applicable to software. Qualitative and quantitative software reliability analysis
methods are still under discussion. The consensus among the world's experts is that
rigorous lifecycle quality management and verification and validation (V&V) are
presently the most effective ways to improve software reliability. With further research
on safety-critical software used in NPPs, the quality of V&V has become a key concern
of safety regulatory authorities around the world.
According to the requirements of nuclear safety regulations and related standards,
some mandatory software V&V activities through the life cycle phases are defined
explicitly for software of the different safety grades [1–4]. For safety-critical software,
the required scope, intensity and degree of rigor associated with the V&V activities and
tasks are the highest among all graded I&C systems. It should be mentioned that
traceability analysis is the most basic activity for safety-critical software and I&C
systems and directly affects the quality of the other V&V activities. Traceability analysis
is also required by EUR [5]. It is used to confirm the implementation and validation of
requirements, where no extra function is allowed and no necessary function is missed.
The quality of traceability analysis depends on the granularity of the itemized I&C
function requirements: the finer the granularity, the easier it is to find potential software
failures, and the higher the quality of the traceability analysis. However, finer
granularity also means a heavier burden of V&V activity. Therefore, how to effectively
itemize I&C functions is an important question.
In this paper, the V&V activities through software life cycle related nuclear safety
regulations and standards are analyzed in Sect. 2. Necessity of implementing itemized
requirements on I&C function during software development life cycle is studied
according to the nuclear safety regulations and related standards in Sect. 3. What’s
more, key points of itemized requirements are proposed by learning from some NPPs
project experience in Sect. 4. Finally, Sect. 5 gives the conclusion.
ISO/IEC 12207 defines the software life cycle processes at a high level together with
their minimum tasks, but does not clearly specify how to perform these tasks [6]. As
shown in Fig. 1, the V&V processes related to the software life cycle are defined in
IEEE 7-4.3.2 and IEEE Std. 1012 [2, 3]. Seven software life cycle processes are defined:
Acquisition, Supply, Development, Operation, Maintenance, Organizational and Other
Supporting. The Development process is further divided into six phases, i.e., Concept,
Requirements, Design, Implementation, Test, and Installation and Checkout. Different
mandatory V&V activities and tasks, with their assessment criteria, are defined explicitly
for safety-graded software as part of the software life cycle. Verification of the software
product of a phase should be performed before the start of the next phase and shall be
performed before the completion of the next phase, as required by IEC 60880 [4].
In each phase of the software life cycle, software faults or failures are inevitable because
of human error, systematic design faults and tool failures. Qualitative and quantitative
software reliability analysis methods have not been universally accepted. Therefore,
feasible and practical measures are used that focus on the product quality of each phase.
V&V activities should be performed to ensure that the product of each phase meets the
requirements of its inputs and that no new errors are introduced, so that the reliability of
the final product is kept within an acceptable level.
228 T. Bai et al.
[Fig. 1. IEEE 1012/IEEE 7-4.3.2 software V&V process: life cycle processes Acquisition, Supply, Development, Operation, Maintenance, Organizational and Other Supporting; supporting processes Documentation, Configuration Management, Quality Assurance, Management, Process Review, Problem Resolution, ...; each with its V&V Activities and V&V Tasks]
Learning from some NPP project experience, the difficulties of itemized I&C requirements
are discussed and key points are proposed for the implementation of itemized I&C
function requirements.
other. As a result, it would be hard to analyze the traceability among those I&C
diagrams. Moreover, it would also be very hard to trace the relationship between
documents and diagrams due to their completely different ways of expression.
[Figure: identification number coding fields: Serial Number, Quality Identifier, Document Identifier, System Identifier; Serial Number, Signal Characteristics Identifier, Signal Type or Parameters Identifier, System or Equipment Identifier]
(4) Use special tools such as DOORS, which are capable of developing itemized I&C
requirements and generating identification coding numbers automatically.
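The traceability analysis described in the introduction (no extra function allowed, no necessary function missed) and the coded identification numbers in the key points above, as an added Python example. It is not code from the paper, from DOORS, or from any NPP project; the identifier layout `<System>-<Document>-<Quality>-<Serial>`, the sample items and the trace links are constructed assumptions. The analysis is chained through two life-cycle steps, which goes beyond the single requirements-to-design step the text discusses.

```python
"""Traceability analysis over itemized I&C function requirements.

Added example, not code from the paper or from any NPP project.  The coded
identification number layout is an assumption made for illustration:
    <System>-<Document>-<Quality>-<Serial>      e.g. RPS-FRS-A-0001
Forward tracing finds items that nothing downstream realizes (a necessary
function missed); backward tracing finds downstream items that no upstream
item traces to (an extra function, which is not allowed).
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed coding: system (2-4 letters), document type (2-4 letters),
# quality class A-D, four-digit serial number.
ID_PATTERN = re.compile(
    r"^(?P<system>[A-Z]{2,4})-(?P<document>[A-Z]{2,4})-(?P<quality>[A-D])-(?P<serial>\d{4})$"
)


def parse_item_id(ident: str) -> Dict[str, str]:
    """Split a coded identifier into its fields; reject identifiers outside the coding."""
    match = ID_PATTERN.match(ident)
    if match is None:
        raise ValueError(f"identifier does not follow the coding scheme: {ident!r}")
    return match.groupdict()


def is_valid_id(ident: str) -> bool:
    """True when the identifier follows the assumed coding scheme."""
    return ID_PATTERN.match(ident) is not None


def trace_phase(upstream: Dict[str, Set[str]], downstream: Set[str]) -> Tuple[List[str], List[str], List[str]]:
    """Trace one life-cycle step (e.g. requirements -> design).

    upstream maps each item id to the downstream ids claimed to realize it.
    Returns (missed, extra, dangling):
      missed   - upstream items realized by no existing downstream item
      extra    - downstream items that no upstream item traces to
      dangling - trace links that point at downstream items which do not exist
    """
    for ident in list(upstream) + list(downstream):
        parse_item_id(ident)  # enforce the coding before analysing the links
    claimed: Set[str] = set().union(*upstream.values())
    missed = sorted(u for u, targets in upstream.items() if not (targets & downstream))
    extra = sorted(downstream - claimed)
    dangling = sorted(claimed - downstream)
    return missed, extra, dangling


def traceability_report(requirements: Dict[str, Set[str]], design: Dict[str, Set[str]],
                        tests: Set[str]) -> Dict[str, Tuple[List[str], List[str], List[str]]]:
    """Chain the analysis requirements -> design -> test, phase by phase as V&V does."""
    return {
        "requirements->design": trace_phase(requirements, set(design)),
        "design->test": trace_phase(design, tests),
    }


# Constructed sample data for a reactor protection system (RPS) slice.
REQUIREMENTS = {
    "RPS-FRS-A-0001": {"RPS-SDD-A-0001"},
    "RPS-FRS-A-0002": {"RPS-SDD-A-0002", "RPS-SDD-A-0003"},
    "RPS-FRS-A-0003": set(),                # no design item realizes this requirement
}
DESIGN = {
    "RPS-SDD-A-0001": {"RPS-STP-A-0001"},
    "RPS-SDD-A-0002": {"RPS-STP-A-0002"},
    "RPS-SDD-A-0003": {"RPS-STP-A-0002"},
    "RPS-SDD-A-0099": {"RPS-STP-A-0099"},   # extra function: no requirement traces to it
}
TESTS = {"RPS-STP-A-0001", "RPS-STP-A-0002"}  # RPS-STP-A-0099 is referenced but does not exist

if __name__ == "__main__":
    for step, (missed, extra, dangling) in traceability_report(REQUIREMENTS, DESIGN, TESTS).items():
        print(f"{step}: missed={missed} extra={extra} dangling={dangling}")
```

Finer itemization makes this matrix larger but each finding more specific, which is the granularity trade-off the introduction describes; the check that every identifier follows the coding is what makes automatic generation of the numbers (point (4)) worthwhile.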
5 Conclusions
As digital technologies are used in NPPs, software reliability and V&V quality have
raised widespread concern around the world. Traceability is the basic requirement on
I&C functions during life cycle V&V activities, and how to effectively itemize the I&C
functions is an important question for traceability analysis. From the viewpoint of V&V,
the necessity of itemizing requirements on I&C functions is discussed, and key points of
itemized requirements are proposed by learning from CPR1000 NPP project experience,
to ensure software V&V quality with a proper workload.
References
1. HAD 102/16: Computer-based safety-critical system software of nuclear power plants (in
Chinese), National Nuclear Safety Administration (2004)
2. IEEE Std. 1012: IEEE standard for software verification and validation (2004)
3. IEEE Std. 7-4.3.2: IEEE standard for digital computers in safety systems of nuclear power
generating stations (2010)
4. IEC 60880: Nuclear Power Plants-Instrumentation and Control Systems Important to Safety-
Software Aspects for Computer-based Systems Performing Category A Functions (2006)
5. EUR: European Utility Requirements for LWR Nuclear Power Plants, Rev. E (2016)
6. ISO/IEC 12207: Information Technology-Software Life Cycle Processes (1995)
7. IEEE Std. 1233: IEEE Guide for Developing System Requirements Specifications (1998)
8. IEEE Std. 830: IEEE Recommended Practice for Software Requirements Specifications
(1998)
9. IEEE Std. 1016: IEEE Recommended Practice for Software Design Specifications (1998)
10. NUREG-0800 BTP-7-14: Guidance on Software Reviews for Digital Computer-based
Instrumentation and Control Systems, Rev. 5 (2007)
Instrument Survivability Assessment During
Severe Accident in HPR1000
Abstract. The Fukushima Nuclear Accident has attracted public attention to severe
accidents. The instruments used to monitor the progression of a severe accident should
be able to perform their function correctly in the time frame required during and after
the Severe Accident Management Guidance (SAMG). International and domestic
regulations and standards all require these instruments to be available during a severe
accident. However, no relevant standard has yet been set down on how to perform the
instrument survivability assessment and qualify these instruments. This paper introduces
the requirements of the relevant regulations and standards, the factors and methods of
instrument survivability assessment, and the technology status of instrument
survivability assessment. On the basis of the assessment method of second-generation-
plus nuclear power plants, the assessment method of HPR1000 was studied and
confirmed; it is improved and optimized with respect to environment, qualification
requirements, etc.
1 Introduction
The Fukushima Nuclear Accident has attracted public attention to severe accidents.
NNSA has requirements on the management of severe accidents at nuclear power plants.
In order to ensure that the Severe Accident Management Guidance (SAMG) can work
effectively during and after a severe accident, the survivability of equipment and
instruments under severe accident conditions is needed.
HPR1000 is a third-generation pressurized water reactor (PWR) with wholly owned
intellectual property, developed by China National Nuclear Corporation (CNNC) on the
basis of thirty years' experience in R&D, design, construction and operation of nuclear
power plants. Active and passive safety systems are both used in HPR1000. Diverse
approaches are available to perform safety functions in both DBA and BDBA/SA
conditions. These design characteristics meet the requirements of third-generation
nuclear power plants.
At the beginning of the design, HPR1000 considered severe accident prevention and
mitigation measures, an exhaustive envelope curve of the severe accident environmental
conditions, and the time frame in which instrumentation needs to perform its functions
during and after severe accidents. This paper presents the relevant regulations, standards,
assessment factors, qualification requirements, process and methods of survivability
assessment of equipment and instruments during and after a severe accident in HPR1000.
For the HPR1000 nuclear power plant, it is necessary to specify the severe accident
environmental conditions and the accuracy requirements during and after the severe
accident in the technical specification for the instruments, and to purchase instruments
that meet the severe accident requirements. HPR1000 has a comprehensive design for
severe accidents covering environmental condition research, instrument qualification,
the time frame in which the instrument needs to perform its functions, signal acquisition
and control, power supply and so on. On the basis of the above design, auxiliary tests
and alternative solutions are supplemented if necessary (Table 1).
3 Assessment Factors
Due to the significant increase in radiation dose during severe accidents, a large amount
of high temperature and high pressure steam, combustible gas and aerosol are generated
in the containment. Such harsh environmental conditions may cause performance
degradation or failure of the instruments in the containment [6].
Instrument Survivability Assessment 235
two categories: one is based on the extreme values of the environmental conditions and
the other on the time frame and the environmental condition curve within that time
frame; both methods are widely used in nuclear power plants in service and under
construction.
As a general rule, the damage caused by beta and gamma radiation differs. For a large
total integrated dose (typically greater than 1 MGy), it is thus recommended that no
equivalence be assumed between the two types of radiation, and that the two tests be
applied successively in the laboratory. The integrated gamma dose in this time frame is
1.08 × 10^5 Gy and the integrated beta dose is 3.71 × 10^5 Gy. After equivalent
conversion of the beta dose, the equivalent integrated gamma dose is 4.79 × 10^5 Gy,
which is less than 1 MGy. The integrated dose of the CIS003MD radiation test is
1.1 × 10^6 Gy.
HPR1000 has an independent severe accident monitoring and control system. There
are two independent 72-hour uninterruptible power supply systems that supply the SA
cabinets, also divided into train A and train B. The instrument channel can maintain
operation for 72 h during a severe accident and station black-out (SBO). All components
of the channel have been qualified to severe accident conditions, including seismic
testing, and work well during a severe accident. The signal acquisition and processing of
CIS003MD is carried out in the train A SA cabinet and meets the power supply and
environmental requirements of severe accident conditions.
In summary, CIS003MD is available and performs its function in the time frame
required under severe accident conditions.
6 Conclusion
Based on the analysis of the assessment factors and the technical status of severe
accident instruments, this paper presents a flow chart of the survivability assessment of
severe accident instruments. The assessment of equipment under severe accident
conditions was performed according to the flow chart and the qualification of the
instruments and related support equipment.
The instruments and related supporting equipment that are installed inside the
containment and must be used during and after severe accidents have been qualified
according to the environmental conditions of severe accidents. The qualification tests
provide direct data and ensure high confidence in the instrument survivability
assessment in HPR1000.
References
1. HAF102, Safety Code on Nuclear Power Plant Design, National Nuclear Safety Administration,
China, pp. 17–38 (2016)
2. RCC-E, Design and Construction Rules for Electrical components of nuclear Islands,
AFCEN, France, p. 58 (2005)
3. EPRI TR-102371, Instrument Performance Under Severe Accident Conditions, Electric
Power Research Institute, America (1993)
4. EPRI TR-103412, Assessment of Existing Plant Instrumentation for Severe Accident
Management, America (1993)
5. Youjun, H.: Study of Instrument Survivability Evaluation Methods During Severe Accident in
Nuclear Power Plant. University of South China (2014)
6. EPRI, NRC, DOE, Three Mile Island Technical Information and Examination Program:
Instrumentation and Electrical Summary Report, p. 7 (1985)
240 L. Li and G. Lin
1 Introduction
Currently, nuclear power plants have been developed to the third generation. The
third-generation technologies include AP1000, EPR, VVER and Hualong No.1. Each
generation of NPP comes with correspondingly developed equipment, and the old
equipment is replaced by the new. Through the analysis of nuclear cable development
and the information collected from NPP owners, we can clearly understand the
development of the new cables, which is the premise for cable product improvement
and development.
The essence of nuclear cable development is cable material development. The
Chinese cable industry started to develop nuclear cable materials in the 1980s, and the
cable materials have been developed into the third generation along with the
development of the NPPs (Table 1).
From the above table, the nuclear cable development trend is toward non-halogen
cables. However, due to the performance limitations of non-halogen materials and the
excellent performance of halogenated materials, some halogen cables are still used in
some areas, equipment or systems of the nuclear power plant. This paper discusses the
requirements on halogen materials in the nuclear safety rules and regulations of
different countries and, taking the actual case of halogen cables used in AP1000 NPPs,
analyses the safety of adopting halogen cables. Finally, it is confirmed that some
halogen cables can be used in AP1000 NPPs.
The cables or wires with such insulation shall pass the thermal aging test, radiation test
and long-term immersion test. The thermal aging test shall verify that the cable thermal
life is 60 years at a 90 °C conductor operating temperature [1].
The cables or wires with the above jacket materials shall pass the flame-retardant
test, and the cables routed in cable trays shall be UL qualified. If low smoke zero
halogen materials are used for the cable jacket, these materials shall meet all the
technical requirements, especially the flame retardant test requirement.
Influence Analysis of the Halogen Cables Used 243
The wires installed in the auxiliary electrical cabinets shall use flame retardant
thermosetting SIS (NEC rated 90 °C) insulation and stranded conductors, and the wires
shall pass the UL VW-1 flame test [2].
The cables laid in the cable trays shall pass the IEEE 1202 flame test and shall be UL
qualified. Both aged and un-aged cable samples shall pass the IEEE 1202 flame test.
The quantity of halogen cables and the total amount of nuclear island cables used in
one AP1000 project are sorted out and shown in Table 3.
The halogen cables in safety-related circuits and equipment are mainly distributed in
the circuits and equipment listed in Table 4.
(1) Based on the statistics in the above table, the halogen-containing cables in the
nuclear island of some AP1000 NPPs account for only 3.25% of the total.
(2) Most of the halogen cables in the table belong to the secondary circuit of the
cabinet or the instrument control circuit. They are used to transmit weak current or
low-level signals, and the current through them is insufficient to cause a fire.
246 X.-Y. Wang et al.
with respect to the total weight of the cable; since most halogen cable conductors are
more than 18 AWG, less hydrogen fluoride will be produced.
The NPP designer's assessment showed that for the toxic content to reach the limit
of 200 PPM as defined by BBS7239, 29.6 km (95,000 ft) of cable must be burned. This
quantity of cable greatly exceeds the criterion for a local incident at a plant; by that
point the fire detection system inside the containment should have issued an alarm. At
the same time, this length exceeds the total of 4 km of safety-related halogen cables
inside the containment reported in Table 3 (Fig. 1).
[Fig. 1. Toxic hydrogen fluoride release based on the quantity of the halogen cables; vertical axis scale 0 to 250; bars for 29.6 km and 25 km of cable]
As mentioned above, during normal power plant operation, access to the inside of the
containment is controlled. In the event of a fire, personnel inside the containment will
be evacuated. Persons entering the area after a fire are limited to firefighters, and they
wear appropriate personal protective equipment. After the fire has been extinguished,
smoke and other combustion by-products will be purged by using a ventilation
subsystem or alternate temporary ventilation if the area is to be used.
In the shutdown condition of the power plant, good continuous ventilation is
maintained within the containment to support the relevant maintenance activities.
Therefore, there is no accumulation of chlorine products inside the containment due to
local events. In the event of a more serious fire, the personnel inside the containment
will be evacuated. Persons entering the area after a fire are limited to firefighters, and
they wear appropriate personal protective equipment. After the fire has been
extinguished, smoke and other combustion by-products will be purged by using a
ventilation subsystem or alternate temporary ventilation if the area is to be used.
The fire protection plan of the power plant covers many aspects, including the
following basic elements:
• Identify and control flammable products.
• Use permanently installed fire detection subsystem.
• Use automatic sprinklers or other subsystems where necessary and appropriate.
• Use permanently installed fire hoses and portable fire extinguishers.
• Develop a written fire protection strategy and plan.
• On-site fire brigade training and qualifications.
Halogen cables in safety-related circuits and equipment are mainly distributed in
auxiliary building and inside the containment. Physical isolation is used among the four
1E electrical channels, and between the four 1E electrical channels and non-safety
related areas to ensure safety.
The main control room minimizes the risk of fire in the main control room by
reducing the number of cables. There are persons staying in the main control room, and
they can quickly discover and extinguish fires in the area. The main fire detection and
fire-fighting measures in the main control room are fire detectors, fire hydrants, and
mobile fire extinguishers.
The entire steel containment is a fire zone with a fire detection and automatic fire
suppression system. Safety-related cables are protected by fire barriers when they pass
through the fire protection zone in non-safety related areas.
In the areas outside the steel containment and main control room, the layout of the
power plant equipment and the routing of the cables are designed to assure safe
shutdown of the NPP on the assumption that all the equipment in any one fire
protection area (except fire protection with a fire resistance limit of 3 h) cannot perform
its function due to fire.
Cables are mainly routed in dedicated cable structures, such as cable channels,
cable trenches and cable shafts. They can also be routed directly along cable trays and
cable conduits in rooms or corridors.
Class 1E cables are physically or spatially isolated from non-1E cables, and
redundant Class 1E cables from each other, meeting the requirements of the IEEE 384
standard. Cable trays are equipped with continuous cable temperature detectors.
Electrical penetration assemblies are used for cables passing through the reactor
walls; they have a fire-resistance limit of not less than 3 h and can withstand the
environmental conditions of the design basis event.
In order to address the problem that halogen cables in safety-related circuits and
equipment may generate toxic gases after combustion, the hazard can be reduced
through management measures. Firstly, fire sources must be controlled to ensure that
no fires occur, and the configuration and management of labor protection supplies are
strengthened. Employee safety education and necessary fire drills, together with the
necessary respirators and gas masks in hazardous areas, reduce the personal injury
caused by toxic gases.
References
1. IEEE: IEEE Standard for Qualifying Class 1E Electric Cables and Field Splices for Nuclear
Power Generating Stations. Standard IEEE 383, The Institute of Electrical and Electronics
Engineers, New York, USA (2003)
2. IEEE: Design and qualification of class 1E control boards, panels, and racks used in nuclear
power generating stations, Standard IEEE 420 The Institute of Electrical and Electronics
Engineers, New York, USA (2001)
3. NNSA: Nuclear power plant fire prevention, HAD102/11, China (1996)
Network Risk Management Based
on the ALARP Criteria for Nuclear Power
Plant
Abstract. The safety problems of nuclear power plants are becoming more and more
serious. Digital control systems are widely used in nuclear power plants in China; they
reduce the possibility of human error and the workload of operators, but at the same
time bring new risks to the operation of nuclear power plants. The Network Security
Law was formally implemented on June 1, 2017. The baselines for nuclear power plant
networks should not be considered in economic terms only; security is the most
important thing. Adding or increasing network security equipment does not necessarily
lead to improved network security. This article analyzes the network security risks of
nuclear power plants based on the ALARP criteria, discusses the balance between
investment and risk, and proposes network risk management recommendations for
nuclear power plant network security.
On April 19, 2016, General Secretary Xi Jinping delivered an important speech at the
Symposium on Internet Security and Informatization. The speech makes a systematic
discussion of the development of China's network security and information technology,
points out the way forward for the development of the network information industry
and provides fundamental guidance. General Secretary Xi Jinping pointed out:
"Network security and information technology are two wings and two wheels driving
together. We must plan, deploy, advance and implement them together. To do a good
job of network security and information work, we should handle the relationship
between security and development so as to achieve coordinated and consistent
development."
General Secretary Xi also discussed that: "Network security is dynamic rather than
static. Information technology changes faster and faster; the formerly scattered and
independent networks have become highly correlated and dependent on each other; the
sources of network security threats and the means of attack keep changing; the idea that
relying on several pieces of safety equipment and security software can keep us safe
forever is inappropriate, and it is necessary to formulate a concept of dynamic and
comprehensive protection."
It requires people to understand from the perspective of decision-making that risks are
related to people’s purposeful activities, choices of action plans and future changes of
things when studying risks. The formation process of risk and the objectivity, loss and
uncertainty of risk together constitute the basis of risk formation mechanism analysis
and risk management.
People are generally risk averse: they want to reduce risk losses and pursue an optimal
balance between risk and benefit. The development of risk management is closely
related to enterprise development and the social background. Risk management first
emerged in the United States as a discipline and spread to Latin America, Asia and
Western Europe. Most enterprises in the United States have full-time departments for
risk management, and many colleges and universities offer courses on risk management
in their schools of business administration. As both a science and an art, risk
management needs both qualitative analysis and quantitative estimation, and requires
both rationality and humanity. It takes more than theoretical guidance and needs
multiple methods to support it [2].
Risk management, starting from risk consciousness, mainly includes risk analysis, risk
evaluation and risk control. Following the process of risk formation, risk analysis
contains risk identification and risk assessment. Risk assessment requires frequency
analysis and consequence analysis, the latter including scenario analysis and loss
analysis. Risk evaluation takes all the risks of the specific system obtained through risk
analysis, compares them with the corresponding risk criteria and acceptability, and
determines whether the risk of the system can be accepted and whether safety
precautions should be taken. Risk analysis and risk evaluation together are usually
called risk assessment. Quantitative risk assessment (QRA) is required for risk
assessment. Risk control takes, on the basis of the risk assessment, the appropriate
measures and countermeasures to control, suppress and decrease risk. Risk management
not only analyzes qualitatively the risk factors, the risk of accidents and the loss
situation, but also evaluates risks quantitatively, as far as possible, against risk criteria
and acceptability. Profit-oriented industrial enterprises also want to evaluate the risk
and express it against a monetary measurement standard.
252 X.-J. Liu and J.-L. Tan
The purpose of risk management is to ensure that all incidents that pose a threat to
cybersecurity are prevented through reasonable steps. Network security threats and
network security protection measures interact. Improper network security protection
may not only fail to reduce the security risks of the network and waste a lot of money,
but may also incur greater security threats. Therefore, a thorough risk analysis of
network security is a necessary prerequisite for reliable and effective protection
measures.
The establishment and development of nuclear power plant network QRA draws,
internally, on reliability analysis, safety analysis, quality management, project
management and various other professional analyses as its foundation, and, externally,
on users, the government, the public, consultancies and many other related subjects.
The function of plant network QRA for the enterprise is mainly reflected in the
following: QRA helps the enterprise control risk levels within a standard level of risk,
under the principle of the minimum feasible; QRA can help enterprises comprehensively
identify risks and prioritize them, so that managers can focus human, financial and
material resources on the control of important emergency risks, making risk
management decisions more reasonable, more effective and less costly. Through various
risk management solutions or QRA-based security improvements, decision makers can
choose the options that make the solution better and obtain decision support for the
company. The risks of the nuclear power plant network will have impacts on other
enterprises and subjects and generate an amplification effect. A safe, reliable, efficient
and superior power system is the common aspiration of all trades and government
departments. The implementation of QRA in the nuclear power plant network is
therefore of practical significance, and ALARP rules are a better way for the network of
nuclear power plants to implement QRA [3].
unacceptable area, the reasonably practicable minimum area (ALARP area) and the
risk acceptable area. If the risk level obtained from the risk assessment falls within the
risk unacceptable area, the risk will not be acceptable in any way except in special
cases: for a device in the design stage, the design scheme cannot be approved; for
existing installations, production must be stopped immediately and mandatory
measures must be taken to reduce the risk level. If the risk level falls within the risk
acceptable area, the risk level is low and there is no need for safety improvement. If the
risk level is in the ALARP area, the consequences of implementing the various risk
reduction measures must be examined and a cost-benefit analysis conducted to
determine whether the risk is acceptable. If the added risk prevention measures have no
significant impact on reducing the level of system risk, the risk may be considered
unacceptable.
The risk criteria and acceptability should follow the minimum allowable principle.
The ALARP principle can be applied to the risk system: the lower the risk level, the
harder it is to reduce the risk further, and the cost of further reduction rises along an
exponential curve. In other words, the marginal benefit of investment in risk
improvement measures decreases and eventually tends to zero or even becomes
negative. Therefore, a compromise must be made between the level of risk and the cost.
If the risk level from the quantitative risk assessment of the nuclear power plant network
is higher than the acceptable limit, the risk is rejected. If the risk level is below the
acceptable line, the risk is acceptable and no risk improvement measures are required.
When the risk level lies between the unacceptable line and the acceptable line, it falls
into the ALARP area, and at that point risk analysis and a cost-benefit analysis of the
cost of improvement are carried out.
The analysis then shows whether investing in further risk improvement of the network is justified by the reduction in the network's risk level; if it is not, the risk is acceptable.
254 X.-J. Liu and J.-L. Tan
Accepting the risk in this case means allowing it to exist in order to save investment costs. The economic interpretation of the ALARP principle is similar to the law of diminishing marginal returns of input factors.
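The three-region decision and the cost-benefit step described above, as an added example (not code from the paper); the risk scale, the two limits, the candidate measures and the two thresholds (what counts as a significant reduction, and the lowest benefit-per-cost still worth investing in) are constructed values.

```python
"""ALARP risk decision as described in the text: added illustration, not code
from the paper. Risk levels, the two limits, the candidate measures and the two
thresholds are constructed values (assumptions) for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float       # investment required (arbitrary cost units, must be > 0)
    reduction: float  # absolute reduction of the risk level when applied


def classify(risk: float, upper_limit: float, lower_limit: float) -> str:
    """Three regions: above the upper limit the risk is unacceptable, below the
    lower limit it is acceptable, in between it lies in the ALARP area."""
    if risk > upper_limit:
        return "unacceptable"
    if risk < lower_limit:
        return "acceptable"
    return "alarp"


def alarp_decision(risk, upper_limit, lower_limit, measures,
                   significant_reduction, min_benefit_per_cost):
    """Cost-benefit analysis for a risk in the ALARP area.

    Measures are applied best benefit-per-cost first, which mirrors the
    diminishing marginal return described in the text. Applying stops once the
    residual risk is acceptable, or once the next measure's benefit per unit
    cost falls below min_benefit_per_cost (the remaining risk is then kept to
    save investment). Measures with no significant effect are skipped; if no
    measure has a significant effect the risk is treated as unacceptable.
    Returns (verdict, residual_risk, names_of_applied_measures)."""
    region = classify(risk, upper_limit, lower_limit)
    if region != "alarp":
        return region, risk, []
    ranked = sorted(measures, key=lambda m: m.reduction / m.cost, reverse=True)
    applied, residual = [], risk
    for m in ranked:
        if residual < lower_limit:
            break                     # already in the acceptable area
        if m.reduction / m.cost < min_benefit_per_cost:
            break                     # marginal benefit no longer pays for the cost
        if m.reduction < significant_reduction:
            continue                  # no significant impact on the risk level
        applied.append(m.name)
        residual -= m.reduction
    if not applied:
        return "unacceptable", risk, []
    return "alarp", residual, applied


if __name__ == "__main__":
    # Constructed scenario: risk score 60 between an upper limit of 100 and a
    # lower limit of 10; three candidate measures of different cost-effectiveness.
    candidates = [Measure("A", 10.0, 30.0), Measure("B", 20.0, 25.0), Measure("C", 50.0, 5.0)]
    print(alarp_decision(60.0, 100.0, 10.0, candidates, 8.0, 0.5))
```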
5 Conclusion
The nuclear power plant network QRA is an integrated study that covers reliability engineering, risk analysis and security engineering. On the basis of continuous summary, scientific exploration of theory and practice, through careful and detailed analysis, provides guidance and prediction for the future. Given the industry features of the nuclear power plant network, QRA of the nuclear power plant network not only has a good technical and material foundation, but also has great potential for further development.
Through risk analysis based on the ALARP criterion, risk estimates for all risks in the network system of the nuclear power plant can be obtained. According to the corresponding risk standards and acceptability, it is judged whether the risk of the system is acceptable, investment and risk are balanced, and the corresponding safety measures are adopted to promote the common progress of security and development of the nuclear power plant network.
References
1. Bell, D.E., LaPadula, L.J.: Secure computer system. MTR-2527 (1973)
2. Hui, Z., Hua, D., Weiting, Q., Weilu, Q.: Engineering construction project risk assessment
standards based on ALARP criterion. Industrial Safety and Environmental Protection (2017)
3. Biba, K.: Integrity considerations for secure computing systems. Mitre Report MTR-3153
(1975)
4. Rao Tummala, V.M., Burchett, J.F.: Applying a risk management process (RMP) to manage
cost risk for an EHV transmission line project, 17
Analysis of Communication Failures in Radiation Monitoring System of a Nuclear Power Plant
1 Introduction
On January 18, 2017, a radiation monitoring system fault alarm appeared in the main control room of a nuclear power plant in Guangdong. The parameters of the spent fuel pool radiation monitoring channel on the workstation of the radiation monitoring system stopped refreshing, and the maintenance personnel found on inspection that an equipment communication fault had caused the problem. The radiation monitoring system uses RS485 communication between the local processing unit data unit and the remote display unit of the 15-m monitoring cabinet. The standard RS485 interface circuit is widely used in the field of automation due to its simple hardware structure, convenient control, low cost and fast communication speed. However, the RS485 bus
RS485 signalling is known for long distances and multiple nodes, but on site it usually encounters interference from the complicated working conditions. Interference is an unwanted electrical signal, independent of the useful signal, that is inserted into or superimposed on the system power supply or signal cable, often in the form of an electric or magnetic field [2]. RS485 communication interference is roughly divided into four types:
1. Hardware failure: Generally there is a history of high voltage being coupled into the circuit, such as a lightning strike or leakage. It can damage the RS485 chip of individual equipment in the system and affect overall reception;
2. Line faults: For example, a partial short circuit or a signal line break may often leave the system working locally or apparently normally, but the operation is unstable;
3. Matching interference or line reflection interference: The system load matching is unreasonable, for example long signal lines, long-distance star wiring, excessive loads, or no matching resistor in the system. It can cause the system to not work stably;
4. Electromagnetic interference (EMI): electromagnetic waves emitted during a system's normal operation, through conduction or radiation, that affect other systems or other subsystems within the system [3].
The above four situations often do not exist alone, but accompany and intensify each other, which makes the system worse. Based on these four kinds of RS485 interference, this paper combines the specific conditions of the on-site radiation monitoring system to analyse and act on the following fault causes:
First, consider that the RS485 chip of one or more local receiving devices is damaged by a lightning strike or high voltage on the RS485 network during use of the device. The maintenance personnel replaced the complete equipment of the faulty channel separately, and the fault reappeared;
Secondly, a line communication fault. In this fault mode data can usually still be transmitted under certain conditions; once the conditions change, the system works only partially or not at all. This fault usually shows as a short circuit or an open circuit in the bus. When a short circuit occurs, the receiving devices near the short-circuit point and beyond it receive normally. For this mode, the maintenance personnel checked the line resistance value and the fastening condition of each terminal block, and no abnormality was found;
Analysis of Communication Failures in Radiation 257
Third, in the process of transmission along the wire, the electrical signal (both the current signal and the voltage signal) has a certain lag and reflection due to the distributed inductance, capacitance and resistance of the wire. Multiple reflections of the signal greatly prolong its transmission time. There are two main factors affecting the reflected wave: the first is the impedance of the transmission line; if the impedance of the transmission line is reasonably configured, reflected wave interference can be suppressed or the number of reflections reduced. The second is the signal frequency: the higher the signal frequency, the easier it is to generate reflected wave interference. The RS485 communication loop of the nuclear power plant radiation monitoring system has a baud rate of 19200 bps. Once the signal frequency is fixed, the impedance matching method is usually used to eliminate reflected wave interference. In the communication circuit of the radiation monitoring system of the nuclear power plant, the matching-resistor bus matching method is adopted. This method reduces the reflection and absorption noise caused by the mismatch, and effectively suppresses the noise interference. Generally, the characteristic impedance of the twisted pair is about 100 ohms to 130 ohms, and the field installation actually uses 120 ohms. The schematic diagram is shown in Fig. 1.
The higher the signal frequency, the easier it is to generate reflected wave interference. Usually the transmission rate is selected between 1200 and 19200 bps [4]. When the communication distance is less than 1 km, 4800 bps can be selected from the viewpoints of communication efficiency, number of nodes and communication distance. When the communication distance is more than 1 km, the reliability of data transmission should be improved by adding a relay module or reducing the rate. The actual distance of the radiation monitoring channel of the spent fuel pool is not more than 1 km, and the baud rate is set to 19200 bps.
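The matching and rate guidance above can be checked numerically. The following is an added example (not code from the paper): a lossless bounce model of a voltage step on the bus, which shows why a 120 ohm termination removes reflections regardless of rate, and why an unterminated 1 km line settles within a bit at 4800 bps but not at 19200 bps. The driver source resistance (30 ohm), the cable velocity factor (0.66), mid-bit sampling and the 5 % settling threshold are assumptions.

```python
"""Reflection and settling on an RS485 link: added illustration, not code from
the paper. Lossless bounce model: a voltage step launched by a driver with
source resistance R_S travels along a line of characteristic impedance Z0,
is reflected at the far end (load R_L) and again at the driver end.
Assumed: velocity factor 0.66, receiver samples mid-bit, and reflections
count as settled once every later reflected wave is below 5 % of the step."""
from math import inf

C_LIGHT_M_PER_S = 299_792_458.0


def reflection_coefficient(z0: float, r: float) -> float:
    """Voltage reflection coefficient (r - Z0)/(r + Z0) at a resistance r.
    r = inf models an unterminated (open) end, which reflects the full step."""
    if r == inf:
        return 1.0
    return (r - z0) / (r + z0)


def one_way_delay_s(length_m: float, velocity_factor: float = 0.66) -> float:
    """Propagation time from one end of the line to the other."""
    return length_m / (velocity_factor * C_LIGHT_M_PER_S)


def settling_time_s(z0, r_load, r_source, length_m, threshold=0.05, max_bounces=1000):
    """Time until every later reflected wave is below `threshold` of the launched step.
    Returns None if the lossless model never settles (e.g. both ends open)."""
    coeffs = (reflection_coefficient(z0, r_load), reflection_coefficient(z0, r_source))
    delay = one_way_delay_s(length_m)
    amp, t = 1.0, 0.0
    for bounce in range(max_bounces):
        t += delay                   # the wave reaches the load end first, then the driver end, ...
        amp *= coeffs[bounce % 2]    # ... and is scaled by that end's coefficient each time
        if abs(amp) < threshold:
            return t
    return None


def link_settles(z0, r_load, r_source, length_m, baud, fraction=0.5):
    """True when reflections die out within `fraction` of a bit period,
    so a receiver sampling at mid-bit sees a clean level."""
    t = settling_time_s(z0, r_load, r_source, length_m)
    return t is not None and t <= fraction / baud


if __name__ == "__main__":
    # Constructed cases around the paper's figures: Z0 about 100-130 ohm,
    # a 120 ohm terminator, 19200 bps on a line of at most 1 km.
    for z0 in (100.0, 120.0, 130.0):
        print(f"Z0={z0:.0f} ohm with 120 ohm termination: gamma={reflection_coefficient(z0, 120.0):+.3f}")
    for r_load, label in ((120.0, "terminated"), (inf, "open end")):
        for baud in (19200, 4800):
            ok = link_settles(120.0, r_load, 30.0, 1000.0, baud)
            print(f"{label:10s} 1 km @ {baud:5d} bps: {'settles' if ok else 'reflections still present at mid-bit'}")
```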
In actual construction, RS485 usually uses twisted pair or shielded twisted pair cable, connected in parallel, in star plus parallel, or hand-in-hand (daisy chain). One line is generally connected to 32 receiving terminals. Many chips have a load capacity of 64 or 128, but most achieve this by reducing input resistance, improving sensitivity and reducing the baud rate. The communication circuit of the nuclear power plant radiation monitoring system is simple, but for historical reasons the communication cable is coaxial rather than twisted pair. One local processing unit communicates with only one remote display unit, so the load capacity is not exceeded. At the same time, the polarization voltage setting of the remote display unit is normal, and the resistance of the terminal resistor is normal.
258 G.-F. Li et al.
Fourth, electromagnetic interference generally enters the instrumentation and control system through conduction and direct radiation. For example, capacitive or electromagnetic coupling radiates electromagnetic field interference directly into the control system, or the interference is conducted into the control system through input and output signal lines, power lines and ground. Electromagnetic interference that causes equipment performance degradation or failure must have three elements at the same time: an electromagnetic field; an interference source and an interfered source; and a coupling path that transmits the energy of the electromagnetic interference from the interference source to the interfered source [5].
The ground wire is the collection point of the protection and shielding of the plant equipment. According to the above, it can also be an interference transmission medium. In general, the grounding of the instrument control equipment is based on the concept of two grounding systems, namely protective grounding and working grounding. The grounding system usually adopts single-point grounding: the whole instrumentation equipment forms a radial grounding system through the instrument grounding busbar or insulated cable, and the radial grounding system is connected to the grounding grid through one point and is insulated from other grounding loops. By design, the signal grounding point is conventionally independent of the protective grounding point. However, in the nuclear auxiliary plant where the faulty channel is located, for design reasons the equipment protective grounding and working grounding share a common grounding point in the plant.
Cables are widely used in the communication of radiation monitoring systems in nuclear power plants. In digital control systems with high-frequency signals, cables are the main source of interference: they are both the main generator of high-frequency interference and its main receiver. As a generator, the cable radiates electromagnetic noise into space; as a receiver, it sensitively picks up electromagnetic noise emitted from adjacent sources of interference.
On February 3, 2017, the maintenance personnel found from the plant's video recordings and on-the-spot tracking that frequent communication failures occurred during the operation of the plant's spent fuel sucking device. After several on-site verifications, the failures were reproduced and the cause was confirmed to be external interference. The device log and the fault record waveform are as follows (Figs. 2 and 3).
Electromagnetic interference in the industrial control field can be roughly divided into three categories: first, power frequency interference; second, random spike interference; and third, high-frequency electromagnetic interference. Power frequency interference is mainly caused by the power grid, and its characteristic frequency is 50 Hz. Spike interference is mostly caused by the frequent starting and stopping of high-power electromechanical equipment. High-frequency electromagnetic interference mostly affects equipment through electromagnetic coupling in space [6].
Fig. 2. Spent fuel pool radiation monitoring channel communication fault log
Fig. 3. Spent fuel pool radiation monitoring channel communication Abnormal Waveform
During the fault, coupled high-frequency signals are present on the spent fuel pool radiation monitoring channel and the signal shows burrs (spikes). The analysis relates this to spike and high-frequency electromagnetic interference (Fig. 4).
The nuclear power plant radiation monitoring system signal is processed by the local processing unit and passes through the ground terminal box numbered KRT039CR at the bottom of the vehicle, the junction box numbered PMC310CR at the top of the vehicle, and the junction box numbered PMC309CR at the top of the spent fuel plant. It is then sent to the cabinet located 15 m away in the LX electrical plant to complete the signal display. The circuit is complicated. The grounding points are the 15 m grounding of the LX electrical plant and the grounding of the spent fuel plant [7] (Fig. 5).
Fig. 5. Spent fuel pool radiation monitoring channel communication Circuit Structure
Fig. 6. Nuclear auxiliary plant nuclear power plant radiation monitoring equipment layout
4 Solution
4.1 Reduce the Interference of Suction Devices
On-site tests show that the main equipment of the sucking device interfering with the loop is the heater power regulator. The original power regulator used the half-cycle mode. This mode works on the principle of half-wave switching: over the entire cycle no direct current component is generated, but it produces many external disturbances. Following the analysis, the power regulator mode was changed to the periodic mode, in which the supply voltage is switched periodically and almost no harmonics are generated. At the same time, the cycle output mode is used. Compared with the half-wave mode, the power regulator then has a smaller harmonic component and higher efficiency, and the measured interference is significantly reduced (Fig. 8).
4.3 Modify the Top of the Vehicle's Spent Fuel Pool Radiation Monitoring Channel Related Folding Cable Shield Grounding Position
After the ground wire of the relevant spent fuel pool radiation monitoring channel was removed, the communication fault waveform still showed occasional instability. After confirming that there was still interference in the folding cable at the top of the vehicle, the analysis concluded that this was where interference entered the spent fuel pool radiation monitoring channel. The local grounding of the folding cable shield of the spent fuel pool radiation monitoring channel was then changed to the 15 m grounding of the electrical plant, after which the interference burrs disappeared (Fig. 9).
Fig. 9. Spent fuel pool radiation monitoring channel equipment ground adjustment: waveform before (left) and after (right)
The above analysis and tests confirm the root cause of this communication failure: when the high-power sucking device is put into operation, it raises the interference intensity in the nuclear auxiliary plant, causing the communication failure of the spent fuel pool radiation monitoring channel.
This method effectively reduces the interference by reducing the interference intensity of the sucking device, removing the grounding line that carried the interference, and modifying the shield grounding position of the easily disturbed line, and successfully solves the problem.
5 Conclusion
References
1. Chen, Z.-P.: Fieldbus and Industrial Control Network Technology. Publishing House of
Electronics Industry, Beijing (2008)
2. Ge, C.-H.: Anti-Jamming Technology of Industrial Measurement and Control System.
Metallurgical Industry Press, Beijing (2006)
3. Lu, G.-Q.: Electromagnetic Compatibility Theory and Technology in Communication
System. Beijing Broadcasting Institute Press, Beijing (2000)
4. Jian, C.U.I.: Siemens Industry Network Communication Guide. Mechanical Industry Press,
Beijing (2004)
5. Hu, C.-H., Liu, C.-R., Guo, W.-S.: Embedded Network Programming: Serial Communication,
Industrial Bus, Sensor Network Application Development. Publishing House of Electronics
Industry, Beijing (2011)
6. Qiu, G.-Y., Luo, X.-J.: Circuit, 5th edn. Higher Education Press, Beijing (2006)
7. Ling, Q., Guo, L.-Y., et al.: Radiation Measurement Technology in Nuclear Power Plants.
Atomic Energy Press, Beijing (2001)
8. Zang, X.-N., Shen, S.-B.: Nuclear Power Plant Systems and Equipment. Tsinghua University
Press, Beijing (2003)
Design of Geological Disaster Monitoring and Early-Warning System for Mountainous Nuclear Facilities
1 Introduction
Due to the special importance of nuclear facilities in mountainous areas, related institutions both in China and abroad have been attaching great importance to the safety of mountainous nuclear facilities and the prevention and control of geological disasters. The prevention and treatment of geological disasters at mountainous nuclear facilities are all considered under the most unfavorable circumstances and managed with the most conservative safety measures; for disaster bodies that have not yet been remedied, or that have been remedied but still need critical evaluation, monitoring and early-warning projects are carried out to ensure the safe operation of mountainous nuclear facilities [1–3].
China is one of the countries with the most serious geological disasters in the world. Collapses, landslides, mudslides, ground subsidence, land subsidence, ground fissures and many other types of geological disasters are very serious [4–6]. Areas affected by collapses, landslides and mudslides account for 44.8% of the country's land area. How to take reasonable technical measures to minimize such losses has become a problem that urgently needs to be solved.
The current geological disaster monitoring system is developing from traditional manual monitoring to on-line monitoring. In traditional monitoring, the main technical parameters are measured manually by taking traditional instruments to the site. The monitoring workload is large because of many factors such as weather, labor and site conditions; the results carry certain systematic and human errors, and it is impossible to monitor and present the safety deficiencies of the monitored objects in a timely manner, all of which affect the level of geological disaster monitoring. The development of on-line monitoring technology solves the problems of traditional manual monitoring and compensates well for its shortcomings [7–9].
In this paper, targeted analysis of the types of geological hazards such as landslides
and mud-rock flows that are prone to occur around mountainous nuclear facilities will
be carried out, and related monitoring indicators will be properly selected. On this
basis, a geological disaster monitoring and early-warning system will be designed for
mountainous nuclear facilities to provide technical support for improving the safety
management level of mountainous nuclear facilities.
2 Design Principles
The design of the geological disaster monitoring and early-warning system should
follow the principles of “progressiveness, stability and reliability, convenience for
expansion, economy and practicality, and security and confidentiality”. Comprehensive
consideration should also be given to important factors such as construction and
maintenance, and at the same time leave room for future transformation and expansion.
• Progressiveness. The system adopts advanced technologies such as the Internet, cellular network bandwidth transmission and embedded language conversion. It adopts a system software platform and terminal acquisition and transmission equipment, and uses a B/S (browser/server) structure: as long as the computer can access the Internet, users with operating permission can view and manage the system through a browser.
• Stability and reliability. Due to the particular operating environment of the geological disaster monitoring and early-warning system, it must be ensured that the system is stable and reliable. A stable and reliable network server and a server-specific operating system are selected as the carrier of the disaster monitoring and early-warning platform; the platform has permission-controlled operation, which ensures reliable operation of the system at the application level; and data transmission uses a wireless mobile communication network with wide coverage, which is efficient and reliable.
• Convenience for expansion. It supports all kinds of existing communication access, such as GSM, GPRS, 3G, cable broadband, wireless WLAN, serial port and wireless serial-port networking, and these can operate in parallel; the monitoring terminal supports most existing digital, analog and switch sensors, and special sensors added in the future can be accessed by simply modifying the hardware and software; the system design requires opening part of the database so that other systems can retrieve data from it.
Design of Geological Disaster Monitoring 267
displacement of the disaster body for analysis and judgment, the accuracy of monitoring and early warning is improved.
[Figure: system architecture diagram. Monitoring nodes No. 1 to No. m for slope shallow displacement, slope deep displacement and local rainfall; each node has a shallow displacement sensor, a deep displacement sensor and a rainfall sensor feeding a signal conditioning circuit and an STM32 controller, with a GPRS/GSM module, RS485 links and a solar energy generation system, reporting to a PC remote control.]
5 Conclusion
A targeted analysis of the types of geological hazards, such as landslides and mud-rock flows, that are prone to occur around mountainous nuclear facilities was carried out, and related monitoring indicators such as slope shallow displacement, slope deep displacement and local rainfall were properly selected following the design principles of "progressiveness, stability and reliability, convenience for expansion, economy and practicality, and security and confidentiality". On this basis, a geological disaster monitoring and early-warning system for mountainous nuclear facilities was designed to provide technical support for improving the safety management level of mountainous nuclear facilities. The system has been put into trials at several high-risk slopes in some mountainous nuclear facilities to carry out further experimental research and improvement; the corresponding research results will be reported in follow-up papers.
272 Z.-M. Zhu et al.
References
1. Connor, C.B.: A quantitative literacy view of natural disasters and nuclear facilities.
Numeracy 4(2) (2011)
2. Guo, R.P., et al.: Risk Assessment of Respond of Nuclear Power Plant to Natural Disasters.
Henan Science (2012)
3. Zhou, X.: Prevention of natural disaster in Qinshan nuclear power plant. Nucl. Saf. (2017)
4. Dong, Y., et al.: Geological disaster monitoring and early-warning information management
system in three gorges reservoir area. Saf. Environ. Eng. (2008)
5. Huang, H.F.: Application of geological disaster technical monitoring and early-warning
information integration in three gorges reservoir area based on google earth. J. Anhui Agric.
Sci. (2010)
6. Xu, P.B.: The network emergency research on geological disaster monitoring and early
warning in three gorges reservoir areas. J. China Three Gorges Univ. (2011)
7. Hong, X., et al.: Research on the automatic monitoring early-warning system based on
wireless sensor networks for geological disaster. Microcomput. Appl. (2011)
8. Yuan, H., et al.: Geological disaster on-line real-time monitoring and early-warning system
research based on the flex viewer framework. J. Nat. Disasters (2013)
9. Yuan, H., et al.: The all-time geological disaster monitoring and early warning with mobile
terminal. Inf. Technol. (2014)
Research on Anti-seismic Qualification for Nuclear Safety Class I&C Equipment Base on Single-Frequency Wave Technical
1 Introduction
Nuclear-safety-class I&C equipment shall be qualified by anti-seismic testing before being applied in a nuclear power plant. To achieve this, the type test method, the operating experience method, the analytical method or a combination of these methods can be used for equipment qualification [1].
The type test method is the mainstream anti-seismic qualification method in the current nuclear industry. In this method, a typical equipment model is selected for the anti-seismic test. According to GB13625, the single-frequency wave method and the multi-frequency wave method can be adopted for anti-seismic qualification. Featuring a long work period, large manpower input and high test cost, the multi-frequency wave method is generally used for the first-set qualification of complex equipment. Due to the short work period
Single-frequency wave method and multi-frequency wave method are generally used for anti-seismic qualification test.
The sine beat wave is the earthquake wave most commonly used in anti-seismic tests of equipment in European and American countries. A sine beat wave resembles a structure's resonance under the horizontal earthquake wave of an actual earthquake: the earthquake wave passes through a building to a structure and makes the structure generate a beat-like response at its natural frequency. There are few vibrating tables with bidirectional single-frequency sine beat capability in China at present; however, the unidirectional single-frequency sine beat test method is sufficient to meet the requirements of anti-seismic tests for nuclear I&C equipment.
The unidirectional single-frequency sine beat test is applicable to nuclear safety-class equipment with the following characteristics:
(1) It is not directly mounted on the building floor of the nuclear power plant;
(2) The floor acceleration is transmitted to the equipment under anti-seismic qualification through a cabinet, panel or other intermediate structure;
(3) The required response spectrum for the equipment mounting position is unknown.
Like the sine beat method, the single-frequency wave method is an approximate simulation of real seismic motion. Real seismic motion is multi-frequency random motion in nature; in this method it is simulated by multiple single-frequency motions, so the method can only be an approximation. It is most reasonable to adopt the single-frequency wave method only when the following conditions are met:
(1) The required response spectrum is controlled by a single frequency; for example, the response spectrum at a floor of high elevation belongs to this type due to filtering by the structure.
(2) The equipment has only one main frequency in 0–33 Hz and the responses at other natural frequencies are weaker than that at the main frequency; or the natural frequencies are all above 33 Hz; or there are several natural frequencies in 0–33 Hz with relatively large frequency intervals and no coupling effect on each other.
The advantages of the sine beat method include:
(1) The nuclear-safety-class I&C platform system is divided into many independent components;
(2) Conservative spectra recommended by standards are adopted to perform sine beat tests on the components;
(3) By demonstrating that the components of the nuclear-safety-class I&C system meet the anti-seismic requirements, the entire nuclear-safety-class I&C system is proven to meet them.
Therefore, the results of anti-seismic tests using the sine beat technique can be reused in different projects, leading to significant reductions in economic, time and human costs.
Research on Anti-seismic Qualification for Nuclear Safety Class 277
When the single-frequency sine beat test method is used, the model is excited by several pre-set sine beat vibrations at fixed frequencies. These fixed frequencies can be pre-set frequencies or critical frequencies identified from the response inspection of a sine vibration test. There is an interval between individual sine beats, giving the model time for its free response to decay. According to practical engineering experience, the interval between sine beats shall be greater than 2 s.
$$a(t) = a_0 \sin(2\pi f t)\,\sin\left(\frac{2\pi f t}{m}\right) \qquad (1)$$

$$t = \frac{m}{2f} \qquad (3)$$

Where:
a0: Measured value in the test, i.e. the maximum peak value of the test wave; it is equal to or less than the modulated wave peak value;
f: Test frequency; a predetermined frequency or a critical frequency found from the vibration response;
m: Ratio of the test frequency to the modulating frequency of the acceleration sine beat, equal to (2n − 1), in which n is the number of cycles of the acceleration sine beat. Fig. 1 shows the sine waveforms when n equals 3, 5, 10 and 20 respectively, of which the waveform with n = 5 is the optimal sine waveform.
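As an added example (not code from the paper or the cited standards), the following generates the sine beat of Eq. (1) with the paper's symbols a0, f, n and m = 2n − 1, derives the beat duration m/(2f) from the half-period of the modulating sinusoid, and lays out a test sequence with the more-than-2 s free-response interval between beats. The sample rate and the test frequencies are constructed values.

```python
"""Single-frequency sine beat of Eq. (1): added illustration, not code from the
paper or the cited standards. Uses the paper's symbols a0, f, n and m = 2n - 1;
the sample rate and the 2 s minimum pause between beats (quoted from the text)
are the only other inputs, and the test frequencies below are constructed."""
import math


def beat_ratio(n: int) -> int:
    """m = 2n - 1: ratio of the test frequency to the modulating frequency."""
    return 2 * n - 1


def beat_duration_s(f: float, n: int) -> float:
    """One beat lasts half a period of the modulating sinusoid sin(2 pi f t / m), i.e. m / (2 f)."""
    return beat_ratio(n) / (2.0 * f)


def sine_beat(a0: float, f: float, n: int, sample_rate: float) -> list:
    """Samples of a(t) = a0 sin(2 pi f t) sin(2 pi f t / m) for t from 0 to m / (2 f)."""
    m = beat_ratio(n)
    count = int(round(beat_duration_s(f, n) * sample_rate)) + 1
    return [a0 * math.sin(2 * math.pi * f * t) * math.sin(2 * math.pi * f * t / m)
            for t in (k / sample_rate for k in range(count))]


def peak_value(samples: list) -> float:
    """Largest |a(t)| in the beat. With m = 2n - 1 the carrier is at a peak exactly
    when the envelope reaches its maximum (t = m / (4 f)), so the peak equals a0."""
    return max(abs(s) for s in samples)


def beat_schedule(test_frequencies, n: int, min_pause_s: float = 2.0) -> list:
    """Start time of each beat in a test sequence: every beat is followed by at least
    min_pause_s of free response (the text requires more than 2 s) before the next."""
    starts, t = [], 0.0
    for f in test_frequencies:
        starts.append(t)
        t += beat_duration_s(f, n) + min_pause_s
    return starts


if __name__ == "__main__":
    f, n, a0 = 10.0, 5, 3.0   # constructed: 10 Hz test frequency, n = 5 cycles, peak 3 m/s^2
    samples = sine_beat(a0, f, n, sample_rate=2000.0)
    print(f"m = {beat_ratio(n)}, beat lasts {beat_duration_s(f, n):.3f} s, peak {peak_value(samples):.4f}")
    print("beat start times (s):", beat_schedule([2.0, 10.0, 20.0], n))
```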
Fig. 2. Horizontal and vertical response spectrums applicable to anti-seismic test of device
(damping ratio: 5%)
The acceleration values of the required response spectra at key frequency points are as shown in Table 1.
Table 1. Values at special points of horizontal and vertical response spectra applicable to anti-seismic test of device

Special point / anti-seismic level   Below 2 Hz   2 Hz      10 Hz      20 Hz      35 Hz     Above 35 Hz
SSE/S2                               0.2533 m     40 m/s2   300 m/s2   300 m/s2   60 m/s2   60 m/s2
1/2SSE/S1                            0.1266 m     20 m/s2   150 m/s2   150 m/s2   30 m/s2   30 m/s2
Fig. 3. All frequency points test response spectrum VS required response spectrum
4 Application Examples
[Fig. 4 panels: (left) beat spectrum of component vs response spectrum at highest installed position of cabinet for which the qualification has been completed (horizontal); (right) the same comparison (vertical). Axes: accelerated velocity vs frequency (Hz).]
Fig. 4. Comparison between single-frequency sine beat spectrum and response spectrum at
highest installed position of completed model equipment
5 Conclusions
This paper puts forward an anti-seismic testing method by use of single-frequency sine
beat against the problem that time and economic costs for component-level anti-seismic
tests shall be reduced and the results reusability shall be achieved, in accordance with
the requirements on anti-seismic tests for I&C equipment of nuclear power plants in the
national standards of nuclear industry and in combination with the test features of
multi-frequency wave method and single-frequency wave method; in combination with
specific cases of sine beat tests on nuclear-safety-class I&C equipment, this method has
been proven to be applicable and feasible, serving as an economical, efficient and
reliable anti-seismic qualification method for equipment of nuclear industry.
References
1. GB 12727-2002, Nuclear power plants-Electrical equipment of the safety system-
Qualification
2. GB13625-1992, Anti-seismic qualification of electrical equipment of the safety system for
nuclear power plants
3. NB/T20040-2011, Anti-seismic qualification test rules of safety classified electrical equipment for nuclear power plants
4. HAF-J-0053-1995, Guide on anti-seismic qualification for nuclear power equipment
282 Y.-B. Sun et al.
5. Wang, Shu-Rong, Ji, Fan-yu: Environmental test technology. Publishing House of Electronics
Industry, Beijing (2016)
6. MIL-STD-810G-2009: Environmental engineering considerations and laboratory tests
7. IEEE Std 323-2003 IEEE standard for qualifying class 1E equipment for nuclear power
generating stations
8. EPRI TR-107330-1996 Generic requirements specification for qualifying a commercially
available PLC for safety-related applications in nuclear power plants
The Approaches of Prevention, Detection, and Response for Cybersecurity of I&C Systems in NPPs
1 Introduction
Since most newly built Instrumentation and Control (I&C) systems in nuclear power plants (NPPs) are digital, cyber-attacks on these digital systems have become a realistic threat [1]. Cyber intrusions can seriously affect the safe and stable operation of nuclear power generation through the digital I&C systems. The ways in which an intrusion can affect the controlled power generation process include cutting off the communication between control stations and human-machine interfaces (HMIs), tampering with sensor measurements, and falsifying the commands sent to actuators. Through these means, cyber intrusions can disable subsystem functions, cause physical damage to equipment and disrupt the nuclear reaction process, and so turn a cybersecurity incident into a nuclear safety incident.
The framework of prevention, detection, and response has proven to be an effective approach to improving the cybersecurity of widely used Information Technology (IT) systems [2]. The same framework can be applied to I&C systems in NPPs, although there are significant differences between IT and I&C systems: the strict real-time requirements of operation, the distinct communication protocols, and the need for continuous availability over the whole lifecycle. These requirements must be addressed properly when the classic framework of prevention, detection, and response is applied to I&C systems.
The rest of the paper is organized as follows. Section 2 reviews the cybersecurity risks of I&C systems and the inapplicability of IT security controls. Section 3 describes the prevention solution, monitoring and auditing. Intrusion detection based on physical data is covered in Sect. 4. For the response to an incident, the concept of intrusion-tolerant control and its implementation are illustrated in Sect. 5. The above approaches are summarized in Sect. 6.
The actual state of existing I&C systems poses real risks of cyber intrusion. First, there is no common practice of security upgrades for I&C systems [3]. Because of this poor patch management, many security vulnerabilities, including publicly known ones, exist in the software and hardware of I&C systems and will remain there for a long time. Second, because of the limited resources of I&C components, basic security measures such as encryption and antivirus software are difficult to deploy on every I&C device. From these two facts it follows that a cyber intrusion into I&C systems can very well become reality.
However, the present cybersecurity approaches, designed mainly for IT systems, are often inadequate or inapplicable to the challenges of digital I&C systems. The security goals, the operational environment, and the response strategies of I&C systems differ greatly from those of IT systems [4]. Existing IT cybersecurity approaches therefore cannot be applied to I&C systems directly.
An overall cybersecurity solution is thus needed for I&C systems in NPPs. The framework of prevention, detection, and response will be customized and applied to provide that solution.
The best form of security is to prevent incidents before they occur. To achieve this, the security situation of I&C systems must be known. Monitoring and auditing support the cyber situation awareness of I&C systems: monitoring focuses on the real-time security situation, while auditing is responsible for the long-term storage of security records for analysis, audit, and forensic use. Behaviour that departs from the normal patterns is noticed through monitoring and auditing.
The Approaches of Prevention, Detection, and Response 285
Since operational continuity and real-time behaviour are the first priority of I&C systems, the impact on their normal operation must be carefully considered when monitoring and auditing are deployed. Another factor is the amount of retrofit required to add the monitoring and auditing system to existing facilities.
In I&C systems, the control devices, such as operator stations, I/O servers, and control stations, are connected by the communication network, i.e. by network switches. Security monitoring points can be deployed at three possible locations in I&C systems (Fig. 1):
A. on the control devices,
B. between the control devices and the network, and
C. beside the network.
Deployment at location A means installing software (SW) on hosts such as operator stations, engineering stations, and I/O servers. The software monitors the activities of the host and detects abnormal behaviour. The advantage of this location is that both external attacks from the network and internal attacks originating on the host can be detected. The disadvantage is the need to install additional software on the host, which can cause software compatibility problems and management issues.
Deployment at location B means inserting a new hardware (HW) module between the control devices and the network, through which all network traffic into and out of the control devices passes. The advantage is that the HW module can perform intrusion detection and intrusion prevention on the traffic at the same time. The disadvantage is that processing the network packets may delay them, which has a negative impact on normal operation. Moreover, if the intrusion prevention rules are not appropriate, normal operation can be disturbed or interrupted.
Deployment at location C means installing an intrusion detection device beside the network switch. The device monitors a copy of all traffic over the network delivered through a mirroring (SPAN) switch port. The advantage of this location is that the actual network traffic does not pass through the device, so it has no impact on normal operation. The corresponding limitation is that a device on a mirror port can only observe and alert; it cannot block a packet, and it sees only the traffic that traverses the mirrored switch.
The three deployment locations are assessed below in terms of both their impact on normal operation and the amount of retrofit needed in existing facilities; see Table 1.
Intrusion detection is the most effective way to become aware of cyber-attacks [5]. The major difference between I&C systems and IT systems is that physical data are obtained and transmitted through the distinct control protocols of I&C systems, such as OPC, Siemens S7, and Modbus TCP. This characteristic brings one challenge and one advantage. The challenge is that these control protocols have to be handled, so conventional intrusion detection cannot be applied to I&C systems directly. The advantage is that the physical data can be used for more advanced intrusion detection. Unlike conventional intrusion detection for IT systems, which relies on cyber data alone, the proposed intrusion detection for I&C systems is based on the combination of cyber data and physical data. The physical data are extracted from network packets by deep packet inspection (DPI) [6]. A DPI engine specialized for the control protocols can exploit the information in a network packet at three levels.
The first level uses general network flow statistics and general packet analysis. This information includes temporal quantities such as the traffic volume of a flow, the duration of the flow, and the average packet interval, as well as spatial quantities such as source address, destination address, source port, destination port, and topology. Using this general information alone for intrusion detection usually leads to a high false alarm rate and a high miss rate. In an ICS, however, the runtime workflow is relatively fixed and the communicating parties are also relatively fixed, so the temporal and spatial distribution of network flows is relatively stable. The first-level use of flow information can therefore accurately detect attacks with obvious characteristics, such as denial of service (DoS) attacks.
The second level uses information related to the industrial control protocol. Obtaining it requires deep packet inspection that understands the industrial control protocol; the results include the protocol type and the values of the protocol fields. Industrial control protocols were designed mainly for efficient communication between devices, not for security, so they carry no encryption, authentication, or other security mechanisms. Packets can easily be sniffed, tampered with, or forged. Exploiting this weakness, an attacker can launch a malformed message attack against the industrial control protocol, causing the receivers to fail while processing the malformed message and to become blocked. Through deep inspection of the protocol-related data, we are able to detect a malformed packet that does not conform to the data structure of the protocol standard.
The third level uses information related to the physical controlled objects. Obtaining it requires not only the industrial control protocol but also the configuration of the control system. With the control configuration, the data in a control packet can be restored to quantities or commands with actual physical meaning, such as a temperature, a pressure, a valve open/closed status, or a motor start/stop command. Attacks at this level require an in-depth understanding of the control process; the most famous example is the "Stuxnet" malware. Through this deeper inspection of the data together with the control configuration, we are able to detect a packet whose content does not meet the control requirements.
After inspection of the network packets, detection algorithms are applied to the extracted data. In general, intrusion detection methods fall into two categories: anomaly detection and signature (characteristic) detection. Anomaly detection builds a model of legitimate behaviour from data of normal operation; that model is then used as the benchmark against which current operational data are tested statistically to detect anomalies. Signature-based detection compares the operational data with known malicious characteristics to decide whether malicious behaviour is present. Each method has its own advantages and disadvantages. Signature-based detection is efficient and accurate but can only identify known attacks. Unknown attacks can be detected by anomaly detection, but if the model of legitimate behaviour is incomplete, it produces more false-positive alarms.
The choice of detection method should depend on the patterns of the extracted data. When the data pattern is simple and fixed, as for data extracted at the second level that follow the standard packet structure, signature detection can be applied to identify suspicious packets that carry malicious content, such as commands to shut down a device or download a new configuration. When the data flow is complex and variable, as for the operational flows extracted at the third level, anomaly detection with machine learning algorithms is preferred.
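As an added illustration (example code written for this edit, not from the paper or its authors), the following Python script runs the three inspection levels described above over constructed Modbus/TCP frames and, at the same time, shows the two detection categories just discussed: level 1 is an anomaly test of per-flow packet rates against a baseline learned from normal traffic, level 2 combines a structural check of the MBAP header with a known-bad signature, and level 3 decodes register writes into physical quantities using a control configuration and checks them against engineering limits. The MBAP field layout and the diagnostics sub-function 0x04 (Force Listen Only Mode) come from the Modbus/TCP specification; the allowed function codes, the register-to-tag configuration, the addresses, and the traffic counts are assumptions constructed for the example.

```python
import struct
from statistics import mean, pstdev

# Assumed site policy: function codes an operator station may send to a controller.
ALLOWED_FUNCS = {0x03, 0x04, 0x06, 0x10}
# Known-bad signature: Modbus diagnostics (0x08), sub-function 0x04 "Force Listen Only Mode"
# silences the target device; this is the "shut down the device" class of packet.
FORCE_LISTEN_ONLY = (0x08, b"\x00\x04")
# Assumed control configuration: (unit id, holding register) -> (tag, low, high).
CONFIG = {
    (1, 100): ("feedwater_valve_setpoint_pct", 0, 100),
    (1, 101): ("pump_speed_setpoint_rpm", 0, 3000),
}

def build_modbus(tid, func, payload, proto=0, length=None, unit=1):
    """Build a Modbus/TCP frame (MBAP header + PDU); length=None fills in the correct value."""
    pdu = bytes([func]) + payload
    if length is None:
        length = len(pdu) + 1          # unit id + PDU
    return struct.pack(">HHHB", tid, proto, length, unit) + pdu

def parse_mbap(frame):
    """Level 2, structural part: check the MBAP header; ValueError marks a malformed frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d disagrees with frame size %d" % (length, len(frame)))
    return unit, frame[7], frame[8:]

def level1_flow_alerts(windows, baseline, k=3.0):
    """Level 1 (anomaly detection): packets per window per (src, dst) flow against a baseline
    learned from normal operation; a flow absent from the baseline is itself an alert."""
    alerts = []
    for flow, counts in windows.items():
        if flow not in baseline:
            alerts.append((flow, "flow not seen during baseline"))
            continue
        mu, sigma = mean(baseline[flow]), pstdev(baseline[flow])
        threshold = mu + k * sigma
        for i, c in enumerate(counts):
            if c > threshold:
                alerts.append((flow, "window %d: %d packets, threshold %.1f" % (i, c, threshold)))
    return alerts

def inspect_frame(frame):
    """Levels 2 and 3 on one frame. Returns a list of (level, finding); empty means clean."""
    findings = []
    try:
        unit, func, data = parse_mbap(frame)
    except ValueError as e:
        return [(2, "malformed: " + str(e))]
    if (func, data[:2]) == FORCE_LISTEN_ONLY:          # signature detection
        findings.append((2, "signature: force listen-only mode"))
    elif func not in ALLOWED_FUNCS:
        findings.append((2, "function code 0x%02x not permitted for this source" % func))
    # Level 3: decode writes into physical quantities using the control configuration.
    writes = []
    if func == 0x06 and len(data) >= 4:                # write single register
        addr, val = struct.unpack(">HH", data[:4])
        writes.append((addr, val))
    elif func == 0x10 and len(data) >= 5:              # write multiple registers
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) < 5 + nbytes:
            return findings + [(2, "malformed: byte count %d for %d registers" % (nbytes, qty))]
        values = struct.unpack(">%dH" % qty, data[5:5 + nbytes])
        writes.extend(zip(range(addr, addr + qty), values))
    for addr, val in writes:
        cfg = CONFIG.get((unit, addr))
        if cfg is None:
            findings.append((3, "write to unconfigured register %d on unit %d" % (addr, unit)))
            continue
        tag, lo, hi = cfg
        if not lo <= val <= hi:
            findings.append((3, "%s=%d outside [%d, %d]" % (tag, val, lo, hi)))
    return findings

def demo():
    """Constructed traffic: one clean frame and one attack for each level."""
    frames = {
        "normal_write": build_modbus(1, 0x06, struct.pack(">HH", 100, 55)),
        "malformed_length": build_modbus(2, 0x03, struct.pack(">HH", 100, 2), length=99),
        "listen_only": build_modbus(3, 0x08, b"\x00\x04\x00\x00"),
        "valve_out_of_range": build_modbus(4, 0x06, struct.pack(">HH", 100, 250)),
        "multi_write": build_modbus(5, 0x10, struct.pack(">HHB", 100, 2, 4) + struct.pack(">HH", 40, 9000)),
    }
    baseline = {("10.0.0.5", "10.0.0.20"): [10, 12, 11, 9, 10, 11]}   # packets per 1 s window
    observed = {("10.0.0.5", "10.0.0.20"): [11, 200],                  # second window is a flood
                ("10.0.0.99", "10.0.0.20"): [3]}                       # unknown station
    return {name: inspect_frame(f) for name, f in frames.items()}, level1_flow_alerts(observed, baseline)

if __name__ == "__main__":
    per_frame, flow_alerts = demo()
    for name, found in per_frame.items():
        print(name, found or "clean")
    for alert in flow_alerts:
        print("level 1", alert)
```

The level-2 checks are pure signature rules (fixed structure, known-bad sub-function), which is why they can be exact; the level-1 baseline is an anomaly model and inherits the false-positive risk the text describes when the baseline period does not cover every legitimate flow.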
The response approach covers the actions taken after a security incident has occurred. Because continuous availability is required, I&C systems must remain available even during a cybersecurity incident. The question of how to respond to security incidents while maintaining the availability of I&C systems leads to the approach of intrusion-tolerant control [7].
The operation of the controlled power generation process requires I&C systems to be functional at every stage. I&C systems are responsible for the monitoring, control, and protection of the whole NPP. Many processes and systems require continuous monitoring by I&C systems, even during shutdown, and for systems that operate intermittently the startup and shutdown procedures are also controlled by I&C systems. I&C systems therefore have to keep working continuously for the sake of the other systems.
288 J. Li et al.
To realize intrusion-tolerant control that keeps I&C systems continuously available, three steps are implemented in sequence: intrusion detection, intrusion assessment, and intrusion response (see Fig. 2).
The goal of intrusion detection is to detect cyber intrusions before the physical impact occurs. For intrusions that aim to cause physical damage to the controlled systems or equipment, there is a time interval between the start of the cyber-attack and the breakdown of the physical system [8]. If the intrusion can be detected quickly enough, it is possible to stop it before any physical damage is done. Even if physical damage has already been done to part of a subsystem, the sooner the intrusion is detected, the smaller the extent of the damage.
As soon as an intrusion is detected, it is assessed by pre-configured rules and/or human experts. The tasks of intrusion assessment are to estimate the range of the intrusion, to evaluate its extent, and to judge the type of intruder or malware. For example: has the intrusion reached only a few hosts or the whole I&C network? Does it attempt to steal information or to disturb operation? Are the intruders or the malware generic, or specific to the NPP? The information provided by the assessment helps decide how to respond to the intrusion.
Based on the result of the intrusion assessment, a response is taken. Intrusions that do not compromise any I&C component or disturb any controlled process can be handled by dedicated security software without human intervention. For example, an ordinary virus brought in on a portable device can be detected and removed by anti-virus software automatically before any damage is done; in that case neither the virus nor its removal causes any harm. For intrusions that cannot be handled automatically by software, human operators should be alerted so that they can switch the compromised components over to unaffected backups. Thanks to the safety design principle of redundancy in the controlled process, many I&C components, especially the critical ones, have online alternatives, such as I/O servers, network switches, and the processing modules of control stations. Because of another safety design principle, diversity, many of the redundant alternatives have different attributes, e.g. different architectures, hardware, or software, so the diverse alternatives are not likely to be affected by the same cyber-attack. In the worst case, where not only I&C components are compromised but the physical systems are also disturbed, intrusion-tolerant control can no longer be achieved; the safety protection systems must then be actuated to drive the process to a safe state.
To summarize the three steps of intrusion-tolerant control: early intrusion detection and accurate assessment are the basis of an appropriate intrusion response. Responding differently to different intrusion situations is the essence of intrusion-tolerant control. A situation beyond the capacity of intrusion-tolerant control is dealt with by the safety protection system.
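The response step described above, as an added example (written for this edit, not code from the paper or its authors): the function below takes the output of an intrusion assessment and an inventory of redundant components and chooses between the three outcomes the text distinguishes, automatic handling, switching to an unaffected backup, or handing over to the safety protection system. The selection policy is an assumption of the example: a backup on a different platform (diversity) is preferred; a same-platform backup is accepted only when the adversary is judged generic rather than plant-specific, since the same exploit is likely to work against it; with no acceptable backup, or with the physical process already disturbed, the safety protection system is actuated. Component names, roles and platforms are constructed.

```python
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    role: str          # function it provides, e.g. "io_server", "switch"
    platform: str      # hardware/software family; diversity means different platforms
    active: bool       # currently carrying the function (False = standby)
    compromised: bool = False

@dataclass(frozen=True)
class Assessment:
    """Result of the intrusion-assessment step (pre-configured rules and/or human experts)."""
    compromised: frozenset        # names of compromised components
    process_disturbed: bool       # has a controlled physical process been affected?
    targeted: bool                # adversary specific to this plant rather than generic malware

def plan_response(assessment, components):
    """Return a list of (action, detail) tuples. Policy (assumed for this example): prefer a
    backup on a different platform; accept a same-platform backup only against generic
    malware; otherwise, or once the process is disturbed, hand over to safety protection."""
    if assessment.process_disturbed:
        return [("safety_protection", "controlled process disturbed; drive the plant to a safe state")]
    if not assessment.compromised:
        return [("automatic", "no component compromised; security software cleans up without operator action")]
    for c in components:
        if c.name in assessment.compromised:
            c.compromised = True
    by_name = {c.name: c for c in components}
    actions = []
    for name in sorted(assessment.compromised):
        victim = by_name[name]
        if not victim.active:
            actions.append(("isolate", "%s is standby; isolate it and rebuild" % name))
            continue
        candidates = [c for c in components
                      if c.role == victim.role and c.name != name and not c.compromised]
        diverse = [c for c in candidates if c.platform != victim.platform]
        if diverse:
            backup = diverse[0]
        elif candidates and not assessment.targeted:
            backup = candidates[0]          # same platform: tolerable only for generic malware
        else:
            actions.append(("safety_protection",
                            "no unaffected backup for role %s; actuate safety protection" % victim.role))
            break
        victim.active, backup.active = False, True
        actions.append(("failover", "%s -> %s (%s)" % (name, backup.name, backup.platform)))
    return actions

def fleet():
    """Constructed I&C inventory: I/O servers are redundant and diverse, switches only redundant."""
    return [
        Component("io_server_a", "io_server", "vendorA_x86_windows", active=True),
        Component("io_server_b", "io_server", "vendorB_arm_linux", active=False),
        Component("switch_1", "switch", "switchA", active=True),
        Component("switch_2", "switch", "switchA", active=False),
    ]

def demo():
    """Run the response planner over the incident types discussed in the text."""
    return {
        "cleaned_virus": plan_response(Assessment(frozenset(), False, False), fleet()),
        "targeted_io_server": plan_response(Assessment(frozenset({"io_server_a"}), False, True), fleet()),
        "generic_switch": plan_response(Assessment(frozenset({"switch_1"}), False, False), fleet()),
        "targeted_switch": plan_response(Assessment(frozenset({"switch_1"}), False, True), fleet()),
        "process_hit": plan_response(Assessment(frozenset({"io_server_a"}), True, True), fleet()),
    }

if __name__ == "__main__":
    for scenario, actions in demo().items():
        print(scenario, actions)
```

The "targeted_switch" scenario is the case the text warns about: redundancy alone is not enough when the alternative shares the compromised platform, so the plan escalates to the safety protection system instead of failing over.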
6 Summary
References
1. International Atomic Energy Agency: Instrumentation and Control (I&C) Systems in Nuclear Power Plants: A Time of Transition (2008)
2. Davidson, R.: Integrating Prevention, Detection and Response Work Flows: SANS Survey on Security Optimization (2017)
3. Valkama, R.: Computer Security for Nuclear I&C Systems. Regional Training Course on Computer Security for Industrial Control Systems at Nuclear Facilities, Daejeon, Republic of Korea, 22 Aug 2016
4. Li, J., Huang, X.: Control system security in nuclear power plant. Atomic Energy Science and Technology 46(suppl.), 411–416 (2012)
5. Yang, A., Sun, L., Wang, X., Shi, Z.: Intrusion detection techniques for industrial control systems. J. Comput. Res. Dev. 53(9), 2039–2054 (2016)
6. Francia, G., Francia, X., Pruitt, A.: Towards an in-depth understanding of deep packet inspection using a suite of industrial control systems protocol packets. J. Cybersecur. Educ. Res. Pract. 2016(2) (2016)
7. Stakhanova, N., Basu, S., Wong, J.: A Taxonomy of Intrusion Response Systems. Computer Science Technical Reports (2006)
8. Li, J., Huang, X.: Cyber attack detection of I&C systems in NPPs based on physical process data. In: 2016 24th International Conference on Nuclear Engineering. American Society of Mechanical Engineers (2016)