Lecture Notes in Electrical Engineering 507

Yang Xu
Hong Xia
Feng Gao
Weihua Chen
Zheming Liu
Pengfei Gu, Editors

Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems
The Third International Symposium on
Software Reliability, Industrial Safety,
Cyber Security and Physical Protection
of Nuclear Power Plant (ISNPP)
Lecture Notes in Electrical Engineering

Volume 507

Series Editors

Leopoldo Angrisani, Department of Electrical and Information Technologies Engineering, University of Napoli
Federico II, Napoli, Italy
Marco Arteaga, Departament de Control y Robótica, Universidad Nacional Autónoma de México, Coyoacán,
Mexico
Bijaya Ketan Panigrahi, Electrical Engineering, Indian Institute of Technology Delhi, New Delhi, Delhi, India
Samarjit Chakraborty, Fakultät für Elektrotechnik und Informationstechnik, TU München, München, Germany
Jiming Chen, Zhejiang University, Hangzhou, Zhejiang, China
Shanben Chen, Materials Science & Engineering, Shanghai Jiao Tong University, Shanghai, China
Tan Kay Chen, Department of Electrical and Computer Engineering, National University of Singapore,
Singapore, Singapore
Rüdiger Dillmann, Humanoids and Intelligent Systems Lab, Karlsruhe Institute for Technology, Karlsruhe,
Baden-Württemberg, Germany
Haibin Duan, Beijing University of Aeronautics and Astronautics, Beijing, China
Gianluigi Ferrari, Università di Parma, Parma, Italy
Manuel Ferre, Centre for Automation and Robotics CAR (UPM-CSIC), Universidad Politécnica de Madrid,
Madrid, Madrid, Spain
Sandra Hirche, Department of Electrical Engineering and Information Science, Technische Universität
München, München, Germany
Faryar Jabbari, Department of Mechanical and Aerospace Engineering, University of California, Irvine, CA,
USA
Limin Jia, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Janusz Kacprzyk, Systems Research Institute, Polish Academy of Sciences, Warsaw, Poland
Alaa Khamis, German University in Egypt El Tagamoa El Khames, New Cairo City, Egypt
Torsten Kroeger, Stanford University, Stanford, CA, USA
Qilian Liang, Department of Electrical Engineering, University of Texas at Arlington, Arlington, TX, USA
Ferran Martin, Departament d’Enginyeria Electrònica, Universitat Autònoma de Barcelona, Bellaterra,
Barcelona, Spain
Tan Cher Ming, College of Engineering, Nanyang Technological University, Singapore, Singapore
Wolfgang Minker, Institute of Information Technology, University of Ulm, Ulm, Germany
Pradeep Misra, Department of Electrical Engineering, Wright State University, Dayton, OH, USA
Sebastian Möller, Quality and Usability Lab, TU Berlin, Berlin, Germany
Subhas Mukhopadhyay, School of Engineering & Advanced Technology, Massey University,
Palmerston North, Manawatu-Wanganui, New Zealand
Cun-Zheng Ning, Electrical Engineering, Arizona State University, Tempe, AZ, USA
Toyoaki Nishida, Graduate School of Informatics, Kyoto University, Kyoto, Kyoto, Japan
Federica Pascucci, Dipartimento di Ingegneria, Università degli Studi “Roma Tre”, Rome, Italy
Yong Qin, State Key Laboratory of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
Gan Woon Seng, School of Electrical & Electronic Engineering, Nanyang Technological University,
Singapore, Singapore
Joachim Speidel, Institute of Telecommunications, Universität Stuttgart, Stuttgart, Baden-Württemberg,
Germany
Germano Veiga, Campus da FEUP, INESC Porto, Porto, Portugal
Haitao Wu, Academy of Opto-electronics, Chinese Academy of Sciences, Beijing, China
Junjie James Zhang, Charlotte, NC, USA
The book series Lecture Notes in Electrical Engineering (LNEE) publishes the latest developments in
Electrical Engineering - quickly, informally and in high quality. While original research reported in
proceedings and monographs has traditionally formed the core of LNEE, we also encourage authors to
submit books devoted to supporting student education and professional training in the various fields and
application areas of electrical engineering. The series covers classical and emerging topics concerning:

• Communication Engineering, Information Theory and Networks
• Electronics Engineering and Microelectronics
• Signal, Image and Speech Processing
• Wireless and Mobile Communication
• Circuits and Systems
• Energy Systems, Power Electronics and Electrical Machines
• Electro-optical Engineering
• Instrumentation Engineering
• Avionics Engineering
• Control Systems
• Internet-of-Things and Cybersecurity
• Biomedical Devices, MEMS and NEMS

For general information about this book series, comments or suggestions, please contact leontina.dicecco@springer.com.
To submit a proposal or request further information, please contact the Publishing Editor in your
country:

China
Jasmine Dou, Associate Editor (jasmine.dou@springer.com)

India
Swati Meherishi, Executive Editor (swati.meherishi@springer.com)
Aninda Bose, Senior Editor (aninda.bose@springer.com)

Japan
Takeyuki Yonezawa, Editorial Director (takeyuki.yonezawa@springer.com)

South Korea
Smith (Ahram) Chae, Editor (smith.chae@springer.com)

Southeast Asia
Ramesh Nath Premnath, Editor (ramesh.premnath@springer.com)

USA, Canada:
Michael Luby, Senior Editor (michael.luby@springer.com)

All other Countries:
Leontina Di Cecco, Senior Editor (leontina.dicecco@springer.com)
Christoph Baumann, Executive Editor (christoph.baumann@springer.com)

** Indexing: The books of this series are submitted to ISI Proceedings, EI-Compendex, SCOPUS,
MetaPress, Web of Science and Springerlink **

More information about this series at http://www.springer.com/series/7818


Editors

Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Hong Xia, College of Nuclear Science and Technology, Harbin Engineering University, Harbin, Heilongjiang, China
Feng Gao, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Weihua Chen, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China
Zheming Liu, Product Information Committee of China Instrument and Control Society, Beijing, China
Pengfei Gu, China Nuclear Power Design Co., Ltd., Shenzhen, Guangdong, China

ISSN 1876-1100 (print), ISSN 1876-1119 (electronic)
Lecture Notes in Electrical Engineering
ISBN 978-981-13-3112-1 (print), ISBN 978-981-13-3113-8 (eBook)
https://doi.org/10.1007/978-981-13-3113-8

Library of Congress Control Number: 2018967732

© Springer Nature Singapore Pte Ltd. 2019


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission
or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt from
the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publisher nor the
authors or the editors give a warranty, expressed or implied, with respect to the material contained
herein or for any errors or omissions that may have been made. The publisher remains neutral with regard
to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
Preface

In recent years, along with the development of domestic research and international communications, more digital instrumentation and control (I&C) technologies have been used in China's nuclear power plants, such as the microprocessor-based safety I&C system named FirmSys developed by China General Nuclear Power Corporation and the FPGA-based safety DCS named NASPIC developed by China National Nuclear Corporation. In order to solve the problems in actual production and applications, and to provide a platform for technical discussion, the 3rd International Symposium on Software Reliability, Industrial Safety, Cyber Security and Physical Protection of Nuclear Power Plant (ISNPP) was convened by related organizations and governmental divisions.
Since 2016, this symposium has become an effective annual technical discussion platform for nuclear power builders, regulators, research institutions, and manufacturers. The 3rd ISNPP was successfully held in Harbin, China, from August 15 to 17, 2018. It attracted around 100 researchers, experts, and engineers from 34 organizations, including Tsinghua University, the Ministry of Ecological Environment, the State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., etc., as well as institutions and companies from the aerospace industry. The symposium served as a platform for exchanging ideas on every aspect of nuclear power plants' instrumentation and control systems, and also promoted military-civilian integration in China.
More than 100 conference papers were submitted for the symposium, covering topics including digital instrumentation and control technology, electromagnetic compatibility, main control room and human–machine interface design, software verification and validation, etc. After anonymous peer review and selection by the experts, 33 outstanding papers were finally accepted to the proceedings published in Lecture Notes in Electrical Engineering by Springer, including seven papers remarked as excellent. The keynote speeches "I&C Island Solutions Based on FirmSys", "Digital Transformation of I&C System" and "I&C System components and parts localization" were presented at the symposium, in which the speakers shared their latest and most important research progress with the audience. In fact, many topics discussed at the symposium provided important reference and strong support for the related works of nuclear power plants. We believe these papers could also benefit the entire nuclear instrumentation and control system industry.
On the occasion of the publication of these papers, we would like to thank the organizers of the symposium for providing a good platform for the majority of nuclear power practitioners. We are also very grateful to the experts and scholars who provided support and guidance during the reviewing process. Finally, we would like to thank all the authors, without whose efforts and studies this volume would never have been published successfully.

Shenzhen, China
Pengfei Gu


Organization

Sponsors

Product Information Committee of China Instrument and Control Society (CIS-PIC)
Nuclear Instrument and Control Technical Division of China Instrument and
Control Society (CIS-NICT)
Professional Committee of Nuclear Facility Cyber Security, Nuclear Safety Branch,
China Nuclear Society (CNS)

Organizer

China Nuclear Power Engineering Co., Ltd. (State Key Laboratory of Nuclear
Power Safety Monitoring Technology and Equipment) (CNPEC)

Co-organizers

College of Nuclear Science and Technology of Harbin Engineering University
China Techenergy Co., Ltd. (CTEC)
China Nuclear Control Systems Engineering Co., Ltd. (CNCS)

Editors

Yang Xu, Department of Engineering Physics, Tsinghua University, Beijing, China
Hong Xia, College of Nuclear Science and Technology, Harbin Engineering University, Harbin, China
Feng Gao, China Nuclear Power Design Co., Ltd., Shenzhen, China


Weihua Chen, China Nuclear Power Design Co., Ltd., Shenzhen, China
Zheming Liu, Product Information Committee of China Instrument and Control
Society, Beijing, China
Pengfei Gu, China Nuclear Power Design Co., Ltd., Shenzhen, China

Secretary of Organizing Committee

Xiaolian Wang, Product Information Committee of China Instrument and Control Society, Beijing, China

Director of Executive Committee

Yuzhou Yu, Product Information Committee of China Instrument and Control Society, Beijing, China

Contents

Communication Design of Low Residual Error Probability
Based on Function Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Gui-Lian Shi, Ming-Li Li, Gang Li, Jie Zhang, and Chang-Yu Mo
Apply FMEDA to Guide Self-diagnostic Design for Digital
Circuit Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Jie Zhang, Jin Fan, Gang Li, Ming-Li Li, and Yi-Qin Xie
A Reusable Functional Simulation Verification Method
Based on UVM for FPGA Products in DAS . . . . . . . . . . . . . . . . . . . . . . 17
Xiu-Hong Lv, Yun-Tao Zhang, Zong-Sheng Cao, Fei Wu,
and Ling-Ling Dong
The Method of Failure Analysis for Safety-Critical System
Software Based on Formalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Xiao-Bo Zhou, Jin Fan, Ru-Mei Shi, Ya-Dong Zhang, and Qiao-Rui Du
A Study About Software V&V Evaluation of Safety I&C System
in Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Peng-Fei Gu, Zhe-Ming Liu, Wei Xiong, Wei-Hua Chen,
and Sheng-Chao Wang
A Study About Pre-developed Software Qualification of Smart
Devices Applied in NPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Sheng-Chao Wang, Tao Bai, Peng-Fei Gu, and Wang-Ping Ye
Applications of Data Mining in Conventional Island of Nuclear
Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Zhi-Gang Wu, Xiao-Yong Zhang, Chang-Ge Xiao, and Wen Chen
A Hierarchically Structured Down-Top Test Equipment Debugging
Method for RPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Wang Xi, Tao Bai, Peng-Fei Gu, Wei Liu, and Wei-Hua Chen

Discussion for Uncertainty Calculation of Containment
Leakage Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Yu Sun, Jun Tian, Tian-You Li, and Zhao-yang Liu
Research and Improvement of the Flowmeter Fracture Problem
of Condensate Polishing System in Nuclear Power Plant . . . . . . . . . . . . 87
Hai-Tao Wu, Xin Ding, and Tie-Qiang Lu
Study on Optimization of Turbidity Control for Seawater
Desalination System in Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . 95
Hai-Tao Wu, Pan-Xiang Yan, Yong Yan, and Hao Zhong
Optimization Scheme of Turbine Frequency Regulation
for Passive Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Le-Yuan Bai, Kai Gu, Bin Zeng, and Gang Yin
Research and Optimization of the Control Cooperation Between
Turbine Control System and DCS in Nuclear Power Plant . . . . . . . . . . 114
Xiao-Lei Zhan, Kai Gu, Bin Zeng, Xu-Feng Wang, and Chong Zhang
Risk Analysis and Management of Software V&V Activities
in NPPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Hui-Hui Liang, Peng-Fei Gu, Jian-Zhong Tang, and Wei-Hua Chen
The Optimization of Siemens Turbine Synchronization
Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Yan Liu, Pu Zhang, Gang Yin, and Chong Zhang
Research on the Verification and Validation Method
of Commercial Grade Software in Nuclear Power Plants . . . . . . . . . . . . 139
Wang-Ping Ye, Ya-Nan He, Peng-Fei Gu, and Wei-Hua Chen
Research on Application of Sequence Control Strategy
in Conventional Island System of Nuclear Power Plant . . . . . . . . . . . . . 149
Hai-Ying Fan, Song-Di Ji, and Xin-Nian Huang
Optimization of Control Solution for Deaerator Water Level
Protection in Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Ying Meng and Jie-Qing Huang
Study on Layout Design and Mechanical Calculation of Seismic
Instrumentation Tubing in Digital Nuclear Power Plant . . . . . . . . . . . . 163
Shuai Huang, Yuan-Jiang Li, Xing-Gao Zhan, and Hai-Tao Wu
Research on the Verification and Validation Method of Safety
Analysis Software in Nuclear Power Plants . . . . . . . . . . . . . . . . . . . . . . 174
Ya-Nan He, Wei Xiong, Peng-Fei Gu, and Jian-Zhong Tang
A Study About Configuration Management Process for Safety DCS
Software V&V in Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . 183
Wei Xiong, Ya-Nan He, Peng-Fei Gu, Hui-Hui Liang,
and Jian-Zhong Tang
Research and Application on the Gateway Design of Digital Control
System of Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Yue-Liang Sun, Zhi-Jia Wang, Hong-Tao Sun, and Wei Bai
Algorithm Research of the ICCMS for Qinshan Phase II NPP
Based on FirmSys Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Xin-Xin Fan, Bo Zhang, Hong-Tao Sun, Li-Min Xia, and Wei-Zhi Zheng
Application of Mosaic Instruments on Back-up Panel in Nuclear
Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Zhi-Guo Ma, Chao Gao, Qing-Jun Meng, Hong-Tao Sun, and Fu-Ju Xie
Equipment Qualification and Methods Application for Class 1E
Digital Instrumentation and Control System . . . . . . . . . . . . . . . . . . . . . 219
Jin Fan, Liang Li, Yong-Bin Sun, and Hua-Ming Zou
Study on Itemized Requirements of Safety Digital I&C System
in NPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Tao Bai, Ji-Xiang Shu, Peng-Fei Gu, and Ya-Nan He
Instrument Survivability Assessment During Severe Accident
in HPR1000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Liu Li and Guo Lin
Influence Analysis of the Halogen Cables Used in the Safety
Related Circuits of AP1000 Nuclear Power Plant . . . . . . . . . . . . . . . . . . 241
Xin-Yu Wang, Cong Li, Jing-Yuan Yang, and Qi Wu
Network Risk Management Based on the ALARP Criteria
for Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Xiao-Jun Liu and Jun-Long Tan
Analysis of Communication Failures in Radiation Monitoring
System of a Nuclear Power Plant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Guang-Feng Li, Xin-Yu Wang, Jing-Yuan Yang, and Hong-Wei Sha
Design of Geological Disaster Monitoring and Early-Warning
System for Mountainous Nuclear Facilities . . . . . . . . . . . . . . . . . . . . . . 265
Zuo-Ming Zhu, Jin-Xing Cheng, Wei-Wei Wen, You-Peng Wu, Xin Gao,
Rong-Zheng Xu, and Bin Zhang
Research on Anti-seismic Qualification for Nuclear Safety Class I&C
Equipment Base on Single-Frequency Wave Technical . . . . . . . . . . . . . 274
Yong-Bin Sun, Ze-Sheng Hao, Hua-Ming Zou, Lei Wang,
and Qiao-Rui Du
The Approaches of Prevention, Detection, and Response
for Cybersecurity of I&C Systems in NPPs . . . . . . . . . . . . . . . . . . . . . . 283
Jianghai Li, Chao Guo, Wen Si, and Xiaojin Huang
Communication Design of Low Residual Error Probability Based on Function Safety

Gui-Lian Shi, Ming-Li Li (corresponding author), Gang Li, Jie Zhang, and Chang-Yu Mo

China Techenergy Co., Ltd. (CTEC), Beijing 100094, China
limingli@cgnpc.com.cn

Abstract. As the scale of the petrochemical and electric power industries grows, the safety instrumented system (SIS) becomes more complex and the safety requirements of the SIS become more rigorous. Generally, an SIS is composed of sensors, actuators, logical control devices, and communication systems. The design of the communication system is considered a key part of SIS design, and the residual error probability is an important index to evaluate the safety of communication. Therefore, it is crucial to come up with a method to design a communication system with low residual error probability. On the basis of the design experience of FirmSys, which is a safety integrity level (SIL) 3 safety platform developed by China Techenergy Corporation (CTEC), and according to the standard IEC 61508, this article presents the design measures necessary to reach a low residual error probability, including data integrity assurance, diagnostic techniques, the number of bits in the block, etc. It also provides the design method for each element. This design method is applicable to the design of communication protocols which must meet functional safety requirements.

Keywords: Function safety · Residual error probability · FirmSys

1 Introduction

With the large-scale production of the petrochemical, electric power and other industries, ensuring the safety and reliability of safety systems and avoiding major industrial accidents have become the main concerns of safe production. The disasters that shocked the world, such as the Bhopal gas leak in India and the Chernobyl nuclear power plant accident in the former Soviet Union, have given people an unprecedented focus on safety in industrial production. SIS is a category of safety-related systems (SRS), and it is an important measure to ensure production safety. An SIS is required to correctly perform its safety functions before a dangerous event occurs, to avoid or reduce the occurrence of an accident [1]. Typically, an SIS consists of sensors, actuators, logical control devices, and communication systems. The design of the communication system is one of the key designs for the SIS, and the communication residual error probability is a quantitative index to evaluate communication safety [2]. Therefore, how to design communication systems with relatively low residual error probability is the foundation of an SIS based on digital control system (DCS) technology.
FirmSys is a nuclear power plant safety control system platform developed by CTEC; it is the brain and nerve center of a nuclear power plant and plays a vital role in ensuring the safety of nuclear power plant equipment, personnel and the environment. The safety communication of FirmSys meets both the nuclear requirements and the functional safety requirements. This paper focuses on a key index of safety communication, the residual error probability of communication, including the definition of the communication design requirements based on functional safety. In addition, based on IEC 61508, it summarizes and analyzes the design factors of safety communication, and unifies the FirmSys experience in nuclear power and functional safety to design a safety communication.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 1–9, 2019.
https://doi.org/10.1007/978-981-13-3113-8_1

2 Residual Error Probability Requirements of Communication in Functional Safety

IEC 61508 proposes to use the SIL for evaluating the risk reduction capability of a safety function. PFD (probability of dangerous failure on demand) and PFH (average frequency of dangerous failure, in h−1) are the important quantitative indicators: PFD is used for low-demand SIS and PFH for high-demand SIS [3]. In this paper, PFD is taken as an example; PFH can be used in a similar way.
In terms of safety communication requirements, IEC 61508 makes reference to IEC 61784-3, which raises the communication residual error probability as a quantitative evaluation index. The communication residual error probability measures the probability that an undiagnosed failure will still occur after a series of measures has been taken. IEC 61784-3 requires the communication residual error probability to be far less than the SIL requirement for the safety function loop, namely 1% of the maximum system PFD, as shown in Fig. 1:

Fig. 1. Safety function loop (sensor – communication – logic processor – communication – actuator; the loop as a whole carries the PFD, and the communication links are allotted 1% of the PFD)

The corresponding relationship of residual error probability, PFD and SIL is shown in Table 1 [3]. In the SIS design process, first identify the functions required to reduce the original risk to an acceptable level on the basis of hazard identification and risk analysis, and determine the PFD requirements for these functions. Afterwards, determine the corresponding SIL for the designed safety functions. Further, the requirement for the communication residual error probability is assigned to the SIS based on its SIL, as shown in Table 1.

Table 1. Correspondence of residual error probability, PFD and SIL

SIL   PFD                 Residual error probability of communication
4     [1.0e-5, 1.0e-4)    [1.0e-7, 1.0e-6)
3     [1.0e-4, 1.0e-3)    [1.0e-6, 1.0e-5)
2     [1.0e-3, 1.0e-2)    [1.0e-5, 1.0e-4)
1     [1.0e-2, 1.0e-1)    [1.0e-4, 1.0e-3)

3 Design Method for Safety Communication with Low Residual Error Probability

The design factors affecting the communication residual error probability are analyzed,
and then the design is carried out for each factor.

3.1 Analysis of Relevant Design Factors

To evaluate the communication residual error probability of safety communications, the basic residual error probability calculation formula is specified in the standard IEC 61784-3:

$\Lambda_{SL}(P_e) = R_{SL}(P_e) \times v \times m$ (1)

where:
$\Lambda_{SL}(P_e)$ is the residual error rate per hour of the safety communication layer with respect to the bit error probability;
$P_e$ is the bit error probability (unless a better error probability can be proven, a value of $10^{-2}$ shall be used);
$R_{SL}(P_e)$ is the residual error probability of a safety message;
$v$ is the maximum number of safety messages per hour;
$m$ is the maximum number of information sinks permitted in a single safety function;
SL denotes the safety communication layer.

The residual error rate based on detection by a cyclic redundancy check (CRC) mechanism can be calculated using Eq. (2) below (residual error probability for CRC polynomials):

$R_{CRC}(P_e) = \sum_{i=1}^{n} A_i \cdot P_e^{\,i} \cdot (1 - P_e)^{n-i}$ (2)

where:
$A_i$ is the distribution factor of the code (determined either by computer simulation or by mathematical analysis);
$n$ is the number of bits in the block, including its CRC signature.

By analyzing the above assessment methods, the corresponding design elements can be sorted out, including: redundant checksum codes, the number of bits in the block, transfer media, transfer rates, and the number of information sinks.

3.2 Related Design Methods for the Residual Error Probability of Communication

The paper expands the design factors separately as follows:
• redundant checksum codes
The most commonly used redundant checksum code is the CRC. When there is a certain number of errors in the communication data, the CRC can detect the communication failure, which greatly reduces the communication residual error probability, so the CRC is the first design factor to consider.
Different CRC polynomials have different effects on the communication residual
error probability, and the criteria are given for whether a CRC polynomial is appro-
priate in standard IEC 61784-3. Figure 2 shows the differences between the changing
curves of residual error probability under proper CRC polynomials and improper CRC
polynomials.

Fig. 2. Proper and improper CRC polynomials



Investigations of the CRC method have shown that for the particular class of so-called proper CRC polynomials, a weighting factor $2^{-r}$ is applicable within the equation to build an approximation. The residual error probability approximation for CRC polynomials is shown in Eq. (3) below [2]:

$R_{CRC}(P_e) \approx 2^{-r} \cdot \sum_{k=d_{min}}^{n} \binom{n}{k} P_e^{\,k} (1 - P_e)^{n-k}$ (3)

where $d_{min}$ represents the minimum distance between code words (the minimum Hamming distance), $\binom{n}{k}$ represents the number of combinations of $n$ taken $k$, and $r$ represents the length of the CRC.
Equation (3) shows that the communication residual error probability becomes
lower with the increment of r, which means the safety and reliability of communication
improve.
• the number of bits in the block
Equation (3) also shows that the reliability of communication deteriorates as the number of bits in the block increases. With the same CRC polynomial, a different number of bits in the block can also reduce the minimum Hamming distance, as shown in Fig. 3 [4, 5]. Therefore the proper number of bits in the block should be chosen for the communication design, with reference to Table 2.

Fig. 3. The trend of Hamming distance as the code values increase


Table 2. Relationship between hamming distance and the number of bits in the block
HD IEEE 802.3 Castagnoli Koopman Castagnoli Koopman Koopman Castagnoli Koopman
0x82608EDB (iSCSI) 0xBA0DC66B 0xFA567D89 0x992C1A4C 0x90022004 0xD419CC15 0x80108400
{32} 0x8F6E37A0 {1,3,28} {1,1,15,15} {1,1,30} {1,1,30} {32} {32}


{1,31}
15 8–10
14 – 8
13 – –
12 11–12 9–20 8–16 8–11 8–16 8–17
11 13–21 – – – – 8–21
10 22–34 21–47 17–18 12–24 17–26 22–27
9 35–57 – – – – –
8 58–91 48–177 19–152 25–274 27–134 28–58
7 92–171 – – – – 59–81
6 172–268 178–5243 153–16360 275–32736 135–32737 8-32738 82–1060
5 269–2974 – – – – – 1061–65505 8–65505
4 2975–91607 5244–131072 16361– 32737– 32738– 32739– – –
114663 65502 65506 65506
3 91608–131072 – – – – – –
2 114664+ 65503+ 65507+ 65507+ 65506+ 65506+

The safety communication of FirmSys determines the number of bits in the block based on the system needs. The original design used a CRC polynomial with an improper Hamming distance; after SIL certification, a proper CRC polynomial was selected so that the communication residual error probability meets the requirement.
• transfer media
The transmission loss of the transfer medium and the influence of the environment during transmission have a great effect on the bit error probability ($P_e$) of communication. The standard IEC 61784-3 provides a default value of $10^{-2}$ if the error rate of the transmission medium is not known. A transmission medium with high reliability and low transmission loss should be selected, such as optical fiber, shielded twisted pair, etc.
• transfer rate
From Eq. (1), when calculating the communication residual error probability of the communication system, the transmission rate of the communication, $v$, is also an important factor. Therefore, the transmission rate should be minimized under the precondition of meeting the requirement.
• number of information sinks
The number of information sinks, $m$ in Eq. (1), is the number of terminals that receive the safety communication. The number $m$ is relatively small and generally has little impact on the residual error probability of communication. It is generally related to the architecture of the system, and a margin should be provided in the protocol design. Validation of the residual error probability of communication is required in the application of the SIS.

3.3 Redundant Schema Design for Communication Systems


The basic formula for the communication residual error probability is specified in the standard IEC 61784-3, but communication architecture design is not considered there. When communication packets become longer, it is difficult to meet the requirement of a low communication residual error probability (such as SIL3) through the design methods of Sect. 3.2 alone. According to system reliability theory, the reliability of the system can be improved by using a redundant architecture. To further improve communication reliability, it is feasible either to adopt redundant communication links or to adopt redundant communication packages. In addition, cross comparison of the redundant data needs to be implemented for both of them.
For a redundant safety communication design, the communication residual error probability is calculated as follows [6, 7]:

$$\Lambda_{SL}(P_e) = C_N^M \,\bigl(R_{SL}(P_e)\bigr)^M \times v \times m \qquad (4)$$

where $C_N^M$ is the number of combinations of $M$ out of $N$, which means that if more than $M$ blocks out of $N$ blocks fail, the entire communication fails, and $R_{SL}(P_e)$ is the residual error probability of a single safety communication.

Compared with Eq. (1), the communication residual error probability of the entire communication system given by Eq. (4) has decreased significantly.
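The effect of the CRC polynomial choice (Sect. 3.2) and of the redundancy in Eq. (4) can be made concrete with a small weight-distribution calculation. This is an added example, not code from the paper: the product form of Eq. (1) ($\Lambda_{SL} = R_{SL}(P_e) \times v \times m$), the traffic figures $v$ and $m$, and the two 8-bit polynomials compared are assumptions chosen for illustration.

```python
# Added example (not code from the paper): how the CRC polynomial choice and the
# redundancy of Eq. (4) change the residual error probability of a safety block.
# The form of Eq. (1), Lambda_SL = R_SL(Pe) * v * m, and the traffic figures v, m
# below are assumptions; the weight-distribution method is standard coding theory.
from math import comb


def crc_remainder(data: int, k: int, poly: int, r: int) -> int:
    """Remainder of data(x) * x^r modulo poly(x); poly carries its x^r term,
    e.g. 0x107 = x^8 + x^2 + x + 1 (CRC-8-CCITT)."""
    reg = data << r
    for i in range(k + r - 1, r - 1, -1):      # long division, MSB first
        if (reg >> i) & 1:
            reg ^= poly << (i - r)
    return reg & ((1 << r) - 1)


def weight_distribution(k: int, poly: int, r: int) -> list:
    """A[w] = number of codewords of Hamming weight w for k data bits + r check
    bits.  The code is linear, so A[w] (w >= 1) is also the number of error
    patterns of weight w that the CRC cannot detect.  Brute force, fine for k <= 16."""
    n = k + r
    A = [0] * (n + 1)
    for d in range(1 << k):
        codeword = (d << r) | crc_remainder(d, k, poly, r)
        A[bin(codeword).count("1")] += 1
    return A


def hamming_distance(A: list) -> int:
    """Smallest weight of an undetectable error pattern."""
    return next(w for w in range(1, len(A)) if A[w])


def residual_error_probability(A: list, pe: float) -> float:
    """R_SL(Pe): probability that a block hit by independent bit errors (rate Pe)
    is corrupted in a way the CRC does not detect."""
    n = len(A) - 1
    return sum(A[w] * pe ** w * (1 - pe) ** (n - w) for w in range(1, n + 1))


def residual_error_rate(r_sl: float, v: float, m: int) -> float:
    """Eq. (1) (assumed form): residual error rate for v blocks per hour and m sinks."""
    return r_sl * v * m


def redundant_residual_error_rate(r_sl: float, v: float, m: int, N: int, M: int) -> float:
    """Eq. (4): the communication fails only if M of the N redundant packages fail."""
    return comb(N, M) * r_sl ** M * v * m


def compare_polynomials(k: int = 8, pe: float = 1e-2, v: float = 3.6e6, m: int = 2) -> dict:
    """Improper polynomial x^8 + 1 (Hamming distance 2) versus x^8 + x^2 + x + 1
    (Hamming distance 4) on a k-bit data block at the IEC 61784-3 default Pe,
    for a single package and for a 2-of-2 redundant package (assumed v, m)."""
    out = {}
    for label, poly in (("x^8+1", 0x101), ("x^8+x^2+x+1", 0x107)):
        A = weight_distribution(k, poly, 8)
        r_sl = residual_error_probability(A, pe)
        out[label] = {"HD": hamming_distance(A), "R_SL": r_sl,
                      "Lambda_single": residual_error_rate(r_sl, v, m),
                      "Lambda_2of2": redundant_residual_error_rate(r_sl, v, m, 2, 2)}
    return out


if __name__ == "__main__":
    for label, res in compare_polynomials().items():
        print(label, res)
```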

3.4 Firmsys Safety Communication Design


FirmSys has many kinds of safety communication; in this paper the safety communication between control stations is chosen as the example. The target communication residual error probability is 1.0E-9. For the original communication design, if the default value of 1.0E-2 is adopted for Pe, the target cannot be met. However, according to the standard IEEE 802.3, the value of Pe can be set to 1.0E-8, since FirmSys communication adopts optical fibre transmission [8]. In that case the calculated communication residual error probability reaches the target. Even though the target is met in that case, CTEC still decided to improve the communication design. Through analysis, appropriate CRC polynomials were selected and redundant communication packages were adopted. After implementing these measures, the safety of the communication has been strengthened and the communication residual error probability satisfies the design requirement even under the most conservative assessment criterion (using the default Pe value).

3.5 Summary
When applying this design method to a safety communication design, the number of bits in the block is first determined from the actual amount of communication data; it should be minimized because it has a negative effect on the communication residual error probability. Then the proper CRC polynomial is selected based on the number of bits in the block. Next, the communication rate is determined according to the application scenario, and then whether the communication architecture needs redundancy. Communication design is an iterative process, and the residual error probability should be evaluated after each design change.

4 Conclusions

Based on the requirements of functional safety, and combining the experience of FirmSys in nuclear safety design and functional safety authentication, this paper summarizes and analyzes the design factors behind a low communication residual error probability for functional safety communication. To meet the design requirement of a low communication residual error probability, the design needs to consider the following measures: CRC polynomial selection, number of bits in the block, communication medium, transmission rate and the number of information sinks. This paper focuses on these factors and provides design references or acceptance criteria. In addition, the residual error probability of communication can be reduced further through the architecture design of the safety communication. This paper can serve as a reference for safety communication design with high reliability and low communication residual error probability.

References
1. Jin, J., Wu, Z., et al.: A review of the development of safety instrumentation systems at home and abroad. Chem. Autom. Instrum. 37(05), 1–6 (2010)
2. IEC 61784-3: Industrial communication networks – Profiles – Part 3: Functional safety fieldbuses – General rules and profile definitions (2016)
3. IEC 61508-2: Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems (2010)
4. Koopman, P.: 32-bit cyclic redundancy codes for internet applications. In: The International Conference on Dependable Systems and Networks (DSN) (2002)
5. Fujiwara, T., Kasami, T., Kitai, A., et al.: On the undetected error probability for shortened Hamming codes. IEEE Trans. Commun. 33(6), 570–574 (1985)
6. IEC 61025: Fault tree analysis (FTA) (2006)
7. Mingli, L., Guilian, S., Qi, M., et al.: A method of quantitative risk assessment for safety communication residual error probability. China patent ZL201310631726.0 (2016)
8. IEEE 802.3: IEEE Standard for Ethernet (2015)
Apply FMEDA to Guide Self-diagnostic Design for Digital Circuit Board

Jie Zhang1 (corresponding author), Jin Fan2, Gang Li1, Ming-Li Li1, and Yi-Qin Xie1
1 China Techenergy Co., Ltd, Beijing 100094, China, zhangjie4@cgnpc.com.cn
2 China Nuclear Power Engineering Co., Ltd, Beijing 100840, China

Abstract. Today the Safety Digital Control System (DCS) is widely applied in industrial safety systems. A safety DCS is mainly composed of input modules, a logic control unit, output modules, and communication modules. Each module features a powerful fault diagnostic capability and is able to detect hidden failures. On the other hand, the diagnostic design increases complexity, and a failure of the diagnostics may itself trigger a false alarm, which could lead to production loss. Therefore the design of self-diagnostic measures is very important for the digital modules of a safety DCS. Based on the development experience of FirmSys, a safety DCS platform developed by China Techenergy Co., Ltd (CTEC), this paper proposes Failure Modes, Effects, and Diagnostic Analysis (FMEDA) to evaluate the diagnostic coverage (DC) and false alarm rate (FAR) and to guide self-diagnostic design. A case study of the Digital Output (DO) module demonstrates the feasibility of the proposed method.

Keywords: FMEDA · Diagnostic coverage · False alarm rate

1 Introduction

A safety system is a system that automatically activates the relevant equipment and performs protection functions when needed. It is widely used in different industries, e.g., oil & gas, nuclear, rail transport, etc. In recent years, some DCS suppliers in China have started to develop safety DCS under the encouragement of the safety I&C system localization strategy. CTEC has successfully developed a safety DCS platform named FirmSys, which can be applied to the reactor protection system of nuclear power plants and to other industries in which high-safety systems are required.
Safety I&C systems should fulfill a specific Safety Integrity Level (SIL) according to the application requirement. The probability of failure on demand (PFD) is required to reach a defined target level for a specific SIL, and DC always has a large influence on PFD [1]. Therefore the self-diagnostic design of each module is a critical issue. A good diagnostic measure design should increase DC and meanwhile ensure a low FAR. Some research work has been done on FMEDA applications, and it has shown that FMEDA is a suitable method to evaluate PFD and SIL for a system or a single piece of equipment [2–4]. That work focuses on the evaluation of the diagnostic coverage and the safe failure fraction. However, FMEDA can also be used to evaluate the FAR. In this paper, based on the research and development experience of FirmSys, certified as SIL3 by TUV, a method to improve diagnostic design is proposed.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 10–16, 2019.
https://doi.org/10.1007/978-981-13-3113-8_2
The paper is structured as follows. Section 2 describes how FMEDA is integrated into the FirmSys development process and the relationship between the two. Section 3 describes how to apply FMEDA to improve the self-diagnostic design of a digital circuit board. Section 4 presents a case study of the DO module to demonstrate the feasibility of FMEDA, and the conclusion is drawn in Sect. 5.

2 FMEDA in the Development of FirmSys

The development of FirmSys follows the V model shown in Fig. 1, which presents the different phases of the life cycle. In compliance with the V model, each phase on the left side starts with verification of the previous phase, and each phase on the right side is a validation and verification process for the corresponding phase on the left.

[Figure 1 content: V model. Left side, top to bottom: System Concept, System Requirement, System design, Module Requirement, Module design, Module Implementation. Right side, bottom to top: Module testing, Module Validation, System integration, System Validation. FMEDA is attached to the module design phase; the arrows are labelled Validation, Analytic Verification, Test Verification and Output.]

Fig. 1. FirmSys development lifecycle model

In the module requirement phase, different types of requirements are raised for the
module, including the self-diagnostic requirements. The self-diagnostic requirements
are normally derived from several sources, for example, the relevant standard (e.g. IEC
60671 and IEC 60880), the customer requirements, diagnostic capability of the similar
products, etc. [5, 6].

In the module design phase, a pre-design of the self-diagnostics is first carried out to fulfill the requirements defined in the previous phase, based on experience and on the good practices recommended by the standards. Then FMEDA is applied to evaluate the self-diagnostic measures and identify their flaws. After the FMEDA, the identified defects are fed back into the update of the module design. This is an iterative process that minimizes the influence of the designers' skill and experience on the module design and improves the module's self-diagnostic capability.
In the module test phase, the results of the FMEDA can serve as input to the Fault Injection (FI) test, where the effectiveness of the diagnostic measures is also tested.

3 Self-diagnostics Assessment and Improvement

3.1 Enhance Diagnostic Coverage


After the pre-design of the module self-diagnostics, FMEDA is carried out for every component to obtain a quantitative evaluation of the diagnostic effectiveness. In general, the failure modes and their occurrence ratios (Alpha) for each component are taken from standards [7–9]. The effect of each failure mode on the module is analyzed according to the specific application, and the severity of the failure mode and whether it is a dangerous or a safe failure are decided. The failure mode is categorized into one of five types: safe undetected (SU), safe detected (SD), dangerous undetected (DU), dangerous detected (DD) and not relevant (NR). The diagnostic effectiveness (DE) is derived based on the standard IEC 61508. An example is given in Table 1.
In addition, failure modes without self-diagnostic measures can be screened out. For the dangerous failure modes, self-diagnostic measures should be designed so that as few of them as possible remain undetectable.

Table 1. An FMEDA example of a resistor

| 1 Name | 2 Failure rate (FIT) | 3 Failure mode | 4 Alpha | 5 Failure Effect | 6 Severity | 7 Dangerous (1) or safe (0) | 8 Diagnostic measures | 9 Failure type | 10 DE |
| Resistor R1 | 1.7 | Open circuit | 80% | Transistor Q11 cut-off, DO stuck at 1 | High | 0 | None | SU | NR |

3.2 Decrease the FAR


Improving the self-diagnostic measures includes not only increasing the DC but also reducing the FAR. There are many causes of false alarms, including measurement precision, communication errors, hardware failures, etc. In this section only the false alarms caused by hardware failures are discussed.
Self-diagnostics are in some cases implemented by adding circuits. For example, a read-back check circuit is normally added to the digital output module. If failures occur in these circuits, the diagnostic measures may announce a false alarm, and the FAR is increased. In this paper the FAR refers to the failure rate of the components whose failure could lead to a false alarm. Since the FMEDA is carried out for every component, this type of false alarm can be found in the effects column. The FAR can be used as a reference for selecting self-diagnostic measures. To reduce the FAR, the self-diagnostic circuit can use more reliable components or the diagnostic mechanism design can be changed.

3.3 Quantitative Assessment


After the FMEDA process for each component, the self-diagnostic design can be assessed quantitatively. The assessment method is as follows:
(1) According to the failure type (Column 9), the NR failure type is not taken into the calculation, and the remaining four failure rates are calculated as:

$$\lambda_{SD} = \sum \text{each SD failure rate (Column 2)} \times \text{Alpha (Column 4)} \times \text{DE (Column 10)} \qquad (1)$$

$$\lambda_{SU} = \sum \text{each SU failure rate (Column 2)} \times \text{Alpha (Column 4)} - \lambda_{SD} \qquad (2)$$

$$\lambda_{DD} = \sum \text{each DD failure rate (Column 2)} \times \text{Alpha (Column 4)} \times \text{DE (Column 10)} \qquad (3)$$

$$\lambda_{DU} = \sum \text{each DU failure rate (Column 2)} \times \text{Alpha (Column 4)} - \lambda_{DD} \qquad (4)$$

As in the example shown in Table 2, the open circuit failure mode is an SU failure, so 1.7 × 80% is a contribution to the total λSU of the module.
(2) Then the DC and SFF can be calculated using the formulas in IEC 61508. The FAR is the sum, over the components whose failure can lead to a false alarm, of the failure rate (Column 2) times Alpha (Column 4).
(3) The assessment results are compared with the predetermined requirements to decide whether any change to the self-diagnostics should be made. If the self-diagnostics change, the results should be updated.
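The three assessment steps above, run over rows constructed from the Table 2 excerpt, as an added example (not code from the paper or from FirmSys). The DC and SFF formulas are the IEC 61508 ones named in step (2); the reading of Eqs. (2) and (4) as "all safe (dangerous) failures minus the detected share" is an assumption made explicit in the comments.

```python
# Added example (not code from the paper): the quantitative FMEDA assessment
# of Sect. 3.3 run over rows constructed from Table 2.  Column numbers in the
# comments refer to the FMEDA table columns used by Eqs. (1)-(4).
from dataclasses import dataclass
from typing import List


@dataclass
class FmedaRow:
    """One failure mode of one component, as in Table 1 / Table 2."""
    name: str                  # Column 1
    failure_rate_fit: float    # Column 2, failure rate of the whole component in FIT
    failure_mode: str          # Column 3
    alpha: float               # Column 4, share of the component rate (0..1)
    failure_type: str          # Column 9: "SD", "SU", "DD", "DU" or "NR"
    de: float = 0.0            # Column 10, diagnostic effectiveness (0..1); 0 when NR
    false_alarm: bool = False  # True when the effect/measure column says "false alarm"


def diagnostic_coverage(l_dd: float, l_du: float) -> float:
    """IEC 61508 DC: detected share of the dangerous failure rate."""
    return l_dd / (l_dd + l_du)


def safe_failure_fraction(l_sd: float, l_su: float, l_dd: float, l_du: float) -> float:
    """IEC 61508 SFF: everything except dangerous undetected, over the total."""
    return (l_sd + l_su + l_dd) / (l_sd + l_su + l_dd + l_du)


def assess(rows: List[FmedaRow]) -> dict:
    """Steps (1) and (2): NR rows are skipped; the detected part of each safe /
    dangerous failure goes to lambda_SD / lambda_DD (Eqs. (1), (3)) and the
    remainder to lambda_SU / lambda_DU (Eqs. (2), (4), read as the safe or
    dangerous total minus the detected share, an assumption of this example)."""
    l_sd = l_dd = safe_total = dangerous_total = far = 0.0
    for r in rows:
        if r.failure_type == "NR":
            continue                                  # not counted, step (1)
        base = r.failure_rate_fit * r.alpha           # Column 2 x Column 4
        if r.failure_type in ("SD", "SU"):
            safe_total += base
            l_sd += base * r.de                       # Eq. (1)
        elif r.failure_type in ("DD", "DU"):
            dangerous_total += base
            l_dd += base * r.de                       # Eq. (3)
        else:
            raise ValueError(f"unknown failure type {r.failure_type!r}")
        if r.false_alarm:
            far += base                               # FAR rule of step (2)
    l_su = safe_total - l_sd                          # Eq. (2)
    l_du = dangerous_total - l_dd                     # Eq. (4)
    return {"lambda_SD": l_sd, "lambda_SU": l_su, "lambda_DD": l_dd,
            "lambda_DU": l_du, "FAR": far,
            "DC": diagnostic_coverage(l_dd, l_du),
            "SFF": safe_failure_fraction(l_sd, l_su, l_dd, l_du)}


# Rows constructed from the Table 2 excerpt (Alpha and DE converted to fractions).
TABLE2_SAMPLE = [
    FmedaRow("CPU", 40, "RAM memory failure", 0.10, "DD", 0.90),
    FmedaRow("CPU", 40, "Register failure", 0.10, "DD", 0.90),
    FmedaRow("CPU", 40, "Command decoding and execution failure", 0.10, "DD", 0.90),
    FmedaRow("CPU", 40, "Program counter and stack pointer failure", 0.10, "DD", 0.60),
    FmedaRow("CPU", 40, "ROM failure", 0.10, "DD", 0.90),
    FmedaRow("CPU", 40, "Sequential execution failure", 0.50, "DD", 0.90),
    FmedaRow("Resistor R1", 1.7, "Open circuit", 0.80, "SU", 0.0, false_alarm=True),
    FmedaRow("Resistor R1", 1.7, "Short circuit", 0.10, "NR"),
    FmedaRow("Resistor R1", 1.7, "Parameter drift", 0.10, "NR"),
    FmedaRow("Transistor Q11", 1, "C open circuit", 0.10, "SD", 0.60),
    FmedaRow("Transistor Q11", 1, "C and E short circuit", 0.10, "DD", 0.0),
]

if __name__ == "__main__":
    for key, value in assess(TABLE2_SAMPLE).items():
        print(f"{key:>9}: {value:8.3f}")
```

Step (3) is the comparison of the returned DC, SFF and FAR against the module's predetermined targets.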

Table 2. FMEDA analysis results of DO module

| Name | Failure rate (FIT) | Failure mode | Alpha (%) | Failure Effect | Severity | Dangerous (1) or safe (0) | Diagnostic measures | Failure type | DE (%) |
| CPU | 40 | RAM memory failure | 10 | Unable to communicate with XCU module | High | 1 | March C | DD | 90 |
| CPU | 40 | Register failure | 10 | Unable to communicate with XCU module | High | 1 | Check-board test | DD | 90 |
| CPU | 40 | Command decoding and execution failure | 10 | Unable to communicate with other module | High | 1 | Self-test by software | DD | 90 |
| CPU | 40 | Program counter and stack pointer failure | 10 | Unable to communicate with other module | High | 1 | Check-board test | DD | 60 |
| CPU | 40 | ROM failure | 10 | Unable to communicate with other module | High | 1 | CRC | DD | 90 |
| CPU | 40 | Sequential execution failure | 50 | Unable to communicate with other module | High | 1 | Watch-dog without time window | DD | 90 |
| … | … | … | … | … | … | … | … | … | … |
| Resistor R1 | 1.7 | Open circuit | 80 | Transistor Q11 is cut-off, DO stuck at 1 | High | 0 | Read-back value stuck at 0, false alarm | SU | 0 |
| Resistor R1 | 1.7 | Short circuit | 10 | No effect (NE) | NE | NR | No | NR | NR |
| Resistor R1 | 1.7 | Parameter drift | 10 | No effect | NE | NR | No | NR | NR |
| Transistor Q11 | 1 | C open circuit | 10 | Transistor Q11 is cut-off, DO stuck at 0 | High | 0 | Read-back check | SD | 60 |
| Transistor Q11 | 1 | C and E short circuit | 10 | Q11 short circuit, DO stuck at 1 | High | 1 | Read-back check | DD | 0 |

4 Case Study

In this paper the Digital Output (DO) module of FirmSys is taken as the example to explain how to improve the self-diagnostic design by FMEDA. The DO module is designed with self-diagnostic measures, e.g., a watchdog, software self-diagnostics, communication protocol diagnostics, etc.
According to the bill of materials and the circuit diagram of the DO module, the FMEDA is conducted for every component. The failure rate of each component comes from the component failure rate database of CTEC, which is based on prediction according to MIL-HDBK-217, data provided by vendors, etc. During the analysis, the output of the DO module is assumed to stay at 1 in the normal state and to change to 0 when the design basis event occurs. Part of the FMEDA results is shown in Table 2.
Through the FMEDA process, the four types of failure rate of each component are obtained, and the total λDD, λDU, λSD and λSU are calculated by summing up the corresponding values of every component. In addition, some flaws in the pre-designed diagnostic measures are discovered. For example, the DO module is designed with a read-back feature to monitor the output, but some component failures that lead to the DO module failing as stuck-at cannot be detected. The stuck-at problem is considered a dangerous failure, which should be detectable. It is not easy to identify this issue without an FMEDA analysis.
After the FMEDA analysis, some self-diagnostic measures are proposed to improve the diagnostic coverage, e.g., dynamic self-checking, test patterns, a supply voltage monitoring chip, etc.
The failure rates of the DO module are obtained as shown in Table 3. It indicates that the λDD of the DO module increases from 485.2 to 567.4 FIT, the DC increases from 76.2% to 90.4%, and the FAR decreases from 21.4 to 8.6.

Table 3. Failure rates of DO module

| Module | Failure rate (FIT) | Development stage | λDD | λDU | λSD | λSU | λFAR |
| DO Module | 937.5 | Initial detailed design | 485.2 | 151.3 | 278.6 | 21.4 | 21.4 |
| DO Module | 937.5 | After improvement | 567.4 | 69.1 | 285.2 | 14.8 | 8.6 |

5 Conclusion

Based on the experience of developing FirmSys, this paper introduces a method to improve the self-diagnostic measures of a digital circuit board. FMEDA is applied to analyze the failure modes and effects of each component; it clearly identifies whether a failure mode is detectable and whether its effect is safe or dangerous. The self-diagnostic design cannot be perfect, but the method improves the diagnostic capability, especially for the dangerous failures, and meanwhile decreases the false alarm rate. A case study of the DO module is presented, and it demonstrates that FMEDA is applicable to the optimization of diagnostic measure design. The method proposed in this paper can serve as a reference for the self-diagnostic design of digital circuit boards.

References
1. IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems (2010)
2. Kim, B.C.: Case Study on the Assessment of SIL Using FMEDA
3. The FMEDA approach to improve the safety assessment according to the IEC 61508. Microelectron. Reliab. 500, 9–11 (2010)
4. Ehiagwina, F.: A comparative overview of electronic devices reliability prediction methods – applications trends and challenges (2016)
5. IEC 60880: Nuclear power plants – Instrumentation and control systems important to safety – Software aspects for computer-based systems performing category A functions
6. IEC 60671: Nuclear power plants – Instrumentation and control systems important to safety – Surveillance testing (2007)
7. IEC 62061: Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems (2005)
8. Guidelines for Process Equipment Reliability Data, with Data Tables. Center for Chemical Process Safety of AIChE, New York, NY (1989)
9. Reliability Data for Control and Safety Systems: SINTEF Industrial Management. Trondheim, Norway (1998)
A Reusable Functional Simulation Verification Method Based on UVM for FPGA Products in DAS

Xiu-Hong Lv, Yun-Tao Zhang (corresponding author), Zong-Sheng Cao, Fei Wu, and Ling-Ling Dong

China Techenergy Co., Ltd, 5 Yongfeng Road, Haidian District, Beijing 100094, China
24728yuntao@163.com

Abstract. Functional simulation verification is an important part of Field Programmable Gate Array (FPGA) product verification. Many problems have been encountered in FPGA verification for nuclear instrumentation and control systems when adopting traditional verification methods, such as a long verification cycle, poor reusability of the verification testbench, a low level of automation, etc. The Universal Verification Methodology (UVM) has the characteristics of reusability, extensibility and automation. We introduced UVM for FPGA verification, which improved the efficiency and quality of the verification process and saved project time. At present, this technology has been applied in the IO product verification of the Diverse Actuation System (DAS) and has achieved good results, and the approach will be applied gradually across the project.

Keywords: DAS · FPGA · Functional simulation verification · Reusable

1 Introduction

Because FPGA has advantages over microprocessor and software systems, a number of instrumentation manufacturers adopt FPGA technology in their diversity systems in order to achieve defence in depth. There is not yet mature experience in China with I&C (instrumentation and control) systems based on FPGA technology, so nuclear power owners and regulatory agencies require strict verification of them to ensure quality and reliability [1–3].
Functional simulation verification is the most complex and time-consuming part of the FPGA design process, accounting for about 70% of the entire research and development cycle. Coupled with the urgency of product release requirements, verification has become the bottleneck of FPGA design. Traditional simulation methods have many problems, such as a long verification cycle, poor reusability of the verification testbench, a low level of automation, etc. The Accellera organization launched UVM to make up for the deficiencies of traditional verification. UVM uses a hierarchical modelling method and, through the reuse of components, shortens the testbench construction time and thereby the verification cycle.

© Springer Nature Singapore Pte Ltd. 2019


Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 17–27, 2019.
https://doi.org/10.1007/978-981-13-3113-8_3

In the functional simulation verification of FPGA-based nuclear products, we encountered the same problems. Code coverage and functional coverage are the key quality properties in general FPGA functional simulation verification, and they are also key quality requirements for FPGA in nuclear applications that UVM can meet. Beyond this, it has the advantages of reusability and efficiency, so UVM was introduced into our functional simulation verification process for FPGA.
FitRel is a DCS (Distributed Control System) product based on FPGA technology which can be used as a DAS, and it is the result of independent R&D (research and development) by CTEC. In this paper, we take the FitRel project I/O board FPGA verification as the object under test. The UVM methodology is used to build a reusable verification testbench. The quality of the FPGA product and the verification efficiency were improved, and the goal of better verification was achieved.

2 UVM Description
2.1 UVM Introduction
UVM is a new verification methodology in the IC (Integrated Circuit) field which synthesizes the advantages of AVM, OVM, VMM, etc. It represents the latest development in the field of verification and is characterized by object orientation, reusability and scalability [4–6]. Building a flexible and reusable verification testbench with the UVM method can greatly improve the efficiency of chip verification.

2.2 UVM Testbench


UVM introduces the concept of the class, with its object-oriented characteristics, and is a library collection of many types of classes. A UVM testbench consists of reusable verification components. A verification component is a packaged, easy-to-use and configurable verification environment used to verify the design of sub-modules and interface protocols. These verification components, stored in an IP component library, are developed by the verification staff. They can be used conveniently and flexibly in a variety of verification environments according to the requirement.
Figure 1 shows a verification environment consisting of two agents and a virtual sequencer. Each agent verification component follows a consistent architecture composed of a set of stimulus signals, checks, and coverage statistics. An agent can be configured in ACTIVE mode, in which it is responsible for driving and monitoring the bus, or in PASSIVE mode, in which it only monitors the bus. The verification environment has a multiple-sequence mechanism which can synchronize the clocks and data of different interfaces to control the test environment and the signal stimulus.

Fig. 1. Schematic diagram of UVM testbench

3 Introduction to the Device Under Test

In this paper, the I/O board FPGA is taken as the verification object.

3.1 Function of I/O Board


The main function of the I/O board is implemented by the FPGA. It is the core control unit for data acquisition and output control in the FitRel system. As shown in Fig. 2, it is responsible for controlling the channel acquisition (or output) circuit and for communication with the MPU board. It receives commands from the MPU board, performs the corresponding actions, and reports data to the MPU board.

Fig. 2. Schematic diagram of I/O board application environment

The MPU and I/O boards communicate through the SLINK protocol, with physical-layer interaction over an RS485 bus. SLINK is a self-developed protocol divided into an application layer, a data link layer and a physical layer. All communication is initiated by the MPU in a question-and-answer interaction mode. The communication sequence is divided into two stages: the configuration phase and the periodic communication phase.

3.2 FPGA Architecture of I/O Board


Every I/O board FPGA uses the same top-level module partition structure.
The FPGA top-level module structure is shown in Fig. 3: the SLINK communication module, serial read interface module, clock module and print interface module are common modules; the internal process module and channel signal processing module differ according to the I/O board's own characteristics.

Fig. 3. Schematic diagram FPGA overall architecture of I/O board

4 Functional Simulation Verification Testbench

Through the analysis of the main functional requirements of FPGA, we put forward a
test scheme which is suitable for FPGA function verification. Then we need to design
the overall architecture based on UVM verification testbench.

4.1 Testbench Architecture for FPGA


A testbench is needed to run the simulation. After the verification component library has been established, the top-level verification environment is built according to the verification requirement. The verification environment is composed of the DUT and the verification components.
As shown in Fig. 4, the verification testbench includes an external memory function model, an ADC/DAC function model, and the UVM verification environment that simulates the MPU master device. The MPU function model establishes the connection with the DUT through the virtual interface. The verification developer builds different sequences according to the test outline and forms different test cases.
The top layer controls initialization and the normal simulation execution. It calls the run_test method, which executes the uvm_phase mechanism; the uvm_phases control the order of activities, including building the testbench, applying stimulus, and reporting simulation results.

Fig. 4. Schematic diagram of test-bench architecture for FPGA

4.2 Verification Component Library Creation


According to the verification testbench architecture, the design and implementation of
the components of the verification environment are carried out.

4.2.1 Create External Memory Function Model


The external memory function model only needs a read function. This function model reads the data in the related register, and the data is sent to the DUT serial read interface through the IIC protocol. The data register differs according to the I/O board type.

4.2.2 Create Adc/Dac/Di Function Model


A DAC function model is created, which is used to analyze the output current data received through the SPI protocol.
An ADC function model is created, which is used for AI-type FPGA verification and completes the channel current acquisition. This model generates constrained random current input data.
A DI function model is created to generate a constrained random digital input signal for verification of the DI-type FPGA. Because the output of the DO board FPGA is a digital quantity, no external DO function model is needed.

4.2.3 SLINK Protocol Component


The MPU function is very complex; in this paper only the part that exchanges and processes data on the FPGA SLINK bus needs to be modelled.
(1) Application layer component

The application layer component is divided into a configuration-class component and a communication-class component according to the communication type. According to the direction of data transmission, it can be divided into uplink and downlink components: the MPU to I/O direction is the downlink, and vice versa.
The application layer configuration data packet base class cfg_app_base_data and the application layer communication data packet base class msg_app_base_data are created; they are derived from the uvm_object base class. The data packet base class declares the variables shared by all I/O packets, such as packet number, chassis, slot, board type, etc. For each I/O type, a sub data class with the specific I/O characteristics is derived from the data packet base class. In the application layer data diagram of Fig. 5, XX can be replaced by AI, AO, DI or DO.

Fig. 5. Application layer data packet

Next, the application layer data frame DATA base class app_frame is created, derived from the uvm_sequence_item base class. The base class declares a state byte, a frame byte, the CRC, and the other variables apart from the data packet itself. In the app_frame_templet class derived from app_frame, the data packet variable is added to form a complete application layer data frame DATA. The DATA frame class includes the random constraints on the variables, the correctness checks of the variables, the application layer pack, and the application layer parsing unpack.
Figure 6 shows the complete application layer data frame. When the application layer protocol is modified, only the variables in the corresponding base class or extension class need to be modified.

Fig. 6. The complete application layer data frame



(2) Data link layer component library creation

The application layer data packet is taken as the base variable, and the synchronization byte SYN, delimiter, frame length, source address, destination address and parity information are added to it to form the data link layer data frame.
First, link_frame, the data link layer base class, is created, derived from the uvm_sequence_item base class. The link_frame base class declares the relevant variables of the data link layer, such as SYN. The link_frame_templet class is derived from the link_frame base class, and the application layer data packet DATA is added to link_frame_templet to form the complete data link layer data frame. The data link frame includes the random constraints on the variables, the link layer pack, the link layer unpack, etc.
Figure 7 shows the complete data link layer framing process. If the link layer protocol changes, only the affected variables in the base class or derived class need to be modified.

Fig. 7. The complete data link layer data frame

(3) Physical layer component creation

The I/O board FPGA communicates with the MPU through the RS485 bus. The frame structure consists of a start bit, data, a check bit and a stop bit. An RS485 verification component, rs485_agent, is created to implement the physical layer communication.

4.2.4 Create Env Component


The master_agent component is derived from the uvm_env base class. The data link layer and physical layer variables are declared and instantiated within the agent, and then a virtual sequencer associated with the sequence is declared, as shown in Fig. 8.
master_agent receives the uplink physical layer data through rs485_agent and extracts the uplink link-layer packet from the physical layer data. The link layer components uwd_cfg_link_frame and uwd_msg_link_xx_frame send the frame to the reference & compare module to check the correctness of the data, such as byte length, source address, CRC and other link layer parameters. If there is an error it is reported in the log.

Fig. 8. The master_agent component

Master_agent also implements the function of sending downlink packets to the DUT. It can automatically generate the downlink link layer frames dwd_cfg_link_xx_frame and dwd_msg_link_xx_frame; the data link layer frame is then converted into rs485_agent physical layer data and sent to the DUT.
The master_agent component can automatically generate a constrained random downlink packet, or it can be programmed through the virtual sequencer to generate predetermined data.
A reference & compare module has been developed to check the validity of the response data. The reference part of this module prepares the expected data. For example, the AO output value and the output port current value are also included in the uplink frame, so the expected data can be prepared from them. The module can also check other information, such as the frame length, address, command type, chassis or slot number, CRC, etc. The compare part of this module checks whether the data from the DUT is correct. If the expected data is not consistent with the response data, this is recorded and reported.
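The framing done by the data link layer component (2) above and the checks of the reference & compare module, shown as an added Python example; this is not the paper's SystemVerilog/UVM code. It packs an application layer packet (command type, chassis, slot, data) into a link layer frame (SYN, delimiter, length, source address, destination address, check field), unpacks a received frame with the same field checks the compare module performs, generates constrained-random downlink frames, and compares a DUT response against the expected frame field by field. The framing bytes 0x16/0x02, the one-byte field widths, the address and command ranges, and the use of CRC-16/CCITT as the check field in place of the paper's parity/CRC fields are assumptions of this example.

```python
"""Layered frame pack/unpack and a reference & compare check (added example, not the
paper's SystemVerilog/UVM code). Framing bytes, field widths, value ranges and the
CRC-16/CCITT check field are this example's assumptions; the paper only names the fields."""
import random
from dataclasses import dataclass
from typing import List

SYN, DELIM = 0x16, 0x02   # constructed values; the real protocol bytes are not given in the paper
HEAD_LEN, CRC_LEN = 3, 2  # head = SYN, DELIM, length byte; CRC-16 appended after the body
MIN_BODY = 5              # src, dst, cmd, chassis, slot


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), standing in for the paper's check field."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass
class AppPacket:
    """Application layer packet: command type, chassis number, slot number, payload."""
    cmd: int
    chassis: int
    slot: int
    data: bytes

    def pack(self) -> bytes:
        return bytes([self.cmd, self.chassis, self.slot]) + self.data

    @classmethod
    def unpack(cls, raw: bytes) -> "AppPacket":
        if len(raw) < 3:
            raise ValueError("application packet shorter than its header")
        return cls(raw[0], raw[1], raw[2], bytes(raw[3:]))


@dataclass
class LinkFrame:
    """Data link layer frame wrapping an AppPacket (the role of link_frame_templet)."""
    src: int
    dst: int
    app: AppPacket

    def pack(self) -> bytes:
        body = bytes([self.src, self.dst]) + self.app.pack()
        if len(body) > 255:
            raise ValueError("body exceeds the one-byte length field")
        head = bytes([SYN, DELIM, len(body)])
        return head + body + crc16_ccitt(head + body).to_bytes(2, "big")

    @classmethod
    def unpack(cls, frame: bytes) -> "LinkFrame":
        """Link layer unpack with the field checks the compare module performs."""
        if len(frame) < HEAD_LEN + MIN_BODY + CRC_LEN:
            raise ValueError(f"frame too short ({len(frame)} bytes)")
        if frame[0] != SYN or frame[1] != DELIM:
            raise ValueError("bad SYN/delimiter")
        length = frame[2]
        if len(frame) != HEAD_LEN + length + CRC_LEN:
            raise ValueError(f"length field {length} does not match frame size {len(frame)}")
        expected_crc = crc16_ccitt(frame[:HEAD_LEN + length])
        got_crc = int.from_bytes(frame[-CRC_LEN:], "big")
        if expected_crc != got_crc:
            raise ValueError(f"CRC mismatch: expected {expected_crc:#06x}, got {got_crc:#06x}")
        body = frame[HEAD_LEN:HEAD_LEN + length]
        return cls(body[0], body[1], AppPacket.unpack(body[2:]))


def random_frame(rng: random.Random, max_data: int = 8) -> LinkFrame:
    """Constrained-random downlink frame, as a UVM sequence item with constraints would yield."""
    data = bytes(rng.randrange(256) for _ in range(rng.randint(1, max_data)))
    app = AppPacket(cmd=rng.choice([0x01, 0x02]), chassis=rng.randint(1, 4),
                    slot=rng.randint(1, 16), data=data)
    return LinkFrame(src=rng.randint(1, 15), dst=rng.randint(16, 31), app=app)


def compare(expected: LinkFrame, response: bytes) -> List[str]:
    """Reference & compare: unpack the DUT response and report every field that differs.

    An empty list means the response matches the expected frame."""
    try:
        actual = LinkFrame.unpack(response)
    except ValueError as err:
        return [f"link layer: {err}"]
    fields = [("src", expected.src, actual.src), ("dst", expected.dst, actual.dst),
              ("cmd", expected.app.cmd, actual.app.cmd),
              ("chassis", expected.app.chassis, actual.app.chassis),
              ("slot", expected.app.slot, actual.app.slot),
              ("data", expected.app.data, actual.app.data)]
    return [f"{name}: expected {exp!r}, got {act!r}" for name, exp, act in fields if exp != act]


if __name__ == "__main__":
    rng = random.Random(2019)
    frame = random_frame(rng)
    print(frame.pack().hex(), compare(frame, frame.pack()))
```

The link layer checks are ordered the way a receiver meets the bytes (sync, length consistency, then CRC), so a mismatch report names the first layer at which the response stopped making sense rather than a cascade of field errors derived from a misaligned frame.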

4.3 Master_Testbench Verification Environment


The testbench is derived from the uvm_test component. The master_agent component is integrated into the testbench, which also includes the main control chassis and slot number, the master address, the I/O type, I/O slot, I/O address and other necessary variables. The testbench is shown in Fig. 9.
The virtual sequencer component vir_sqr is declared in the testbench; it establishes the connection between the sequence of the test case and the internal components of the testbench. At the top layer of the test, the sequence calls the sequencer and programs the corresponding variables in the virtual sequencer to apply the desired test stimulus to the DUT. The characteristic of this design is that different test cases can be implemented without modifying the testbench.

4.4 Testcase Library


After the verification testbench is completed, verification personnel can form different testcases for different test purposes by modifying the sequence set. A testcase library has been established according to the test plan.
Testers can concentrate on the development of testcases, which facilitates the discovery of valuable defects and improves verification efficiency and product quality. As the verification activities deepen, the testcase library becomes more and more complete, achieving higher code coverage and functional coverage and improving the reliability of the FPGA.

Fig. 9. The master_testbench verification environment

5 Functional Simulation Verification Implementation

Traditional verification methods often need the testbench to be modified for each new test case; the code modification is large, the work is highly repetitive, and the result is not easy to maintain and extend. In the UVM verification testbench, the testbench and the testcases are independent, which enhances reusability and scalability. If new test cases are needed, or changes are made during test maintenance, only the sequence needs to be programmed to form the required testcase.
The following part shows that the cost is reduced in several ways. The information was collected from the actual project implementation at FitRel.
In the real FPGA verification of the I/O board of the DAS system, the preparation time for the testbench is greatly reduced. The average preparation time for one specific testcase is reduced by about 20%-30%, as shown in Table 1.
For … traditional method, test execution is mostly a human-eye inspection, which is difficult to automate. The test process is time-consuming and laborious. In the UVM testbench, a compare module is included to check the validity of the response data, which greatly reduces the test execution time. The average time for the execution and result check of one testcase is reduced by about 30%, as shown in Table 2.
The traditional method can only execute one case at a time. When UVM is adopted, more than one testcase can be executed at a time. In addition, the preparation time and the execution and check time for one testcase are reduced. All of these contribute to shortening the entire testing period, and the average project testing period for one I/O board FPGA may be reduced by 30%, as shown in Table 3.

Table 1. Average preparing time for one testcase before test execution in I/O board FPGA functional simulation verification

I/O FPGA testcase                                    | Traditional method | UVM method
Average preparing time for one testcase before test  | 2 h                | 1.5 h

Table 2. Average execution time for one testcase in I/O board FPGA functional simulation verification

I/O FPGA testcase                                    | Traditional method | UVM method
Average execution time for one testcase              | 3 h                | 2 h

Table 3. Average testing period for one I/O board FPGA functional simulation verification

I/O FPGA testcase                                    | Traditional method | UVM method
Average testing period for one I/O board FPGA project | 300 h             | 200 h

When using this testbench, if the tester needs to change the verification object from the AI FPGA to the DO or another FPGA, no changes to the testbench are required either: the change is achieved by setting the corresponding chassis number, slot number, I/O type and the corresponding I/O parameters in the virtual sequencer.

6 Conclusion

In this paper, UVM is used to simulate the I/O board FPGA of the DAS system. The verification results from practical application in the project show that using UVM for FPGA verification of the DAS can effectively improve the efficiency of FPGA verification and shorten the product development cycle. The UVM verification testbench has good configurability and reusability and effectively meets the functional simulation verification requirements.

The Method of Failure Analysis for Safety-Critical System Software Based on Formalization

Xiao-Bo Zhou1(&), Jin Fan2, Ru-Mei Shi1, Ya-Dong Zhang1, and Qiao-Rui Du1

1 China Techenergy Co., Ltd. (CTEC), Beijing 100094, China
wwwww.abcd@163.com
2 China Nuclear Power Engineering Co., Ltd, Beijing 100840, China

Abstract. As digital instrumentation and control systems become more and more widely used in the safety field, the reliability of their software has drawn great attention. Identifying and eliminating potential errors in software is an effective way to improve software reliability. Most of the methods for identifying software failures at this stage have evolved from traditional failure analysis methods such as fault tree analysis and Failure Mode and Effects Analysis (FMEA). These traditional failure analysis methods encounter some problems: the credibility of the results depends heavily on the skills of the executing staff, and the analysis workload is huge. In this study, a formal method was adopted to describe the software design, and formal tools were used to find the software failure paths. Formal technology is based on rigorous mathematical theory and is easy to process by computer, which can greatly reduce the impact of the executing staff's awareness on the analysis results. In addition, using formal tools can effectively reduce the workload of the executing staff.

Keywords: Failure analysis · Safety critical software · Formalization

1 Introduction

In recent years, as software is applied more and more widely in safety-critical systems, the reliability requirements for safety-critical software are also getting stricter. Especially in the safety-related field, many standards and regulations have been issued for software reliability. For example, the Nuclear Safety Guide HAD102/16 for nuclear power plants explicitly requires that the reliability of safety-critical software be focused on [1]. GB/T13629 requires that, when a reliability target is set, it should be proven that the safety-critical system software can still meet the requirements of the target [2]. At this stage, experts in this field mainly analyse software reliability qualitatively. Through software failure analysis, one can identify software defects and correct them to improve software reliability.
Analysis methods for software failure generally use the classical reliability analysis methods commonly used in hardware reliability analysis, such as FMEA and Fault Tree Analysis (FTA). When these traditional methods are applied to software failure analysis, the result depends seriously on the knowledge level of the executing staff, and the analysis workload is huge. In this paper, we combine the FMEA method with formalization techniques. We make use of the rigorous mathematical theory of formalization technology, which can easily be realized by computer processing. This combined method can ensure the objectivity and validity of the failure analysis. At the same time, through the use of formal tools, we improve the efficiency of analysis.
When using formal methods to conduct failure analysis of software, the modelling process requires a high level of ability from the analysts. Meanwhile, the software modelling process is equivalent to a software reconstruction, with a huge workload. Section 3 of this study presents a modelling method that can effectively reduce the difficulty and workload of modelling. Section 4 describes the formalized software failure analysis process, which can effectively guide the implementation of formalized software failure analysis activities.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 28–36, 2019.
https://doi.org/10.1007/978-981-13-3113-8_4

2 Safety-Critical System Software Failure Analysis Principles

Formally-based software failure analysis is achieved by creating a model of the analysed software (such as the software requirements, design, code, etc.) using formal methods. The software under analysis is described as a state machine; this process translates the problem domain into the analysis domain. Then the formal tool searches for the state transition paths that do not satisfy the function definition of the software. Usually, a state transition path that cannot satisfy the definition of a software function represents a software function failure. Finally, we analyse each failure path, identify which kind of software failure it relates to, calculate the probability of failure, etc. This is the process of transforming the analysis domain back into the problem domain. The process is shown in Fig. 1.

Fig. 1. Implementation process



3 Safety-Critical System Software Model

From the above, we can see that in the formalized software failure analysis process, the establishment of the software model is crucial. The software model is equivalent to a refactoring of the software, and generally the workload is huge. Therefore, establishing a common software model is an effective way to reduce the modelling workload. When modelling the software being analysed, it is broken up into a combination of simple software units. The analyst uses whether a unit can be clearly defined as the measure of the adequacy of a software unit. By decomposing the analysed software into multiple simple software units, the software model is simplified, and a common model is built for the simple software units. The process is shown in Fig. 2.

Fig. 2. Software structure model

This study abstracts a software unit as the behaviour of operating on specific data according to a specific set of logic in a specific environment, as shown in Fig. 3.

Fig. 3. Software operate model

3.1 Software Unit Data State Model


Software behaviour can be abstracted into three categories: read (Read), write (Write) and initialization (Reset). The software operating environment is abstracted from two aspects, time (S.fresh) and space (S.space): in time it is abstracted into the two states "new" and "old", and in space into the two states "empty" and "full". The interaction between software behaviour and the software runtime environment leads to changes in the software data state. The software's data state (S.sdata) can be abstracted into four states: initial data state (sinit), normal data state (normal), data loss (lose) and data repeat (repeat). The relationship between software behaviour, environment and data state is shown in Fig. 4.

Fig. 4. Software unit data state model

The relationship between the input data and the output data of a software unit is determined manually. The software's data state (S.sdata) can be abstracted into four states: initial data state (sinit), normal data state (normal), data loss (lose) and data repeat (repeat). Under a given data state, the relationship between input data and output data is specified in the form of assertions.

3.2 Software Modeling


Taking software units as the basic elements, the various software units are connected through data coupling, and the software unit behaviours control the timing of each software unit, as shown in Fig. 5.

Fig. 5. Software model example



4 Software Failure Analysis Method Based on Formalized Safety Critical System Software

The failure analysis process based on formalization of safety critical software is shown in Fig. 6.

Fig. 6. Analysis process

(1) Identify the software data flow and draw the data flow diagram
(a) Identify the information and find the source of the information;
(b) Draw the data flow diagram according to the transfer path of the data between the various functional blocks.
(2) Model the software to be analysed
(a) The Altarica formal language description of the software unit data state model according to Sect. 2 is shown in Fig. 7.
(b) The common basic software model is built at the smallest granularity, according to the data flow direction and the data assignment. For example, for a software containing two basic software functional units there are two basic software models (models A and B). The data flows from model A to model B, so the data assignment assigns the data of model A to model B. In this way, a basic software model can be established to describe generalized software.

Fig. 7. Software unit data state model based on Altarica

(3) Define the software functions and describe them using the states in the basic software model. For example, the function of the software in the above example is defined as: data b outputs true if the data state is normal.
(4) Use the ARC tool to automatically search for all state transfer paths that do not satisfy the function definition; each transfer path is a failure mode.
(5) For each failure mode, analyse its causes, frequency, etc. in combination with the specific circumstances of the software system, and fill in the FMEA form.

5 Application Practice of Formalization-Based Software Failure Analysis

FMEA analysis was performed for the software function "read the software configuration data (from FLASH), parse it and write the parsed data into the dual-port RAM".
(1) Identify the data flow and draw the data flow diagram (Fig. 8).
(2) Describe the configuration function formally (function A reads "read configuration data from FLASH", function B reads "parse configuration data" and function C reads "write configuration data to dual-port RAM") (Fig. 9).
(3) Define the data written to the dual-port RAM that is valid for the configuration function, and describe it in the formal language: [(C.S.sdata = normal) & (c != Yes)]
(4) Use the ARC tool to automatically search for all state transfer paths that do not satisfy the function definition (Fig. 10).

Fig. 8. Data flow diagram

Fig. 9. Software model based on Altarica

Fig. 10. Software function description based on Altarica

(5) The state transfer paths that do not satisfy the function definition may be failure modes. Analyse the cause and calculate the probability of each failure mode, then fill in the FMEA form (Fig. 11).
Path Example 1 (Fig. 11):

Fig. 11. Path example 1

Path Example 2 (Fig. 12):

Fig. 12. Path example 2

The results are presented in the form of FMEA (Table 1).

Table 1. The table of FMEA

Reason                         | Mode                                                     | Probability | Effect              | Measures                          | Remarks
Nothing                        | Not read from the FLASH data, direct write dual-port RAM | Impossible  | –                   | –                                 | The MPU executes as a serial
FLASH reading function failure | Write dual-port RAM data error                           | Possible    | Configuration error | Diagnose "FLASH reading function" | –
…                              | …                                                        | …           | …                   | …                                 | …

From the table above, the software failure paths are determined by both the software model and the failure definition. The model and the failure definition are derived from the software design, and the design is relatively objective. Therefore, the problem that the analysis result is greatly influenced by the subjectivity of the executing staff can be solved. In addition, by implementing the work with software tools, the workload of analysts can be greatly reduced.
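The data state model of Sect. 3.1, the path search of step (4) in Sect. 4 and the FLASH/parse/RAM example of this section, as an added Python example (this is not the paper's Altarica model and not the ARC tool): three chained units A (read FLASH), B (parse) and C (write dual-port RAM) are encoded as a finite-state system with read, write and reset behaviours, the new/old and empty/full environment states and the sinit/normal/lose/repeat data states. The function definition is that whatever C writes to the RAM is in the normal state, and a breadth-first search returns the shortest event sequence to every reachable state that violates it. The transition rules, the event names and the flash_fault event are this example's own assumptions. Like the tool search, it interleaves events freely, so it also reports the one-step path in which C writes before anything was read; judging such a path impossible for a serially executing MPU (the first row of Table 1) remains the analyst's job in step (5).

```python
"""Explicit-state search for software failure paths (added example; not the paper's
Altarica model or ARC tool). The transition rules below are this example's own
assumed encoding of the paper's read/write/reset behaviours, the time (new/old) and
space (empty/full) environment, and the sinit/normal/lose/repeat data states."""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

SINIT, NORMAL, LOSE, REPEAT = "sinit", "normal", "lose", "repeat"

# A software unit is the tuple (full, fresh, slot, sdata):
#   full  - space aspect of the environment: does the unit's input slot hold data?
#   fresh - time aspect: was the slot written since the unit last read it ("new" vs "old")?
#   slot  - data state carried by whatever sits in the input slot
#   sdata - data state of the unit's own output (S.sdata in the paper)
Unit = Tuple[bool, bool, str, str]
# System state: units A (read FLASH), B (parse), C (write dual-port RAM) and the data
# state of what C last wrote into the RAM (None until C has written).
State = Tuple[Unit, Unit, Unit, Optional[str]]
Path = Tuple[str, ...]

EMPTY_UNIT: Unit = (False, False, SINIT, SINIT)
# A's input slot is the FLASH: assumed present and holding valid data at power-on.
INITIAL: State = ((True, True, NORMAL, SINIT), EMPTY_UNIT, EMPTY_UNIT, None)
EVENTS = ["flash_fault", "A.read", "A.write", "B.read", "B.write", "C.read", "C.write", "reset"]


def do_read(u: Unit) -> Unit:
    """Read behaviour: the output data state follows from the slot's environment state."""
    full, fresh, slot, _ = u
    if not full:
        out = LOSE        # reading an empty slot: data loss
    elif not fresh:
        out = REPEAT      # reading a slot that was already consumed: repeated data
    else:
        out = slot        # normal case: the unit inherits the slot's data state
    return (full, False, slot, out)   # after a read the slot is "old" until rewritten


def do_write(dst: Unit, value: str) -> Unit:
    """Write behaviour: the upstream output lands in dst's slot, which becomes full and new."""
    return (True, True, value, dst[3])


def step(s: State, event: str) -> State:
    a, b, c, ram = s
    if event == "flash_fault":     # assumed environment fault: FLASH contents unreadable
        a = (a[0], a[1], LOSE, a[3])
    elif event == "A.read":
        a = do_read(a)
    elif event == "A.write":
        b = do_write(b, a[3])
    elif event == "B.read":
        b = do_read(b)
    elif event == "B.write":
        c = do_write(c, b[3])
    elif event == "C.read":
        c = do_read(c)
    elif event == "C.write":
        ram = c[3]
    elif event == "reset":         # initialization: units restart, FLASH keeps its contents
        a, b, c = (a[0], True, a[2], SINIT), EMPTY_UNIT, EMPTY_UNIT
    return (a, b, c, ram)


def function_holds(s: State) -> bool:
    """Function definition: whatever has been written to the dual-port RAM is normal data."""
    return s[3] in (None, NORMAL)


def find_failure_paths(max_depth: int = 7) -> Dict[State, Path]:
    """Breadth-first search of the reachable state space, the role of the ARC path search.

    Returns the shortest event sequence to every distinct state violating the function
    definition within max_depth events; each sequence is one candidate failure mode."""
    seen = {INITIAL}
    frontier = deque([(INITIAL, ())])
    failures: Dict[State, Path] = {}
    while frontier:
        s, path = frontier.popleft()
        if len(path) >= max_depth:
            continue
        for ev in EVENTS:
            n = step(s, ev)
            if n in seen:
                continue
            seen.add(n)
            if function_holds(n):
                frontier.append((n, path + (ev,)))
            else:
                failures[n] = path + (ev,)   # a failure path ends at the first violating state
    return failures


def shortest_by_outcome(failures: Dict[State, Path]) -> Dict[str, Path]:
    """Shortest failure path for each data state that ended up in the RAM."""
    best: Dict[str, Path] = {}
    for s, p in failures.items():
        if s[3] not in best or len(p) < len(best[s[3]]):
            best[s[3]] = p
    return best


def failure_paths_where(failures: Dict[State, Path], pred: Callable[[State], bool]) -> List[Path]:
    """Failure paths whose end state satisfies pred, shortest first (the analyst's filter)."""
    return sorted((p for s, p in failures.items() if pred(s)), key=len)


if __name__ == "__main__":
    found = find_failure_paths()
    for outcome, path in shortest_by_outcome(found).items():
        print(f"RAM holds {outcome!r} after: {' -> '.join(path)}")
```

Keying the result on the complete end state rather than on the RAM data state alone is what lets the analyst pull out the causal chain "FLASH fault, A reads lost data, it propagates through B to C" with failure_paths_where; if only the shortest path per RAM outcome were kept, the trivial two-step path would hide it.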

6 Conclusion

This paper introduces a software failure analysis method based on formalization for safety-critical systems. The method adopts a software functional unit model and a failure analysis process based on the ARC language and tools. By formalizing the software function, the software failures and their impact, and by using the formal tool ARC, the work efficiency is greatly improved. In system software with a large number of software units, the state space handled by the tool will explode; functional segmentation should then be used to deal with this.

References
1. HAD 102/16-2004: Computer based safety important system software for nuclear power plant
2. GB/T 13629-2008: Criteria of computers in safety system for nuclear power plant
A Study About Software V&V Evaluation of Safety I&C System in Nuclear Power Plant

Peng-Fei Gu1, Zhe-Ming Liu2, Wei Xiong1, Wei-Hua Chen1, and Sheng-Chao Wang1(&)

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
18566693557@163.com
2 Product Information Committee of China Instrument and Control Society, Beijing 100080, China

Abstract. Software verification and validation (V&V) is internationally recognized as an important technology for improving software reliability. The promulgation of new regulations and standards related to nuclear safety software may put forward new and higher requirements, so that existing software V&V technical solutions cannot fully cover the new requirements. There is still a gap between the new requirements of the new regulations and standards and the software V&V experience feedback on issues of the Generic Design Assessment (GDA) of the Office for Nuclear Regulation (ONR). Therefore, research on software V&V is needed to meet the new requirements of domestic and international safety reviews. Based on a comparative analysis of the new and old nuclear safety standards, such as Institute of Electrical and Electronic Engineers (IEEE) 1012 and International Atomic Energy Agency (IAEA) No. SSG-39, the ONR review principles, and the technical opinion report on European Union (EU) safety software certification, the main technical differences were sorted out to provide a technical reference for establishing a better-suited nuclear safety I&C system software V&V solution or optimizing the existing one.

Keywords: Software V&V · New requirements · GDA · Technical differences · Optimization

1 Introduction

Software verification and validation (V&V) is internationally recognized as an important technology for improving software reliability. Due to the complexity of software and the limitations of testing methods, software V&V needs to adopt a variety of methods and verify the products generated in each phase of the software life cycle to achieve the ultimate goal of improving software reliability.
With the continuous accumulation of engineering practice experience and the maturation and application of new technologies and methods, software V&V related standards also incorporate good engineering practices and proven effective methods when they are upgraded. For example, statistical testing is adopted for nuclear safety digital systems and equipment in the Generic Design Assessment (GDA) of the EPR, ABWR1000 and AP1000, and formal methods are used in the verification of the nuclear safety instrumentation and control (I&C) system software at the Sizewell nuclear power plant in the UK.
The promulgation of new regulations and standards related to nuclear safety software may put forward new and higher requirements in terms of the scope and depth of V&V and the technologies and methods suitable for use, so that existing software V&V technical solutions cannot fully cover the new requirements; the correctness and effectiveness of the new technologies and methods that need to be adopted also remain to be assessed.
Several major nuclear power groups in China are actively developing nuclear safety digital I&C systems and equipment with independent intellectual property rights, and are gradually forming their own V&V laboratories to research the key techniques of V&V and evaluate nuclear safety software, but they do not yet use statistical testing and formal methods in engineering practice. There is still a gap between the new requirements of the new regulations and standards and the software V&V experience feedback on GDA issues. Therefore, research on software V&V is needed to meet the new requirements of domestic and international safety reviews.
This study focused on software V&V related regulations and standards such as Institute of Electrical and Electronic Engineers (IEEE) 1012, International Atomic Energy Agency (IAEA) No.SSG-39 and the ONR review principles, as well as the technical opinion report on EU safety software certification, and carried out a comparative study between the old and new versions of the standards. On this basis, the main technical requirement differences are sorted out as a technical reference for establishing or optimizing a V&V solution.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 37–47, 2019.
https://doi.org/10.1007/978-981-13-3113-8_5

2 Comparison Between Old and New Versions of Standards

The main executive standard for software V&V has been IEEE 1012-2004, and IEEE 1012-2012 and IEEE 1012-2017 have since been released. The IAEA has adjusted its regulatory and standards system, and the specific safety guide No.SSG-39 related to I&C system and software design came into effect in 2016. Besides, the RCC-E standard has been upgraded to the 2016 edition. In 2015 the European Union issued a technical opinion report on the licensing of safety-critical software for nuclear reactors. By comparing the regulations, standards and technical reports related to safety software V&V, the gaps between the old and new standards in the technical requirements, implementation scope, depth and procedures of V&V are analysed.

2.1 Comparison Between Old and New Versions of IEEE 1012


The U.S. Nuclear Regulatory Commission (NRC) endorses, through Regulatory Guide (R.G.) 1.168, that nuclear safety software V&V shall comply with the IEEE 1012 integrity level 4 software V&V requirements. The standard version endorsed in R.G. 1.168-2004 is IEEE 1012-1998, while the version endorsed in R.G. 1.168-2013 [1] is IEEE 1012-2004 [2].

IEEE 1012-2004 is limited to software V&V, while IEEE 1012-2012 [3] and IEEE 1012-2017 [4] extend the scope of V&V to systems and hardware. Accordingly, the concept of "software integrity level" is extended to "integrity level", the concept of "component" is extended from "software component" to "software component and hardware component", and "V&V tasks" are subdivided into software, hardware, system and general V&V tasks.
1. Integrity level
In IEEE 1012, the integrity level is a value set to quantify the complexity, criticality, risk, safety level, security level, required performance, reliability, or other project-unique characteristics whose importance is defined by the user and the acquirer. The integrity level concept is used to determine the extent of the V&V tasks and activities, their rigour, and the intensity of V&V execution. As the software integrity level declines, the necessary scope, intensity and rigour of the V&V tasks should also decrease. For example, in the hazard analysis of software with integrity level 4, the analysis is formally recorded in a document and module failures are considered, whereas in the hazard analysis of software with integrity level 3, only significant software failures are taken into account, and the analysis can be recorded informally as part of the design review process.
IEEE 1012-2012 and IEEE 1012-2017 do not require that all subsystems or components assigned to the system have exactly the same integrity level, while IEEE 1012-2004 does not give a clear explanation of this. However, it is important to note that the NRC requires that the integrity levels of the system and all its components be the same.
2. V&V processes
IEEE 1012-2004 allows the V&V team to arrange for the design team to carry out the V&V test specification, test execution and test recording. IEEE 1012-2012 and IEEE 1012-2017 require the V&V organization to perform the testing of systems/software/hardware at integrity levels 3 and 4, which ensures the independence and diversity of testing between the V&V organization and the design organization. For integrity level 2 systems/software/hardware, testing can be performed by the design team and reviewed by the V&V team.
3. V&V activities
The comparative analysis of the differences in software V&V activities among the IEEE 1012 versions is shown in Table 1.
4. V&V tasks
IEEE 1012-2004, IEEE 1012-2012 and IEEE 1012-2017 differ in the depth of the V&V task requirements. Major differences include:
• Hazard analysis
In IEEE 1012-2012 and IEEE 1012-2017, the new requirement "evaluate and identify mitigation measures to verify that each hazard has been prevented, mitigated and controlled (recording any remaining hazards as part of the system and software operational considerations)" is added to the V&V tasks of the design, implementation, test, installation and checkout, operation and maintenance phases.

Table 1. Comparison of software V&V activities between versions

V&V activity                     | Rev. 2004                                                                    | Rev. 2012                                                                                                   | Rev. 2017
Concept                          | ✓                                                                            | ✓                                                                                                           | ✓
Requirement                      | ✓                                                                            | ✓                                                                                                           | ✓
Design                           | ✓                                                                            | ✓                                                                                                           | ✓
Implementation (or Construction) | ✓ (Implementation)                                                           | ✓ (Construction)                                                                                            | ✓ (Construction)
Test                             | Contains three tasks: integration testing, system testing, acceptance testing | Activities broken down into three phases: integration testing, qualification testing, acceptance testing    | Activities broken down into three phases: integration testing, qualification testing, acceptance testing
Installation and Checkout        | ✓                                                                            | ✓                                                                                                           | ✓
Operation                        | ✓                                                                            | ✓                                                                                                           | ✓
Maintenance                      | ✓                                                                            | ✓                                                                                                           | ✓
Disposal                         |                                                                              | ✓                                                                                                           | ✓
• Security analysis
In IEEE 1012-2012 and IEEE 1012-2017, the new requirement "ensure that the identified security threats and vulnerabilities have been defended against, i.e. prevented, mitigated and controlled (recording any remaining security threats and vulnerabilities as part of the system and software operational considerations)" is added to the V&V tasks of the design, implementation, test, installation and checkout, operation and maintenance phases.
In Appendix J of IEEE 1012-2017, a new threat-based security analysis method and system life cycle process assurance are added, which can provide operational guidance for implementation.
• Source code and source code documentation evaluation
In IEEE 1012-2012 and IEEE 1012-2017, the new requirement "verify that the source code and its interfaces with other components do not result in unnecessary, unintended or harmful consequences" is added to the implementation V&V task.
In addition, compared with IEEE 1012-2004, IEEE 1012-2012 has the following additional appendices:
– Appendix I: system, software and hardware integration V&V.
– Appendix J: hazards, security and risk analysis.
– Appendix K: the system integrity hierarchy and a sample of changes in "supporting system functions".

IEEE 1012-2017 builds on IEEE 1012-2004 with the addition of Appendix M, "system application V&V for the Nth time". The basic idea is that the complete hardware, software and system V&V activities are performed for the first use of the system, while for the Nth use of the system a regression analysis is carried out first, and the V&V activities are then determined according to the differences. If the application differs too much, due to user requirements or environment differences, the system should be treated as a first application, which can be executed with reference to Appendix D, reused software V&V.
To sum up, the differences between IEEE 1012-2004 and IEEE 1012-2012/IEEE 1012-2017 are relatively large, while the differences between IEEE 1012-2012 and IEEE 1012-2017 are relatively small.

2.2 Comparison Between Old and New Versions of IAEA


The IAEA's newly published safety guide No.SSG-39-2016 [5] is a combination and revision of its original two safety guides NS-G-1.1-2000 and NS-G-1.3-2002. The main changes reflect the continuous development of computer applications and the evolution of the methods required for safety, security and practical use. In addition, human factors engineering developments and the need for computer security are also considered. Major additions and updates include:
– Specific considerations for I&C in order to meet the requirements specified in GS-R-3.
– Design inputs to be considered when setting I&C system design benchmarks.
– The interdependencies between design and realization in the life cycle of the I&C system, especially for the complete I&C system, individual I&C systems and software, and the requirements for human factors engineering input and computer security input of the whole nuclear facility during the life cycle.
– The use of computers, hardware description language programmed devices and industrial devices of limited functionality, and the methods to ensure the correctness of their performance.
– The overall architecture of the I&C system is considered to support the defence-in-depth concept of the nuclear power plant system design and to establish the defence-in-depth protection of the I&C system itself against common cause failure.
– Data transmission between systems important to safety should consider the situation in which systems of a higher safety class receive data from systems of a lower safety class.
– Measures to ensure the computer security of digital safety systems.
– Activities related to computer software development, including design and verification and validation, with principles derived from the safety guidelines.
The NS-G-1.1-2000 [6] requirements for software V&V mainly involve general requirements, static analysis, test strategy and scope, test preparation and implementation, hazard analysis, tool evaluation, the inversion method, evaluation of operating history, documents, etc.
Compared with NS-G-1.1-2000, the differences in the V&V requirements of No.SSG-39-2016 mainly include the following aspects:
1. V&V processes and activities
No.SSG-39 presents the I&C system development life cycle process and the V&V activities, including system V&V activities, software V&V activities and hardware V&V activities, and adds a V&V activity on the relationship between hardware requirements and software requirements to the software requirements V&V activities. These requirements are new and match those of IEEE 1012-2012.
2. Hazard analysis
No.SSG-39 further details the requirements for hazard analysis of the I&C system in clauses 2.56 to 2.65 of Chap. 2. Additional requirements include:
– Consider internal and external hazards, plant equipment failures, and I&C failures or spurious operations caused by hardware failures or software errors, etc.
– Consider all plant states and operation modes, the transitions between operation modes, degraded states, etc.
– The preliminary results of the I&C system hazard analysis need to be established before the overall I&C design baseline is determined.
– The hazard analysis is required to be updated at all stages of the I&C system development life cycle.
– Measures to eliminate, avoid or mitigate hazards identified as possible degradations of system function.

3. Static analysis
As for formal code verification techniques, No.SSG-39 deleted the clause of NS-G-1.1-2000 which reads “When software requirements are formally specified, it is possible to verify formal code. However, formal verification generally requires a wide range of expertise, so consider consulting competent analysts”.
4. Software tools
No.SSG-39 further details the requirements for software tools in Sect. 7.148–7.164 of Chap. 7. Additional requirements include:
– Information security testing tools have been added to the tools used in the I&C system development life cycle;
– Configuration management of all software tools is required.

5. Reverse engineering (inversion)
No.SSG-39 deletes the provisions on reverse engineering (the inversion method) of NS-G-1.1-2000. It notes only, in the “modifications” section of Chap. 2, that “since the design documentation for the old system may be incomplete or inaccurate, the modification or replacement of such systems requires a degree of reverse-engineering measures to regenerate the original design baseline or design specification”.
6. Operating experience
No.SSG-39 adds the clause that “relevant operational experience can be a supplement to other validation techniques, but cannot replace them”.
7. Information security
No.SSG-39 adds requirements 9.82–9.94 of Chap. 9 for information security verification in software V&V:
– Automated software tools are used to examine the code for information security vulnerabilities, supported by manual review of key parts of the code, including input and output processing, exception handling, etc.
– For safety systems, the final application needs to be submitted for computer security testing (such as penetration testing) to verify that common security vulnerabilities are not readily found, and to allow continuous improvement of the software design and implementation.
8. Pre-developed software
No.SSG-39 puts forward requirements for pre-developed software used in safety systems and in systems important to safety respectively:
– For safety systems, pre-developed software used in the safety I&C system should have the same level of qualification as its application.
– For I&C systems important to safety, the user manual needs to describe the pre-developed software, including: functions, interfaces, the different behaviour modes and their switching conditions, restrictions, and a reasoned demonstration that it satisfies the user’s requirements or the requirements applicable to the I&C system.
– More detailed qualification requirements have been added for the qualification of pre-developed items, as detailed in Sect. 6.78–6.134 of Chap. 6.
9. Third-party evaluation
The additional requirements of No.SSG-39 for third-party evaluation include:
– Third-party evaluation should be adopted for safety system software and executed in parallel with the development process.
– The contents of the assessment include:
  – the development process, through quality assurance supervision and technical inspection of life-cycle process documents such as outlines and software specifications, and of the full-scope testing activities;
  – the final version of the software and any subsequent modifications, evaluated through static analysis, inspection, monitoring and testing.
2.3 EU Safety Software Certification Technology Common Position Analysis

The 2018 common position report “Licensing of Safety Critical Software for Nuclear Reactors, Common Position of International Nuclear Regulators and Authorised Technical Support Organisations” [7] adopts a method of classified requirements and management for software. Taking software V&V as an example, its classified requirements are shown in Table 2.

Table 2. Classification requirements of software V&V with different safety levels

Software type | Aspect | Non-safety important systems | Safety related systems | Safety systems
------------- | ------ | ---------------------------- | ---------------------- | --------------
New software | Applicable standards | / | Based on selected standards such as IEC 62138 or IEC 61508 | IEC 60880; IEEE 7-4.3.2
New software | V&V activities | Supplier V&V; field delivery test | 1. V&V outline; 2. Validation at all stages of the development lifecycle; 3. Independent confirmation; field delivery test | 1. V&V outline; 2. Validation at all stages of the development life cycle; 3. Independent V&V; 4. Independent evaluation; field delivery test
New software | Operational experience | / | Feedback on operational experience in supporting software, libraries, and other reusable software | Feedback on operational experience in supporting software, libraries, and other reusable software
Pre-developed software | Applicable standards | / | Based on selected standards such as IEC 62138 or IEC 61508 | IEC 60880; IEEE 7-4.3.2
Pre-developed software | V&V activities | Supplier V&V; field delivery test | 1. V&V outline; 2. Validation at all stages of the development lifecycle; 3. Independent confirmation; field delivery test | 1. V&V outline; 2. Validation at all stages of the development life cycle; 3. Independent V&V; 4. Independent evaluation; field delivery test
Pre-developed software | Operational experience | / | Relevant operational experience feedback | Relevant operational experience feedback

1. Concerns in software verification
– For software correctness and its impact on reliability, all software components (operating system, libraries, application software, smart devices, communication protocols, man-machine interface, etc.) need to be verified.
– For the selection of verification tools and methods, different methods are combined to achieve full coverage of functional and non-functional requirements, and the scope of formal verification is considered. Software modules must be tested and must meet the coverage requirements.
– Verification policies are balanced in terms of time, schedule and resources.
– Test coverage.
2. Concerns in validation and delivery testing
– It is recommended to use statistical testing to estimate system reliability; test case selection takes account of operational profiles, and the number of test cases depends on the required level of safety system reliability and on the confidence level.
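The relation between the number of operational-profile test cases, the reliability claim and the confidence level can be made concrete with a short calculation. The block below is an added example; it is not from the paper or from the common position report. It uses the standard Bernoulli-trial model of statistical testing (every demand on the safety function succeeds or fails independently), and the operational profile, its class names and the 1e-4 bound used as input (the figure ONR discusses in Sect. 2.4) are assumptions chosen for illustration. It also goes one step beyond the zero-failure case by giving the confidence after a campaign with a small number of observed failures.

```python
"""Statistical testing arithmetic for a safety system reliability claim.

Added example (not from the paper or the cited standards).  Model: every
demand on the safety function is an independent Bernoulli trial with an
unknown probability of failure on demand (pfd).  If n demands drawn from
the operational profile all succeed, the confidence that pfd <= p is
1 - (1 - p)**n, so the required n follows from the target bound and the
required confidence.  Profile classes and all numbers are constructed.
"""
import math
import random
from collections import Counter


def confidence_after(n: int, pfd_bound: float, failures: int = 0) -> float:
    """Confidence that the true pfd is <= pfd_bound after n demands with
    `failures` observed failures: 1 - P(X <= failures) for
    X ~ Binomial(n, pfd_bound).  With failures == 0 this is 1 - (1-p)**n."""
    p = pfd_bound
    tail = sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(failures + 1))
    return 1.0 - tail


def demands_for_confidence(pfd_bound: float, confidence: float) -> int:
    """Smallest number of failure-free demands giving at least `confidence`
    in the bound pfd <= pfd_bound."""
    if not 0.0 < pfd_bound < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("pfd_bound and confidence must lie in (0, 1)")
    n = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - pfd_bound))
    # Guard against floating-point rounding in the logarithms.
    while confidence_after(n, pfd_bound) < confidence:
        n += 1
    while n > 1 and confidence_after(n - 1, pfd_bound) >= confidence:
        n -= 1
    return n


def sample_demands(profile: dict, n: int, seed: int = 1) -> Counter:
    """Draw n test demands from an operational profile {class: probability}."""
    if abs(sum(profile.values()) - 1.0) > 1e-9:
        raise ValueError("operational profile must sum to 1")
    rng = random.Random(seed)
    classes = list(profile)
    weights = [profile[c] for c in classes]
    return Counter(rng.choices(classes, weights=weights, k=n))


def claim_supported(n_demands: int, failures: int,
                    pfd_bound: float, confidence: float) -> bool:
    """True if the campaign supports the claim pfd <= pfd_bound at `confidence`."""
    return confidence_after(n_demands, pfd_bound, failures) >= confidence


# Constructed operational profile for demands on a trip function (illustrative only).
PROFILE = {
    "normal_power_operation": 0.85,
    "startup_shutdown": 0.10,
    "degraded_sensor_input": 0.04,
    "mode_transition": 0.01,
}

if __name__ == "__main__":
    n = demands_for_confidence(1e-4, 0.99)
    print(f"failure-free demands for pfd <= 1e-4 at 99% confidence: {n}")
    print("demands per profile class:", dict(sample_demands(PROFILE, n)))
    print("claim still supported after one failure:",
          claim_supported(n, 1, 1e-4, 0.99))
```

The point the arithmetic makes is the one the report implies: a per-demand bound of 1e-4 at 99% confidence needs on the order of 46,000 failure-free demands drawn according to the operational profile, and a single observed failure in that campaign drops the confidence well below the target, so the claim is not supported until the failure is resolved and the campaign repeated.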

2.4 Analysis of the Old and New Versions of the ONR Technical Assessment Guide

The ONR technical assessment guide related to software V&V is NS-TAST-GD-046 “Computer Based Safety Systems”, which has been updated twice in the last two years. Compared to NS-TAST-GD-046 (rev3, 2013) [8], the changes in NS-TAST-GD-046 (rev4, 2017) [9] mainly consist of updating the versions of the standards it refers to; there is no significant change in its technical review principles.
Recently, ONR released NS-TAST-GD-046 (rev5, DRAFT). Compared to NS-TAST-GD-046 (rev4, 2017), the changes in NS-TAST-GD-046 (rev5, DRAFT) mainly include:
1. Scope of application: the new technical assessment guide is also applicable to HDL systems.
2. In terms of the general review principles, the additional or further clarified requirements are as follows:
– The functions of computer systems and the complexity of their implementation should be minimized and, where possible, avoided.
– For a diverse safety system, if one line is based on computer technology, the other should adopt non-computer technology.
– Production Excellence (PE): demonstrate that potential systematic defects introduced in the software development process are minimized.
– Independent Confidence Building Measures (ICBM): the emphasis on dependability comes from independent execution and from the diversity of the executing staff, evaluation techniques and methods.
– In addition to the consideration of the information security of computer-based systems important to safety, ONR gives specific control requirements and control methods in Appendix 6.
– Adding the consideration of software tool qualification, ONR clarifies the requirements for software tool qualification in Appendix 7.
– Based on the current level of technology and consideration of all relevant factors including complexity, ONR considers that a claim of 1e-4 reliability for a computer-based safety system is reasonable and credible.
3. Multi-legged arguments
– New qualification requirements for pre-developed items such as commercial grade smart devices and platforms are added, and ONR gives the classified qualification method for commercial grade smart devices in Appendix 4.

3 Summary of Technical Differences Between the Old and New Versions

By comparing the old and new versions of the relevant regulations and standards for nuclear safety software V&V, the following differences in technical requirements are sorted out:
1. The range of V&V objects expands to include HDL software.
2. The scope of V&V tasks is expanded and the task contents are detailed.
– Project planning V&V, configuration management V&V and disposal V&V are added.
– In hazard analysis and security analysis, the task of evaluating mitigation measures is added.
3. The V&V tasks are required to be defined more clearly.
– The V&V strategies and methods for reuse/pre-developed software are further clarified and regulated.
– The contents and requirements of hazard analysis and security analysis are further detailed.
– The configuration management requirements and qualification requirements of software tools are specified.
– The functional and structural coverage requirements for testing are further clarified.
4. Task execution is made more stringent, for example:
– The independence requirement is emphasized, and third-party evaluation is required for safety system software.
– For safety system software V&V, the system test is required to be performed by an independent V&V organization.
– The diversity of V&V techniques and methods is emphasized; statistical testing and formal methods are recommended.
– For safety pre-developed software V&V, source code testing such as static testing and dynamic testing is emphasized.
4 Conclusions

Based on the comparative analysis of the new and old nuclear safety standards such as IEEE 1012 and IAEA No.SSG-39, of the ONR review principles, and of the EU technical common position report on safety software certification, this study sorted out the main technical differences to provide a technical reference for establishing a more applicable nuclear safety I&C system software V&V solution, or for optimizing the existing one.
Although the IEEE and the IAEA have published or updated the relevant regulations and standards for nuclear safety software V&V, the nuclear safety regulators of China mainly refer to the standards endorsed by NRC regulatory guides, such as R.G. 1.168-2013, which endorses IEEE 1012-2004, and to IEC 60880 for the regulatory scrutiny of nuclear safety I&C systems. As a result, the existing nuclear safety software V&V solution can satisfy the current safety evaluation requirements.
The results of this study are forward-looking research results that take into account the requirements of the GDA review and can address possible technical risks in future nuclear safety reviews carried out according to the new standards, laying the foundation for the “going global” of the Hua-Long No.1 project and for meeting the GDA review.

References
1. R.G. 1.168: Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Office of Nuclear Regulatory Research (2013)
2. IEEE Std. 1012: IEEE Standard for Software Verification and Validation. Institute of Electrical and Electronics Engineers (2004)
3. IEEE Std. 1012: IEEE Standard for System and Software Verification and Validation. Institute of Electrical and Electronics Engineers (2012)
4. IEEE Std. 1012: IEEE Standard for System, Software and Hardware Verification and Validation. Institute of Electrical and Electronics Engineers (2017)
5. No.SSG-39: Design of Instrumentation and Control Systems for Nuclear Power Plants. International Atomic Energy Agency (2016)
6. NS-G-1.1: Software for Computer Based Systems Important to Safety in Nuclear Power Plants. International Atomic Energy Agency (2000)
7. Bel V of Belgium, BfE of Germany, CNSC of Canada, et al.: Licensing of Safety Critical Software for Nuclear Reactors. Common Position of International Nuclear Regulators and Authorised Technical Support Organisations, Regulator Task Force on Safety Critical Software (2018)
8. NS-TAST-GD-046: Computer Based Safety Systems. Office for Nuclear Regulation (2013)
9. NS-TAST-GD-046: Computer Based Safety Systems. Office for Nuclear Regulation (2017)
A Study About Pre-developed Software Qualification of Smart Devices Applied in NPP

Sheng-Chao Wang(&), Tao Bai, Peng-Fei Gu, and Wang-Ping Ye

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
18566693557@163.com

Abstract. Based on research and analysis of the standards and of the relevant Electric Power Research Institute (EPRI) reports on commercial grade dedication (CGD), such as for the pre-developed software of smart devices (intelligent measuring, communication and actuation devices employing programmed electronic components (PEC) to enhance performance), the requirements for pre-developed software qualification have been identified. In combination with the tasks of IEEE 1012, a V&V model was proposed to guide the concrete execution of qualification activities such as suitability evaluation, quality evaluation, operating experience evaluation, additional system test and comprehensive assessment. It also helps establish the specification and process for pre-developed software qualification. On that basis, a pre-developed software qualification was performed for each qualification activity, and some good practice was formed in the process. At the same time, some special considerations are put forward for pre-developed software qualification. Furthermore, some critical qualification points have been captured and may provide a technical reference for subsequent CGD, such as of the pre-developed software of smart devices that will be applied in the HPR1000 and other nuclear power plants (NPPs).

Keywords: Pre-developed software · Smart devices · Software V&V · Standard requirements

1 Introduction

With the development of smart technology, smart devices, which perform intelligent measuring, communication and actuation by employing PEC with embedded software to enhance performance, have increasingly been used to replace conventional devices in the safety instrumentation and control (I&C) systems of nuclear power plants (NPPs) to improve economic efficiency. Although they offer many advantages such as greater accuracy, better noise filtering, built-in linearization and on-line calibration and diagnostics, a smart device is generally a commercial-off-the-shelf (COTS) product sold as a black box, so its reliability is hard to demonstrate and the risk of common cause failure (CCF) potentially increases. Therefore, even though there is extensive and mature application in other, non-nuclear industries, a smart device

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 48–57, 2019.
https://doi.org/10.1007/978-981-13-3113-8_6
A Study About Pre-developed Software Qualification 49

should be thoroughly tested and evaluated, or dedicated, for NPP safety application. This applies especially to the pre-developed software (also called COTS software) of the smart device, which directly affects the safe and reliable operation of the NPP and deserves more attention to guarantee that the safety function is implemented correctly.
However, there are many issues in the pre-developed software qualification of smart devices applied in NPPs, such as the lack of nuclear-specific design, hidden changes, internal complexity, and the need for the manufacturer’s intellectual property. Besides, domestic nuclear engineering experience in the independent qualification of pre-developed software is lacking. In order to meet the related regulatory requirements and achieve the goal of exporting the specified software together with the HPR1000, it is necessary to carry out research on software qualification standards and technology for the domestically developed pre-developed software.
This study first researches the relevant guidelines and standards, refers to the related EPRI technical reports, and teases out the specific requirements for pre-developed software. Then an appraisal plan is put forward, including the qualification process and methods, and the implementation of the plan is illustrated by a concrete engineering practice. Finally, the main technical points are summarized to provide a technical reference for subsequent engineering practice.

2 The Analysis of Guides, Standards or Reports

The concept of CGD has already been proposed in China’s nuclear safety guide HAD 102/16, but it has not yet formed a complete and enforceable scheme or procedure, and mainly refers to the relevant standard systems of Europe, America or international organizations [1]. Fig. 1 is the context diagram of the relevant documents for CGD such as pre-developed software qualification.

2.1 Requirements or Criteria of China

Requirements and recommendations are proposed in Annex I of HAD 102/16 for the application and validation of software developed in accordance with high standards in other industrial safety-critical applications [1].
(a) Define the functions of the existing software and evaluate the impact of these functions on safety.
(b) Clearly identify the existing software, e.g. by program version.
(c) Clearly identify and fully confirm the interfaces of the existing software required by the user or by other software, and provide evidence that no other call sequence is available.
(d) Develop and maintain the existing software according to good software engineering practice and quality assurance.
(e) The existing software used by the safety system should be subjected to the same assessment as the final product of newly developed application software. If necessary, reverse engineering should be performed to evaluate the full specifications of the existing software.
[Fig. 1 is a context diagram of which only the labels survive extraction. Documents shown: China: HAD 102/16 (Rev. 2004). America: EPRI NP-5652 (Rev. 1988), for commercial grade items (10CFR-21), endorsed by Generic Letter 89-02 (Rev. 1989), with the supplementary report EPRI TR-102260 (Rev. 1994); IEEE 7-4.3.2 (Rev. 2010), endorsed by R.G. 1.152 (Rev. 2011), almost the same as EPRI TR-106439 (Rev. 1996), which R.G. 1.152 also endorses; IEEE 1012 (Rev. 2004) Annex D, V&V of reuse software, as the specific execution standard. Europe: RCC-E C 5333 (Rev. 2012), programmed electronic components (PECs). IEC: IEC 60880 (Rev. 2006) Clause 15, qualification of pre-developed software, e.g. microprocessors (MPU/MCU/CPU); IEC 62566 (Rev. 2012), acceptance process for programmable integrated circuits, native blocks and pre-developed blocks, e.g. complex hardware logic (ASIC/FPGA/CPLD).]

Fig. 1. Relevant documents of pre-developed software qualification

(f) Obtain the design documents and source code if the existing software needs to be modified.
(g) The information should be available for evaluating the quality of the existing software and of its development process, and should meet the requirements for assessing the quality level of the existing software.
Acceptance of existing software shall be performed as follows.
(a) Verify that the functions implemented by the existing software meet all requirements described in the safety system requirements specification and the other application specifications.
(b) Verify that the existing software does not rely on functions that the safety system requirements specification does not require, and does not respond adversely with respect to the required functions.
(c) Perform a compliance analysis between the standard requirements used and the software design.
(d) Validate the expected use of the functions of the existing software through tests, including the tests completed by the supplier.
(e) Ensure that the functions of the existing software are not used by the safety system, by other software or by the user in a way that has not been specified and tested.
If possible, obtain sufficient operating history information and failure rate data, and properly evaluate the experience feedback based on an analysis of operating time, error reports and delivery history in the related system’s operation.
If the relevant software development information is not sufficient and available, a risk assessment should be carried out for the safety impact of software faults.

2.2 Requirements or Criteria of Europe and America

After investigation and research of American nuclear industry practice, the EPRI published the technical report EPRI NP-5652 in 1988 to guide the application of commercial grade items such as the pre-developed software of NPPs. It expounds the evaluation background, objective, basic concepts, general process and basic methods, and puts forward a verification method consisting of technical evaluation and acceptance [2]. The guide report was endorsed by the NRC through Generic Letter 89-02 in 1989. After that, the EPRI published the supplementary report EPRI TR-102260 in 1994 to complement some key issues of EPRI NP-5652, including how to implement the technical evaluation, general acceptance, and the evaluation of the assessment procedure for commercial grade items [3].
Besides, the EPRI published EPRI TR-106439 in 1996 to discuss the evaluation and method for the critical characteristics of digital devices [5]. The critical characteristics are evaluated as physical critical characteristics, performance critical characteristics and dependability critical characteristics.
On the basis of the series of EPRI studies, the IEEE published IEEE 7-4.3.2-2010, which is almost the same as the EPRI research reports above [4]. According to the requirements of this standard, the CGD process for digital devices consists of a preparation phase, an implementation phase and a design review phase. The NRC published the corresponding guidance R.G. 1.152-2011 to endorse the standard, and endorsed EPRI TR-106439 through an evaluation report [6].
As for the requirements of guides, standards or technical reports, IEEE 1012-2004 Annex D is a good reference for pre-developed software qualification, since it puts forward detailed V&V activities and tasks [7].
Furthermore, the French standard RCC-E-2012 clause C5333 introduces the characteristics and requirements of programmed electronic components (PECs) [8]. For PECs applied in C1 and C2 classified systems, how to provide sufficient guarantees of their quality and reliability is related to the development cycle, the follow-up of their software and hardware components, any existing experience feedback that may be available, and their qualification.
2.3 Requirements or Criteria of IEC

The specific qualification requirements for pre-developed software are put forward in IEC 60880 clause 15, mainly including suitability evaluation, quality evaluation, evaluation of operating experience and comprehensive assessment [9].
IEC 62566-2012 provides how to select and assess pre-developed items when developing an HDL-Programmed Device (HPD) [10].

3 The Model of Pre-developed Software Qualification

For this study, the smart device under research is a breaker (C1 classified system) with a micro-logic trip unit, which is a mature commercial grade item and has shown ten years of good performance so far. The functions of the breaker are mainly realized by pre-developed software implemented with ASIC technology, and the development languages include VHDL and C++. Therefore, this study considers at the same time the requirements of RCC-E-2012, IEC 62566-2012 and IEC 60880-2006 when performing the pre-developed software qualification. The suitability analysis of the three standards is shown in Table 1.

Table 1. Standards suitability analysis of ASIC

RCC-E C5333-2 | IEC 62566 clause 7 | IEC 60880 clause 15 | Conclusions
------------- | ------------------ | ------------------- | -----------
Development cycle and relevant documents; qualification requirements | 7.4 Selection; 7.4.2 Documentation review | 15.3.2 Quality evaluation | The requirements of the standards are basically the same (applies to all rows)
Supervision for software and hardware components and requirements for software modification | 7.6 Modification for acceptance | 15.4 Requirements for integration in the system and modification of PDS |
Available experience feedback data | 7.4 Selection; 7.4.3 Operating experience review | 15.3.3 Evaluation of operating experience |
Requirements of test and additional test | 7.4 Selection; 7.4.2 Documentation review | 15.3.1 Suitability evaluation; 15.3.2 Quality evaluation |

After specifying the qualification requirements through Table 1, the qualification requirements were assigned to the verification and validation (V&V) activities and tasks of IEEE 1012 that can be performed. The specific assignment and the process of the ASIC qualification are shown in Fig. 2.
[Fig. 2 is a V-model diagram of which only the labels survive extraction. Development products, top to bottom: Plant and System Requirements; Breaker System Design Requirements; ASIC Software Requirements; ASIC Software Design; ASIC Software Implementation; and, on the integration side, Breaker System Integration. V&V activities with the assigned qualification activity in parentheses: Concept V&V (Suitability Evaluation); Requirements V&V (Quality Evaluation); Design V&V (Quality Evaluation); Implementation V&V (Quality Evaluation); Test V&V (Quality Evaluation). Verification links connect each V&V activity to its development product; Validation and the Additional Test link the Plant and System Requirements to the Breaker System Integration; the Comprehensive Assessment concludes the process.]

Fig. 2. Process of pre-developed software qualification

4 Qualification and Results of ASIC

Because the breaker will eventually be used in the third-generation NPP HPR1000 to perform safety functions, the V&V team performed suitability evaluation, quality evaluation, evaluation of operating experience and an additional system test in order to guarantee the high reliability of the ASIC.
(1) Suitability evaluation
• Required input documentation
– System specification documentation
– PDS specification and user’s documentation
• Evaluation requirements
– Comparison of the system and PDS specifications
– Identification of modifications and missing points
• Performing the evaluation
– According to the required input documentation and evaluation requirements, the suitable V&V tasks are suitability analysis and traceability analysis, which are well suited to identifying modifications, missing points or inconsistencies through comparison of the system and PDS specifications.
– The V&V tasks performed found two kinds of anomalies. One is that requirements of the system specification documentation are not reflected in the PDS specification and user’s documentation. The other is that the timing characteristic requirements of the ASIC cannot be proved.
• Preliminary evaluation conclusion
– The conclusion of the suitability evaluation is that complementary work is needed to clarify the anomalies or provide convincing proof.
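The traceability analysis described above (comparing the system and PDS specifications to find missing points, modifications and inconsistencies) and acceptance items (b) and (e) of HAD 102/16 in Sect. 2.1 (the existing software must not rely on, or be used through, functions the safety system specification does not require) can both be supported by the same bidirectional trace check. The block below is an added example; it is not the V&V team’s tooling or any project’s code, and the requirement identifiers, texts and trace links are constructed for illustration.

```python
"""Bidirectional traceability check between a system requirements
specification and a pre-developed software (PDS) specification.

Added example (not the paper's or any project's code).  Each requirement
carries the ids it claims to trace to in the other document.  The check
reports: system requirements with no PDS counterpart (missing points),
PDS functions no system requirement asks for (candidates for the
"function not required by the safety system" acceptance check), links to
ids that do not exist (dangling), and links present in only one
direction (inconsistent).  All ids and texts below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Requirement:
    rid: str
    text: str
    traces_to: set[str] = field(default_factory=set)  # ids in the other document


@dataclass
class TraceReport:
    untraced_system: list[str]           # missing points in the PDS
    unrequested_pds: list[str]           # PDS functions nobody asked for
    dangling: list[tuple[str, str]]      # (from_id, to_id) where to_id does not exist
    inconsistent: list[tuple[str, str]]  # (sys_id, pds_id) linked in one direction only

    def clean(self) -> bool:
        return not (self.untraced_system or self.unrequested_pds
                    or self.dangling or self.inconsistent)


def trace(system: list[Requirement], pds: list[Requirement]) -> TraceReport:
    sys_ids = {r.rid for r in system}
    pds_ids = {r.rid for r in pds}
    # Links stated by each side, normalised to (system id, PDS id).
    forward = {(r.rid, t) for r in system for t in r.traces_to if t in pds_ids}
    backward = {(t, r.rid) for r in pds for t in r.traces_to if t in sys_ids}
    dangling = [(r.rid, t) for r in system for t in r.traces_to if t not in pds_ids]
    dangling += [(r.rid, t) for r in pds for t in r.traces_to if t not in sys_ids]
    links = forward | backward
    traced_sys = {s for s, _ in links}
    traced_pds = {p for _, p in links}
    return TraceReport(
        untraced_system=sorted(r.rid for r in system if r.rid not in traced_sys),
        unrequested_pds=sorted(r.rid for r in pds if r.rid not in traced_pds),
        dangling=sorted(dangling),
        inconsistent=sorted(forward ^ backward),  # present on one side only
    )


# Constructed sample: a breaker system specification and the PDS
# specification of its trip-unit software.  Illustrative only.
SYSTEM_SPEC = [
    Requirement("SYS-1", "Trip on long-time overcurrent", {"PDS-1"}),
    Requirement("SYS-2", "Instantaneous trip within the specified response time", {"PDS-2"}),
    Requirement("SYS-3", "Report the trip cause to the plant I&C system"),
]
PDS_SPEC = [
    Requirement("PDS-1", "Long-time overcurrent protection", {"SYS-1"}),
    Requirement("PDS-2", "Instantaneous trip function"),             # back-link missing
    Requirement("PDS-3", "Remote setting change over the fieldbus"),  # not requested
    Requirement("PDS-4", "Ground-fault protection", {"SYS-9"}),      # SYS-9 does not exist
]


def sample_report() -> TraceReport:
    return trace(SYSTEM_SPEC, PDS_SPEC)


if __name__ == "__main__":
    rep = sample_report()
    print("missing points (system reqs without PDS trace):", rep.untraced_system)
    print("PDS functions not required by the system:", rep.unrequested_pds)
    print("dangling links:", rep.dangling)
    print("one-directional links:", rep.inconsistent)
    print("trace clean:", rep.clean())
```

Each finding maps to a different follow-up in the qualification: an untraced system requirement is a missing point to raise with the supplier, an unrequested PDS function must be shown to be unused (or disabled) by the safety application, and a dangling or one-directional link is a documentation inconsistency that the traceability analysis should have the supplier correct before the evaluation conclusion is drawn.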
(2) Quality evaluation
• Required input documentation
– Design documentation
– Life cycle documentation
• Evaluation requirements
– Analysis of the design
– Analysis of the quality assurance (QA)
– Identification of missing points
• Performing the evaluation
– According to the required input documentation and evaluation requirements, the suitable V&V tasks are compliance analysis against the applicable standards RCC-E, IEC 62566 and IEC 60880, and traceability analysis.
– The applicable standards compliance analysis evaluates the compliance between the requirements of the standards and the input documentation. The ASIC design shall be consistent with the constraints of the system architecture and with deterministic internal behavior. If a behavior adopted in the ASIC development differs from the requirement of the standards, it shall be analyzed and justified. If the software has a secondary function, its influence on the main function shall be analyzed.
– The traceability analysis mainly validates the bidirectional tracing relationship between the input documents, ensuring their correctness, accuracy, completeness and consistency.
– The V&V tasks performed found an anomaly: the development team widely uses self-developed tools for ASIC development and test, and the reliability of these tools has not been fully guaranteed.
• Preliminary evaluation conclusion
– On the basis of the evaluation effort above, it is necessary to require additional tests and documentation, or an evaluation of operating experience.
(3) Evaluation of operating experience
• Required input documentation and evaluation requirements
– The methods for collecting data and recording the operating time of each PDS version
– The operating history of findings, defects and error reports, and of modifications.
• Performing the evaluation
– According to the required input documentation, the evaluation requirements, and the results of the suitability evaluation and quality evaluation, the evaluation of operating experience assessed the evidence provided by the supplier of the breaker including its pre-developed software. The evidence is the operating experience of the product, collected globally by the supplier through automated management and configuration tools; the operating time is about ten years.
• Preliminary evaluation conclusion


– The conclusion of the evaluation is that the supplier provides sufficient
operating experience.
(4) Additional system test
• Required input documentation
– System design requirements specification documentation
– PDS specification and user’s documentation
• Evaluation requirements
– Confirm that the breaker can meet the functional and interface
requirements.
• Performing evaluation
– According to the required input documentation and evaluation requirements,
the V&V team first analyzed the test requirements and sorted out the requirement
items. On this basis it prepared the V&V plan and the corresponding test
description, and then designed the test cases for each test requirement.
– The result of the system test showed that the design of the breaker covers the
functional and interface requirements. However, there were some abnormal items:
performance parameters such as the time response are inconsistent with the
specific requirements.
• Preliminary evaluation conclusion
– The conclusion of the system test is that a retest is needed, or the
development team needs to clarify and justify the anomalies.
(5) Comprehensive assessment
• Required inputs
– The results of suitability evaluation, quality evaluation, evaluation of
operating experience and additional system test.
• Conclusion
– The applicability of the commercial grade item of breaker, which will be
used in NPP to perform safety functions, depends on the handling of the
found anomalies and the supplementary clarifications by the supplier.
(6) Special consideration
For a breaker product whose pre-developed software performs safety functions in
an NPP, a hazard analysis and a security analysis are needed. The FMEA method is
recommended for the hazard analysis. The specific requirements for the security
analysis are given in clause 5.7 of IEC 60880 and mainly concern security during
design and development and user access. After that, a risk analysis is executed on
the basis of the hazard analysis and the security analysis.
When the inputs of the qualification tasks above are not available, which reduces
visibility into the pre-developed software products and processes, the techniques
listed below are optional means to compensate for the missing inputs. Each has its
own strengths and weaknesses, so performing multiple techniques should be
considered, offsetting the weaknesses of one technique with the strengths of the
others when high confidence is demanded.
• Black box testing
• Review developer’s QA
• Operational history
• Audit results
• Artifacts
• Reverse compilation
• Prototyping
• Prior system results

5 Conclusions

Based on the research and analysis of the standards and the relevant EPRI reports on
CGD, the requirements for a smart device (a breaker including pre-developed software)
have been identified. Combined with the tasks of IEEE 1012, a V&V model was proposed
to guide the qualification activities, which also helps establish the specification
and process for pre-developed software qualification. On that basis, the
pre-developed software qualification was performed and some good practices were
formed in the process. All of the qualification efforts can serve as evidence for
evaluating the reliability of the pre-developed software and raise confidence in
software used to perform safety functions. Furthermore, some critical qualification
points have been captured and may provide a technical reference for subsequent CGD,
such as the pre-developed software of smart devices to be applied in the HPR1000 and
other NPPs.

References
1. HAD 102/16: Nuclear Power Plants – Systems Important to Safety – Software Aspects for
Computer-based Systems. National Nuclear Safety Administration (2004)
2. EPRI NP-5652: Guideline for the Utilization of Commercial Grade Items in Nuclear Safety
Related Applications (NCIG-07). Electric Power Research Institute (1988)
3. EPRI TR-102260: Supplemental Guideline Application of EPRI Report NP-5652 Commercial
Grade Items. Electric Power Research Institute (1994)
4. IEEE Std. 7-4.3.2: IEEE Standard Criteria for Digital Computers in Safety Systems of
Nuclear Power Generating Stations. Institute of Electrical and Electronics Engineers (2010)
5. EPRI TR-106439: Guideline on Evaluation and Acceptance of Commercial Grade Digital
Equipment for Nuclear Safety Application. Electric Power Research Institute (1996)
6. R.G. 1.152: Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.
Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission (2011)
7. IEEE 1012: IEEE Standard for Software Verification and Validation. Institute of Electrical
and Electronics Engineers (2004)
8. RCC-E: Design and Construction Rules for Electrical Equipment of Nuclear Islands. French
Association for Design, Construction and In-service Inspection Rules for Nuclear Island
Components (2012)
9. IEC 60880: Nuclear Power Plants – Instrumentation and Control Systems Important to Safety –
Software Aspects for Computer-based Systems Performing Category A Functions.
International Electrotechnical Commission (2006)
10. IEC 62566: Nuclear Power Plants – Instrumentation and Control Important to Safety –
Development of HDL-programmed Integrated Circuits for Systems Performing Category A
Functions. International Electrotechnical Commission (2012)
Applications of Data Mining in Conventional
Island of Nuclear Power Plant

Zhi-Gang Wu(&), Xiao-Yong Zhang, Chang-Ge Xiao, and Wen Chen

State Nuclear Electric Power Planning Design & Research Institute CO., LTD,
Beijing 100095, China
u2490@snpdri.com

Abstract. With the application of digital control systems and field-bus technology
in nuclear power plants, production data is growing explosively. For this large
amount of high-dimensional, multi-coupled production data, data mining technology
will play an increasingly important role. This paper briefly introduces the data
mining process and its commonly used methods. Based on the data volume of the
conventional island in a nuclear power plant and the current data applications, it
puts forward data mining applications in the Conventional Island (CI) and analyzes
the primary approaches and trends of these applications.

Keywords: Conventional Island · Data mining · Fault diagnosis · Operation optimization · Soft-sensing

1 Introduction and Background

In recent years, big data analytics has advanced at an unprecedented pace, mostly in
Internet-related research and development. Big data is not new to the science and
technology communities, but compared with what has been happening on the Internet,
data applications there have primarily been used to prove the correctness of existing
physical laws. Data science and technology are largely ignored, and as a result
potentially prominent science remains uncovered.
In the nuclear power industry, data analytics are very important tools because 90% of
the events that lead to unplanned energy loss (such as unplanned shutdowns, outage
extensions or load reductions) are due to equipment failure, according to World
Nuclear Association (WNA) statistics for the global NPPs from 2008 to 2012 [1]. Among
such failures, the top five causes are associated with: (1) the turbine and its
auxiliary systems; (2) the electrical control system; (3) the generator and its
auxiliary systems; (4) the reactor; and (5) the main feed water and main steam
systems. Over 70% of the total unplanned energy loss, about 140 GWh, is caused by
these top five equipment problems. Most of these failures can be resolved safely, but
they can be the trigger of a catastrophic disaster like Chernobyl in the former USSR
and, most recently, the Fukushima nuclear power plant in Japan.
The main task of a nuclear power plant, once its construction is completed, is to
keep its operation safe and low-cost. To do so, the operation and maintenance of an
NPP require significant effort to monitor and analyze the equipment status, which
contributes a substantial portion of the operational cost. To make matters worse,
there are no existing physical laws and models that can be used directly to ease the
difficulty of separating abnormal from normal operation in the massive monitoring
data acquired during operation. Data-enabled science and engineering may be a unique
and significant tool for assisting the stable, reliable and economic operation of CI
equipment.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 58–71, 2019.
https://doi.org/10.1007/978-981-13-3113-8_7
Presently, the use of production data in NPPs and fossil power plants usually
includes:
(1) Direct digital control
Direct digital control (DDC) is the automated control of a condition or process by a
digital device. DDC allows automatic control of the equipment and monitoring of the
unit's performance status by setting control and alarm upper/lower limit values on
the production data. For example, vibration instruments are usually used to measure
the vibration of pump bearings, and an upper limit on the vibration value is set.
Once an abnormal vibration signal exceeds the upper limit, an alarm is generated to
remind the operators that the pump is in an abnormal state, or the alarm initiates a
pump stop for protection.
DDC provides the basic control and monitoring means for safe operation. The
advantage of DDC is that the control and alarm upper/lower limit values can be
obtained from the characteristics of the systems or equipment, which is simple and
feasible. Especially when DDC is combined with a Distributed Control System, it is
even more useful. Therefore, DDC has become the primary means in many
applications [2].
However, because the upper/lower limit values usually have a large margin, DDC may
malfunction on a spurious marginal signal, which significantly increases the
operational cost.
(2) Mathematical model analysis method
The mathematical model analysis method (MMAM) uses mathematical models for equipment
performance and status analysis. Based on the mathematical model of the equipment,
the device-related parameters are used to calculate the performance of the equipment
or to further analyze its status. For example, by building mathematical models of the
turbine and using the related pressure and temperature data as given values, steam
turbine performance parameters such as turbine efficiency and flow area are
calculated, and these performance parameters can then be used to analyze the
equipment status [3].
MMAM provides a further analysis of the production data. Its advantage is that the
analysis can be accomplished safely and precisely if the mathematical model is
accurate. After years of research, some of the mathematical models of CI equipment
have shown their usefulness and can basically meet the requirements of engineering
applications.
However, MMAM is at present only applicable to a single device and not suitable for
complex systems with large correlation and strong coupling, and its reliability in
real-life application is often in doubt.
(3) Fault database diagnosis method
The fault database diagnosis method (FDDM) builds a fault database based on
engineering experience. FDDM can help operation and maintenance personnel determine
the causes of a fault and resolve it [4]. Usually the historical fault database, with
its fault characteristics, is formed from a large amount of statistical information
on various types of equipment failure.
The advantage of FDDM is that it provides a historical fault database by refining
and summarizing the experience of experts. So it can accurately determine an
equipment failure that matches the fault characteristics in the database and provide
technical support for the operation and maintenance personnel.
However, FDDM cannot provide a comprehensive fault diagnosis of the devices because
of the limits of a database that relies on expert experience of past operating
failures. It is also not suitable for complex systems with large correlation and
strong coupling.
(4) Data-enabled science and engineering
Data-enabled science and engineering is a new concept of big data applications in
recent decades. Data-enabled endeavors in science and engineering primarily involve
two efforts: means to acquire reliable data and means to mine the information
embedded in large data sets. Its applications mainly arise where there are no
pre-existing physical laws or models to follow; its goal is to seek the source
physics and to assist decisions based on past and present data. Data mining (DM) is
one of the powerful tools widely used when processing large data sets. In recent
years, digital control systems and field-bus technology have been widely utilized in
nuclear power plants and, as a result, generate a huge amount of operation and
production data. Therefore, data-enabled science and engineering offers prominent
potential for keeping NPP operation and production safe.
This paper introduces the fundamentals of data-enabled science and the techniques
that may be used in the safe-operation monitoring of NPPs, approaches to data
mining, and illustrations of example applications.

2 Data Mining Methods

DM is the process of applying methods with the intention of uncovering hidden source
physics in large data sets. The following are several commonly used methods.
(1) Statistical Analysis
Statistics provides many discriminant and regression methods for DM, including
Bayesian inference, regression analysis and analysis of variance. Bayesian inference
is a method of statistical inference used to update the probability of a hypothesis
as more evidence or information becomes available. Regression analysis is a set of
statistical processes for estimating the relationships among variables; it can also
be used to model the probability of occurrence of certain events. Analysis of
variance is a collection of statistical models that can be used to analyze the
performance of a regression and the effects of the independent variables on the
final regression [5].

(2) Decision Tree
A decision tree is a decision support tool that uses a tree-like graph or model of
decisions and their possible consequences, including chance event outcomes, resource
costs and utility. It is one way to display an algorithm. The biggest advantage of
the decision tree method is that it is intuitive, which is very effective for
classifying high-dimensional data. The disadvantage is that as data complexity
increases, the number of branches grows and management becomes more and more
difficult. In addition, this method has trouble processing data with missing
values [6].

(3) Neural Network
A neural network is a computational model established by mimicking the structure and
working mechanism of the neural network of the human brain. Based on the MP model and
Hebb learning rules, it establishes feed-forward, feedback and self-organizing network
models. The biggest advantage of neural networks is the ability to accurately predict
complex problems. Because of its good robustness, self-organization, parallel
processing, distributed storage and high fault tolerance, the neural network is very
suitable for establishing classification models in data mining, so it has received
more and more attention in recent years [7].

(4) Rough Set Theory
Rough set theory as a data analysis method was proposed by Pawlak in 1982 [8]. It
regards knowledge as a partition of the domain, treats knowledge as granular, and
uses the relative core of knowledge to analyze and reduce knowledge. Rough set
theory can analyze and process fuzzy or uncertain data without prior knowledge of
the relevant data. So it is one of the main methods of DM and is good at revealing
potential rules [9].
Table 1 shows the main methods of each phase of CRISP-DM.

Table 1. Main methods of each phase of CRISP-DM

Phase                   Main methods
Business understanding
Data understanding
Data preparation        Statistical analysis, standardization, visualization
Modeling                Decision tree, statistical analysis, neural networks, rough set method
Evaluation              Test set methods
Deployment              Decision tree, statistical analysis
3 Conventional Island Data

A large amount of data is generated over a plant's life, from manufacture,
construction, commissioning, operation and maintenance, to retirement. For an NPP in
operation, the data can be divided into two categories: non-real-time data and
real-time data.
Non-real-time data comes from the planning and design, procurement, construction and
commissioning phases, and mainly includes design documents from the designers,
equipment information and data from the vendors or manufacturers, and commissioning
data.
Real-time data, however, is generated when an NPP is in the operation phase. It is
acquired by the on-site instruments and controlled equipment. Such data are
collected and accumulated over years, and their source physics remains to be sought.
Haiyang Nuclear Power Plant Phase 1 is the AP1000 self-reliance project. In the CI
of Haiyang NPP, the real-time data mainly comes from two parts: instruments and
controlled equipment. The instruments mainly include transmitters and switches used
to measure temperature, pressure, flow, level and vibration; the controlled
equipment mainly includes air-operated valves, motor-operated valves, motors and
heaters. There are about 7000 real-time data points in a CI. If the sampling rate is
1 Hz, a CI will generate 100 TB of data in one year, or 273 GB per day.

4 Applications

Digital control systems and field-bus technology have gradually been applied in
NPPs in recent years and, as a result, a huge amount of data is acquired. But data
analysis and application are still in their infancy. It is expected that DM can
greatly enhance the safe operation of NPPs in the following aspects: equipment fault
diagnosis, optimization of unit operation and soft sensors.

4.1 Equipment Fault Diagnosis

Nuclear power plant maintenance currently follows so-called planned maintenance and
troubleshooting, also known as post-maintenance. Its advantage is that planned
maintenance makes it easier to plan maintenance and order spares, and the costs are
distributed more evenly. However, it can result in "over- or under-maintenance",
because it cannot provide the real-time status of the equipment. And because of the
complexity of the equipment, the planned maintenance period is difficult to
determine: a short period has higher cost, and a prolonged period may lead to
decreased equipment performance and even cause equipment failure. Faulty equipment
will lead to automatic unit shutdown or load reduction, and can even affect the
safety of the unit. As described in Sect. 1, the condition of equipment can only be
determined by whether the referenced value of an operating parameter changes, i.e.
whether the value exceeds its boundaries. This method can remind the operators of
the condition to a certain extent, but fails to consider changes of condition while
the parameters are within the normal range. Furthermore, it cannot identify the
trend of the condition changes to provide early warnings.
Recently, to diagnose rotating equipment such as the steam turbine, most scholars
use the association rule learning method [10]. The authors proposed an association
rule learning method that expresses the relationship among the vibration signs, the
thermal parameter data and the fault type as the confidence and support of an
association rule. The paper provides a rule-based database for a specific unit and
uses the database to implement turbine diagnosis. The process of rule mining,
judgment and result analysis is shown in Fig. 1. Based on this method, the authors
tested the effectiveness of the diagnosis on a 900 MW turbine of a fossil power
plant and provided the following example:

Fig. 1. Rule mining, judgment and result analysis process

The turbine rotor has two bearings; the horizontal (X phase) and vertical (Y phase)
vibration of each bearing is monitored (for bearing 1, referred to as 1X and 1Y; for
bearing 2, as 2X and 2Y). During the start-up stage of the turbine, 1X and 1Y
soared; the highest value of 1X was 198 μm, which led to a turbine trip. As bearing 1
and bearing 2 are on the same rotor, the vibration of bearing 2 also changed
correspondingly, reaching a highest value of 138 μm. After analyzing the parameters
of the thermal process, it was found that the main steam temperature (MS-T), the
100% high pressure cylinder temperature (HPC-T) and the high pressure cylinder
exhaust steam temperature (HPCES-T) had reached their highest values before the
turbine trip, as shown in Fig. 2. Comparing the vibrations of bearing 1 and
bearing 2, both reached the upper values that trip the turbine and the phase changes
were very large, which matches the symptoms of a thermal unbalance fault. The
association rule fault diagnosis system also diagnosed that bearing 1 and bearing 2
had a thermal unbalance fault, which demonstrates the accuracy of the diagnosis
system. This method is also applicable to the CI equipment of an NPP. The
association rule fault diagnosis system can accurately determine the cause of a
fault and help the operators discover and eliminate it in time, so as to ensure the
stable and safe operation of CI systems and equipment [11].
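As an added illustration of the support/confidence rule base described above (example code written for this page, not the authors' diagnosis system): symptoms are items, the fault type is the consequent, rules are mined over a history table and then applied to the start-up event. The ten history records, the symptom names not in the text, and the two fault labels other than thermal unbalance are constructed.

```python
"""Association-rule fault diagnosis as described in Sect. 4.1: vibration signs and
thermal-parameter symptoms are the antecedent items, the fault type is the
consequent, and each rule carries a support and a confidence computed over a
historical event table.  Added example; the records below are constructed and
are not the authors' 900 MW turbine data."""
from itertools import combinations

# Constructed diagnosis history: (set of discretised symptoms, fault label).
# Symptom names follow the paper (1X/2X bearing vibration, MS-T, HPC-T, HPCES-T).
HISTORY = [
    ({"1X_high", "2X_high", "phase_shift_large", "MS-T_high", "HPC-T_high"}, "thermal_unbalance"),
    ({"1X_high", "2X_high", "phase_shift_large", "MS-T_high", "HPCES-T_high"}, "thermal_unbalance"),
    ({"1X_high", "phase_shift_large", "HPC-T_high"}, "thermal_unbalance"),
    ({"1X_high", "2X_high", "phase_shift_large", "HPC-T_high", "HPCES-T_high"}, "thermal_unbalance"),
    ({"1X_high", "2X_high", "phase_shift_small"}, "rotor_unbalance"),
    ({"1X_high", "1Y_high", "phase_shift_small"}, "rotor_unbalance"),
    ({"1X_high", "2X_high", "axial_vib_high"}, "misalignment"),
    ({"2X_high", "axial_vib_high", "phase_shift_small"}, "misalignment"),
    ({"1X_high", "MS-T_high", "phase_shift_small"}, "rotor_unbalance"),
    ({"1X_high", "2X_high", "phase_shift_large", "MS-T_high"}, "thermal_unbalance"),
]


def support(records, antecedent, fault=None):
    """Fraction of records containing every antecedent item (and the fault, if given)."""
    hits = sum(1 for symptoms, label in records
               if antecedent <= symptoms and (fault is None or label == fault))
    return hits / len(records)


def confidence(records, antecedent, fault):
    """P(fault | antecedent): records with antecedent and fault / records with antecedent."""
    with_ante = sum(1 for symptoms, _ in records if antecedent <= symptoms)
    if with_ante == 0:
        return 0.0
    both = sum(1 for symptoms, label in records if antecedent <= symptoms and label == fault)
    return both / with_ante


def mine_rules(records, min_support, min_confidence, max_len=3):
    """Enumerate antecedent -> fault rules up to max_len items; keep those over both thresholds."""
    items = sorted({s for symptoms, _ in records for s in symptoms})
    faults = sorted({label for _, label in records})
    rules = []
    for k in range(1, max_len + 1):
        for combo in combinations(items, k):
            ante = frozenset(combo)
            for fault in faults:
                sup = support(records, ante, fault)
                if sup < min_support:
                    continue
                conf = confidence(records, ante, fault)
                if conf >= min_confidence:
                    rules.append((ante, fault, sup, conf))
    # strongest evidence first: confidence, then support
    rules.sort(key=lambda r: (r[3], r[2]), reverse=True)
    return rules


def diagnose(rules, observed):
    """Judgment step of Fig. 1: apply the rule base to one observed symptom set.
    Returns [(fault, confidence, support), ...], best-supported fault first."""
    best = {}
    for ante, fault, sup, conf in rules:
        if ante <= observed and (fault not in best or (conf, sup) > best[fault]):
            best[fault] = (conf, sup)
    return sorted(((f, c, s) for f, (c, s) in best.items()),
                  key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    rule_base = mine_rules(HISTORY, min_support=0.3, min_confidence=0.8)
    for ante, fault, sup, conf in rule_base:
        print(f"{sorted(ante)} -> {fault}: support={sup:.2f} confidence={conf:.2f}")
    # The start-up event of Sect. 4.1: both bearings high, large phase change,
    # MS-T / HPC-T / HPCES-T at their highest values.
    event = {"1X_high", "2X_high", "phase_shift_large", "MS-T_high", "HPC-T_high", "HPCES-T_high"}
    print(diagnose(rule_base, event))
```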
Diagnosis of faulty operation of heat exchangers, specifically the condenser, is
another application; neural networks or improved neural networks have been shown to
be useful.

Fig. 2. Main thermal parameters variation trend

The nonlinear principal component analysis neural network (NLPCANN) is used to
reduce the data dimension and extract features. Then the probabilistic neural
network (PNN) is used to obtain the final diagnosis results. The process is shown in
Fig. 3.
In that paper, the authors summarized 21 typical faults and 33 characteristics of
the condenser. Two methods were used to diagnose the abnormalities: one uses the PNN
directly, the other uses NLPCANN and PNN together as mentioned above. Table 2 shows
the calculation results for an actual event that happened in a fossil power plant.
In the table, ui represents the probability of each typical fault. Comparing the two
methods, the results are nearly the same: u8 has a higher value than the others,
which means the 8th fault is the reason for the condenser fault, i.e. the cause of
the trouble is the imprecision of the vacuum system, which coincides with the facts.
Fig. 3. Schema of faulty diagnosis using nonlinear principal component analysis and
probabilistic neural network

Table 2. Comparison of the results of the two diagnostic methods

Typical failure   u1     u2     u3     u4     u5     u6     u7
Direct PNN        0.036  0.091  0.091  0.079  0.041  0.164  0.100
NLPCANN+PNN       0.019  0.084  0.130  0.319  0.296  0.250  0.005
Typical failure   u8     u9     u10    u11    u12    u13    u14
Direct PNN        0.449  0.164  0.230  0.122  0.164  0.340  0.110
NLPCANN+PNN       0.639  0.206  0.011  0.040  0.236  0.362  0.156
Typical failure   u15    u16    u17    u18    u19    u20    u21
Direct PNN        0.110  0.202  0.340  0.139  0.202  0.230  0.340
NLPCANN+PNN       0.259  0.127  0.450  0.284  0.239  0.206  0.479
Method 1 (direct PNN): diagnostic time 74 μs; Method 2 (NLPCANN+PNN): diagnostic time 63 μs

The diagnostic results verify the reliability of the diagnosis method based on
NLPCANN and PNN, and the diagnosis speed is also improved, which suits complex
systems with high-speed requirements. So for the diagnosis of the condenser in an
NPP, method 2 can determine the failure cause quickly and correctly.
Thermodynamic sensors are used primarily to acquire production data. These data are
the basis of monitoring, control and analysis for the unit, so the signal quality of
the sensors is critical. If the signal quality is bad, the subsequent response of
the control system or the operators may be wrong, which may cause a serious
accident. So in recent years, researchers have used the dynamic data mining (DDM)
method to evaluate the sensor condition [12].
Thermodynamic parameter signals can be decomposed into a series of intrinsic mode
functions and a residual trend using the empirical mode decomposition method, so as
to dynamically mine the feature information of a sensor fault.
Applying DM technology to diagnosis makes predictive and active analysis of the
critical equipment possible, changes post-maintenance into predictive maintenance,
and guides the maintenance personnel to focus on equipment showing performance
degradation, so that emergency repairs and unplanned shutdowns are effectively
reduced through reasonable arrangement of repair plans.

4.2 Optimization of Unit Operation

Operation optimization of the thermal system of an NPP unit is one of the important
means of improving efficiency and reducing cost, by meeting a set of target values.
The main methods for determining the optimal target values include:
(1) Mathematical model
This method builds mathematical models of the equipment or system and then conducts
the optimization.
However, because the equipment in the CI works with wet steam, it is very difficult
to establish proper working conditions for the variables in the thermodynamic
models. Often, models are established under assumptions, which limits their
application.
(2) Engineering test optimization method
Engineering optimization is accomplished by performing a series of engineering
optimization tests under different unit loads, from which the optimal target values
can be sought. Compared to the previous method, this one is more reliable and more
accurate, and can meet the requirements of operation and maintenance [13]. But as
the unit operates, equipment wear and other factors change the performance of the
equipment, so the optimal target values change accordingly and the original target
values need to be revised by a new round of optimization tests. This method
therefore requires more tests and greater economic investment.
In addition, because many parameters are related to the unit operation cost and they
are often correlated and coupled, determining the optimal values is difficult. So
the development of data-enabled science opens a new way to implement the
optimization of unit operation.
Many existing methods in data mining, statistics and probability can be used to
implement system operation optimization, such as association rule learning, graph
theory and neural networks. For instance, association rule learning is a common
method and has been verified in fossil power plants. It consists of the steps:
definition of related concepts, data preprocessing, building the data structure, and
generating association rules. As in the reference, the association rules were
applied to determine the operation optimization target values for one fossil power
plant [13]. That paper establishes a complete process model from data preprocessing
through rule evaluation and representation, and takes the historical data of a
10,000 MW fossil power plant as the mining target. Using the method, optimization
target values were obtained for 9 important parameters that indicate the unit status
under 100% load, as shown in Table 3. Using this method, the optimization target
values can also be obtained under different loads.
In addition, an improved fuzzy association rule mining method has been used to
extract association rules from the operation history data to guide optimized
operation.
Table 3. Intervals of optimization target values under 100% load

Parameter                                          Interval
Feed water flow (t·h⁻¹)                            [2750, 2770]
Feed water temperature (°C)                        [295.4, 295.8]
Main steam temperature (°C)                        [601.5, 601.88]
Main steam pressure (MPa)                          [24.92, 25.05]
Separator steam tank outlet steam pressure (MPa)   [27.3, 27.48]
Moisture separator outlet temperature (°C)         [417.5, 419]
Water/coal ratio                                   [8.51, 8.58]
Net coal consumption (g·kWh⁻¹)                     [276.48, 279.06]

Some papers have shown the improved fuzzy association rule mining method applied in
fossil power plants, where the application was verified to be successful [14, 15].
By mining the historical data, optimization research on the CI systems can be
carried out so as to guide the operators and improve the unit economy.

4.3 Soft Sensor Method


The soft sensor method (SSM) provides a relatively new approach: a mathematical
model or relationship is established with variables that are easily measured, and
the model is then used to estimate other variables.
SSM is applied to important variables that are difficult or impossible to measure
because of the limits of measurement technology. In NPP operation, variables such as
main steam flow, enthalpy and steam humidity are not measured directly, and SSM can
be used for them.
For example, the main steam flow is one of the most important variables for
monitoring the turbine performance and controlling the operation process.
Currently, the differential pressure measurement method is used to measure the flow,
using a throttling device and a differential pressure transmitter. But the
throttling device causes a pressure loss in the measured medium. Using this method
to measure the main steam flow may reduce the quality of the main steam and cause a
loss of 1%–2% of the turbine output while the measurement is being made. Moreover,
the working temperature, pressure and flow of the main steam may change
significantly when the unit load changes, which decreases the accuracy of the
differential pressure measurement. Therefore, large fossil power plants and NPPs
usually do not use a flow measurement device to measure the main steam flow, but
obtain it by SSM from the relevant variables.
Traditionally, the combination of the Flügel formula and the law of conservation of
mass has been the main method for calculating the main steam flow; improvements of
this method have been made, but poor accuracy remains an issue. In recent years,
the use of DM methods to solve the problem has achieved some research results. For
example, some authors proposed an SSM model for main steam flow calculation based on
a generalized regression neural network [16]. The variables of the model are
effectively reduced by filtering on the average influence value, and the
generalization ability of the model is improved by optimizing the distribution
density, so as to provide an effective calculation of the main steam flow. In this
paper, we clarify the generalized regression neural network (GRNN) structure, as
shown in Fig. 4.

Fig. 4. Generalized regression neural network structure

In this paper, a case is studied based on 20 sets of data after calibration of the
main steam flow of a 600 MW fossil power plant. First, these data are preprocessed
by normalization of the GRNN input vector:

$$x'(i,j) = \frac{x(i,j) - x_{\min}(j)}{x_{\max}(j) - x_{\min}(j)} \qquad (1)$$

where $x(i,j)$ is the input vector value of the $i$th variable of the $j$th sample;
$x_{\max}(j)$ and $x_{\min}(j)$ are the maximum and minimum values of the $j$th index;
and $x'(i,j)$ is the normalized value of the index. Through this transformation, the
effects of differences in meaning and unit on the average influence value and on the
GRNN model are avoided. Then the variables are filtered based on $V_{\mathrm{imp,avg}}$,
the average influence value of the input variables on the dependent variable.
Taking as the input of the network the first N variables that account for 85% of the total influence value, the average influence values in descending order are 0.0307, 0.0274, 0.0231, 0.0213, 0.0184, 0.0154, 0.0124, 0.008 and 0.0073, representing respectively high pressure condenser pressure (HPC-P), low pressure condenser pressure (LPC-P), governing stage pressure (GS-P), main steam pressure (MS-P), high pressure cylinder exhaust pressure (HPCE-P), main condensate flow (MC-F), reheater hot side steam temperature (RHSS-T), generator power (G-P) and feed water flow (FW-F). These 9 variables account for 85.33% of the total. The sample data after filtering are shown in Table 4.
Applications of Data Mining in Conventional Island 69

Table 4. Sample data of main steam flow soft calculation

No.  HPC-P  LPC-P  GS-P   MS-P   HPCE-P  MC-F      RHSS-T  G-P     FW-F      Main steam flow
     (kPa)  (kPa)  (kPa)  (kPa)  (kPa)   (t·h⁻¹)   (°C)    (MW)    (t·h⁻¹)   (t·h⁻¹)
1    5.57   3.78   10.52  14.56  3.708   1435.63   538.25  581.60  1766.02   1805.75
2    5.58   3.78   10.53  14.48  3.712   1443.57   537.63  581.92  1722.64   1807.62
3    5.18   3.51   9.77   14.52  3.445   1340.68   538.47  540.29  1656.41   1677.52
…    …      …      …      …      …       …         …       …       …         …
18   4.22   2.85   7.96   12.60  2.807   1119.97   538.86  454.54  1277.51   1367.09
19   4.24   2.86   7.99   12.65  2.818   1115.56   536.46  450.03  1329.51   1372.17
20   3.25   2.18   6.13   9.69   2.157   883.91    538.11  356.46  930.39    1050.82

In Table 4, the first 15 samples were used for model training and the last 5 for model testing. The first 15 sets of data were loaded by a Matlab program and the distribution density Ds was varied; the change of the error δ with Ds was recorded to determine the value of Ds at which δ is smallest. At this value the network has the higher training precision and generalization ability.
The SSM model for the main steam flow was then established, using the 9 variables as input and the optimized Ds as the network distribution density parameter. Finally, the reserved 5 sets of sample data were used to test the model.

$$d(i) = X(i) - X'(i) \qquad (2)$$

$$\Delta d(i) = \frac{d(i)}{X(i)} \qquad (3)$$

where X(i) and X'(i) are the actual value and the model output; d(i) is the absolute error between them; Δd(i) is the relative error. The comparison results are shown in Table 5. The relative errors on the five test samples all lie within ±1.1%, which meets the accuracy requirement of the soft sensor.
Therefore, the flow measurement device for the main steam flow can be replaced by the SSM.
Applying DM technology to SSM can cover the shortcomings of the commonly used instruments or of the traditional calculation methods, and is of great significance for improving unit performance and reducing project cost.

Table 5. Comparison results

No.  Actual value  Model output value  Absolute error  Relative error
     (t·h⁻¹)       (t·h⁻¹)             (t·h⁻¹)         (%)
1    1670.86       1661.65             9.21            0.5510
2    1655.97       1646.94             9.03            0.5455
3    1367.09       1372.59             −5.50           −0.4023
4    1372.17       1374.60             −2.43           −0.1768
5    1050.82       1061.67             −10.85          −1.0329
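The following Python program is an added worked example of the procedure described above; it is not code from the original paper or its authors. It applies the min-max normalization of Eq. (1), screens the inputs by their average influence value (the mean impact value method, assumed here to shift each normalized input by ±10% of its range) with the 85% cumulative cut-off, selects the distribution density Ds by the leave-one-out error δ, and reports the errors of Eqs. (2) and (3). Because only six of the 20 samples are printed in Table 4, the training set is a constructed grid whose flow depends linearly on two of three inputs, so the expected screening result and the prediction at an interior operating point are known exactly; the variable names, coefficients and the list of Ds candidates are assumptions.

```python
"""GRNN soft-sensor pipeline, added example on constructed data: min-max
normalisation (Eq. 1), mean-impact-value (MIV) screening with the 85 %
cumulative rule, GRNN regression, choice of the distribution density Ds by
leave-one-out error, and the errors of Eqs. (2)-(3). The training grid is
constructed, not the paper's 20 plant samples."""
import math
from itertools import product

NAMES = ["MS-P", "G-P", "RHSS-T"]   # assumed input variables for the example


def normalize(rows, lo=None, hi=None):
    """Eq. (1): x'(i,j) = (x(i,j) - xmin(j)) / (xmax(j) - xmin(j)).
    Returns the normalised rows and the per-column min/max that were used."""
    cols = list(zip(*rows))
    lo = lo if lo is not None else [min(c) for c in cols]
    hi = hi if hi is not None else [max(c) for c in cols]
    out = [[(v - a) / (b - a) if b > a else 0.0
            for v, a, b in zip(r, lo, hi)] for r in rows]
    return out, lo, hi


def grnn_predict(x, xs, ys, spread, skip=None):
    """GRNN output: Gaussian-kernel weighted mean of the training targets
    (Nadaraya-Watson form). `skip` leaves one training sample out."""
    num = den = 0.0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        if i == skip:
            continue
        d2 = sum((a - b) ** 2 for a, b in zip(x, xi))
        w = math.exp(-d2 / (2.0 * spread * spread))
        num += w * yi
        den += w
    return num / den if den > 0.0 else sum(ys) / len(ys)


def select_spread(xs, ys, candidates):
    """Sweep Ds and keep the value with the smallest leave-one-out mean
    relative error delta (the delta-versus-Ds curve of the paper)."""
    def delta(s):
        return sum(abs(grnn_predict(x, xs, ys, s, skip=i) - y) / abs(y)
                   for i, (x, y) in enumerate(zip(xs, ys))) / len(ys)
    return min(candidates, key=delta)


def mean_impact_values(xs, ys, names, spread, step=0.1):
    """MIV screening: shift one normalised input by +/-step (assumed to be
    10 % of its range) and average the resulting change of the GRNN output."""
    ivs = {}
    for j, name in enumerate(names):
        total = 0.0
        for x in xs:
            up, dn = list(x), list(x)
            up[j] += step
            dn[j] -= step
            total += grnn_predict(up, xs, ys, spread) - grnn_predict(dn, xs, ys, spread)
        ivs[name] = abs(total / len(xs))
    return ivs


def select_variables(ivs, share=0.85):
    """Keep the highest-ranked variables until they carry `share` of the total IV."""
    total, acc, keep = sum(ivs.values()), 0.0, []
    for name in sorted(ivs, key=ivs.get, reverse=True):
        keep.append(name)
        acc += ivs[name]
        if acc >= share * total:
            break
    return keep


def errors(actual, predicted):
    """Eqs. (2)-(3): absolute error d(i) and relative error Delta d(i)."""
    d = actual - predicted
    return d, d / actual


def build_dataset():
    """Constructed training grid: flow = 60*MS-P + 0.8*G-P + 100, independent
    of RHSS-T, so the MIV ranking and the 85 % cut are known in advance."""
    grid = product([9.5 + k for k in range(6)],          # MS-P, 9.5..14.5
                   [350.0 + 50 * k for k in range(6)],   # G-P, 350..600
                   [536.0 + 0.6 * k for k in range(6)])  # RHSS-T, 536..539
    rows = [list(r) for r in grid]
    return rows, [60.0 * p + 0.8 * g + 100.0 for p, g, _ in rows]


def run_pipeline(query=(12.0, 475.0, 537.5), actual=1200.0):
    """Screen the variables, fit Ds, and predict one held-out operating point."""
    rows, flows = build_dataset()
    xs, lo, hi = normalize(rows)
    ivs = mean_impact_values(xs, flows, NAMES, spread=0.2)
    keep = select_variables(ivs)
    idx = [NAMES.index(n) for n in keep]
    xs_sel = [[x[j] for j in idx] for x in xs]
    ds = select_spread(xs_sel, flows, [0.02, 0.05, 0.1, 0.2, 0.3])
    q, _, _ = normalize([list(query)], lo, hi)      # reuse the training min/max
    pred = grnn_predict([q[0][j] for j in idx], xs_sel, flows, ds)
    d, rel = errors(actual, pred)
    return {"ivs": ivs, "selected": keep, "spread": ds,
            "prediction": pred, "abs_err": d, "rel_err": rel}
```

run_pipeline() returns the influence values, the retained variables, the chosen Ds and the prediction error at the held-out operating point. With plant data, build_dataset() would be replaced by the calibrated samples, with 5 of them kept aside for the test of Table 5; note that a query must be normalized with the training set's minima and maxima, not its own, or the model is fed values it never saw.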

5 Conclusions

Based on DM technology, this paper puts forward a solution to the problem of the inefficient use of the large amount of production data of the CI in NPPs. Through several application examples, DM shows great promise in the CI, whose production data are large in volume, high-dimensional and multi-coupled. In the CI, DM can be applied extensively to equipment fault diagnosis, unit operation optimization and soft measurement calculation, further improving the safety and economy of the unit.

References
1. Optimized Capacity: Global Trends and Issues 2014 edition. A Report by the World Nuclear
Association’s Capacity Optimization Working Group
2. Xu, J.G.: Progress in the design of DCS for large-scale thermal power plants. Electr. Power
39(10), 84–87 (2006)
3. Wang, Y.M., Zhang, L.Z., Xu, D.M., Ma, H.L.: Application of characteristic flow area of
steam turbine. J. Eng. Therm. Energy Power 27(2), 160–164 (2012)
4. Li, H.: Development of Database of Rotating Machine History Fault-cases and Precision
Diagnosis. North China Electric Power University (2004)
5. Olaru, C., Geurts, P.: Data mining tools and applications in power system engineering. In:
Proceedings of the 13th Power System Computation Conference. Norway (1999)
6. Quinlan, J.R.: Induction of decision trees. Mach. Learn. 1(1), 81–106 (1986)
7. Garcez, T., Miranda, V.: Knowledge discovery in neural networks with application to
transformer failure diagnosis. IEEE Trans. Power Syst. 20(2), 717–724 (2005)
8. Pawlak, Z.: Rough sets. Int. J. Parallel Program. 11(5), 341–356 (1982)
9. Su, H.C., Sun, X.F., Yu, J.L.: A survey on the application of rough set theory in power
systems. Autom. Electric Power Syst. 28(3), 90–95 (2004)
10. Han, H.: The Research of Vibration Fault Diagnosis System for 900 MW Turbine Based on
Data Mining. Shanghai Jiao Tong University (2009)
11. Hou, G.L., Sun, X.G., Zhang, J.H., Jin, W.G.: Research on fault diagnosis of condenser via
nonlinear principal component analysis and probabilistic neural networks. Proc. Chin. Soc.
Electr. Eng. 25(18), 104–108 (2005)
12. Li, W., Yu, Y.L., Sheng, D.R., Chen, J.H.: Fault diagnosis of thermodynamic parameter
sensors based on dynamic data mining. J. Vib. Measurement Diagnosis 36(4), 694–699
(2016)
13. Zheng, X.X., Yang, H.Y., Gu, J.J.: Optimization of the targeted value for thermal power
based on association rules. Electr. Power Sci. Eng. 26(9), 48–51 (2010)
14. Li, J.Q., Liu, J.Z., Zhang, L.Y., Niu, C.L.: The research and application of fuzzy association
rule mining in power plant operation optimization. Proc. Chin. Soc. Electr. Eng. 26(20),
118–123 (2006)
15. Li, J.Q., Niu, C.L., Liu, J.Z.: Application of data mining technique in optimizing the
operation of power plants. J. Power Eng. 26(6), 830–835 (2006)
16. Wang, J.X., Fu, Z.G., Jing, T., Chen, Y.: Main steam flow measurement based on
generalized regression neural network. Power Eng. 32(2), 130–134,158 (2012)
A Hierarchically Structured Down-Top Test
Equipment Debugging Method for RPS

Wang Xi (corresponding author), Tao Bai, Peng-Fei Gu, Wei Liu, and Wei-Hua Chen

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
xw.hope@qq.com

Abstract. The reactor protection system (RPS) plays a critical role in the digital control system (DCS) and ensures the safety of the nuclear power plant (NPP). System test is a necessary step in system development and in verification and validation (V&V), ensuring the safety and reliability of the RPS. Debugging the test environment and equipment is an important step that ensures the effectiveness and efficiency of the test. A system such as the RPS, which contains complicated logic and a large number of interfaces, costs a lot of time and human resources to debug. A structured debugging method is proposed in this paper: it establishes a debugging architecture with a hierarchical model according to the signal transmission path, and designs the debugging process from bottom to top. Results from engineering practice show that this method improves the effectiveness and efficiency of debugging and provides support and reference for establishing system test environments.

Keywords: NPP · DCS · RPS · System test · Equipment · Debugging

1 Introduction

The key point of digital technology in NPPs is the introduction of safety software, whose performance directly affects the safety and reliability of the NPP [1, 2]. The reactor protection system (RPS) plays a critical role in the digital control system (DCS) and ensures the safety of the nuclear power plant (NPP). System test is a necessary step in system development and in verification and validation (V&V), ensuring the safety and reliability of the RPS [3–5]. Debugging the test environment and equipment is an important step that ensures the effectiveness and efficiency of the test. For a system like the RPS, which contains complicated logic and a large number of interfaces, a test environment established with unstructured debugging cannot ensure an adequate and correct test, and results in much more rework, costing a lot of time and human resources for debugging [6].
Therefore, to improve debugging efficiency and effectiveness and to save human and time cost, this paper researches a structured debugging method for digital RPS test equipment.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 72–77, 2019.
https://doi.org/10.1007/978-981-13-3113-8_8
A Hierarchically Structured Down-Top Test 73

2 Test Architecture
2.1 System and Equipment
The test architecture of the RPS is shown in Fig. 1. It consists of the user interface, the test tools and the target system, and achieves the following functions [7]:

Fig. 1. Test architecture (user interface; signal control on the control machine; I/O board with AO, DO, AI and DI channels; analog and digital signals exchanged with the target system)

(1) The user interface provides configuration functions for the operator, including test conditions, test cases and test data;
(2) The test tool provides translation and simulation for the transmitted signals and reflects the received signals back to the user interface.

2.2 Test Interface


According to the signal transmission paths, the test architecture contains the following interfaces:
(1) The interface between the signal names and the slot table;
(2) The interface between the slot table and the I/O card of the control machine;
(3) The interface between the I/O card of the control machine and the recuperate board;
(4) The interface between the recuperate board and the target system (cabinet).
As shown in Fig. 2, an error in any one of this large number of interfaces may lead to erroneous test results, and because there are multiple interface levels, interface errors should be detected and confirmed at each level. Therefore, fast and effective debugging is the key to ensuring a correct test environment.

3 Hierarchical Debugging Model

3.1 Structured Multi-level


According to the signal interface loop of Fig. 2, the test architecture is abstracted into the structured multi-level model shown in Fig. 3, which is called the test V model. Its characteristics are as follows:
74 W. Xi et al.

Fig. 2. Signal interface loop (transmitted signals pass from the user through the interface configuration table, the control machine I/O and the recuperate board to the target system; received signals return along the same chain in reverse)

Fig. 3. Debugging model (user level: input and output signals; gate; mapping level: slot and I/O mapping; gate; board level: input and output interfaces; gate; cabinet level: input and output interfaces; gate; system level: RPS and monitor)

(1) The test architecture is divided into 5 levels according to the signal transmission path, namely user level, mapping level, board level, cabinet level and system level, and can be described as a V model;
(2) The user level is used by the operator to configure and monitor the input and output data;
(3) The mapping level connects the signal names to the slots and I/O interfaces of the control machine;
(4) The board level inputs or outputs signals by translating them into voltage and current;
(5) The cabinet level transports the signals between the board and the target system;
(6) The system level is the inside of the target system, where the signals can be monitored and changed by software; the monitor software is important for checking the correctness of the debugging of the higher levels.

3.2 Debugging Criterion


Based on the debugging model, this paper proposes a down-top debugging method whose general debugging criterion is as follows:
• Each level is treated as a debugging level. To ensure that the debugging result is not affected by a lower level, debugging cannot enter the upper level until the lower level has been well debugged;
• The transition from a lower to a higher level is a phase transition, called the "gate"; the condition to pass the gate is the transition criterion;
• The general transition criterion is that the whole interface of the lower level, including input and output, has been correctly checked, so that the lower level can be "closed".

4 The Down-Top Debugging Method

4.1 Debugging Process and Gates


The down-top debugging method proposed in this paper starts at the bottom level and ends at the top level; Table 1 describes the process and the gate of each phase.

Table 1. Debugging method and gate

Phase: System level
  Method: Confirm the correct connection between the monitor and the system logic; the signal change can be monitored effectively in software, and the signal can be changed by the monitor at system level.
  Gate: Monitor successfully connected.

Phase: Cabinet level
  Method: Inject the signal at the cabinet-level interface and check the signal change at system level by the monitor; change the signal at system level by the monitor and check the output interface at cabinet level.
  Gate: The input and output signals at cabinet level change in the same way as in the monitor.

Phase: Board level
  Method: Check the connection between board and cabinet by the link interface table; inject signals at board level and check the signal variation in the monitor; change signals in the monitor and check the output at board level.
  Gate: Connections between the board and the cabinet interface are correct; the input and output signals at board level change in the same way as in the monitor.

Phase: Mapping level
  Method: Check the connections between the software and the I/O slots of the control machine by the mapping table; inject signals at mapping level by tools (such as NI MAX) and check the signal change in the monitor; change signals in the monitor and check the output at mapping level.
  Gate: Connections between mapping level and control machine are correct; the input and output signals at mapping level change in the same way as in the monitor.

Phase: User level
  Method: Check the configuration table that describes the connections between signal names and I/O slot names at mapping level; load and inject the test case, including input values and expected outputs, check the signal change in the monitor and check the correctness of the real output.
  Gate: Connections between signal names and mapping level are correct; the outputs change as expected.
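As an added illustration of the gate criterion and of the table-driven checks of Table 1, the Python program below (not the authors' tooling) models the levels as documented mapping tables. A level is closed only when the static table check passes (every entry resolves one level down, no two entries cross onto the same lower identifier) and a value injected at that level arrives on the monitor tag the documentation predicts; otherwise the gate stays open and the next level is not entered. The tables, tag names and the two faults it exercises, a crossed mapping table and swapped cabinet wiring, are constructed; a real setup would replace Monitor with the system-level monitor software and the `physical` lookups with actual injection hardware.

```python
"""Gated down-top debugging of a test-equipment signal chain (added example,
not the authors' tooling). Each level is a documented table mapping its own
identifiers onto the level below. A level closes only when the static table
check passes (no dangling or crossed entries) and a value injected at that
level shows up on the monitor tag the documentation predicts."""
from itertools import count

LEVELS = ("system", "cabinet", "board", "mapping", "user")   # bottom to top


class Monitor:
    """System-level view of the target: tag -> value, plus the link state."""
    def __init__(self, tags, connected=True):
        self.values = {t: 0.0 for t in tags}
        self.connected = connected

    def write(self, tag, value):
        if not self.connected:
            raise ConnectionError("monitor not connected")
        self.values[tag] = value

    def read(self, tag):
        return self.values.get(tag)


def table_errors(level, table, lower_ids):
    """Static gate check: every entry must point at an existing identifier one
    level down, and no two entries may share one (crossed wires)."""
    errs, seen = [], {}
    for src, dst in table.items():
        if dst not in lower_ids:
            errs.append(f"{level}: {src} -> {dst} does not exist one level down")
        elif dst in seen:
            errs.append(f"{level}: {src} and {seen[dst]} both map to {dst}")
        seen.setdefault(dst, src)
    return errs


def inject_check(level, table, documented, physical, monitor, seq):
    """Dynamic gate check: drive a fresh value through every entry and confirm
    it arrives on the documented tag rather than somewhere else."""
    errs = []
    for src in table:
        value, expected, actual = float(next(seq)), documented(src), physical(src)
        if actual not in monitor.values:
            errs.append(f"{level}: injection at {src} reaches no monitor tag")
            continue
        monitor.write(actual, value)
        if monitor.read(expected) != value:
            errs.append(f"{level}: {value:g} injected at {src} expected on "
                        f"{expected}, arrived at {actual}")
    return errs


def debug_down_top(tables, monitor, actual_cabinet):
    """Run the gates bottom-up and stop at the first one that stays open.
    `actual_cabinet` is the real terminal-to-tag wiring, which may differ
    from the documented cabinet table. Returns (closed levels, errors)."""
    cab, link, mapping, signals = (tables[k] for k in LEVELS[1:])
    documented = {                      # what the tables say a source maps to
        "cabinet": cab.get,
        "board": lambda p: cab.get(link.get(p)),
        "mapping": lambda s: cab.get(link.get(mapping.get(s))),
        "user": lambda n: cab.get(link.get(mapping.get(signals.get(n)))),
    }
    physical = {                        # where an injection really ends up
        "cabinet": actual_cabinet.get,
        "board": lambda p: actual_cabinet.get(link.get(p)),
        "mapping": lambda s: actual_cabinet.get(link.get(mapping.get(s))),
        "user": lambda n: actual_cabinet.get(link.get(mapping.get(signals.get(n)))),
    }
    lower = {"cabinet": set(monitor.values), "board": set(cab),
             "mapping": set(link), "user": set(mapping)}
    if not monitor.connected:           # system-level gate
        return [], ["system: monitor not connected"]
    closed, seq = ["system"], count(101)
    for level in LEVELS[1:]:
        errs = table_errors(level, tables[level], lower[level])
        if not errs:
            errs = inject_check(level, tables[level], documented[level],
                                physical[level], monitor, seq)
        if errs:
            return closed, errs         # gate stays open: do not go up
        closed.append(level)
    return closed, []


def example_tables(crossed=False):
    """Constructed documentation for three analog inputs. With `crossed`, two
    slot channels are documented against the same board pin."""
    cabinet = {"X12:1": "PT-101", "X12:2": "PT-102", "X12:3": "TE-201"}
    link = {"B1-P1": "X12:1", "B1-P2": "X12:2", "B2-P1": "X12:3"}
    mapping = {"S2/AI0": "B1-P1", "S2/AI1": "B1-P2", "S3/AI0": "B2-P1"}
    if crossed:
        mapping["S3/AI0"] = "B1-P2"
    signals = {"RPS_PT101": "S2/AI0", "RPS_PT102": "S2/AI1", "RPS_TE201": "S3/AI0"}
    return {"cabinet": cabinet, "board": link, "mapping": mapping, "user": signals}


def run_scenarios():
    """Clean wiring, crossed mapping table, swapped cabinet wiring, and an
    offline monitor; returns (closed levels, errors) for each."""
    t = example_tables()
    swapped = {"X12:1": "PT-102", "X12:2": "PT-101", "X12:3": "TE-201"}
    tags = list(t["cabinet"].values())
    return {
        "clean": debug_down_top(t, Monitor(tags), t["cabinet"]),
        "crossed": debug_down_top(example_tables(crossed=True), Monitor(tags), t["cabinet"]),
        "swapped": debug_down_top(t, Monitor(tags), swapped),
        "offline": debug_down_top(t, Monitor(tags, connected=False), t["cabinet"]),
    }
```

Each injected value is fresh (a running counter), so a tag that merely keeps an old value cannot pass as "changed"; the error message names the level, the source identifier and the tag the signal really landed on, which is the information needed to correct one table instead of re-debugging the whole chain.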

Table 2. Comparison of the unstructured and down-top debugging methods

Metric                    Unstructured  Down-top method  Change
Human cost (person-days)  4             2                −50%
Rounds                    4             2                −50%
Re-debugging interfaces   63            7                −80%

4.2 Engineering Practice


Based on this debugging method, this paper carried out a practice on RPS test equipment containing 200 interfaces. In this practice both the unstructured and the down-top debugging method were used for comparison. The unstructured debugging method starts at user level with test cases and lacks organization: more time is used to locate where a fault happened, the total number of debugging rounds and of re-debugged interfaces increases, and the result is a large human and time cost. The down-top method may spend more time on interface checking at the lower levels, but in this way the correctness of the interfaces at the higher levels can be ensured.
As shown in Table 2, for the same number of interfaces the down-top method proposed in this paper reduced the human cost and the number of debugging rounds by 50% compared with the unstructured method, and the number of re-debugged interfaces decreased by 80% (from 63 to 7, which by the table's own figures is a reduction of about 89%).

5 Conclusions

A hierarchically structured debugging method is proposed in this paper. According to the signal transmission path, a multi-level test V model is abstracted and developed into a down-top debugging process, which improves the correctness and stability of the test environment by debugging from the bottom level to the top level. In engineering practice this method establishes a well-defined debugging procedure that improves debugging efficiency and directly saves human and time cost. The method also provides support and reference for establishing test environments and for debugging other test equipment.

References
1. Ding, Y.X., Gu, P.F., et al.: Study on standard about safety digital I&C system in NPP. Process Autom. Instrum. 36(11), 61–64 (2015)
2. International Electrotechnical Commission: IEC 60880 Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions. International Electrotechnical Commission, Switzerland (2006)
3. Gu, P.F., Xi, W., Chen, W.H., et al.: Evaluation system of software concept V&V about the
safety digital I&C system in nuclear power plant. In: International Symposium on Software
Reliability, Industrial Safety, Cyber Security and Physical Protection for Nuclear Power Plant.
Springer, Singapore, Vol. 400, pp. 125–132 (2016)
4. V&V Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012 IEEE Standard for Software Verification and Validation. Institute of Electrical and Electronics Engineers, New York (2004)
5. He, Y.N., Gu, P.F., Xi, W.: Research on digital control system status monitoring and
reliability prediction method for nuclear power plant. Atomic Energy Sci. Technol. 51(12),
2338–2343 (2017)
6. Xiao, P., Zhou, J.X., Liu, H.C.: Relationship between architecture of reactor protection
system and reliability. Nucl. Power Eng. 34(S1), 179–183 (2013)
7. Xu, H.L.: The design and realization of nuclear power plant DCS TEST instrument. North
China Electric Power Univ. 3, 4–6 (2016)
Discussion for Uncertainty Calculation
of Containment Leakage Rate

Yu Sun (corresponding author), Jun Tian, Tian-You Li, and Zhao-yang Liu

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd, Shenzhen 518172, Guangdong, China
Ysun214@163.com

Abstract. This paper discusses the uncertainty calculation process for the containment leakage rate. The containment leakage rate is obtained by linear regression of the change of the containment air standard volume. The uncertainty of the leakage rate is the combination of the Type A and Type B evaluation uncertainties. The Type A evaluation uncertainty reflects the effect of random fluctuation of the containment air volume on the slope of the regression line and is calculated directly from statistical theory. The Type B evaluation uncertainty can be calculated from empirical data and statistical theory. The uncertainty of the sensor data is analyzed from empirical data. With the sensor data uncertainty known, the leakage rate calculation is decomposed into several steps and the uncertainty calculation of each step is established according to statistical theory. Together these determine the uncertainty calculation method of the Type B evaluation.

Keywords: Containment · Leakage rate · Uncertainty · On-line monitoring

1 Introduction

The containment leakage rate on-line monitoring system in a nuclear power plant monitors the change of containment tightness and provides the containment leakage rate during power operation. It differs from the containment total tightness test (Type A test) in that the latter validates the containment performance under loss of coolant accident conditions, its objective being to measure the total containment leakage rate at design pressure. For the total tightness test the leakage comes from concrete pores and cracks, whereas during power operation the containment leakage comes mainly from the penetrations [1].
The requirement for a containment leakage rate on-line monitoring system is presented in the European Utility Requirements for LWR Nuclear Power Plants (EUR) and the Advanced Light Water Reactor Utility Requirements Document (URD) [2, 3]. A similar requirement is put forward in HAD102-06, Design of Containment System for Nuclear Power Plant Reactor, which was drafted in 2009 for update.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 78–86, 2019.
https://doi.org/10.1007/978-981-13-3113-8_9
Discussion for Uncertainty Calculation 79

The measurement result of the containment leakage rate is expressed as the best estimate value and its uncertainty. In this article, a calculation method for the leakage rate uncertainty is discussed.

2 Brief Introduction to the Calculation Method of Containment Leakage Rate

At present, the mass conservation method is widely used worldwide to calculate the containment leakage rate. According to the equation of state of an ideal gas, the standard volume of the air is equivalent to its mass. The standard state is defined as 0 °C and 1.01325 × 10^5 Pa. A number of standard volume changes, denoted ΔVh, collected during one day are fitted linearly against time, and the slope of the line is the leakage rate of that day. This calculation method, based on the principle of mass conservation, is adopted by pressurized water reactor nuclear power plants such as the AP1000. In the AP1000, however, the standard volume of air in the containment is fitted directly to obtain the leakage; if the air volume data are displayed, the volume change is invisible compared with the total volume. So in this paper the change of air volume is used to calculate the leakage. Also, in civil nuclear power plants compressed air is used to drive the containment isolation valves, which interferes with the leakage measurement, so the compressed air volume must be deducted in the calculation.
The calculation of ΔVh is as follows:

$$\Delta Vh(t) = V_{NH}(t) - V_{NH}(t_0) - \int_{t_0}^{t} Q_{sar}(t)\,dt \qquad (1)$$

where
V_NH(t): the standard volume of the containment air at the present time t (Nm³);
V_NH(t_0): the standard volume of the containment air at the reference time t_0 (Nm³);
Q_sar: the standard volume flow rate of compressed air injected into the containment between t_0 and t, which disturbs the leakage rate measurement and must be deducted (Nm³/h).

3 Present Situation of the Uncertainty Evaluation Method for Containment Leakage Rate

The uncertainty of the containment leakage rate is used to measure the reliability of the leakage rate calculation result. When the uncertainty is too high, the input data should be processed and the leakage rate recalculated. Factors contributing to a high leakage rate uncertainty include [1]:
(1) Exhaust of the containment ventilation system causes a change of the containment air volume;
(2) Change of the containment leakage rate;
(3) A transient operation results in a sudden change in the calculated volume of the containment air.
80 Y. Sun et al.
There is a lack of information about the uncertainty calculation method for the containment leakage rate both at home and abroad. The calculation method is not given in the EUR, URD and HAD documents. Domestic research papers on the uncertainty calculation are still lacking. In the algorithm description of the French leakage rate monitoring software (SEXTEN), which is commonly used domestically, the Type A evaluation formula of the uncertainty is based on simulation and the detailed derivation is not available, while the Type B evaluation is provided as a fixed value whose calculation method is also lacking [4].
By studying statistical theory, this paper discusses the method of calculating the uncertainty of the leakage rate based on the mass conservation method.

4 Method for Evaluating the Uncertainty of Containment Leakage Rate

According to the rules in JJF 1059.1-2012, Evaluation and Expression of Uncertainty in Measurement, the uncertainty of a measured value is composed of several components [5]. An experimental standard deviation based on a series of measured values is called the Type A evaluation of standard measurement uncertainty. The standard deviation obtained from a prior probability distribution estimated from the relevant information is called the Type B evaluation of standard measurement uncertainty. The total measurement uncertainty is the combination of the Type A and Type B uncertainties.

4.1 Calculation Method for Type A Evaluation Uncertainty of Containment Leakage Rate

Assume 48 air standard volume variations (ΔVh) are used to fit the containment leakage rate by linear regression; the slope of the line is the leakage rate Q_ld. The Type A evaluation uncertainty of Q_ld comes from the dispersion of the ΔVh data points, which is caused by random fluctuation of the thermal conditions in the containment. This uncertainty is denoted u_A(Q_ld). Let

$$X_i = t_i,\quad i = 1 \ldots N,\quad N = 48,\quad t_i = 0\,\mathrm{h},\ 0.5\,\mathrm{h},\ 1\,\mathrm{h},\ 1.5\,\mathrm{h} \ldots 23.5\,\mathrm{h}$$

$$Y_i = \Delta Vh(t_i)$$

Based on statistical theory, the standard uncertainty of the slope obtained by least squares is calculated as [6]:

$$u_A(Q_{ld}) = \sqrt{\frac{\sigma^2}{\sum_{i=1}^{N}(X_i - \bar{X})^2}} \qquad (2)$$

In the equation, σ² is the variance of the residuals around the fitted line and is calculated as:

$$\sigma^2 = \frac{\sum_{i=1}^{N}(Y_i - a_0 - a_1 X_i)^2}{N - 2} \qquad (3)$$

where a_1 and a_0 are the slope and the intercept of the regression line.

4.2 Calculation Method for Type B Evaluation Uncertainty of Containment Leakage Rate
An uncertainty component evaluated by a method other than the Type A method is called a Type B evaluation uncertainty. The evaluation can be based on the following information [5]:
(1) A quantity issued by an authority;
(2) The value of a certified reference material;
(3) A calibration certificate;
(4) The drift of the instrument;
(5) The accuracy class of a verified measuring instrument;
(6) A limit value inferred from the experience of a person, etc.
In this paper, the leakage rate calculation process is decomposed into several steps and the uncertainty calculation method of each step is derived.

4.2.1 Sensor Uncertainty

The containment temperature, pressure and compressed air flow, which are the input data for the leakage rate calculation, are received from field instrumentation. The sensor uncertainty can be obtained from the manufacturer; some examples are described below.
(1) Temperature Sensor
Assuming a Class A resistance thermometer is used and the measured average temperature is t_iavg (in °C), the standard uncertainty at that temperature is calculated as [7]:

$$u_B(t_{iavg}) = 0.15 + 0.002\,\lvert t_{iavg} \rvert \qquad (4)$$

(2) Pressure Sensor
The Type B evaluation uncertainty of the pressure sensor is a combination of several uncertainty components. Assuming the components are the reference uncertainty e_1, stated at a 95% confidence level (hence the divisor 1.96), and the correction uncertainty e_2, taken as a rectangular distribution (hence the divisor √3), the combined uncertainty is calculated as [8]:

$$u_B(p_{avg}) = \sqrt{\frac{e_1^2}{1.96^2} + \frac{e_2^2}{3}} \qquad (5)$$

(3) Flow Sensor of Compressed Air
The uncertainty of the compressed air flow sensor can be obtained from the sensor's datasheet and is denoted u_B(Q_sar).

4.2.2 The Uncertainty of Average Temperature for the Containment Air

Suppose the containment leakage rate on-line monitoring system uses n temperature sensors to measure the containment air temperature every half hour. The value of each temperature sensor represents the average temperature of a part of the free-space air, so the average temperature of the containment air, T_avg, is a weighted average according to the volume of air measured by each sensor. The calculation model is as follows:

$$T_{avg} = \frac{V_L}{\sum_{i=1}^{n} V_i / t_{iavg}} \qquad (6)$$

where
V_L: the volume of free space in the containment, unit m³;
V_i: the volume of the air measured by each sensor, unit m³;
t_iavg: the average air temperature measured by each sensor, unit K.

Because the measurements of the temperature sensors in the containment are independent of each other, the correlation coefficient between the uncertainties of any two temperature sensors is zero. According to the law of propagation of uncertainty, the combined uncertainty of the average air temperature for each half hour is calculated as follows [5]:

$$u_B(T_{avg}) = \sqrt{\sum_{i=1}^{n} \left(\frac{\partial T_{avg}}{\partial t_{iavg}}\right)^2 u_B^2(t_{iavg})} \qquad (7)$$

Substituting Eq. (6) into Eq. (7), we obtain:

$$u_B(T_{avg}) = \sqrt{\sum_{i=1}^{n} \left[\frac{V_L V_i / t_{iavg}^2}{\left(\sum_{j=1}^{n} V_j / t_{javg}\right)^2}\right]^2 u_B^2(t_{iavg})} = \sqrt{\sum_{i=1}^{n} \frac{T_{avg}^4\, V_i^2}{V_L^2\, t_{iavg}^4}\, u_B^2(t_{iavg})} \qquad (8)$$

Let

$$v_i = \frac{V_i}{V_L} \qquad (9)$$

Equation (8) can then be expressed as

$$u_B(T_{avg}) = \sqrt{\sum_{i=1}^{n} \frac{T_{avg}^4}{t_{iavg}^4}\, v_i^2\, u_B^2(t_{iavg})} \qquad (10)$$

In total, 48 values of the average-temperature uncertainty are calculated for the containment air in one day.

4.2.3 The Uncertainty of Standard Volume for the Containment Air

The standard volume V_H(t_i) of the air in the containment is calculated every half hour from the average pressure p_iavg and the average temperature T_iavg within that half hour. According to the ideal gas law, the calculation model is as follows:

$$V_H(t_i) = \frac{T_N V_L}{P_N} \cdot \frac{p_{iavg}}{T_{iavg}} \qquad (11)$$

where
T_N: standard state temperature, 273.15 K;
P_N: standard state absolute pressure, 1.01325 × 10^5 Pa;
V_L: the volume of free space in the containment, unit m³;
p_iavg: the average pressure in the containment at the moment t_i, unit Pa;
T_iavg: the average temperature in the containment at the moment t_i, unit K;
i: the ith half hour in a day, ranging from 1 to 48.

Let

$$k = \frac{T_N V_L}{P_N} \qquad (12)$$

Then Eq. (11) can be expressed as:

$$V_H(t_i) = k \cdot \frac{p_{iavg}}{T_{iavg}} \qquad (13)$$

Since p_iavg and T_iavg are independent, according to the law of propagation of uncertainty the uncertainty of V_H(t_i) is calculated as follows:

$$u_B(V_H(t_i)) = \sqrt{\left(\frac{\partial V_H(t_i)}{\partial p_{iavg}}\right)^2 u_B^2(p_{iavg}) + \left(\frac{\partial V_H(t_i)}{\partial T_{iavg}}\right)^2 u_B^2(T_{iavg})} = k\sqrt{\frac{u_B^2(p_{iavg})}{T_{iavg}^2} + \frac{p_{iavg}^2\, u_B^2(T_{iavg})}{T_{iavg}^4}} \qquad (14)$$

In total, 48 values of the standard-volume uncertainty are calculated for the containment air in one day.

4.2.4 The Uncertainty of Type B Evaluation for Containment Leakage Rate

According to the principle of the least squares method used for the linear regression, the leakage rate Q_ld is calculated as follows:

$$Q_{ld} = \left[\sum_{i=1}^{N} X_i Y_i - \frac{\sum_{i=1}^{N} X_i \sum_{i=1}^{N} Y_i}{N}\right] \Bigg/ \left[\sum_{i=1}^{N} X_i^2 - \frac{\left(\sum_{i=1}^{N} X_i\right)^2}{N}\right] \qquad (15)$$

where
X_i: the time of every half hour in a day, i.e. 0 h, 0.5 h, 1 h, 1.5 h … 23.5 h;
Y_i: the change in standard volume, ΔV_H(t_i), of the containment air at each half hour relative to the reference moment t_0;
N: a constant representing the total number of time points at which measurement is performed, equal to 48 in this case.

Here N and X_i are constants, and let

$$A = 1 \Bigg/ \left[\sum_{i=1}^{N} X_i^2 - \frac{\left(\sum_{i=1}^{N} X_i\right)^2}{N}\right] \qquad (16)$$

$$B = \frac{\sum_{i=1}^{N} X_i}{N} \qquad (17)$$

Equation (15) can be expressed as:


!
X
N X
N
Qld ¼ A  Xi  Yi  B  Yi
i¼1 i¼1
ð18Þ
X
N
¼A ðXi  BÞ  Yi
i¼1

The change in standard volume of the containment air $Y_i$ is the difference between the moment $t_i$ and the reference moment $t_0$; the volume of the compressed air injected during the period from $t_0$ to $t_i$ is further deducted from $Y_i$. The calculation is as follows:
$$Y_i = \Delta V_H(t_i) = V_H(t_i) - V_H(t_0) - \sum_{j=1}^{M_i} Q_{sarij} \cdot \frac{1}{2} \qquad (19)$$
where $M_i$ is the number of data points of the compressed air measurement during the period from $t_0$ to $t_i$.
By substituting Eq. (19) into Eq. (18), the containment leakage rate $Q_{ld}$ can be expressed as:
$$Q_{ld} = A \sum_{i=1}^{N} (X_i - B) \cdot \left[V_H(t_i) - V_H(t_0) - \sum_{j=1}^{M_i} Q_{sarij} \cdot \frac{1}{2}\right] = A \sum_{i=1}^{N} (X_i - B) \cdot [V_H(t_i) - V_H(t_0)] - A \sum_{i=1}^{N} \sum_{j=1}^{M_i} \left[(X_i - B) \cdot Q_{sarij} \cdot \frac{1}{2}\right] \qquad (20)$$

Let
$$Q_{lda} = A \sum_{i=1}^{N} (X_i - B) \cdot [V_H(t_i) - V_H(t_0)] \qquad (21)$$
$$Q_{ldb} = A \sum_{i=1}^{N} \sum_{j=1}^{M_i} \left[(X_i - B) \cdot Q_{sarij} \cdot \frac{1}{2}\right] \qquad (22)$$

Since $Q_{lda}$ is calculated from the pressure and temperature in the containment and $Q_{ldb}$ from the compressed air flow, and these three kinds of data are independent of each other, the uncertainty of the type-B evaluation of the leakage rate $Q_{ld}$ is calculated as follows:
$$u_B(Q_{ld}) = \sqrt{u_B^2(Q_{lda}) + u_B^2(Q_{ldb})} \qquad (23)$$

Here the uncertainties of $Q_{lda}$ and $Q_{ldb}$ are calculated as follows:

(1) $u_B(Q_{lda})$
Because the standard volume of the containment air is calculated every half hour from the measurement data of the same temperature and pressure instruments, any two of the 49 measured values of the air standard volume are strongly correlated. Assuming a correlation coefficient of 1, $u_B(Q_{lda})$ is calculated as follows:
$$u_B(Q_{lda}) = \left| A \sum_{i=1}^{N} (X_i - B) \cdot [u_B(V_H(t_i)) - u_B(V_H(t_0))] \right| \qquad (24)$$


(2) $u_B(Q_{ldb})$
Since the compressed air flow data from the reference time $t_0$ to the current time $t_i$ are measured by the same flowmeter, any two of the flow data are strongly correlated. Assuming a correlation coefficient of 1, $u_B(Q_{ldb})$ is calculated as follows:
$$u_B(Q_{ldb}) = \left| A \sum_{i=1}^{N} \sum_{j=1}^{M_i} \left[(X_i - B) \cdot u(Q_{sarij}) \cdot \frac{1}{2}\right] \right| \qquad (25)$$

4.3 Combination Uncertainty of Containment Leakage Rate

According to the principle of uncertainty combination, the uncertainty of the containment leakage rate $Q_{ld}$ is obtained by combining the uncertainty of the type A evaluation with that of the type B evaluation. Because the two types of uncertainty are uncorrelated, the combined uncertainty of the containment leakage rate is calculated as follows:
$$u(Q_{ld}) = \sqrt{u_A^2(Q_{ld}) + u_B^2(Q_{ld})} \qquad (26)$$

According to the calculation process of the leakage rate described in Sects. 4.1 to 4.3, the uncertainty depends on the measured values of the sensors, so the uncertainty of the leakage rate should be calculated from the actual operation data.
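The whole type-B chain of Sects. 4.2.4 and 4.3 (Eqs. (13), (14), (16), (17) and (20) to (26)) carried out in code, as an added example that is not from the paper. The sample data, the treatment of $t_0$ as a separate reference measurement preceding the 48 half-hourly points, the value of $k$ and the per-interval nesting of the compressed-air readings are assumptions made for this example.

```python
"""Type-B uncertainty chain for the containment leakage rate (added example)."""
import math


def standard_volume(k, p_avg, t_avg):
    """Eq. (13): V_H(t_i) = k * p_iavg / T_iavg."""
    return k * p_avg / t_avg


def u_standard_volume(k, p_avg, t_avg, u_p, u_t):
    """Eq. (14): type-B uncertainty of V_H(t_i) from independent pressure
    and temperature uncertainties."""
    return k * math.sqrt(u_p ** 2 / t_avg ** 2 + p_avg ** 2 * u_t ** 2 / t_avg ** 4)


def regression_constants(x):
    """Eqs. (16)-(17): A = 1 / [sum x^2 - (sum x)^2 / N], B = sum x / N."""
    n = len(x)
    sx = sum(x)
    sxx = sum(v * v for v in x)
    return 1.0 / (sxx - sx * sx / n), sx / n


def leakage_rate(x, v_h, v_h0, q_sar):
    """Eq. (20): Q_ld = Q_lda - Q_ldb. q_sar[i] holds the M_i compressed-air
    flow readings Q_sar,ij taken between t0 and t_i (assumed layout)."""
    a, b = regression_constants(x)
    q_lda = a * sum((xi - b) * (vi - v_h0) for xi, vi in zip(x, v_h))            # Eq. (21)
    q_ldb = a * sum((xi - b) * q * 0.5 for xi, qs in zip(x, q_sar) for q in qs)   # Eq. (22)
    return q_lda - q_ldb


def u_type_b(x, u_v, u_v0, u_q_sar):
    """Eqs. (23)-(25): type-B uncertainty of Q_ld. Volume data and flow data are
    each treated as fully correlated (coefficient 1), so their terms are summed
    linearly inside the absolute value rather than in quadrature."""
    a, b = regression_constants(x)
    u_lda = abs(a * sum((xi - b) * (ui - u_v0) for xi, ui in zip(x, u_v)))                  # Eq. (24)
    u_ldb = abs(a * sum((xi - b) * uq * 0.5 for xi, uqs in zip(x, u_q_sar) for uq in uqs))   # Eq. (25)
    return math.sqrt(u_lda ** 2 + u_ldb ** 2)                                                # Eq. (23)


def u_combined(u_a, u_b):
    """Eq. (26): combination of the type-A and type-B uncertainties."""
    return math.sqrt(u_a ** 2 + u_b ** 2)


def demo():
    """Run the chain on constructed data: 48 half-hourly points after a reference
    point t0, a pressure that falls linearly (a constant leak), one block of
    compressed-air injection and a temperature uncertainty growing during the day."""
    k = 1000.0                                            # assumed value of Eq. (12)
    x = [0.5 * i for i in range(48)]                      # X_i = 0 h, 0.5 h, ..., 23.5 h
    p0, t0 = 0.1013, 293.15                               # constructed reference p (MPa), T (K)
    v_h0 = standard_volume(k, p0, t0)
    p = [p0 - 1e-5 * xi for xi in x]                      # constructed pressure trend
    t = [t0] * 48                                         # constructed constant temperature
    v_h = [standard_volume(k, pi, ti) for pi, ti in zip(p, t)]
    u_p, u_t = 2e-4, 0.2                                  # assumed instrument uncertainties
    u_v0 = u_standard_volume(k, p0, t0, u_p, u_t)
    u_v = [u_standard_volume(k, pi, ti, u_p, u_t + 0.001 * xi) for pi, ti, xi in zip(p, t, x)]
    # constructed injection: one flow reading of 4.0 (u = 0.2) counted from 12 h onwards
    q_sar = [[4.0] if xi >= 12.0 else [] for xi in x]
    u_q_sar = [[0.2] if xi >= 12.0 else [] for xi in x]
    q_ld = leakage_rate(x, v_h, v_h0, q_sar)
    u_b = u_type_b(x, u_v, u_v0, u_q_sar)
    u_a = 0.05                                            # assumed type-A value from Sect. 4.1
    return q_ld, u_b, u_combined(u_a, u_b)


if __name__ == "__main__":
    q, ub, u = demo()
    print("Q_ld = %.5f, u_B = %.5f, u = %.5f" % (q, ub, u))
```

With a volume that falls exactly linearly and no injection, `leakage_rate` returns the regression slope of $Y_i$ on $X_i$; with a volume uncertainty that grows linearly in time, Eq. (24) returns that growth rate.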

5 Conclusion

The containment leakage rate on-line monitoring system is used to monitor the leakage of the containment during normal operation of a nuclear power plant. It can give an alarm when the containment is opened by an erroneous human operation, or provide an early warning of the overall containment leakage rate under accident conditions. The uncertainty of the containment leakage rate is used to judge the reliability of the leakage rate measurement. When a measurement error or an occasional factor leads to an abnormal uncertainty, it is necessary to analyze the input data, remove the abnormal data and recalculate, to ensure the validity of the measurement results. Based on statistical theory, the calculation method for the uncertainty of the containment leakage rate is derived in this paper.

Research and Improvement of the Flowmeter
Fracture Problem of Condensate Polishing
System in Nuclear Power Plant

Hai-Tao Wu1(&), Xin Ding2, and Tie-Qiang Lu1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd, Shenzhen 518172, China
13480835341@163.com
2 Nuclear Industry Research and Engineering Co., Ltd, Beijing 101300, China

Abstract. The Annubar flowmeter at the booster pump outlet of the Condensate Polishing System (ATE) provides an important parameter for monitoring the full-flow treatment of the Second-Loop condensate, and is also the reference for adjusting the booster pump. This paper analyzes the flowmeter principle and the fracture analysis report in detail, and confirms that mechanical fatigue is the main reason for the flowmeter fracture. By analyzing and comparing the feasibility of alternative flowmeters for this system, an Annubar flowmeter with a double-end fixed installation method is proposed to deal with the fracture problem. In practice, this method has solved the problem of mechanical fracture.

Keywords: Annubar flowmeter · Installation · Mechanical fatigue · Brittle fracture

1 Preface

The Condensate Polishing System (ATE) is an important full-bypass system in the Second Loop of a nuclear power plant. Its main function is to remove suspended and ionic impurities from the condensate and to keep the water quality of the Second Loop within the operating requirements, which reduces corrosion of the thermal system equipment and extends equipment life.
The Annubar flowmeter at the booster pump outlet of the ATE system is used to monitor and calculate real-time condensate polishing data, so as to determine whether the system is in full-flow treatment. It is also used as an adjustment condition for booster pump operation.
However, during normal operation of the ATE system in a nuclear power project, the flowmeter probe at the booster pump outlet suffered a neck fracture, and the broken part was found at the downstream valve of the condensate extraction system.
The breakage of the flowmeter endangers important equipment and the safe operation of the Second-Loop system. The broken part is likely to enter the Condenser Extraction System (CEX) and the Low Pressure Feedwater Heater System (ABP) following the condensate flow, where it can damage important equipment of the Second-Loop system and affect the safe operation of the downstream systems (Fig. 1).

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 87–94, 2019.
https://doi.org/10.1007/978-981-13-3113-8_10

[Figure: ATE system flow diagram, from CEX through MD valves, five cation beds and five mixed beds, to ABP]

Fig. 1. ATE System diagram

For example, the deaerator level control valve and the recirculation control valve of the CEX system can be jammed and damaged by the broken part. If the recirculation control valve fails, the recirculation function of CEX cannot be performed normally; and if the deaerator level control valve fails, the deaerator level cannot be adjusted automatically, which in a more serious case will cause a unit shutdown [1].

2 Flowmeter Introduction

The flowmeter at the booster pump outlet of the Condensate Polishing System is an Annubar flowmeter with single-end fixed installation. It is a new type of differential pressure flow detecting element based on the principle of pitot velocity measurement.
The detection rod of the Annubar flowmeter is a hollow metal pipe installed perpendicular to the flow direction. There are four connected total pressure holes on the inflow face. After the average pressure value is obtained from the detection rod, the pressure is extracted through the total pressure pipe and sent to the positive pressure chamber of the transmitter [2].
Another detection hole, representing the static pressure of the fluid, is set in the middle of the back side of the detection rod. The static pressure is extracted through the low pressure connection to the negative pressure chamber of the transmitter. The square of the differential pressure between the positive and negative pressure chambers is linearly proportional to the flow speed (Fig. 2).
The Annubar flowmeter is installed at the outlet of the three booster pumps of the ATE system (Fig. 1). The booster pump is used to provide a slightly higher output (5%–10%) than the condensate flow, forming a return flow, so that all of the condensed water passes through the ATE system. The parameters are as follows (Table 1):

Fig. 2. Annubar flowmeter schematic

Table 1. Comparison of parameters

Name                Parameter comparison   Pres. (MPa)   Temp. (°C)   Pipe size (mm)   Flow (t/h)   Speed (m/s)   Install pipe   Remark
Annubar flowmeter   Technology             3             40           600              4000         3.14          11D            Condensate
                    Device                 3.5           60           600              4795         3.93

3 Fracture Analysis

The broken equipment was returned to the factory for inspection and failure analysis. The analysis report mainly concerns the material quality of the equipment. The Positive Material Identification (PMI) test confirmed that the Annubar material was stainless steel 316. The average hardness value from the hardness measurement was 87 HRB, which is within the normal range, and Energy Dispersive X-Ray Spectroscopy (EDX) did not detect any corrosive elements.
Two different fracture types, brittle fracture and ductile fracture, were detected on the fractured surface of the flowmeter. The Scanning Electron Micrograph (SEM) shows river patterns on the brittle fracture surface, which are consistent with fatigue, and dimples on the ductile fracture surface (Fig. 3).
The striations on the fracture surface show that the ductile fracture is secondary damage following the brittle fracture and is not the main cause of fracturing. Therefore, the brittle fracture is determined to be the first cause, and the cause of the fracture is mechanical fatigue of the equipment.
Through analysis of the flowmeter principle, the overall equipment parameters, the field installation and the product analysis report, it is determined that the single-end fixed Annubar flowmeter, located at the outlet of the three condensate booster pumps, was subjected to long-term flow impact, and the resulting mechanical fatigue caused the flow probe to break.

Fig. 3. Fracture type

4 Feasibility Study

The parameters of the single-end fixed Annubar flowmeter satisfied the design requirements at the process selection stage. However, in actual operation this flowmeter fractured due to mechanical fatigue, which confirms that the single-ended fixed Annubar flowmeter is not suitable for flow measurement in the ATE system.
After surveying the flowmeter types widely used in industrial applications, and referring to successful large-flow measurements in other systems, the following three options were selected for the feasibility study.

4.1 Ultrasonic Flowmeter

The ultrasonic flowmeter uses the time difference method, which detects the effect of the fluid flow on an ultrasonic beam (or ultrasonic pulse).
The measurement principle is that a signal transmitted by one probe through the pipe wall or the medium in the pipe is received by another probe. At the same time, the second probe also transmits a signal that is received by the first probe. Because of the flow velocity of the medium there is a time difference between the two signals, from which the relationship between the flow rate and the time difference can be derived and calculated [3]. Ultrasonic flowmeter measurement is non-contact, so it solves the fracture problem completely (Fig. 4).

[Figure: upstream and downstream transducers mounted across a pipe of diameter D, acoustic path length L]

Fig. 4. Ultrasonic flowmeter schematic

4.2 Orifice Flowmeter

The orifice flowmeter, also known as a differential pressure flowmeter, consists of a detection element (throttle) and secondary devices (differential pressure transmitter and flow indicator).
The working principle is that when fluid filling the pipe flows through the throttling device, a local contraction occurs near the throttling member, the flow velocity increases, and a static pressure difference is generated between the upstream and downstream sides. Under known conditions, the relationship between the differential pressure and the flow rate can be derived from the principle of flow continuity and the Bernoulli equation to obtain the flow rate [4]. The orifice flowmeter has no instrument probe, so it too can solve the fracture problem (Fig. 5).

[Figure: pressure tapping device, five-valve group, transmitter, calculation and indication]

Fig. 5. Orifice flowmeter schematic

4.3 Double-Ended Fixed Annubar Flowmeter

The principle of the double-ended fixed Annubar flowmeter is the same as that of the single-ended fixed type: a differential pressure flowmeter based on the principle of bifurcated velocity measurement, which calculates the flow from the relationship between the differential pressure and the average flow velocity. Only the installation method differs between the double-ended fixed type and the single-ended fixed type (Figs. 6 and 2).

Fig. 6. Double-ended fixed flowmeter schematic

The double-ended fixed Annubar flowmeter keeps the advantages of the Annubar and at the same time better ensures the stability of the sensor, helping to prevent the probe from breaking.

4.4 Comparison of Program Feasibility

The ultrasonic flowmeter (program 1) is not limited by the pipe diameter and measures without contact; it is not necessary to cut the pipe or open a hole. Theoretically, it is the most suitable solution to the fracture and measurement problem of the condensate polishing flowmeter.
However, the ultrasonic flowmeter has poor anti-interference capability, and the installation position of the flowmeter is at the outlet of the three booster pumps. It is vulnerable to noise from pump vibration or other sound sources, which affects the measurement results, and the installation of the ultrasonic flowmeter also affects the measurement accuracy.
Both program 2 and program 3 are differential pressure flowmeters. However, compared with program 2 (orifice flowmeter), the required lengths of the upstream and downstream straight sections of program 3 (Annubar flowmeter) are much shorter than those of orifice plates, installation is easy, and it brings great flexibility and convenience to the layout design of pipelines (especially large-diameter pipes); the pressure loss of the Annubar flowmeter is much smaller than that of the orifice flowmeter, and with increasing pipe diameter the Annubar pressure loss can be ignored.
For program 3 (double-ended fixed Annubar flowmeter), since the water of the Condensate Polishing System is pure treated condensate, the pressure holes are not easily blocked by debris in the medium, and the double-end fixed installation method can well prevent the risk of mechanical fatigue fracture due to the long-term impact of the fluid [5] (Table 2).

Table 2. Comparison of flowmeter solutions

Program 1: Ultrasonic flowmeter
  Advantages: 1. Non-contact measurement, installed without cutting or opening a hole; 2. No pressure loss; 3. Not subject to pipe diameter restrictions.
  Disadvantages: 1. Low measurement accuracy; 2. Poor anti-interference ability; 3. Susceptible to bubbles, scaling, pumps and other sources of influence; 4. The measurement accuracy is affected by the installation technique.
  Economy: 1. High equipment costs; 2. Small workload, but high requirements on installation technique.

Program 2: Orifice flowmeter
  Advantages: 1. Wide application; 2. Solid structure; 3. No real-time calibration needed; 4. Stable and reliable performance, long service life.
  Disadvantages: 1. Requires long straight pipe sections (difficult to meet, especially for large pipe diameters); 2. Pressure loss; 3. Prone to running, dripping and leakage problems, with maintenance workload.
  Economy: 1. Low equipment costs; 2. Re-cutting and installation workload.

Program 3: Double-ended fixed Annubar flowmeter
  Advantages: 1. High measurement accuracy, good stability; 2. Easy installation and maintenance, conducive to pipeline layout; 3. Low pressure loss, low energy consumption; 4. Successful cases in other nuclear power systems with similar conditions.
  Disadvantages: 1. The pressure hole is easily clogged by debris in the medium.
  Economy: 1. General cost; 2. Symmetrical opening of the pipeline, small workload.

5 Conclusion

The above schemes all have mature designs in the nuclear power industry, and each has its own advantages for flow measurement.
This paper analyzes the cause of the flowmeter probe breakage in detail, discusses the applicability, advantages and disadvantages of the various solutions, and refers to similar flowmeter applications currently used in operating nuclear power projects. After repeated comparison, the double-ended fixed Annubar flowmeter is determined to be the best solution to the breakage problem of the booster pump outlet flowmeter.

The solution can provide reference for subsequent condensate polishing system
flow design and similar problems in nuclear power plants.

References
1. Guangdong Nuclear Power Training Center. 900 MW Pressurized Water Reactor Nuclear
Power Plant System and Equipment. Atomic Energy Press (2007)
2. Guo-wei, L., Wu-chang, C.: Flow Measurement Technology and Instrumentation. Mechanical
Industry Press (2002)
3. Zhi-min, L., Shan, X.: Research and application of ultrasonic flowmeter. Pipeline Technol.
Equip. (2004)
4. HG/T 20507: Design Specification for Automatic Instrument Selection (2014)
5. Jiangxi, Y.: Installation of Thermal Measurement and Control Instruments. China Electric
Power Press (1998)
Study on Optimization of Turbidity Control
for Seawater Desalination System in Nuclear
Power Plant

Hai-Tao Wu1(&), Pan-Xiang Yan2, Yong Yan2, and Hao Zhong1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China
13480835341@163.com
2 Nuclear Industry Research and Engineering Co., Ltd., Beijing 101300, China

Abstract. The coagulation and sedimentation process of the Seawater Desalination System is a complicated physical and chemical reaction process. It has time delay and nonlinearity, which make it difficult to control the coagulation process by adjusting the dosage. The traditional control method used in the project is the empirical method, in which the dosage is proportional to the influent flow but other factors are not fully considered. In this paper, based on a large amount of field data, the multiple linear regression method for parameter identification is used to obtain the quantitative relationship between the dose and the other factors with good accuracy. The mathematical model of the coagulant dosage is applied in the chemical dosing control system, which can effectively overcome the shortcomings of the current empirical method, such as being simple, coarse and not adjusted in time, and improve the economy and reliability of operation.

Keywords: Seawater Desalination · Coagulation sedimentation · Turbidity control · Multiple regression · Mathematical model

1 Introduction

The Seawater Desalination System is a large-scale BOP (Balance of Plant) subproject in a nuclear power plant and provides the production and domestic water for the whole plant. In the Seawater Desalination System, the control of water turbidity is particularly typical and complicated. Water turbidity directly affects the water production capacity of the seawater desalination equipment and its service life, which has a critical impact on system operation. The turbidity is controlled mainly in the coagulation sedimentation tank: by adding flocculants, coagulants or other chemicals, suspended particles, colloids and other impurities are removed, thereby controlling the water turbidity.
The effluent turbidity is affected by many conditions, such as the influent flow rate, turbidity, temperature, pH and the amount of chemical added, but turbidity control is mainly performed by changing the chemical dosage. The coagulation and dosing process is a complex physical and chemical process with time delay and nonlinear characteristics. In the current control schemes for seawater desalination projects in nuclear power, the
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 95–103, 2019.
https://doi.org/10.1007/978-981-13-3113-8_11

amount of chemical to be added is mainly related to the influent water flow. Generally, the chemical dosage is increased in proportion to the influent flow based on experience, so when the other conditions affecting turbidity change, the dosage cannot be adjusted in time.
In turbidity control it is difficult to establish an accurate and reliable mathematical model, because the turbidity change process is complicated and also has time lag and nonlinearity. Because the difference between a nuclear power plant and other common power plants is tiny as far as the seawater desalination process is concerned, data collected from common power plants can be used for nuclear power. In this paper, a coagulation sedimentation tank of a water plant is taken as the research object, and a method based on nonlinear multivariate regression is given to calculate the chemical dosage. Based on the measured values of the different conditions related to the effluent turbidity, the chemical dosage can be adjusted in real time.

2 General

In the coagulation sedimentation tank, a flowmeter, a pH meter and a turbidimeter are installed in the inlet pipe, and another turbidimeter is installed in the outlet pipe. In this paper, the actual engineering data of these instruments are used to establish a mathematical model of how the coagulant dosage affects the effluent turbidity, so that the turbidity can be controlled more accurately by adjusting the chemical dosage.
The data of the coagulation sedimentation tank of a water plant were collected every hour from August 8th, 2013 to September 5th, 2014. A total of 9,398 actual engineering data records were collected, including the raw water pH, raw water turbidity, sedimentation tank effluent turbidity, water flow, coagulant consumption and other process parameters. The turbidity dosing control flow chart is shown in Fig. 1.

Fig. 1. Turbidity control diagram



3 Engineering Data Preprocessing

3.1 Abnormal Data Processing
The data collected are instantaneous values of the process variables, and therefore there are many unreasonable false values. Taking into account the impact of instrument failures as well, the data need to be preprocessed. Since the data are collected continuously, the average filter can be used to treat unreasonable data as abnormal.
Based on statistical theory, Mean Filtering is a non-linear signal processing technique that can effectively suppress noise [1]. Its definition is as follows:

$$g(x, y) = \mathrm{mean}(f(s, t)), \quad s, t \in S_{xy} \qquad (1)$$

In the formula:
g(x, y): the output value at (x, y); S_xy: the neighborhood centered on (x, y);
f(s, t): the value at (s, t) in the neighborhood centered on (x, y);
mean(f(s, t)): the average value, after removing the highest value, of the neighborhood centered on (x, y).

The mean filter uses the average value of the neighborhood, excluding its most significant value, as the value of this point, effectively eliminating the mutation point. The filtering method greatly reduces the deviation of the filtering result from the true value caused by an abnormal point participating in the operation, but it also changes the original data.
The rule for determining an outlier is:

$$|Mf(x, y)| > 3 \cdot \mathrm{Std}(f(s, t)') \qquad (2)$$

In the formula:
f(s, t)': the values after deleting the highest value;
Std(f(s, t)'): the standard deviation of the processed data;

$$Mf(x, y) = f(x, y) - \mathrm{mean}(f(s, t)') \qquad (3)$$

If the above inequality holds, the point (x, y) is determined to be an abnormal value.
The average filter method is used to judge the data, and if a value is abnormal it is rejected. When the data are filtered and checked, two values before and two values after the data point are selected as its neighborhood. The following case arises when discriminating abnormalities: when the maximum and minimum values of the five data points are removed and the remaining three are relatively close, the data will be close to the average value and the resulting standard deviation will be extremely small, so the abnormal data will be treated as normal data.

To handle this, the following weighting is used:

$$\mathrm{Std}(f(s, t)) = 0.2 \cdot \mathrm{Std}(f(x, y)) + 0.8 \cdot \mathrm{Std}(f(s, t)) \qquad (4)$$

In the formula:
Std(f(x, y)): the standard deviation of all data.

By checking the original data with the average filter method, the abnormal value statistics shown in Table 1 are obtained.
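The abnormal-data procedure of Sect. 3.1 (Eqs. (1) to (4): five-point neighborhood, maximum and minimum removed, blended standard deviation) as an added example in Python; this is not the paper's code. The two sample series, the parameter names `k` and `w_global`, and the choice to reject rather than replace flagged points are assumptions made here.

```python
"""Mean-filter outlier detection of Sect. 3.1, Eqs. (1)-(4) (added example)."""
import math

# constructed hourly turbidity readings (NTU) with one instrument spike at index 6
SPIKE = [20.1, 20.3, 19.8, 20.2, 20.0, 20.4, 95.0, 20.1, 19.9, 20.3, 20.2, 20.0]
# constructed series: real variation at both ends, a flat stretch with a tiny
# wobble at index 7 whose five-point window becomes constant after trimming
RAMP = [10, 12, 14, 16, 18, 20, 20, 20.1, 20, 20, 20, 22, 24, 26, 28]


def mean(vals):
    return sum(vals) / len(vals)


def std(vals):
    """Population standard deviation."""
    m = mean(vals)
    return math.sqrt(sum((v - m) ** 2 for v in vals) / len(vals))


def detect_outliers(series, k=3.0, w_global=0.2):
    """Return the indices that Eq. (2) flags as abnormal.

    k is the factor 3 of Eq. (2); w_global is the weight 0.2 of Eq. (4) given
    to the standard deviation of the whole series (assumed parameter names).
    """
    global_std = std(series)                        # Std(f(x, y)) of Eq. (4)
    flagged = []
    for i in range(2, len(series) - 2):             # points with two neighbours each side
        window = series[i - 2:i + 3]                # S_xy: five values centred on i
        trimmed = sorted(window)[1:-1]              # f(s, t)': max and min removed
        deviation = series[i] - mean(trimmed)       # Eq. (3)
        blended = w_global * global_std + (1.0 - w_global) * std(trimmed)   # Eq. (4)
        if abs(deviation) > k * blended:            # Eq. (2)
            flagged.append(i)
    return flagged


def reject_outliers(series, k=3.0, w_global=0.2):
    """Drop the flagged points, as Sect. 3.1 does before the model is fitted."""
    bad = set(detect_outliers(series, k, w_global))
    return [v for i, v in enumerate(series) if i not in bad]


if __name__ == "__main__":
    print("spike flagged at", detect_outliers(SPIKE))
    print("ramp, window std only:", detect_outliers(RAMP, w_global=0.0))
    print("ramp, blended std (Eq. 4):", detect_outliers(RAMP))
```

On `RAMP`, the trimmed window around index 7 is constant, so with the window standard deviation alone the 0.1 NTU wobble exceeds a zero threshold and is flagged; the weighting of Eq. (4) keeps it.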

Table 1. Raw data anomaly detection

Variable             Raw water pH   Raw water turbidity   Inlet   Outlet
Abnormal point qty   50             130                   20      7

3.2 Data Division

Applying the preceding data processing steps to the large amount of water plant data shows that the turbidity of the raw water varies greatly. When the raw water is clear, the lowest turbidity is only 5.13 NTU, but when the raw water is turbid, the highest turbidity is as high as 868.36 NTU. In order to apply the established dosage model over a wider range, the sample set should be divided by raw water turbidity interval so that the model data set and the verification data set cover all turbidity intervals. The data samples are divided into turbidity intervals (each interval closed at its lower bound and open at its upper bound), and the sample data sets obtained are shown in Table 2 and Fig. 2.

Table 2. Data sample turbidity interval table

Turbidity (NTU)   0–10     10–20     20–30     30–40     40–50     50–60     60–70     70–80     80–90
Sample qty        259      3175      1861      742       493       350       282       176       124
Turbidity (NTU)   90–100   100–200   200–300   300–400   400–500   500–600   600–700   700–800   >800
Sample qty        108      462       61        26        17        8         15        16        3

According to Table 2 and Fig. 1, the raw water quality of the coagulation sedimentation tank is relatively stable, with turbidity mostly between 10 NTU and 400 NTU. In particular, the high-turbidity plateau is very rare, and the water quality is mostly in the low-turbidity interval. When the model parameters are identified, the processed sample space can be divided into a training set and a generalization set. The training set is used for model training and the generalization set for checking and prediction of the model.

Fig. 2. Sample data of turbidity diagram

4 Dosing Model Establishment

The amount of dosing in the coagulation sedimentation tank is related to different factors, so different mathematical regression models can be used to construct the mathematical model. Regression analysis is a method of establishing regression function expressions between dependent and independent variables by applying mathematical statistics to a large number of observed data. Regression analysis is divided into linear regression analysis and nonlinear regression analysis; linear regression analysis is the most basic method. A nonlinear regression problem can be converted mathematically into a linear regression problem and then solved by the least squares method, and the estimated parameter values are finally transformed back to obtain the required regression equation.
Combined with the research results in the existing literature, the relationship between the coagulant dosage and the various factors can be expressed by the following exponential form [2]:

$$M = a_0 \cdot C_0^{a_1} \cdot Q^{a_2} \cdot C_1^{a_3} \qquad (5)$$

In the formula:
M: coagulant dosage, mg/L;
C0: raw water turbidity;
C1: turbidity of the sedimentation tank outlet;
Q: inflow, m³/h;
a0, a1, a2, a3: parameters to be identified.

Formula (5) shows the nonlinear exponential relationship between the dosing amount and the other factors; the nonlinear problem is transformed into a linear one by taking logarithms. Formula (5) can be converted to:

$$\ln M = a_1 \cdot \ln C_0 + a_2 \cdot \ln Q + a_3 \cdot \ln C_1 + \ln a_0 \qquad (6)$$

Let y = ln M, x1 = ln C0, x2 = ln Q, x3 = ln C1.

Perform n observations of y, x1, x2, x3 to obtain n sets of sample data yi, xi1, xi2, xi3 (i = 1, 2, …, n); then
$$\begin{cases} y_1 = b_0 + b_1 \cdot x_{11} + b_2 \cdot x_{12} + b_3 \cdot x_{13} + e_1 \\ y_2 = b_0 + b_1 \cdot x_{21} + b_2 \cdot x_{22} + b_3 \cdot x_{23} + e_2 \\ \quad \vdots \\ y_n = b_0 + b_1 \cdot x_{n1} + b_2 \cdot x_{n2} + b_3 \cdot x_{n3} + e_n \end{cases} \qquad (7)$$

e1 … en: residuals, independent of each other and normally distributed N(0, σ²).

The data obtained after preprocessing are randomly divided into 6 sample tables. To ensure that the established model is suitable for the various turbidity intervals, each sample table should contain data from every raw water turbidity interval when the tables are randomly allocated. Five of the data tables were used to obtain the model parameters, and the remaining sample table was used to verify the validity of the model.
Using MATLAB for multiple linear regression identification, the undetermined parameters for the five different data samples can be solved. The MATLAB solution program is described in the annex. The linear identification parameters are shown in Table 3.

Table 3. Linear identification parameters


Parameter Group 1 Group 2 Group 3 Group 4 Group 5 Average
b0 5.7988 5.2142 4.8950 5.8457 5.2279 5.3963
b1 0.2091 0.2128 0.2178 0.2028 0.2186 0.2122
b2 −0.3321 −0.2674 −0.2357 −0.3360 −0.2731 −0.2889
b3 0.3706 0.3346 0.3312 0.3489 0.3093 0.3389

Based on the above parameter table, the mathematical model of the coagulant dosing amount can be obtained, as shown below:

$$y = 5.3963 + 0.2122 \cdot x_1 - 0.2889 \cdot x_2 + 0.3389 \cdot x_3 \qquad (8)$$

that is,

$$M = 220.6 \cdot C_0^{0.2122} \cdot Q^{-0.2889} \cdot C_1^{0.3389} \qquad (9)$$

As can be seen from the formula above, the unit consumption of coagulant is positively related to the turbidity of the raw water and of the produced water, and negatively related to the water flow. Higher turbidity of the raw water leads to higher turbidity of the produced water and higher unit consumption of coagulant. A larger water withdrawal flow rate leads to a smaller unit consumption of coagulant, indicating that the consumption of coagulant shows a scale effect [3].

5 Model Verification

5.1 Dataset Verification

Formula (9) reveals the qualitative relationship between the unit consumption of coagulant and the turbidity of the raw water, the amount of water taken and the turbidity of the current product water. The sixth set of sample data is used to test this qualitative relationship.
100 consecutive records of raw water turbidity, intake flow rate and current effluent turbidity from the sixth data set are taken to obtain the predicted coagulant consumption, which is compared with the actual values. The result is shown in Fig. 3 below.

[Figure: predicted and actual coagulant dosage over 100 consecutive samples; y-axis 20–80, x-axis 0–100]

Fig. 3. Comparison between model predictions and actual values

In Fig. 2 above, the red curve is the predicted dosing amount calculated by the dosing model, and the blue curve is the actual value of the project. As the figure shows, the dosing amount model effectively tracks the changes in the actual values.

5.2 Application of Dosing Strategies in Engineering

Based on the actual measured data of the project, the mathematical model relating the dosage of the coagulation sedimentation tank to the influent water quality, the influent flow and the current turbidity of the produced water was obtained. In practical projects, the coagulation and sedimentation process takes approximately 70 to 120 min, a large lag, and the dosing strategy must be optimized according to the target turbidity [4].
Let the current product water turbidity be C, and the dosing amount calculated according to Eq. (9) be M. The meaning of formula (9) is: if the other relevant factors remain unchanged, the dosing amount M can maintain the turbidity of the produced water at C. If C is the target product water turbidity C0, the dosing amount M0 is set as the reference dosing amount. If C is greater than the target product water turbidity, meaning that the turbidity of the current product water is too high, the dosing amount calculated according to formula (9) will be greater than the reference dosing amount M0, and the difference is ΔM. In order to reduce the turbidity of the produced water to the target turbidity, an amount ΔM is added to the current dosage M. When C is less than the target product water turbidity, the same reasoning applies.
In summary, the output of the dosing control system should be determined by the current influent water quality, influent flow rate, current product water turbidity and target product water turbidity. This can be expressed by the following formula:

$m = m(c) + \Delta m = 2\,m(c) - m(c_0)$ (10)

In the formula:
m : the unit drug consumption of the coagulant;
m(c) : current drug consumption obtained from Eq. (9);
m(c0) : the standard drug consumption of maintaining the target turbidity;
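As an added example (not code from the paper), the log-linear model (8), its exponential form (9) and the control law (10) are implemented below, together with the linearisation-plus-least-squares fit the paper describes, run on constructed operating points; the units (NTU, m3/h) and the sample values are assumptions.

```python
import math

# Regression coefficients of the log-linear model, Eq. (8), taken from the paper:
#   ln M = 5.3963 + 0.2122 ln C0 - 0.2889 ln Q + 0.3389 ln C1
B0, B1, B2, B3 = 5.3963, 0.2122, -0.2889, 0.3389


def unit_dosing(raw_turbidity, flow, product_turbidity):
    """Eq. (9): M = 220.6 * C0^0.2122 * Q^-0.2889 * C1^0.3389.

    Evaluated as exp of Eq. (8); exp(5.3963) is the 220.6 of the paper."""
    ln_m = (B0 + B1 * math.log(raw_turbidity)
            + B2 * math.log(flow)
            + B3 * math.log(product_turbidity))
    return math.exp(ln_m)


def dosing_setpoint(raw_turbidity, flow, current_turbidity, target_turbidity):
    """Eq. (10): m = m(c) + dM = 2 m(c) - m(c0), with dM = m(c) - m(c0).

    m(c) is the dosage that holds the produced water at its current turbidity c,
    m(c0) the reference dosage for the target c0; the difference is added so the
    turbidity moves towards c0 (it is negative, i.e. subtracted, when c < c0)."""
    m_c = unit_dosing(raw_turbidity, flow, current_turbidity)
    m_c0 = unit_dosing(raw_turbidity, flow, target_turbidity)
    return 2.0 * m_c - m_c0


def solve_linear(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_log_linear(rows):
    """Multiple linear regression of ln M on [1, ln C0, ln Q, ln C1] (normal equations).

    This is the linearisation the paper uses: the multiplicative model (9) becomes
    the linear model (8) in log space. rows: iterable of (C0, Q, C1, M)."""
    x = [[1.0, math.log(c0), math.log(q), math.log(c1)] for c0, q, c1, _ in rows]
    y = [math.log(m) for _, _, _, m in rows]
    k = 4
    xtx = [[sum(r[i] * r[j] for r in x) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(x, y)) for i in range(k)]
    return solve_linear(xtx, xty)


def constructed_samples():
    """Constructed, noise-free operating points generated from Eq. (9) itself (not
    project data): raw turbidity in NTU, flow in m3/h, product turbidity in NTU
    (assumed units)."""
    return [(c0, q, c1, unit_dosing(c0, q, c1))
            for c0 in (5.0, 10.0, 20.0)
            for q in (1000.0, 1500.0, 2000.0)
            for c1 in (0.5, 1.0, 2.0)]


if __name__ == "__main__":
    print("exp(b0) =", round(math.exp(B0), 1))
    print("m(c) at C0=10, Q=1500, C1=1.0:", round(unit_dosing(10.0, 1500.0, 1.0), 2))
    print("set-point when current 2.0 NTU, target 1.0 NTU:",
          round(dosing_setpoint(10.0, 1500.0, 2.0, 1.0), 2))
    print("recovered coefficients:",
          [round(b, 4) for b in fit_log_linear(constructed_samples())])
```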

Due to the lack of temperature data, the model presented in this paper does not
consider the effect of temperature on coagulation and sedimentation. Due to the small
pH change, the model does not consider the pH characteristics of the influent, which
has certain limitations.
In addition, the neural network algorithm has a good applicability to dosing
analysis of coagulation sedimentation. The raw water flow rate, raw water turbidity,
raw water pH, product water turbidity and other factors were taken as the input vari-
ables of the neural network, and the dosing amount was taken as the output variable of
the neural network. The training and generalization of the neural network model can be
achieved through actual data [5]. The application of neural network algorithm in the
coagulation and sedimentation dosing control system can be used as a follow-up
research direction.

6 Conclusion

The coagulation and sedimentation process of a seawater desalination system is a
complex physical and chemical reaction process with time delay and nonlinearity. This
paper uses mathematical methods to transform the nonlinear problem into a linear one.
Using a large amount of field data and multiple linear regression for parameter
identification, the quantitative relationship between dosing amount and the other factors
was obtained with good accuracy.
Combined with the actual situation of the project, the mathematical model of coagulant
dosage is applied to the dosing control system, which can effectively overcome the
shortcomings of the current experience-based method, namely that it is simplistic, coarse
and not real-time, thereby improving the economic efficiency and reliability of the
operation.

References
1. Xin, Xin, Na, Zhou, Zhen, Wang: Research on detection and correction of data outliers.
Modern Electron. Technol. 36(11), 5–11 (2013)
2. Yimei, Tian, Hongwei, Zhang, Gengzhong, Qi, Jingyue, Luo: Research on the mathematical
model of water treatment system operation state. China Water Supply Drain. 14, 10–13
(1998)
3. Xiaodong, Huang, Yuling, Qi, Tiejun, Qiao, et al.: Research on turbidity control technology
of conventional water purification process. Water Supply Technol. 1(1), 19–23 (2007)
4. Decui, T., Xiaoyan, D., Xuefeng, Z., et al.: Modeling research on dosage of coagulant in water
works. Water Treat. Technol. 6, 54–56 (2010)
5. Hua, B., Guibai, L.: Neural network control method of coagulation and administration. Water
Supply Drain. 11, 83–86 (2001)
Optimization Scheme of Turbine Frequency
Regulation for Passive Nuclear Power Plant

Le-Yuan Bai(&), Kai Gu, Bin Zeng, and Gang Yin

State Key Laboratory of Nuclear Power Safety Monitoring Technology and
Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518172,
Guangdong, China
yuanlebai@163.com

Abstract. Frequency is one of the significant operating parameters of a power
plant, and also one of the significant assessment indicators for the grid. Tracking and
mode switching of turbine control are used to realize part of the frequency
regulation function in the passive nuclear power plant. However, there is an existing
defect: the turbine cannot fully participate in grid frequency regulation.
An optimization scheme is proposed in this paper. By adding a specialized
frequency regulation function, the frequency regulation output is introduced
into both G mode and L mode to complete the turbine frequency regulation
function. At the same time, a specialized power limiter is added to prevent the
reactor from overpower due to frequency regulation at full power level.

Keywords: Passive nuclear power plant · Turbine · Frequency regulation · Optimization

1 Introduction

Frequency has a significant impact on the safety and stable operation of the power grid.
Once the load changes, the total power of generators will not match the total load of
grid, and the frequency changes. To maintain the stability of grid frequency, it is
needed to regulate the unit power according to the variation of frequency, namely
frequency regulation. According to the differences of regulatory range and capacity,
frequency regulation can be divided into two parts, primary frequency regulation and
secondary frequency regulation [1, 2].
Frequency regulation in a nuclear power plant depends on the composition of the
grid. In Paris, nuclear power accounts for over 75%, and the nuclear power units
participate directly in grid frequency regulation. In other countries, such as America,
Canada, Japan and Korea, the nuclear power units operate at base load and hardly
take part in grid frequency regulation [3]. As the domestic share of nuclear power in the
grid is relatively low, the nuclear power units take part only in primary frequency
regulation, not in secondary frequency regulation [4].

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 104–113, 2019.
https://doi.org/10.1007/978-981-13-3113-8_12

2 Original Scheme

In a passive nuclear power plant, the turbine generator is designed by Mitsubishi, and
turbine governing system (DEH) controls the speed and power by regulating steam
flow, to meet the power supply demand of grid and ensure the safe and stable operation
of plant.
DEH has two load controllers, the governor and the limiter. Depending on which
controller is in use, turbine load control is divided into governor control mode (G mode)
and limiter control mode (L mode). These two control modes jointly regulate the turbine
regulating valves (GV), including the main steam regulating valves and the reheated
steam regulating valves. The GV opening demand is the smaller of the governor and
limiter outputs, which realizes turbine power control. An auto-following function can be
applied between the two control modes [5, 6].
Frequency regulation is realized in governor control loop. As shown in Fig. 1, in
normal operation, turbine actual load (Pm) is approximately equal to load set point
(Pset) and load deviation is about zero to limiter setting. Meanwhile, as the generator is
connected to grid, the turbine rotation frequency follows the frequency of grid. Once
the grid frequency varies, there is a deviation between turbine speed set point (Nset)
and turbine actual speed (Nm). This speed deviation is converted into the increase or
decrease of governor setting through speed governing droop. If governor output is
smaller than limiter output, speed deviation will influence turbine steam demand (SD).
Then GV opening demand and turbine power vary, to realize the stability of grid
frequency.

[Fig. 1 block diagram: speed deviation Nset − Nm → droop → governor setting; load deviation Pset − Pm → limiter setting; following width h links the two settings; MIN selector f(x) → steam demand SD → GV opening demand → GV]

Fig. 1. Original scheme of frequency regulation in passive nuclear plant

As the speed deviation is only introduced into governor control loop, frequency
regulation is only valid in G mode. Thereby, frequency regulation is directly related
with turbine control mode. The following is to analyze the different frequency regu-
lation functions in different control modes.

2.1 G Mode
G mode is mainly used for speed control and synchronization with the grid. Before
connection to the grid, the turbine is in G mode automatically, and the GV opening
demand is determined by the speed deviation. Once connected to the grid, the governor
automatically sets the GV opening demand equal to the initial load, to prevent the turbine
from motoring, which might cause cylinder deformation and vibration.
Figure 2 demonstrates the principle of frequency regulation in G mode. In normal
operation, turbine speed follows the grid rated frequency (f0). If limiter auto tracking is
selected, the turbine stays in G mode until grid frequency falls to a certain value (f1), and
the limiter setting automatically tracks the sum of the governor setting and the following
width (h).

[Fig. 2: GV opening (%) versus frequency (Hz); governor setting and limiter setting curves, which meet at f1 below the rated frequency f0]

Fig. 2. Schematic diagram of frequency regulation in G mode

As shown in Fig. 3, When grid frequency increases (>f0), turbine actual speed is
greater than set value, and a negative speed deviation acts on governor setting. Then,
GV opening decreases and turbine output power decreases, to lower grid frequency.
Conversely, when grid frequency decreases (<f0), turbine actual speed is smaller
than set value, and a positive speed deviation impacts limiter setting. Thereby GV valve
opening increases and turbine output power increases, to raise grid frequency.
However, when grid frequency falls to a certain value (f1), the positive speed
deviation makes the governor output equal to the limiter output. If grid frequency continues
to fall, the turbine switches to L mode automatically, to limit the increase of GV
opening. Therefore, the turbine no longer increases its output and frequency regulation
is out of action. The purpose is to prevent the GV from opening quickly when grid
frequency drops drastically, which may cause reactor overpower and affect plant safety.

[Fig. 3 flow chart: starting from f = f0, a frequency rise (f > f0) reduces GV opening and turbine output; a frequency drop (f < f0) raises GV opening and turbine output only while f > f1, otherwise there is no response]

Fig. 3. Flow chart of frequency regulation in G mode

2.2 L Mode
L mode is mainly used for load control. Figure 4 demonstrates the principle of fre-
quency regulation in L mode. Once governor auto tracking is selected, turbine auto-
matically switches to L mode, and governor setting automatically tracks the sum of
limiter setting and following width (h). Turbine does not take part in frequency reg-
ulation until grid frequency rises to a certain value (f2).
As shown in Fig. 5, when grid frequency decreases (<f0), a positive speed devi-
ation is added to governor setting. However, as governor setting is bigger, limiter
output is used as the final GV opening demand after the smaller selection module.
Under this condition, because limiter setting is unchanged, GV opening and turbine
output will not change with grid frequency fluctuation.
When grid frequency increases (>f0), a negative speed deviation is added to the
governor setting. Since the difference between the governor setting and the limiter setting is
the following width, whether frequency regulation works depends on the size of the grid
frequency increase. If grid frequency does not rise to a certain value (f2), the reduction of
the governor setting is smaller than the following width, the turbine stays in L mode, and
frequency regulation does not work. Once grid frequency rises higher (>f2), the turbine
turns into G mode. In this condition, the frequency deviation makes the GV opening and
turbine output smaller, and frequency regulation takes effect.

[Fig. 4: GV opening (%) versus frequency (Hz); the governor setting lies above the limiter setting by the following width h, and the two curves meet at f2 above the rated frequency f0]

Fig. 4. Schematic diagram of frequency regulation in L mode

[Fig. 5 flow chart: starting from f = f0, a frequency drop (f < f0) leaves GV opening and turbine output unchanged; a frequency rise (f > f0) reduces GV opening and turbine output only once f > f2, otherwise there is no response]

Fig. 5. Flow chart of frequency regulation in L mode

3 Defects of Original Scheme

According to the above analysis, the original scheme of frequency regulation in the passive
nuclear power plant has the characteristics shown in Table 1:

Table 1. Characteristics of original frequency regulation scheme

           | Original scheme                                            | GBT 31464-2015                     | Difference
Range      | G mode: [f1, +∞); L → G mode: [f2, +∞)                    | Beyond dead band                   | Yes
Amplitude  | G mode: ≤ h; L → G mode: ≤ 0                              | ≥ 6%                               | Yes
Dead band  | G mode: (−∞, f1), no dead band at f0; L → G mode: (−∞, f2) | Recommended performance indicators | Yes

(1) In G mode, frequency regulation takes effect until grid frequency falls to a
certain value (f1); in L mode, frequency regulation is not effective until grid
frequency rises to a certain value (f2) and the turbine automatically switches to G
mode. The frequency regulation function is thus tied to the turbine control mode. However,
the turbine is generally in L mode in normal operation, and cannot participate in
frequency regulation. If the unit has to participate in frequency regulation, it is
necessary to switch from L mode to G mode. According to the GBT 31464-2015 Grid
Operation Criteria, "Grid generators should all participate in frequency regulation."
Thereby, there are some differences.
(2) In G mode, the upper limit is determined by following width (h). When grid
frequency rises to the certain value (f2) and turbine automatically turns to G
mode, the unit participates in frequency regulation. In this case, the unit can only
reduce its output and cannot increase the output. According to “GBT 31464-2015
Grid Operation Criterion”, “the maximum load limit of thermal power unit is not
less than 6% of the rated capacity of the unit, and the unit in the rated load
operation should participate in frequency adjustment.” Although the nuclear
power unit does not have to increase the output during the rated load operation for
reactor safety, at the other power levels, the frequency regulation function to
increase output should be set to support the stability of the grid frequency as much
as possible.

(3) In G mode, the dead band is (−∞, f1), and there is no dead band at the rated
frequency; in L mode, the dead band is (−∞, f2). The dead band is determined by
control mode, following width, and speed governing droop. There is no special
dead band setting at rated frequency in G mode. However, the grid-connected
generator set generally has a dead band, and GBT 31464-2015 Grid Operation
Guideline puts forward basic performance indicators for the dead band. On one
hand, a dead band can avoid unnecessary response of turbine to small changes of
grid frequency, which is beneficial to the stable operation of the unit. On the other
hand, if reactor frequently responds to grid frequency fluctuation, it will cause the
frequent movement and aggravate the mechanical wear of the control rod, which
is not conducive to the operational safety of the unit and should be avoided or
reduced as much as possible. At present, most nuclear power plants have a fre-
quency dead band, and the reactor does not respond to frequency disturbances
within a certain range.
According to the analysis, the original scheme actually has no concepts of dead band,
amplitude or frequency regulation function; the corresponding functions are achieved by
mode switching and following width. The original scheme therefore has some defects
and needs to be optimized in order to meet the requirements of the grid operation criteria
and unit safety.

4 Scheme Optimization

The frequency regulation scheme of passive nuclear power plant is optimized in the
following aspects:
(1) A specialized frequency regulation function is added, and the regulating variable
is introduced into L mode, to solve the problem of no frequency regulation in L
mode. A settable amplitude parameter of frequency regulation is introduced, and
is no longer determined by mode switching and following width. At the same
time, a settable dead band parameter is introduced, in order to solve the problem
that the dead band cannot be set independently.
(2) A specialized power limiter is added in order to avoid the problem of frequency
regulation at full power level and low power level.
After the optimization, the frequency regulation scheme is shown in Fig. 6. When
grid frequency varies, the speed deviation is converted to the regulating variable
through the added frequency regulation function and power limiter function. The fre-
quency regulation variable is introduced into both G mode and L mode. Frequency
regulation in both control modes does not affect turbine load control function.
In the optimization scheme, the amplitude and dead band are embodied in the
frequency regulation function. As shown in Fig. 7, when the grid frequency fluctuation
exceeds the dead band (g1, g2), the frequency regulation output lies between the lower limit
(ΔP1) and the upper limit (ΔP2). The frequency regulation output is calculated from the
speed deviation and the speed governing droop, and the turbine then automatically
increases or decreases power. The parameters of the dead band (g1, g2) and the limits
(ΔP1, ΔP2) can be set manually based on the requirements of the plant and grid,
independently of the control modes.

[Fig. 6 block diagram: speed deviation Nset − Nm → frequency regulation function g(x) → power limiter h(x); the resulting regulating variable is added to both the governor path (droop) and the limiter path (Pset − Pm, following width h); MIN selector f(x) → steam demand SD → GV opening demand → GV]

Fig. 6. Optimization scheme of frequency regulation in passive nuclear plant

[Fig. 7: frequency correction output (%) versus frequency (Hz); zero inside the dead band (g1, g2), limited to ΔP1 below and ΔP2 above]

Fig. 7. Frequency regulation function
At the same time, the power limiter is introduced into the optimization scheme to
take into account frequency regulation at full power level and low power level.
When the unit is at full power level, if grid frequency decreases, the unit power is
required to increase, and the steam demand of the secondary loop increases. However, the
reactor power cannot increase because the control rods are already at the top of the reactor.
This will cause steam quality degradation and a primary loop temperature decrease, which
in serious cases causes primary loop over-cooling and reactor overpower [7, 8]. Therefore,
the frequency regulation output has to be limited in order to avoid the risk of reactor
overpower caused by frequency regulation under full power conditions. At the same
time, a unit at low power level generally does not participate in frequency regulation.
The power limiter is realized as shown in Fig. 8. When turbine power is above the
upper limit (W2%) and the frequency regulation output is positive (>0), the limiter is active:
the frequency regulation output enters locked mode and turbine power no longer
increases. Similarly, when turbine power is below the lower limit (W1%) and the
frequency regulation output is negative (<0), the limiter is active: the frequency
regulation output enters locked mode and turbine power no longer decreases. The values
of the upper limit (W2%) and lower limit (W1%) can be set manually.

[Fig. 8 logic diagram: the frequency regulation output is compared with 0 (L < 0, H > 0) and turbine power with the limits (L < W1%, H > W2%); (output < 0 AND power < W1%) or (output > 0 AND power > W2%) locks the frequency regulation output, otherwise it passes through]

Fig. 8. Power limiter for frequency regulation function
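As an added example (not the paper's or the DEH vendor's code), the optimized chain g(x) → h(x) → MIN selector of Figs. 6 to 8 is implemented beside the original L mode behaviour of Fig. 4; the droop law, the additive injection of the regulating variable into both paths, the locked output being 0, and all numeric settings (f0 = 50 Hz, dead band, ±6 %, W1/W2, h) are assumptions for illustration.

```python
"""Frequency regulation function g(x) and power limiter h(x) of the optimized
scheme (Figs. 6 to 8), next to the original L mode behaviour (Fig. 4).

Assumptions (not stated in the paper): the regulating variable is a power
correction in % of rated power from the usual droop law
dP = -(f - f0) / f0 / droop * 100, it is added to both the governor and the
limiter path ahead of the MIN selector, and a "locked" limiter output is 0.
"""

F0 = 50.0  # rated grid frequency in Hz (assumed value)


def droop_output(f, droop=0.05, f0=F0):
    """Raw regulation demand from the speed deviation and the speed governing droop.
    A frequency above f0 gives a negative value (reduce power), below f0 a positive one."""
    return -(f - f0) / f0 / droop * 100.0


def frequency_regulation(f, g1, g2, dp1, dp2, droop=0.05, f0=F0):
    """g(x) of Fig. 7: zero inside the dead band (g1, g2), otherwise the droop
    output limited to [dp1, dp2] (the settable amplitude)."""
    if g1 < f < g2:
        return 0.0
    return max(dp1, min(dp2, droop_output(f, droop, f0)))


def power_limiter(dp, turbine_power, w1, w2):
    """h(x) of Fig. 8: lock a positive output above W2 % (no further increase at
    full power) and a negative output below W1 % (no decrease at low power)."""
    if turbine_power > w2 and dp > 0.0:
        return 0.0
    if turbine_power < w1 and dp < 0.0:
        return 0.0
    return dp


def optimized_gv_demand(governor_setting, limiter_setting, dp_reg):
    """Fig. 6: the regulating variable enters both settings, so the MIN selector
    f(x) passes it on whichever controller is active (G mode or L mode)."""
    return min(governor_setting + dp_reg, limiter_setting + dp_reg)


def original_l_mode_gv_demand(limiter_setting, following_width_h, f, droop=0.05, f0=F0):
    """Original scheme in L mode (Fig. 4): the governor tracks limiter + h and only
    the governor sees the speed deviation, so the MIN selector only lets a correction
    through once the governor has dropped by more than h (frequency above f2)."""
    governor_setting = limiter_setting + following_width_h
    return min(governor_setting + droop_output(f, droop, f0), limiter_setting)


def regulate(f, turbine_power, governor_setting, limiter_setting,
             g1=49.967, g2=50.033, dp1=-6.0, dp2=6.0, w1=10.0, w2=98.0):
    """Whole optimized chain for one operating point: g(x) -> h(x) -> MIN selector.
    Default settings are constructed for illustration (dead band +/-33 mHz,
    amplitude +/-6 %, limiter window 10..98 % of rated power)."""
    dp = power_limiter(frequency_regulation(f, g1, g2, dp1, dp2), turbine_power, w1, w2)
    return dp, optimized_gv_demand(governor_setting, limiter_setting, dp)


if __name__ == "__main__":
    # L mode operating point: limiter 80 %, governor tracking 80 + h with h = 5 %
    for f in (50.01, 50.05, 49.90, 49.50):
        dp, gv = regulate(f, turbine_power=80.0, governor_setting=85.0, limiter_setting=80.0)
        orig = original_l_mode_gv_demand(80.0, 5.0, f)
        print(f"f={f:6.2f} Hz  original L mode GV={orig:6.2f}  optimized dP={dp:+5.2f} GV={gv:6.2f}")
    # Full power: a frequency drop asks for more power, but the limiter locks it
    print("full power, 49.90 Hz:", regulate(49.90, 100.0, 105.0, 100.0))
```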

According to the above analysis, the optimization scheme differs from the original one
as shown in Table 2. First, frequency regulation is no longer valid only in G mode but is
effective in both G mode and L mode, which ensures the integrity of the frequency
regulation function. Second, the parameters of frequency regulation are no longer
determined by the control mode and following width, but can be set manually according
to the requirements of the grid and plant, which makes the frequency regulation function
independent. Third, the optimization takes frequency regulation at full power level and
low power level into account, realizing an automatic power locking function, which
assures the safety of the frequency regulation function. Through the above improvements,
the optimization scheme not only meets the requirements of the grid operation criteria, but
also does not affect the normal operation and safety of the plant. Thereby, it is feasible for
the passive nuclear plant to participate fully in grid frequency regulation in both G mode
and L mode according to the requirements of the grid operation criteria and plant safety.

Table 2. Comparison of optimization scheme and original for frequency regulation

                              | Original scheme                                            | Optimization scheme
Mode                          | G mode                                                     | G mode and L mode
Range                         | G mode: [f1, +∞); L → G mode: [f2, +∞)                    | (−∞, g1], [g2, +∞)
Amplitude                     | G mode: ≤ h; L → G mode: ≤ 0                              | [ΔP1, ΔP2]
Dead band                     | G mode: (−∞, f1), no dead band at f0; L → G mode: (−∞, f2) | (g1, g2)
Settable parameters           | h                                                          | g1, g2, ΔP1, ΔP2
Whether meets GBT 31464-2015  | No                                                         | Yes

5 Conclusions

Frequency regulation is one of the significant assessment indicators of grid-connected
generator sets. This paper researches the turbine frequency regulation scheme in the
passive nuclear power plant, analyses the existing defect, and proposes an optimization
scheme, which provides an important reference for frequency regulation scheme design
in subsequent passive nuclear power plants.

References
1. Lyu, A.G., Chen, W.H., Huang, W.J.: Implementation study on frequency modulation in
nuclear power plant. Power Syst. Autom. 38(5), 86–88 (2016)
2. Zhan, X.L., Lv, A.G., Wang, X.F., Meng, G.: Study on frequency control in nuclear power
plant. Nucl. Sci. Eng. 31(2), 63–67 (2011)
3. Peng, B., Yu, W.Q., Liu, Y.: Overview of foreign nuclear power plants in load-following.
South. Power System Technol. 5(3), 23–26 (2011)
4. Guo, Z.L.: Cause analysis and solution for the event happened on May 25, 1994 in Daya
Bay NPP. Nucl. Power Eng. 16(5), 436–442 (1995)
5. Shi, Z.Z.: Study on turbine control for frequency regulation in a new type PWR. China High-
Tech Enterp. 10, 81–83 (2015)
6. Xu, X.Y., Song, K., Chen, P.J., Li, Y.L.: Impact analysis on govern valve flow-curves of
nuclear power turbine for the DEH control system. Mech. Eng. (6), 176–177 (2015)
7. Fan, P.F., Cao, X.H.: Analysis of the two Qinshan nuclear power plant primary frequency
operation. Sci. Technol. Innov. 4, 100–101 (2015)
8. Yao, W., Xiao, F.W.: The risk analysis and optimization of primary frequency regulation for
nuclear power plant. Instrumentation 3, 77–79 (2016)
Research and Optimization of the Control
Cooperation Between Turbine Control System
and DCS in Nuclear Power Plant

Xiao-Lei Zhan(&), Kai Gu, Bin Zeng, Xu-Feng Wang, and Chong Zhang

State Key Laboratory of Nuclear Power Safety Monitoring Technology
and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172,
Guangdong, China
xstzhan@163.com

Abstract. In normal operation of the nuclear power plant, display, control
and recording are accomplished in the Digital Control System (DCS). The Turbine
Control System (TCS) exchanges data with the DCS through communication. The control
cooperation between the TCS and the DCS is studied, because it caused the turbine to
trip accidentally while running up to rated speed, and caused an abnormal shutdown when
switching to speed mode during load operation. The TCS/DCS control cooperation
scheme and the speed set-point tracing scheme are studied; the speed set logic and
communication time are improved, the communication packet sequence is modified, and
other measures are taken. Finally, the problem of accidental tripping and abnormal
shutdown is solved effectively. By improving the control scheme, safe and reliable
control changeover of the turbine between the TCS and the DCS is guaranteed. Meanwhile
the availability of the nuclear reactor is enhanced; thus the safe and reliable operation of
the entire nuclear power plant is guaranteed technically.

Keywords: Turbine trip · Nuclear power · Optimization · Turbine control system · Speed set · Control cooperation

1 Preface

The turbine control system in a nuclear power plant adopts the SIEMENS design basis
of "one key to start and shut down". The speed regulation system plays an important role
in turbine speed-load control and ensures the safety, stability and economy of the nuclear
power plant [1]. All functions of the turbine and generator main and auxiliary systems of
the TCS are controlled by the SPPA-T2000 platform, and the DCS functions are realized
by the HolliAS MACS6 platform. As a result, there is more communication data between
the TCS and DCS, and compared with the reference unit the communication time is much
longer. To ensure effective surveillance and manipulation of the TCS by the DCS and
stable operation of the nuclear power plant, the control cooperation and matching between
the DCS and TCS is most important [2–4].

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 114–122, 2019.
https://doi.org/10.1007/978-981-13-3113-8_13

During steam turbine startup to rated speed and synchronization to the grid, the
speed set-point failed to be transmitted from the DCS to the TCS; the speed acceleration
was lower than the rated value and resulted in the turbine shutting down to turning gear
speed. When the turbine speed was about 463.9 rpm, the output of the turbine control
system dropped to −80%, all four main steam governing valves closed, then all the main
steam stop valves closed and the turbine tripped. This poses a risk to the economic
operation of the nuclear power plant, so analysis and optimization of the control
cooperation strategy must be carried out to ensure the stability of the turbine unit.

2 Technology Description and Analysis

2.1 Communication Scheme Between TCS Platform and DCS Platform

There are 3 gateways between the DCS and TCS, based on the Modbus/TCP and TCP/IP
protocols, as shown in Fig. 1 [2]:

Fig. 1. Diagram of communication structure between TCS and DCS

The gateways CM6 and CM7 on the TCS side are connected with the gateways COM65
and COM66 on the DCS side respectively. The gateways transmit the control commands
from the DCS to the TCS and the feedback signals from the TCS to the DCS. The time-tagged,
alarm and history record signals are transmitted from the TCS to the DCS by the XU protocol.

2.2 Control Principle of Speed Set-Point Tracing

Speed and load control adopt sequence control to start up and shut down the turbine:
pressing one key opens the drive valve, tests the direct current lube oil pump, warms up the
turbine, sets the target speed and connects to the grid automatically [5, 6]. According to
the operating condition of the nuclear power plant, the target speed set-point is set as
follows (Table 1).

Table 1. The condition for target speed setting

No. | Condition                                                                                                    | Speed set-point
1   | Startup to warm turbine condition                                                                            | 390 rpm
2   | Startup to synchronization condition                                                                         | 1515 rpm
3   | (a) During connecting to grid; (b) During critical speed area (450 rpm–1425 rpm)                             | Tracing current valid speed set-point
4   | (a) Load fluctuation when grid switch and generator switch close or throw to zero load; (b) Load control mode (actual load greater than the minimum load for at least 60 s); (c) Over-speed test end | 1500 rpm
5   | When over-speed test start                                                                                   | 1710 rpm
6   | (a) The speed acceleration is lower than the rated value during critical speed area; (b) The speed is lower than 15 rpm or at least 2 speed probes fault; (c) Turbine trip | Actual speed − 60 rpm
7   | During switch over between speed control and load control manually                                           | Actual speed + deviation
8   | Setting target speed by operator                                                                             | Manual set-point

During normal operation, the target speed value is set by the operator on the DCS
platform and sent to the TCS through communication; the turbine governing system then
controls the speed and load. When the TCS has priority, the target speed value is set by the
TCS automatically through the sequence controller [7, 8]. Considering the bumpless
transfer between the TCS and DCS, the speed set-point should be sent from the TCS to the
DCS, then written by the DCS and sent back to the TCS. The control logic is shown in Fig. 2.

Fig. 2. Diagram of Speed set-point tracing



2.3 Study of Speed Set-Point Tracing Failure

As described above, the communication time between the TCS and DCS is long, so the
actual control command (XC38) and speed set-point (KM61) from the TCS, and the
actual command returned from the DCS, lag by a certain time. The time sequence for the
speed set-point tracing failure is shown in Fig. 3.

Fig. 3. Time sequence of Speed set-point tracing failure

Note: t1 is the digital transmission time from TCS to DCS, t2 the analog transmission
time from TCS to DCS, and t3 the analog transmission time from DCS to TCS.
(a). When t = T1, the DCS receives the control command XC38(DCS) and sends the
speed set-point KM24(DCS) to the TCS (signal KM24(TCS)). Because of the time delay,
XC38(TCS) reaches the DCS earlier than KM61(TCS), so the speed set-point KM24(DCS)
sent to the TCS is still the last value of 390 rpm, as shown at time T1.
(b). When t = T2, the DCS receives the feedback signal KM61(DCS) and updates the
value inside the DCS immediately, so the values of KM61(DCS) and KM24(DCS)
change to 1515 rpm.
(c). XC38(TCS) is a 5 s pulse, so XC38(TCS) = 0 after 5 s and the speed set-point
KM61(TCS) follows the value of KM24(TCS), dropping from 1515 rpm to 390 rpm.
Because of the time delay, when t = T3, KM61(TCS) follows KM24(TCS) back to
1515 rpm.
(d). When t = T4, XC38(DCS) = 0 and the speed set-point value inside the DCS no longer
traces the value from the TCS; at this time the current value inside the DCS is still
390 rpm, as KM24(DCS) shows at time T4. Because of the time delay, when t = T5,
KM24(TCS) changes to 390 rpm.

So finally the speed set-point changes to 390 rpm because of the unreasonable
communication time sequence and speed set logic. The speed acceleration is lower than
rated and finally results in turbine shutdown, whose process is shown as follows (Fig. 4).

Fig. 4. Reason of Speed set-point tracing failure

3 Optimization of the Speed Set-Point Scheme

3.1 The Optimization of the Control Logic


In view of the uncertainty of the communication time, the speed tracing logic should be
modified so that the speed set-point is controlled by the DCS. The control priority is
switched by comparing the set-points in the DCS and TCS, and when control priority
switches from TCS to DCS, the speed set-point value can be assigned successfully without
disturbance. The control logic after modification is as follows (Fig. 5).
(a). Control scheme with control priority on TCS
When control priority is on the TCS, the automatic command inside the TCS is sent out
and the speed set-point is transmitted by communication from the TCS to the DCS, so the
speed set-point on the DCS side always traces the value from the TCS. The speed set-point
then returns from the DCS to the TCS and is compared with the former value on the TCS
side by an RS controller. When the two values coincide, the final speed set-point adopts
the value from the DCS and the speed set-point tracing is successful.

Fig. 5. The optimization diagram of speed set-point tracing logic

(b). Control scheme with control priority on DCS
When the control priority is on DCS, the automatic command inside TCS is sent out to DCS
together with the signal of control priority on DCS, so the speed set-point inside DCS
switches to the value from TCS. When the automatic command inside TCS is
missing, the speed set-point turns back to the value of the speed set-point inside DCS.
Because of the communication delay, when the automatic command inside TCS is
missing, the speed set-point inside DCS is still the former value, not coincident with
the value from TCS, so the output of the RS controller still holds and the speed set-
point is still the value from TCS. Only when the two values coincide does the
final speed set-point adopt the value from DCS, and the speed set-point tracing
is successful. The time sequence after modifying the speed set-point tracing logic
is shown in Fig. 6.
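The echo-and-compare handshake of Sect. 3.1(a), as an added simulation that is not the project's logic: a fixed-delay link in each direction, the legacy trace-pulse behaviour of Sect. 2 beside the modified RS-latch behaviour, showing that the legacy scheme reverts to the old set-point when the link delay is not shorter than the trace pulse, while the modified scheme holds the TCS value until the echoed value coincides. The tick unit, the pulse length in ticks and the latch set/reset wiring are assumptions of this model.

```python
from collections import deque


class Link:
    """One-way communication link with a fixed transport delay, in scan ticks.
    Constructed model: on the real TCS/DCS link the delay varies (see Table 2)."""

    def __init__(self, delay, initial):
        self.buf = deque([initial] * delay)

    def transfer(self, value):
        """Put `value` on the link and return the value arriving this tick."""
        self.buf.append(value)
        return self.buf.popleft()


def legacy_trace(delay, pulse, initial_sp, command, ticks):
    """Simplified model of the original scheme: DCS traces the TCS set-point only
    while a trace pulse of `pulse` ticks is active after the command; afterwards
    TCS follows the value echoed back by DCS. Returns the TCS set-point per tick."""
    to_dcs, to_tcs = Link(delay, initial_sp), Link(delay, initial_sp)
    tcs_sp = dcs_sp = initial_sp
    history = []
    for t in range(ticks):
        if t == 0:
            tcs_sp = command                  # command issued inside TCS at t = 0
        tracing = t < pulse                   # trace window open for `pulse` ticks only
        from_tcs = to_dcs.transfer(tcs_sp)
        if tracing:
            dcs_sp = from_tcs                 # DCS traces whatever has arrived so far
        from_dcs = to_tcs.transfer(dcs_sp)
        if not tracing:
            tcs_sp = from_dcs                 # after the pulse TCS follows the DCS value
        history.append(tcs_sp)
    return history


def optimized_trace(delay, initial_sp, command, ticks):
    """Model of the modified scheme with control priority on TCS (Sect. 3.1(a)):
    the command sets an RS latch that holds the final set-point at the TCS value;
    the latch is reset only when the value echoed back from DCS coincides with the
    TCS value, and from then on the final set-point adopts the DCS value.
    Returns (final set-point per tick, tick at which the latch released)."""
    to_dcs, to_tcs = Link(delay, initial_sp), Link(delay, initial_sp)
    tcs_sp = initial_sp
    hold_tcs = False                          # RS latch output
    history, release_tick = [], None
    for t in range(ticks):
        if t == 0:
            tcs_sp = command
            hold_tcs = True                   # S input: automatic command present
        dcs_sp = to_dcs.transfer(tcs_sp)      # DCS traces TCS under TCS priority
        from_dcs = to_tcs.transfer(dcs_sp)    # DCS sends its set-point back to TCS
        if hold_tcs and from_dcs == tcs_sp:
            hold_tcs = False                  # R input: echoed value coincides
            release_tick = t
        history.append(tcs_sp if hold_tcs else from_dcs)
    return history, release_tick


if __name__ == "__main__":
    # Warm-up speed 390 rpm, command to the synchronization speed 1515 rpm.
    for d in (2, 5):
        print("legacy, delay", d, "->", legacy_trace(d, 5, 390, 1515, 20)[-1], "rpm")
        hist, rel = optimized_trace(d, 390, 1515, 20)
        print("optimized, delay", d, "->", hist[-1], "rpm, latch released at tick", rel)
```

With a delay shorter than the pulse both schemes end at 1515 rpm; with a delay equal to the pulse the legacy scheme ends at 390 rpm, the failure of Sect. 2, while the optimized scheme releases the latch after one round trip (2 × delay ticks) and never outputs a stale value.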

3.2 The Optimization of the Communication Time

(a). Optimization of the data addresses
To shorten the communication time, spare points are added between the non-
contiguous signals to ensure the continuity of the data addresses. By testing and
comparing the data on site, this measure was shown to shorten the communication
time.
(b). Optimization of the function code
The command from DCS to TCS adopts function code F15 on the DCS side while
function code F5 is used on the TCS side; the codes are not coincident, which makes the
communication time longer. TCS receives the signals with function code F15 and
analyzes the message, wasting time before responding to the command from DCS.
So it is reasonable to modify the function codes on both TCS and DCS to F5, which
shortened the communication time by about 0.4 s in the site test (Table 2).

Fig. 6. Time sequence after modifying the speed set-point tracing logic

Table 2. Result of communication time test

Signal function code          Time collected on site (s)    Shortened time (s)
DCS_FC15_TCS_FC15-COM65A      Average   1.428767375
                              Maximum   1.586726
                              Minimum   1.273193
DCS_FC5_TCS_FC5-COM65A        Average   1.055119617         −0.373
                              Maximum   1.252471            −0.334
                              Minimum   0.937807            −0.336
DCS_FC15_TCS_FC15-COM65B      Average   1.4306206
                              Maximum   1.620861

3.3 Field Test Based on the Optimization

The optimization scheme is proved to be correct and feasible through field commis-
sioning. The speed set logic is tested and verified following the sequence in Table 3.
The curves after optimization are shown in Fig. 7. It can be seen that under all kinds of
conditions the target speed value can be set successfully and the system is stable and
reliable.

Table 3. Test sequence

No.  Test sequence
1    Setting the warm-up speed at 390 rpm/min
2    Setting the synchronization speed at 1515 rpm/min
3    Dropping the turbine speed manually from 1515 rpm/min to 1490 rpm/min
4    Raising the turbine speed manually from 1490 rpm/min to 1508 rpm/min
5    Verification of automatic rising and dropping during synchronization, and setting the
     minimum load of 50 MW
6    Synchronization to the grid and setting the load of 200 MW
7    Switching over between load control mode and speed control mode
8    Verification of running back from 200 MW to zero and setting the load of 200 MW
     again
9    Verification of the function of dropping to house load
10   Setting the speed of 390 rpm/min, 200 rpm/min, 1515 rpm/min and 1500 rpm/min

Fig. 7. The test result of speed set-point tracing logic

4 Conclusion

An optimization scheme consisting of the logic modification and the shortening of the
communication time is proposed. The test was done in the simulator, and the simulation
results show that the proposed scheme is feasible and can guarantee the success of the
turbine speed set-point tracing function. Site commissioning and operation practice show
that this scheme can effectively solve the problem of turbine trip caused by
the control cooperation scheme between the TCS platform and the DCS platform. The
proposed scheme also ensures the safe and reliable operation of the steam turbine
during switchover between the different control platforms. All of the above provides
technical support for the safe, economical and reliable operation of the nuclear
power plant.

Risk Analysis and Management of Software
V&V Activities in NPPs

HuiHui-Liang, Peng-Fei Gu, Jian-Zhong Tang, and Wei-Hua Chen

State Key Laboratory of Nuclear Power Safety Monitoring Technology and
Equipment, I&C Equipment Qualification and Software V&V Laboratory, China
Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
lianghuihuijilin@yeah.net

Abstract. The life cycle of software can be divided into the concept, require-
ments, design, construction and integration phases and so on. Risk analysis
and management should be executed throughout the software life cycle. The risks
of the instrumentation and control (I&C) system include technical and
management risks. The concern of risk analysis differs across the software life
cycle. The verification and validation (V&V) effort may identify technical
and management risks that have a measurable possibility of negative conse-
quences for the I&C system in nuclear power plants (NPPs). Risk analysis is one
of the minimum tasks of software verification and validation. IEEE
1012-2017 Annex J describes risk analysis, risk estimation and risk
evaluation in general. The risks of the software V&V activities are identified
in this paper and, based on them, a risk management strategy is proposed.

Keywords: Software V&V · Risk analysis · Risk management · NPPs

1 Introduction

Digital technology is an important hallmark of advanced nuclear power plants. It has
been accepted by the nuclear power plants and is used in critical systems (such as
RPN and RIC). Physical limits can be overcome by introducing software, so that
complex logic and computation can be implemented. To ensure the reliability and safety
of the software, its development shall meet the requirements of the standards and
regulations for nuclear power plants. Software performing category A functions
should comply with IEC 60880 [1] or IEC 62566 [2], while category B and C software
needs to follow IEC 62138 [3]. In order to qualify the software in
accordance with the plant and standards requirements, software V&V (verification and
validation) is a common qualification method [4]. Risk analysis is one
of the minimum tasks of software verification and validation. IEEE 1012-2017
is the standard for software V&V activities; its Annex J describes risk analysis,
risk estimation and risk evaluation in general [5]. The purpose of the risk management
process is to identify potential managerial and technical risks [6]. The process of risk
assessment includes identifying the potential risks, determining their likelihood and
consequences, establishing the risk level, proposing mitigation measures, performing the
risk treatment, and assessing the acceptability and effectiveness of the measures. Risk
management mainly consists of making and maintaining the risk management plan, risk
monitoring, recording information on successful risk management measures, and
evaluating the risk management process. Reference [7] gives evaluation measures for the
software V&V of safety digital instrumentation and control in nuclear power plants.
The evaluation results can be used to evaluate the risk of the V&V activities.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 123–128, 2019.
https://doi.org/10.1007/978-981-13-3113-8_14
124 HuiHui-Liang et al.

The development of software can be divided into the concept, requirements, design,
implementation and integration phases, so the process of software verification and
validation also includes five phases. The concern of the risk analysis differs among the
software V&V activities. The risks of the software V&V activities are given in this paper,
and risk management measures for the software V&V activities are proposed
for nuclear power plant software.

2 Risk Cases of Software V&V Activities

Based on the projects of software V&V activities in NPPs, some cases are shown
in Table 1. The risks mainly come from an unenforceable plan, the testers and schedule
delay. In order to avoid the above risks, the software V&V organization often
performs a peer review of the software V&V plan (SVVP) and carries out overall
training before starting the project. The software V&V team and the development
organization should keep communicating at all times to ensure the project schedule is
controlled. The risks of software V&V activities should be fully identified and given
risk treatment measures.

Table 1. Cases of risk for software V&V activities

Content                                   Effect
Software V&V plan                         It may affect the quality and schedule of the
• Incomplete activities                   software
• Inaccurate
Tester                                    The tester may spend more time, but the results of
• Insufficient understanding of the       the activities are not perfect. In some extreme
  software V&V plan                       cases (such as a tester not operating the test
• Insufficient technical background       equipment according to the regulations), the
• Not implemented as planned or           tester is dangerous
  according to principle
Schedule delay                            The project is postponed or cancelled
• Project change due to the client
• Lacking the conditions to perform
  testing
• Clarification of the anomalies
Risk Analysis and Management of Software 125

3 Risk Identification

There are various approaches to identifying risks, such as questionnaires, brainstorming,
scenario analysis, lessons learned or other knowledge acquisition approaches [5]. For
software V&V activities in NPPs, the risks can be divided into two categories. One is
the general risks of software V&V activities; the other is the special risks driven by the
V&V effort during the software life cycle.

3.1 General Risks of Software V&V Activities

Commonly, the software V&V team focuses on the following seven aspects to ensure the
quality of software testing during the software lifecycle: the tester, machine, material,
method, environment, measure and object. The risks in Table 2 are the general risks of
software testing, drawn from the lessons of software V&V projects.

Table 2. General risks of software V&V activities

Risk category   Risk content
Tester          • Technical level
                  The tester cannot fully understand the testing requirements, testing
                  strategies or the technical background of the measured object
                • Quality consciousness
                  The tester does not pay enough attention to the test task. Quality
                  consciousness is weak when the tester is over-confident, or the tester
                  is anxious because of process pressure or doing the same thing for a
                  long time. This results in failure to find as many software defects as
                  possible
                • Staff mobilization
                  Staff mobilization may have the risk of impacting the project schedule
Machine         Hardware and/or software tools are not sufficient to support testing. Test
                tools cannot be put in place. Multiple projects use the same tool at the
                same time. This may impact the project schedule
Material        Material means the testing documentation. The requirement change is the
                key risk in this part. An uncertain design or implementation will also
                affect the quality of software V&V activities. The risk may come from
                inadequate test cases
Method          The test method is incomplete or incorrect. The risk of regression testing
                is that it uses random sample tests, so the test may be incomplete
Environment     In the testing process, the deviation between the test environment and
                the real environment needs to be evaluated
Measure         The quality assurance for the measuring process needs to be considered.
                The risks may be quality, communication and scope management risks. The
                testing results are not fed back in time
Object          • The quality risk of the measured object may have an influence on the
                  testing plan
                • The test version is not uniform. Configuration management is not in
                  place

3.2 Special Risks of Software V&V Activities in NPPs

The safety software used in a nuclear power plant is required in emergency cases. In
order to achieve the high reliability required, special care has to be taken throughout the
entire life cycle. The V&V risk analysis is complementary to the risk analysis executed
by the developer. Based on IEC 60880-2006, the safety system used in a nuclear power
plant should satisfy the self-supervision, periodic testing and single-failure principle
requirements. Besides Table 2, the tester needs to consider the following aspects of
risk, shown in Table 3. Measures of risk treatment effectiveness shall be communi-
cated to the stakeholders for approval, rejection, or modification.

Table 3. Special risks of nuclear power plant software V&V activities

Risk category   Content
Functionality   • Risk that the software may not meet the NPP requirements
                • Risk that the software may have potential undesired and uncertain
                  behavior
                • Risk that the risk treatment performed by the developer leaves residual
                  risks which may lead the system to an unacceptable level
Security        • Risk that the protections against security threats are not adequate
                • Risk that security vulnerabilities are not adequately ameliorated
                • Risk that the tester cannot adequately determine whether the security
                  functions meet the requirements for a nuclear power plant
                • Risk concerning the secure environment (tools, personnel, etc.) for
                  development and V&V activities
Human           For a nuclear power plant, the software V&V activities include the
                documentation, diagram, signal and code review. Testers not only need the
                ability to test source code, but also need nuclear background knowledge

4 Risk Management of Software V&V Activities

The risks refer to transverse and longitudinal risks for the software V&V activities. The
transverse risks are those of the different technical routes, such as CPU and FPGA. The
FPGA route does not need to pay as much attention to the security risk, but the security
risk is the key point of the CPU software V&V activities. The longitudinal risks are those
of the software V&V process, such as concept V&V, software requirement V&V and design
V&V. The risks are different in every V&V phase: for example, the risks of concept V&V
mainly come from the tester and the method, while the risks of implementation V&V may
be caused by the tester, the environment and the tools. So before the risk management of
software V&V activities in NPPs, the software V&V team needs to draw a table like
Table 4 and put the risk categories into it. Then the applicable management methods can
be provided. The risk management should be combined with prior project experience and
be updated along with the project.

Table 4. Risk identification

Software V&V process         Technical route
                             CPU    FPGA   …    …
Concept V&V
Software requirements V&V
Design V&V
Construction V&V
Integration V&V
……

Normally, the risk management process includes planning and implementing risk man-
agement, establishing and maintaining the risk profile, risk analysis, monitoring and
evaluation. So the risk management can be performed by the following measures.
• Software V&V plan
The risk management process needs to be described in the software V&V plan at the
beginning of the project. The technical and management risks of the software V&V
activities need to be fully identified in the SVVP (software verification and validation
plan). The risk analysis should be considered in each phase of the software V&V
activities. The monitoring and management strategies should be proposed in the SVVP.
• Quality assurance plan
A specific quality assurance plan shall exist or be established at an early stage of
the software V&V life cycle. Any deviation from the V&V quality assurance plan
shall be documented and justified.
• Configuration management plan
The software V&V configuration management plan should be established early in the
software V&V lifecycle. It shall establish responsibilities, assign V&V resources, and
make sure the measured object is under control. The verification team should have
clearly defined responsibilities and be equipped with adequate means.
• Independence
The software V&V activities can be undertaken by an assessment department that is a
third party to both the software developer and the user, which gives better assurance
that the quality targets are met.
• Human factors
The V&V team needs to have adequate human resources and nuclear technical
background. Establishing a good communication mechanism and reviewing the test
technique periodically are necessary. The verification team should have a sound
training mechanism.

5 Summary

The risks of software V&V activities in NPPs should focus on the general and special
risks. In order to fully assess the risks, the tester needs to analyse the risks of the
software V&V activities in both the transverse and the longitudinal direction. Then the
V&V team can make the applicable management strategies in the software V&V plan,
quality assurance plan and configuration management plan. Based on the technical route,
the testers can be chosen and given targeted training. The V&V team needs to establish a
risk database and continually renew it. In order to ensure its effectiveness, periodic
monitoring of the risk management process is necessary. Information on successful risk
assessment and management shall be documented. The risk management process is an
iterative process throughout the life cycle of software V&V activities.

References
1. International Electrotechnical Commission: IEC 60880 Nuclear Power Plants-Instrumentation
and Control Systems Important to Safety-Software Aspects for Computer-Based Systems
Performing Category A Functions. International Electrotechnical Commission, Switzerland
(2006)
2. International Electrotechnical Commission: IEC 62566 Nuclear Power Plants-Instrumentation
and Control Important to Safety-Development of HDL-Programmed Integrated Circuits for
Systems Performing Category A Functions. International Electrotechnical Commission,
Switzerland (2012)
3. International Electrotechnical Commission: IEC 62138 Nuclear Power Plants-Instrumentation
and Control Systems Important for Safety-Software Aspects for Computer-Based Systems
Performing Category B or C Functions. International Electrotechnical Commission,
Switzerland (2004)
4. Gu, P.F., Wang, S.C., Chen, W.H., et al.: A study about safety I&C system software V&V in
nuclear power plant-final. In: The 24th International Conference on Nuclear Engineering
(2016)
5. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012 IEEE
Standard for System, Software, and Hardware Verification and Validation. Institute of
Electrical and Electronics Engineers, New York (2017)
6. IEEE P1540/D7.0: Draft Standard for Software Life Cycle Processes–Risk Management
(1999)
7. Gu, P.F., Liu, Z.M., Liang, H.H., et al.: Evaluation measures about software V&V of the
safety digital I&C system in nuclear power plant. In: Lecture Notes in Electrical Engineering,
pp. 234–234 (2018)
The Optimization of Siemens Turbine
Synchronization Strategy

Yan Liu, Pu Zhang, Gang Yin, and Chong Zhang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and
Equipment, China Nuclear Power Engineering Co., Ltd, Shenzhen 518172,
Guangdong, China
voler1988@163.com

Abstract. The Siemens half speed turbine technology has been used in nuclear
plants. When the turbine synchronizes to the grid at idling, the active power
increases slowly. This may cause reverse power of the unit or generator low
power in the positive direction. In synchronization to the grid with house
load, the initial load has a large fluctuation. The power disturbance at
synchronization brings a transient shock to the unit, and it is not good for the
coordination between the reactor and the turbine. This paper improves the strategy of
synchronization for the Siemens turbine control system by modifying the matching of
the speed setpoint and the load setpoint in synchronization. The active power leaves
0 MW quickly at idling synchronization, which avoids reverse power and
low power in the positive direction. The controller output has no step change
in synchronization with house load, so the active power does not fluctuate
greatly. This optimized scheme can effectively reduce the power disturbance of
the turbine of the nuclear plant in synchronization.

Keywords: Siemens half speed turbine · Synchronization · Idling ·
House load operation · Turbine trip · Reactor trip

1 Preface

The Siemens half speed steam turbine is a single-axis, three-cylinder, four-exhaust reheat
reaction condensing type with rated power 1086 MW and rated speed 1500 RPM.
The turbine control and protection platform is the T2000 + PCS7 (Siemens distributed
control system) system. After continuous development and promotion, the
design concept of the T2000 + PCS7 system has become very mature. The hardware
equipment is very reliable, and the TEC4 (Siemens configuration software) configu-
ration is very convenient. T2000 + PCS7 has been widely used in different units
around the world [1]. The synchronization of a nuclear power unit requires the coop-
eration and parameter matching of reactor, turbine and generator. But in this process,
due to the influence of the grid and the synchronization system, including the syn-
chronization mode and precision, the nuclear power unit will be subjected to a certain
degree of transient shock, which leads to a transient fluctuation of its operating
parameters. If the turbine regulation system is not matched with the synchronization
system, the active power will increase slowly when the unit is synchronized to the grid
at idling, or a large initial load fluctuation occurs at synchronization with house load.
So there is the risk of turbine trip and even reactor trip, which is not conducive to the
safe and stable operation of the nuclear power plant.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 129–138, 2019.
https://doi.org/10.1007/978-981-13-3113-8_15
130 Y. Liu et al.

2 Event Review

When turbine unit 1 of the Project A nuclear power plant synchronized to the grid, see
Fig. 1, after the load switch was closed, within 4 s the active power fluctuated up and
down with a sinusoidal oscillation, and the oscillation lasted nearly 4 s. Then the active
power left the 0 axis, that is, it stayed positive and started to increase steadily, and
this process took up to 12 s. This condition could easily cause reverse power of the
unit or the protection action of the generator at low power, and finally it would lead to a
turbine trip.

Fig. 1. The idling synchronization curve of the unit 1 of Project A nuclear power plant

When the turbine synchronized to the grid with house load, see Fig. 2, the fre-
quency pulse width and the frequency modulation period of the synchronization system
did not match the parameters of the turbine governing system, and the actual speed and
the effective speed setpoint did not change together accordingly before and after the
synchronization. The active power fluctuated, with the largest value up to 103 MW. If
the plant operator did not intervene in time, according to the logic operation results of
the turbine governing system the active power would automatically increase to
93 MW. Because the house load of the nuclear power plant was about 55 MW, the
high power fluctuation of the secondary loop would lead to subcooling of the primary
loop, a low level in the steam generator and the risk of reactor trip.
According to the operation parameters in synchronization, the Siemens turbine has
two problems: when the turbine synchronizes to the grid at idling, the active power
increases slowly; and in synchronization to the grid with house load, the initial load
has a large fluctuation. These situations will pose a threat to the safe
operation of the nuclear plant. The important parameters of the primary loop and the
secondary loop in the nuclear plant should not fluctuate greatly after synchronization,
and they should recover quickly or remain in safe stable conditions. So the Siemens
turbine synchronization strategy needs to be optimized to make the reactor, the turbine
and the generator work together. This is beneficial to the security and the economy of
the nuclear plant.
The Optimization of Siemens Turbine Synchronization Strategy 131

Fig. 2. The house-load synchronization curve of the unit 1 of Project A nuclear power plant

3 The Synchronization Control Principle of Siemens Half Speed Turbine

The speed load controller NPR of the Siemens turbine has two operation modes: speed
control and load control. Both modes use the same PI (proportional and
integral) controller, differing mainly in the condition judgment and dimensional trans-
formation in the input link. The PI controller uses the proportional component and the
integral part to regulate the system according to the error [2].
To improve the control efficiency of the system under the two operating modes,
frequency feedforward and power feedforward are added to the PI loop in the Siemens
turbine technology. Frequency feedforward is used in run-up and primary frequency
modulation, while power feedforward is applied to adjust the active power.
The Siemens turbine uses the speed mode in run-up, house-load operation and load
rejection. Normally it is in the load mode.

3.1 The Idling Synchronization

When the Siemens turbine generator synchronizes to the grid at idling, the speed and
load controller (NPR) is switched from the speed mode to the load mode. The control
principle is shown in Fig. 3. Under the ideal condition, at this time the speed
setpoint NS and the actual speed NT are both 1500 RPM, so the speed deviation is
zero. Then the output steam demand of the controller is mainly determined by the load
setpoint PS and the actual load PEL. Just after the turbine synchronizes to the grid, the
actual load PEL is 0 and the effective load setpoint increases gradually. Through the
PID (proportional, integral and derivative) operation on the positive deviation and the
function of the load feedforward loop, the steam demand SD increases accordingly.
Then the valves are opened and the actual load of the unit PEL goes up. In this
process, the speed load controller is kept in closed-loop operation to control the
generator power [3].

Fig. 3. The control principle of Siemens turbine in load mode (block diagram: the speed set
point NS and the actual speed NT give the frequency deviation, which passes through the dead
band of primary frequency modulation and the KDN frequency feedforward to the power
component of primary frequency modulation (B); the load set point PS and the actual load PEL
(A) enter the PI controller, with the K power feedforward, to produce the steam demand SD)

According to the original logic design, the effective load setpoint starts increasing
from 0 MW, and the maximum increase rate is 54.3 MW/min. After the unit is syn-
chronized to the grid, the initial load needs nearly 1 min to go up to 50 MW
following the instructions of the sub-loop control. The positive power protection
threshold of the unit is 10 MW, and the process in which the active power becomes larger
than 0 MW needs nearly 10 s. Because the load increase rate is limited, the process of
the unit taking on the initial load is very slow. Because the synchronization system
needs a differential frequency to connect to the grid, the turbine idling speed is required
to be about 1503 RPM; at the cutting-in moment the power transmitter may be hit by a
large shock. Then the active power transient fluctuation appears. The
effective load setpoint increases slowly in the 10 s after synchronization, and compared
to the load fluctuation the load setpoint is small. So the deviation of the speed load
controller presents a sinusoidal fluctuation due to the fluctuation of the active power
transmitter. The PID parameters of this controller are: P = 0.1; I = 1 s; D = 0. The
proportional action of the PID is weak and the integral action is strong. When the
deviation is sinusoidal, the output change of the PID is very small. At this time, the SD
growth of the controller output is mainly dependent on the load feedforward loop. But
the load feedforward loop is also limited by the maximum load increase rate of
54.3 MW/min. If the unit takes on the initial load too slowly, it will cause reverse
power generation or generator low power in the positive direction.

3.2 The House-Load Synchronization

When the unit is synchronized to the grid with house load, as in Fig. 4, the speed load
controller is switched to the speed mode. Because the effective load setpoint is switched
to 0 in the control logic, the output of the controller depends on the speed deviation.

Fig. 4. The control principle of Siemens turbine in speed mode (block diagram: the actual
speed, the actual power (house load) and the speed set point give the frequency deviation, which
is converted to power and enters the PI controller, with the K speed feedforward, to produce the
steam demand SD)

In the process of synchronization with house load, the synchronization system still
adopts the differential frequency mode to connect to the grid. When the generator is
at the same frequency as the power grid, the synchronization device sends an
acceleration command to the turbine governing system, so that the frequency of the unit
is increased and becomes higher than the frequency of the power grid. In this process,
the closed-loop response time of the turbine governing system is not more than 16 ms,
but the rotating inertia of the turbine body is large and the turbine speed changes
slowly. It takes about 4 s from the turbine governing system sending a speed regulation
instruction until the target value is reached. This is not consistent with the frequency
pulse period of the synchronization device, which is 4 s. When the turbine speed does not
meet the requirement of the differential frequency, the system still continues to send
impulse signals to the turbine governing system. As the turbine governing
system receives excessive speed regulation pulse signals, the speed setpoint still
increases after the high voltage switch is closed. The output of the speed load controller
increases, resulting in the fluctuation of the active power, with the maximum value up
to 102 MW.
The synchronization system requires a differential frequency to connect to the grid,
so the turbine speed is raised to 1503 RPM before synchronization, and the speed
setpoint is pulled up to 1507 RPM. However, as the turbine speed is reduced to about
1500 RPM after synchronization, the speed deviation changes from 4 RPM to 7
RPM. Because the speed load controller is still in the speed mode, according to the
conversion of the speed governor droop, the increase of this deviation causes the output
of the speed load controller to increase by 4%, resulting in the fluctuation of the active
power of the turbine.

4 The Optimization Strategy

4.1 The Optimization of Idling Synchronization


Because of the low load increase rate, if the active power needs to be increased as soon
as possible to avoid reverse power and the generator's low positive power protection, the
rate must be increased so that the controller output rises more quickly. The load
increase rate is therefore switched to 900 MW/min at the instant of synchronization.
Considering the stability of the PID closed loop, the active power should not overshoot.
After simulation tests, the optimal duration was set to 1 s, during which the effective
load setpoint is raised quickly to 15 MW. After 1 s, the load increase rate is restored to
54.3 MW/min, and the active power gradually increases to the initial load value of 50 MW
set by the sub-loop control. This design makes the positive deviation and the power
feedforward of the speed load controller increase rapidly, so the steam demand rises
faster while overshoot of the active power is avoided.
The optimization of the idling synchronization focuses on modifying the load setpoint
logic. As shown in Fig. 5, the load increase rate is switched from 54.3 MW/min to
900 MW/min only when the following requirements are all met: (1) the actual load PEL is
less than 10 MW; (2) the turbine governing system is in load mode; (3) the high voltage
switch and the load switch are both closed, that is, the steam turbine has been
synchronized to the grid; (4) the optimal idling synchronization switch is closed. Once
these four conditions are satisfied, the effective load setpoint rises rapidly to 15 MW
at the rate of 900 MW/min within 1 s, and the speed load controller can then increase its
output through the larger positive deviation and the power feedforward, so the turbine
can take on the initial load of 50 MW as soon as possible.

Fig. 5. The logic modification of load setpoint

The Optimization of Siemens Turbine Synchronization Strategy 135
After optimization, the power fluctuation during synchronization has been reduced. As
shown in Fig. 6, the effective load setpoint (red line) after synchronization increases
rapidly for 1 s at the rate of 900 MW/min, and the load increase rate is restored to
54.3 MW/min after 1 s. The active power (blue line) needs only 2.8 s to leave the 0 axis
and become positive, and it finally reaches the 50 MW required by the sub-loop control.
The power overshoot is small and the PID control performance is good; the optimization
successfully solves the problem of the unit taking on the initial load too slowly, which
benefits the safe and stable operation of the unit.

Fig. 6. The idling synchronization of unit 1 of Project A nuclear power plant after optimization
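As an added illustration of the load setpoint logic described in this section (example code, not the paper's or the plant's own control logic), the following Python simulates the rate-limited effective setpoint with the four-condition interlock of Fig. 5. The rates, the 1 s window and the 15 MW and 50 MW levels come from the text; the signal names, the 0.1 s step and evaluating the interlock once at the synchronization instant are assumptions.

```python
"""Effective load setpoint logic for idling synchronization (Sect. 4.1).

Added illustration, not the plant's own control code. Rates, the 1 s window,
the 15 MW / 50 MW levels and the four interlock conditions come from the text;
the dataclass field names and the 0.1 s simulation step are assumptions.
"""
from dataclasses import dataclass

NORMAL_RATE_MW_PER_MIN = 54.3   # normal load increase rate
BOOST_RATE_MW_PER_MIN = 900.0   # rate used in the instant of synchronization
BOOST_DURATION_S = 1.0          # boost window found optimal by simulation
INITIAL_LOAD_MW = 50.0          # initial load demanded by the sub-loop control
PEL_THRESHOLD_MW = 10.0         # condition (1): actual load PEL below 10 MW


@dataclass
class UnitStatus:
    """Plant signals that gate the rate switch (field names are assumed)."""
    pel_mw: float               # actual electrical load PEL
    load_mode: bool             # (2) governing system in load mode
    hv_switch_closed: bool      # (3) high voltage switch closed
    load_switch_closed: bool    # (3) load switch closed
    opt_switch_closed: bool     # (4) optimal idling synchronization switch closed


def boost_permitted(s: UnitStatus) -> bool:
    """True only when all four conditions of Fig. 5 hold at once."""
    return (s.pel_mw < PEL_THRESHOLD_MW and s.load_mode
            and s.hv_switch_closed and s.load_switch_closed
            and s.opt_switch_closed)


def simulate_setpoint(status: UnitStatus, target_mw: float = INITIAL_LOAD_MW,
                      dt: float = 0.1, t_end: float = 60.0):
    """Sample the effective load setpoint from the synchronization instant.

    Returns a list of (t_seconds, setpoint_mw). The setpoint starts at 0 MW.
    For the first BOOST_DURATION_S after synchronization the ramp runs at the
    boosted rate if the interlock permits it (interlock evaluated once, at
    t = 0, as a simplification), then falls back to the normal rate. The
    setpoint is clamped at the sub-loop target so it cannot overshoot.
    """
    n_steps = int(round(t_end / dt))
    boost_steps = int(round(BOOST_DURATION_S / dt))
    boosted = boost_permitted(status)
    samples = []
    setpoint = 0.0
    for k in range(n_steps + 1):
        samples.append((round(k * dt, 3), setpoint))
        if boosted and k < boost_steps:
            rate = BOOST_RATE_MW_PER_MIN
        else:
            rate = NORMAL_RATE_MW_PER_MIN
        setpoint = min(target_mw, setpoint + rate / 60.0 * dt)
    return samples


def setpoint_at(samples, t_query: float) -> float:
    """Setpoint at the first sample whose time is >= t_query."""
    for t, sp in samples:
        if t >= t_query - 1e-9:
            return sp
    return samples[-1][1]


def time_to_reach(samples, level_mw: float) -> float:
    """First sample time at which the setpoint reaches level_mw (-1.0 if never)."""
    for t, sp in samples:
        if sp >= level_mw - 1e-6:
            return t
    return -1.0


if __name__ == "__main__":
    ready = UnitStatus(pel_mw=2.0, load_mode=True, hv_switch_closed=True,
                       load_switch_closed=True, opt_switch_closed=True)
    run = simulate_setpoint(ready)
    print("setpoint after 1 s:", setpoint_at(run, 1.0), "MW")     # 15.0
    print("time to reach 50 MW:", time_to_reach(run, 50.0), "s")  # 39.7
```

With the boost the setpoint reaches 15 MW after exactly 1 s (900 MW/min is 15 MW/s) and 50 MW after about 39.7 s; with the optimization switch open it reaches only about 0.9 MW after 1 s and 50 MW after about 55.3 s.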

4.2 The Optimization of House-Load Synchronization


Because the frequency pulse width and the frequency modulation period of the
synchronization system are not matched with the parameters of the turbine governing
system, they need to be adjusted as follows: (1) the frequency pulse width is changed
from 500 ms to 100 ms, avoiding the power overshoot caused by an excessive increase of
the turbine speed; (2) the frequency modulation period is changed from 1 s to 6 s.
Because of the large inertia of the turbine body, the change of turbine speed has a 4 s
delay, and this measure stops the synchronization system from continuing to send speed
pulse signals to the turbine governing system while it judges that the turbine speed
does not yet meet the differential-frequency requirement.

Since the speed setpoint does not follow the actual speed change, the output of the
speed load controller increases. Therefore, it is necessary to optimize the speed mode
of the turbine governing system: the speed deviation between before and after
synchronization is superimposed on the unit's effective speed setpoint, so that the
effective speed setpoint tracks the unit frequency during the initial 10 s of
synchronization:

    Ns1 = Ns0 + ΔN

where Ns1 is the target speed setpoint after synchronization, Ns0 is the target speed
setpoint before synchronization, and ΔN is the speed deviation between before and after
synchronization.

This design ensures that the speed deviation seen by the speed load controller is kept
constant. The power disturbance of house-load synchronization is thereby solved by making
the speed setpoint track, within a short time, the speed deviation between before and
after synchronization.
The logic modification of the speed setpoint is shown in Fig. 7. For the unit frequency
to be tracked, the following requirements must be met: (1) the time for which the actual
load PEL exceeds 100 MW cannot be longer than 2 s; (2) the turbine governing system is in
speed mode; (3) the time for which the high voltage switch and the load switch have both
been closed does not exceed 10 s; (4) the optimization switch of house-load
synchronization is closed; (5) the speed/load mode switch signal, the load rejection
signal and the speed tracking signal are not triggered. When the turbine is connected to
the grid with house load, the speed setpoint and the actual speed before synchronization
are saved through a memory block. The turbine speed after synchronization is subtracted
from the stored turbine speed before synchronization, and the deviation is added to the
speed setpoint within 10 s after synchronization, so the unit frequency is tracked in
time. The input of the controller remains stable, so the active power of the turbine
does not fluctuate.

Fig. 7. The logic modification of speed setpoint



Fig. 8. The house-load synchronization curve

After synchronization, the effective speed setpoint moves together with the unit speed,
so the speed deviation is kept unchanged and the output of the steam turbine remains
stable. The curve is shown in Fig. 8. The actual load is 55 MW before synchronization,
and it returns to 55 MW by closed-loop adjustment after synchronization, so the power
fluctuation is resolved.
By optimizing the parameters of the synchronization system and improving the speed
setpoint logic of the turbine governing system, the active load of the turbine before
and after synchronization remains stable at about 55 MW. The output of the speed load
controller is kept unchanged because the speed deviation is unchanged.
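As an added illustration of the speed setpoint tracking described in this section (example code, not the paper's or the plant's own logic), the following Python reproduces the 1503/1507 RPM case with and without the Ns1 = Ns0 + ΔN correction and the five enable conditions of Fig. 7. The 5% governor droop and the signal names are assumptions; the droop value is chosen because it reproduces the 4% output change the text reports for a 3 RPM change in deviation.

```python
"""Speed setpoint tracking for house-load synchronization (Sect. 4.2).

Added illustration, not the plant's own control code. The 1500 RPM rated
speed, the 1503/1507 RPM speeds, the 4 RPM and 7 RPM deviations, the 4% figure
and the five enable conditions come from the text. The 5% droop is an
assumption: (3 RPM / 1500 RPM) / 0.05 = 4%, matching the stated output change.
"""
from dataclasses import dataclass
from typing import Optional

RATED_SPEED_RPM = 1500.0
DROOP = 0.05             # assumed speed governor droop (5%)
PEL_HIGH_MAX_S = 2.0     # condition (1): PEL above 100 MW for at most 2 s
TRACK_WINDOW_S = 10.0    # condition (3): switches closed for at most 10 s


@dataclass
class TrackConditions:
    """Signals gating the tracking logic of Fig. 7 (field names are assumed)."""
    pel_high_time_s: float         # (1) how long PEL has been above 100 MW
    speed_mode: bool               # (2) governing system in speed mode
    switches_closed_time_s: float  # (3) time since HV and load switch both closed
    opt_switch_closed: bool        # (4) house-load optimization switch closed
    mode_switch_signal: bool       # (5) speed/load mode switch signal
    load_rejection_signal: bool    # (5) load rejection signal
    speed_tracking_signal: bool    # (5) speed tracking signal


def tracking_permitted(c: TrackConditions) -> bool:
    """All five enable conditions listed in the text must hold."""
    return (c.pel_high_time_s <= PEL_HIGH_MAX_S
            and c.speed_mode
            and c.switches_closed_time_s <= TRACK_WINDOW_S
            and c.opt_switch_closed
            and not (c.mode_switch_signal or c.load_rejection_signal
                     or c.speed_tracking_signal))


def droop_output_change(delta_deviation_rpm: float) -> float:
    """Fractional change of controller output for a change in speed deviation.

    Droop conversion: a deviation change of DROOP * rated speed moves the
    output over its full range, so 3 RPM gives 0.002 / 0.05 = 0.04 (4%).
    """
    return delta_deviation_rpm / RATED_SPEED_RPM / DROOP


class SpeedSetpointLogic:
    """Memory block plus adder of Fig. 7: Ns1 = Ns0 + delta N."""

    def __init__(self, setpoint_rpm: float):
        self.setpoint_rpm = setpoint_rpm                  # Ns0 before sync
        self.stored_speed_rpm: Optional[float] = None
        self.stored_setpoint_rpm: Optional[float] = None

    def on_synchronization(self, actual_speed_rpm: float) -> None:
        """Latch setpoint and actual speed at the instant of synchronization."""
        self.stored_setpoint_rpm = self.setpoint_rpm
        self.stored_speed_rpm = actual_speed_rpm

    def effective_setpoint(self, actual_speed_rpm: float,
                           cond: TrackConditions) -> float:
        """Ns1 = Ns0 + delta N while tracking is permitted, else Ns0.

        delta N is taken as the signed speed change across synchronization
        (speed now minus stored speed), which is what keeps the deviation
        constant, as the text intends.
        """
        if self.stored_speed_rpm is None or not tracking_permitted(cond):
            return self.setpoint_rpm
        delta_n = actual_speed_rpm - self.stored_speed_rpm
        return self.stored_setpoint_rpm + delta_n


def speed_deviation(setpoint_rpm: float, actual_speed_rpm: float) -> float:
    """Controller input: speed deviation = setpoint minus actual speed."""
    return setpoint_rpm - actual_speed_rpm


def compare_strategies(speed_before=1503.0, setpoint_before=1507.0,
                       speed_after=1500.0):
    """Return (dev before sync, dev without tracking, output change without
    tracking, dev with tracking, output change with tracking)."""
    logic = SpeedSetpointLogic(setpoint_before)
    logic.on_synchronization(speed_before)
    cond = TrackConditions(pel_high_time_s=0.0, speed_mode=True,
                           switches_closed_time_s=1.0, opt_switch_closed=True,
                           mode_switch_signal=False,
                           load_rejection_signal=False,
                           speed_tracking_signal=False)
    dev_before = speed_deviation(setpoint_before, speed_before)       # 4 RPM
    dev_untracked = speed_deviation(setpoint_before, speed_after)      # 7 RPM
    dev_tracked = speed_deviation(
        logic.effective_setpoint(speed_after, cond), speed_after)      # 4 RPM
    return (dev_before, dev_untracked,
            droop_output_change(dev_untracked - dev_before),           # 0.04
            dev_tracked, droop_output_change(dev_tracked - dev_before))  # 0.0
```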

5 Conclusion

Because this is the first application in the field of nuclear power, the relevant control
strategy of the Siemens steam turbine needs to be adjusted accordingly and coordinated
with the reactor. The Siemens turbine is slow to accept the initial load when
synchronizing to the grid, and the resulting reverse power and low positive power of the
unit can easily cause the generator protection to act. Also, the parameters of the
turbine governing system and the synchronization system are not matched when the unit is
connected to the grid with house load, so the speed deviation cannot be kept stable
before and after synchronization. This results in a large power fluctuation of the
secondary loop; the steam generator level would rise and the reactor may even become
subcooled.
After fully absorbing the experience from the earlier operation of the units, the
synchronization logic of the turbine governing system was optimized and the related
parameters of the synchronization system were also modified. After several simulation
tests, the final optimal control strategy was selected by comparison. This scheme
successfully solves the problem of power disturbance during synchronization of the
Siemens half-speed turbine. It is beneficial to the coordinated control of the nuclear
power plant, and it improves the safe and stable operation of the nuclear power plant [4].

References
1. Qiong, W.U., Jun-Ning, L.I.: The application of Siemens turbine governing system in CPR1000 nuclear power unit. Technol. Dev. Enterp. 35(21), 42 (2016)
2. Wang, S.-Q.: Industrial Process Control Engineering. Chemical Industry Press (2007)
3. Zeng, B.: Analysis and research on the standardized design of turbine control system in nuclear power plant. Process Autom. Instrum. (11), 39 (2015)
4. Zeng, B.: Study on HP inlet pressure control in nuclear power plant. Chin. J. Nucl. Sci. Eng. (S2) (2011)
Research on the Verification and Validation Method of Commercial Grade Software in Nuclear Power Plants

Wang-Ping Ye(&), Ya-Nan He, Peng-Fei Gu, and Wei-Hua Chen

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
yewangping@126.com

Abstract. With the development of digital technology in nuclear power plants, more and
more commercial grade software is being widely used in nuclear power plants. However, no
unified dedication standard has been formed either domestically or overseas, which not
only brings certain difficulties for dedication but also has a certain impact on the
safety of nuclear power plants. Based on the analysis of related domestic and overseas
standards, combined with software V&V experience from practical work, this paper presents
a set of practical commercial grade software dedication methods. It can not only guide
the dedication of commercial grade software in China's nuclear power plants, but also
provide a reference for the dedication of commercial grade software for HPR1000.

Keywords: Nuclear power plant · Commercial grade software · Verification and validation · Dedication

1 Introduction

With the continuous development of China's nuclear power technology, more and more
digital devices are being applied in nuclear power plants. Smaller devices such as smart
devices that transmit pressure and level signals, and larger-scale safety digital
instrumentation systems, are increasingly used in the design, construction, operation,
and maintenance of nuclear power plants.
In the past, most of the software used in nuclear power plants was costly and imported,
mainly through commercial purchase, such as Mitsubishi's I&C systems TXP and TXS and
Siemens's industrial software SIMATIC S7. However, in recent years, with the "going out"
and the autonomy of China's nuclear power technology, more and more independently
developed software has been used in nuclear power plants, such as the safety I&C system
FirmSys developed by China Techenergy Co., Ltd. Even some safety analysis software has
gradually been localized, such as the neutron transport calculation software SUPERMC
developed by the Chinese Academy of Sciences, as well as non-safety-critical software. In
addition, with the mass construction of nuclear power plants, digital equipment from
general industry is gradually being applied in nuclear power plants, such as embedded
devices (PLC, FPGA, etc.).

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 139–148, 2019.
https://doi.org/10.1007/978-981-13-3113-8_16
140 W.-P. Ye et al.
Although a large amount of manpower and resources has been devoted to independent
research and development, the gap between China's software industry and foreign software
is unavoidable. At the same time, domestic software lacks the long-running operating
experience of foreign software, and its safety should be of great concern. Furthermore,
in order to save development costs or shorten schedules, self-developed equipment often
uses commercial grade software that has not been fully verified in the R&D process, and
also uses components whose source code is not available, such as the operating systems in
embedded devices, which further increases the safety risk of the software. For
safety-critical autonomous software used in nuclear power plants, such as DCS, with a
strict development process, complete quality assurance and full third-party verification
and validation, such as white box testing with 100% coverage, the software quality is
credible [5]. However, for commercial grade software, considering the development costs,
there is generally no complete development process and quality assurance. If it were
applied directly in nuclear power plants, the consequences would be unimaginable.
How to dedicate such commercial grade software to meet the review requirements of
domestic and foreign regulatory agencies has become a problem that needs to be solved
urgently, and no engineering experience can be used for reference. Based on the analysis
of commercial grade software dedication standards, this article proposes a set of
concrete and feasible commercial grade software V&V solutions drawn from the engineering
experience of safety software qualification in nuclear power plants. It mainly includes
the following parts: the first part briefly introduces the status of application and
appraisal of commercial grade software in nuclear power plants; the second part
introduces the differences and connections between commercial grade software and safety
software, and the focus and difficulty of commercial grade software dedication; the third
part analyzes and sorts out domestic and foreign standards related to commercial grade
software, and gives a reference V&V method; the fourth part gives a feasible V&V plan,
with its advantages and disadvantages, combining the standards analysis results and
engineering practice; the fifth part summarizes the content of the plan that needs to be
improved and the follow-up research; the sixth part lists the reference literature used
in the writing process.

2 Commercial Grade Software

2.1 Definition
Commercial grade software refers to the software used in commercial grade items,
including system software and application software. Commercial grade items refer to
structures, systems or components that are not designed and manufactured under a nuclear
quality assurance program but affect the safety functions of the plant. In general, these
are items not specifically designed for nuclear facilities but used in nuclear power
plants. Such items are generally not subjected to the same stringent process control and
verification as nuclear-grade items during the design and development process [6].

Research on the Verification and Validation Method 141

2.2 Differences and Connections


The software used in nuclear power plants is divided into pre-developed software and
newly developed software. Pre-developed software is Commercial Off-The-Shelf software
that has already been developed and is generally not developed specifically for nuclear
power plants; commercial grade software belongs to this category. Newly developed
software refers to software designed and developed specifically for nuclear power plants.
There are two classification methods for new software: IEC and IEEE. According to the
importance of the functions performed by the software and the severity of its failure,
IEC classifies the software into categories A, B and C; for example, the failure of
Class A software can cause catastrophic consequences such as radioactive leaks. IEEE
classifies software into integrity levels 1, 2, 3, and 4 based on the risk of failure,
with integrity level 4 being the highest and equivalent to IEC Class A.

2.3 Difficulty of V&V


The main difficulty in the dedication of commercial grade software is that there are no
unified standards to guide the related work. On the other hand, during the development
and dedication of commercial grade software there is often irregular documentation and a
lack of quality assurance, configuration management and software source code.

3 Analysis of V&V Standards

3.1 Standard Classification


For the application of commercial grade software in nuclear power plants, the main
standards are the international IEC series and the United States standards. Among them,
the international standards IEC 60880 and IEC 62138 present the requirements for the
dedication of Class A and Class B/C commercial grade software respectively [3, 4]. The
US standards also form a complete standard system with detailed requirements for the
dedication of commercial grade software. Table 1 provides the details.

3.2 Interpretation of Standards


3.2.1 IEC Standards
IEC 60880 and IEC 62138 are consistent in the process of dedication of commercial grade
software and differ only in depth; see Table 2 for details. One or more of the
dedication contents may be used to prove the correctness of the software, according to
the assessment.

Table 1. Commercial grade software dedication standards

Level | Title | Document No.
--- | --- | ---
Laws and Regulations | Reporting of Defects and Noncompliance | 10CFR21, 1995
Laws and Regulations | Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants | 10CFR50, Appendix B
Nuclear Safety Guidelines, Requirements and Inspection Procedure | Standard Review Plan | USNRC NUREG 0800
Nuclear Safety Guidelines, Requirements and Inspection Procedure | Criteria for Use of Computers in Safety Systems of Nuclear Power Plants | R.G. 1.152-2011
Nuclear Safety Guidelines, Requirements and Inspection Procedure | Commercial-Grade Dedication Programs | NRC Inspection Procedure 43004
Nuclear Safety Guidelines, Requirements and Inspection Procedure | Actions to Improve the Detection of Counterfeit and Fraudulently Marketed Products | USNRC Generic Letter 89-02, 1989
Nuclear Safety Guidelines, Requirements and Inspection Procedure | Licensee Commercial-Grade Procurement and Dedication Programs | USNRC Generic Letter 91-05, 1991
Industrial Standards and Technical Reports | IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations | IEEE 7.4.3.2-2010
Industrial Standards and Technical Reports | IEEE Standard for Software Verification and Validation | IEEE 1012-2004
Industrial Standards and Technical Reports | Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Related Applications | EPRI NP-5652, 1998
Industrial Standards and Technical Reports | Supplemental Guidance for the Application of EPRI Report NP-5652 on the Utilization of Commercial Grade Items | EPRI TR-102260, 1994
Industrial Standards and Technical Reports | Guideline of Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications | EPRI TR-106439, 1996
Industrial Standards and Technical Reports | A Proposed Acceptance Process for Commercial Off-the-Shelf (COTS) Software in Reactor Applications | NUREG/CR 6421, 1996

Table 2. Commercial grade software dedication requirements

Dedication content | Class A software | Class B software | Class C software
--- | --- | --- | ---
Standard compliance analysis | √ | √ | √
Suitability evaluation | √ | √ | -
Quality assessment | √ | - | -
Operational experience feedback | √ | √ | -
Supplementary test | √ | √ | -

3.2.2 IEEE 1012


IEEE 1012 Appendix D provides more detailed options and suggestions for the verification
and validation of reused software (software libraries, custom software developed for
other applications, COTS software, and existing software), and is mainly divided into
two areas [2].
First, the criticality analysis method is used to assign the integrity level of the
software, and then the minimum V&V tasks to be performed for the software dedication are
determined according to the standard. For example, when the software integrity level is
3 or 4, it is necessary to carry out hazard analysis and risk analysis, but when the
software integrity level is 1 or 2, there is no need.
Then, when the development documents and information of the software are complete and
available, the V&V tasks of each stage need to be carried out according to the minimum
task set, such as Concept V&V, Requirement V&V, etc.; the suggested V&V process is shown
in Fig. 1.

[Fig. 1 V-model diagram, labels only: Concept V&V; Requirement V&V (system requirement, software requirement); Design V&V; Implementation V&V; Test V&V (software integration, system integration, system acceptance); Installation and Inspection V&V; Operation and Maintenance V&V; requirements validation and verification links between each development stage and the corresponding test stage]

Fig. 1. Software V&V process

When the V&V inputs such as documents and code required for carrying out the minimum
tasks in each stage are not available and the software requires high confidence,
substitute analysis and test methods should be permitted instead of the V&V tasks
required by IEEE 1012, to generate objective conclusions about the correctness,
completeness, accuracy and usability of the reused software. The following alternative
methods should be considered (listed in decreasing order of preference):
a) Black box testing.
b) Review of the developer's quality assurance.
c) Operational history.
d) Audit results.
e) Artifacts.
f) Reverse compilation.
g) Prototyping.
h) Prior system results.

3.2.3 IEEE 7-4.3.2

IEEE Std. 7-4.3.2-2010 Section 5.17 provides guidance on how commercial-off-the-shelf
(COTS) digital equipment that was not developed under a nuclear quality assurance
program, but performs the intended safety functions, can pass the nuclear power plant's
dedication process [1]. The terms and provisions for the commercial grade dedication of
digital equipment are basically the same as those in the EPRI reports. According to the
requirements of this standard, the dedication process for digital equipment consists of
a preparation phase, a performing phase, and a design review phase. The detailed
requirements for each phase are shown in Table 3.

Table 3. Dedication process and requirements

Identification process | Identification requirements
--- | ---
Preparation phase | 1. Use failure modes and effects analysis (FMEA) and fault tree analysis (FTA) to identify the potential risks and hazards that may interfere with the COTS item achieving its safety functions; 2. Identify the safety functions performed by the COTS item and conduct dedication, including performance requirements, accuracy, time response, system integrity, and configurability or programmability; 3. Evaluate the computer security risks and hazards associated with the system, including impact on hardware, software, interfaces to other systems, and life cycle documentation, as well as plant procedures for the COTS items, to determine if the risk is acceptable.
Performing phase | 1. Develop detailed acceptance criteria, including physical characteristics, performance characteristics, and development process characteristics such as software model and version numbers, response time, and traceability; 2. Determine the acceptance method, such as special test, commercial grade survey, source verification, evaluation, etc.
Design review phase | 1. Evaluate the life cycle process, including design, development, quality assurance, review, testing, configuration management and change control; 2. Evaluate the failure modes and effects analysis of the vendor or dedicating entity; 3. Evaluate the operating history in similar safety critical applications.

3.2.4 EPRI NP-5652

EPRI NP-5652 is the main report on commercial grade dedication (CGD), in which EPRI
describes the background, objectives, basic concepts, overall process and basic methods
of CGD, and proposes a dedication method consisting of technical assessment and
acceptance. The main task of CGD is to verify and evaluate the critical characteristics
of the item using appropriate acceptance methods. See Table 3 for details. Critical
characteristics often include physical and performance characteristics, depending on
safety features, environmental conditions, and item failure mechanisms (Table 4).

Table 4. CGD appraisal process and requirements

Dedication process | Dedication requirements
--- | ---
Technical assessment | Identify safety functions; failure modes and effects analysis (FMEA); identify critical characteristics
Acceptance method | Special tests and inspections; commercial grade survey; source verification; item/supplier performance record

3.2.5 EPRI NP-106439


This report uses the four methods of commercial grade item dedication proposed by
EPRI NP-5652 to evaluate the critical characteristics of commercial digital equipment.
It classifies the critical characteristics of commercial digital devices into three
major categories, physical characteristics, performance characteristics, and
dependability characteristics, and provides examples of verification methods and
acceptance criteria for each type of characteristic. Through the verification of these
characteristics, it is possible to evaluate whether commercial digital equipment
(including software) meets the needs of the nuclear power plant's related safety
functions. Specific requirements are detailed in Table 5.

Table 5. Identification process and requirements

Critical characteristics | Acceptance object | Acceptance method
--- | --- | ---
Physical characteristics | Hardware | Verification through inspection and measurement
Physical characteristics | Software | Identify requirements for expected and unexpected functions
Performance characteristics | Response time, progress and other performance indicators | Testing; design review; failure analysis; operating history review
Dependability characteristics | Hardware | Seismic test, EMC, aging and other hardware qualification
Dependability characteristics | Software | Evaluation of software development and quality assurance processes, including evaluation of V&V processes, configuration management, and operational records

3.3 Summary and Analysis


Through the analysis of the above-mentioned standards' requirements, commercial grade
item dedication is basically the same in requirements and methods across them. All
require the completion of commercial grade dedication through evaluation of critical
characteristics, development process quality records (including V&V and configuration
management records), and operation records. Among them, software is the focus of quality
control in digital commercial grade items [7, 9]. The most effective and direct method is
to conduct independent software verification and validation (V&V).
Because equipment suppliers generally follow industrial standards in the design and
development process of commercial grade software, the records, documents, reports, etc.
of the development process are often incomplete or do not fully meet the requirements of
nuclear industry standards, so it may not be possible to carry out V&V over the entire
software life cycle. Therefore, an alternative analysis must be performed to
comprehensively evaluate the QA status, performance, and operational feedback of
commercial grade items, in order to make better judgments on software quality.

4 V&V Method

4.1 V&V Plan
Although the standards have set corresponding requirements for the evaluation of
commercial grade software, each standard has a different emphasis. IEEE 1012 focuses on
verification and validation over the entire software lifecycle, and gives the minimum set
of tasks and V&V requirements for each V&V phase, which is suitable for the qualification
of software with complete development documents and data. EPRI NP-5652 provides an
evaluation and acceptance method for commercial grade software, which is suitable for the
dedication of software whose data are incomplete or hard to obtain. IEC 60880 and
IEC 62138 require both.
Combined with engineering experience, IEEE 1012 is more practicable than the other
standards for V&V over the entire software life cycle, while IEC 60880 and IEC 62138 are
superior to EPRI NP-5652 in terms of evaluation and acceptance.

4.2 Cases
The software of a non-safety control system used in nuclear power plants was developed
by a non-nuclear enterprise in China which carries out software development and quality
assurance over the entire life cycle according to the waterfall model, and the relevant
development documents and data are complete [8, 10]. For this software, the
corresponding V&V work was carried out in accordance with the requirements of IEEE 1012
integrity level 2; the specific V&V flow and tasks are shown in Table 6.

Table 6. V&V phases and tasks

V&V phase | V&V tasks | V&V method
--- | --- | ---
Concept V&V | Concept document evaluation, traceability analysis, security analysis | Document review
Requirement V&V | Requirements document evaluation, traceability analysis, safety precaution analysis | Document review
Design V&V | Design document evaluation, traceability analysis, safety precaution analysis | Document review
Implementation V&V | Source code and document evaluation, traceability analysis, security analysis, unit testing | Document review, static analysis, white box testing
Test V&V | Integration test, system test | Black box testing

The control software of a foreign smart device is intended to be applied in a domestic
nuclear power plant. The software belongs to Category A and needs to be dedicated
accordingly. However, due to confidentiality and other requirements, it is impossible to
obtain complete software data for independent dedication throughout the entire life
cycle [11]. Finally, according to the requirements of IEC 60880, the foreign software was
subjected to standards compliance analysis, operational experience evaluation, and
supplementary testing to verify whether it meets the requirements for Class A
software [12].

5 Summary

Although IEC and the United States have given corresponding requirements and methods
for the dedication of commercial grade software, and these have a certain
enforceability, the supervision and dedication of commercial grade software in China is
still insufficient at present, and more in-depth research needs to be carried out.
At the same time, with HPR1000 "going out" and the lack of successful experience, there
is still some uncertainty about how to prove that the dedication of the software is
sufficient to meet the GDA and EUR review requirements. More exchanges and discussions
are needed.

References
1. Nuclear Power Engineering Committee of the IEEE Power Engineering Committee: IEEE 7-4.3.2. IEEE standard criteria for digital computers in safety systems of nuclear power generating stations. Institute of Electrical and Electronics Engineers, New York (2010)
2. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012. IEEE standard for software verification and validation. Institute of Electrical and Electronics Engineers, New York (2004)
3. International Electrotechnical Commission: IEC 60880. Nuclear power plants instrumentation and control systems important to safety software aspects for computer based systems performing category A functions (2006)
4. International Electrotechnical Commission: IEC 62138. Nuclear power plants instrumentation and control systems important for safety software aspect for computer-based systems performing category B or C functions (2004)
5. Ye, W.P., Tang, J.Z., Chen, W.H.: Software V&V methods for safety digital I&C system of nuclear power plants. At. Energy Sci. Technol. 49(zengkan1), 377–381 (2015)
6. Gu, P.F., Wang, S., Chen, W.H.: A study about safety I&C system software V&V in nuclear power plant. In: International Conference on Nuclear Engineering (2016). V001T04A005
7. He, Y.N., Gu, P.F., Xi, W.: Research on status monitoring and reliability prediction method of digital control system for nuclear power plant. At. Energy Sci. Technol. 51(12), 2338–2343 (2017)
8. Liang, H.H., Gu, P.F., Tang, J.Z.: The software security analysis for digital instrumentation and control systems of NPPs. Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2018)
9. Zhao, J., He, Y.N., Gu, P.F.: Reliability of digital reactor protection system based on extenics. SpringerPlus 5(1), 1953 (2016)
10. Liang, H.H., Gu, P.F., Tang, J.Z.: A study of implementation V&V activities for safety software in the nuclear power plant. Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2017)
11. Gu, P.F., Liu, Z.M., Liang, H.H.: Evaluation measures about software V&V of the safety digital I&C system in nuclear power plant. Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2018)
12. Xi, W., Gu, P.F., Liu, W.: A study and application about software V&V requirement management scheme in digital RPS. Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems (2018)
Research on Application of Sequence Control Strategy in Conventional Island System of Nuclear Power Plant

Hai-Ying Fan1(&), Song-Di Ji2, and Xin-Nian Huang1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Company Ltd., Shenzhen 518172, China
f9haiying@yeah.net
2 China Nuclear Power Operations Com. Ltd., Shenzhen 518000, China

Abstract. Sequential control has been widely used in thermal power units, but there are only a few applied systems in CPR1000 nuclear power projects. The implementation and the characteristics of sequential control technology are described through an engineering application example of sequential logic modules in functional group level control, utilized in the conventional island systems of a third generation nuclear power plant. The application of functional group-level sequential control can effectively reduce the operator's work intensity and improve the automatic control level of nuclear power plants. The application in the nuclear power project provides a demonstration case for the large-scale adoption of the sequential control strategy in the conventional island systems of nuclear power plants, laying the foundation for the automatic start-up and shutdown of nuclear power plant units.

Keywords: Sequence control · Conventional Island · Functional group level · Module

1 Introduction

The application of sequential control in thermal power units is relatively mature and extensive, and plays an increasingly important role in the safe and economic operation of large-scale units. At present, the control of auxiliary machines in the conventional island of the Chinese PWR (CPR) nuclear power project mainly uses single drive-level device operation with interlock control; sequential control is not widely applied. The conventional island auxiliary systems of nuclear power plants are closely related to the production process of the plants, and their normal operation is an important condition for ensuring the stable and full production of the units. The automatic control of nuclear power plants is relatively conservative and the level of automation needs to be further improved.
Sequential control technology has been successfully applied in the thermal power, metallurgical and chemical industries, and in the steam-water separation system of the CPR project. Using sequential control not only removes many cumbersome operations, but also avoids misoperation by the operator. By introducing and widely applying the sequential control strategy in the conventional island system of a third-generation nuclear power project, the automatic control level in the plant has been significantly enhanced.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 149–155, 2019.
https://doi.org/10.1007/978-981-13-3113-8_17

2 Sequential Control Technology Overview

Sequential control refers to automatically performing a series of operations on the unit equipment and system in the production process according to a pre-determined procedure, condition or time, so as to change the working status of the equipment and the system [1]. Sequential control is a more advanced program control method widely used in large-scale thermal power units. A sequential control system basically adopts three levels: the equipment drive level, the function group level and the unit level. The unit level is the highest level of sequential control, also known as the unit start-stop system, which can automatically start and stop the entire unit with a small amount of manual intervention. The equipment drive level is the basic level of the sequential control system.
The equipment drive level control applications in the conventional island system of a nuclear power plant are very mature. There are seven kinds of drive level logic modules, which can be used for the logic control of pumps/fans, electric valves and solenoid valves. Manual operation can be performed via the single device operation icon on the main control room screen. For example, the start or stop of an auxiliary machine and its ancillary equipment, or of a local related process system, is based on the operation of single devices: the operator starts, stops or switches each single device at the operator station, and the equipment is linked and controlled by interlocks. Building on the drive level, how to set up the functional group-level sequential control logic and the application method for the conventional island auxiliary machines and equipment of a nuclear power plant is the focus of this article.

3 Functional Group Sequence Control in Conventional Island System

According to DL/T 5423-2009, the conventional island switch quantity control system
should use subgroup-level and functional group-level sequential control modes. The
equipment group or auxiliary process system with fixed sequence of start/stop opera-
tion should adopt sequential control [2].

3.1 Design of the Functional Group Sequential Control Logic Module


The functional group level is process-flow based and includes the equipment associated with the sequential control. Functional group control is characterized by associating the processes with each other, and the associated devices are relatively centralized for the start or stop sequential control. To start or stop a thermal system and its auxiliary machines, the operator only needs to press a button; the auxiliary equipment and related equipment of the thermal system then act automatically in the order and with the time intervals required for a safe start or stop, and the operator only needs to monitor the implementation of each step, which removes many tedious operations. At the same time, in the sequential control logic design, the operations of each device are set with strict safety interlock conditions. Whether in automatic sequence operation or single device manual operation, as long as the action conditions of a device are not met the device is locked, thus avoiding misoperation and ensuring the safety of the equipment.
The second-generation CPR1000 nuclear power project has few functional group-
level sequential control systems. New sequential control strategies are included in the
conventional island system control of the third-generation nuclear power project under
construction, and are divided into five functional group levels according to the char-
acteristics of the process system. Auxiliaries include high-pressure heaters, low-
pressure heaters, circulating pumps, feed pumps, condensate pumps, auxiliary equip-
ment including inlet valves, outlet valves, oil pumps, and/or recirculation valves on
auxiliary equipment.
The design method of the function group sequential logic is as follows. One or more auxiliary machines of the nuclear power plant and their associated equipment are incorporated into the control logic circuit of a function subgroup, and the subgroup is set according to the order and conditions required by the auxiliary operation. The operational sequence of the auxiliary machine and its related auxiliary equipment is fixed, and the feedback signal of the execution status of the auxiliary machine or equipment started earlier works as the permission condition for the program of the next auxiliary machine or auxiliary device. In the logic design, it is necessary to accurately analyze and classify the operational sequence, interrelationships, associated conditions, program return and manual intervention of all devices belonging to the group.

3.2 Application of Functional Group Sequential Control Logic Module


The sequence control logic is implemented in the Digital Control System (DCS). The
start-up operation of the function group is provided on the human-machine interface
CRT of the DCS. The operator can start and stop the related group of devices in the
function group through the operator station.
According to DL/T 5423-2009, sequential control design should follow the principle of protection and interlock priority. When a protection or interlock instruction appears during sequential control, the control process should be interrupted, and the process system should act according to the protection and interlock instruction. The sequential control interrupts the ongoing program and keeps the process system in a safe state during any automatic fault or operator interruption. Each step of the sequential control system shall have an allowable condition for preventing misoperation, and shall have feedback conditions confirming that the previous step has been performed [2].
In order to clearly illustrate the logical conditions and logical relationships of the functional groups of the sequential control, the following examples show how two typical functional groups, the electric feed pumps and the high and low pressure heaters, are implemented in a specific thermal system in the conventional island of a nuclear power plant.

3.2.1 Functional Group of Feeding Water Pump

Refer to Fig. 1. The auxiliary machine is the water pump 21, and the auxiliary equipment consists of the inlet valve 22, the outlet valve 23 and the lubricating oil pump 24. The start-up logic for this functional group sequence is shown in Figs. 2 and 3.

Fig. 1. The process diagram of feed water pump

① The start command of the sub-function group is set on the CRT, together with the display of the permission condition for the start. ② Program or step permissive; it may also be the execution status of the previous sequence step. ③ Sequential control output. ④ Step setting switch: in some sub-function groups a step is skipped depending on the device condition or operation, and the step switch is used to set this. ⑤ Sequential control execution check: when the step control command has been issued and the step has not been completed within the specified time, program execution is interrupted and an alarm is raised. ⑥ Jump command input, accessed when there is a jump.
When the water pump 21 is to be started, the status feedback signal of the outlet valve 23 is first obtained through the signal input 31 (P11, P12). Once the state feedback signal showing the closed status of the valve has been obtained, the closed state signal is used as the permission condition for the next step, opening the inlet valve 22: the logic circuit 3 automatically sends an instruction to open the water inlet valve 22 through the signal output terminal 32 (S01). If the closed-state feedback signal of the outlet valve 23 is not obtained within the specified time, the program is interrupted and an alarm instruction is sent to the alarm 5.
When the signal input terminal 31 (P21, P22) of the logic circuit 3 obtains the
feedback signal of the open status from the water inlet valve 22, the open state signal is
used as the start condition for the next lubricating oil pump 24 and the logic circuit 3
automatically sends the instruction to turn on the lubricating oil pump 24 through the
signal output terminal 32 (S02). If the feedback signal of the water inlet valve 22 is not
acquired within the pre-defined time, the program is interrupted and the abnormality
signal is sent to alarm 5.
When the feedback signal indicating whether the lubricating oil pump 24 has been started is acquired from the accessory device through the signal input 31 (P31, P32) of the logic circuit 3, and it shows the started state, this start state signal works as the start condition for the next device, the water pump 21; the logic circuit 3 automatically issues an instruction to start the water pump 21 through the signal output terminal 32 (S03). If the status feedback signal of the lubricating oil pump 24 is not acquired within the pre-defined time, the program is interrupted and an alarm is issued to the alarm 5.

Fig. 2. The logical block diagram of feed water starting (flowchart: outlet valve 23 closed? → inlet valve 22 open? → lubricating oil pump 24 running? → pump 21 running? → outlet valve 23 open → End; each "NO" branch leads to Alarm)
When the feedback signal of the water pump 21 is obtained from the accessory device through the signal input terminal 31 (Pn1, Pn2) of the logic circuit 3, the logic circuit 3 automatically issues the instruction to open the outlet valve 23 through the signal output terminal 32 (S0n). When the water outlet valve 23 receives the opening request from the signal output terminal 32 (S0n), it opens automatically and completes the control program. If the valve cannot be opened, an alarm instruction is sent to the alarm device 5.

Fig. 3. The logical module of sequence control
The sequence control execution status check is displayed on the human-machine interface CRT of the DCS. When the check control instruction is issued, the next-step start condition is initiated, as described above, via the signal input 31 of the logic circuit 3 on the accessory device. If the feedback signal indicating whether the water outlet valve 23 is closed is unchanged after the predetermined time for the closing signal, the program interrupting command is executed and the alarm is issued. The other subsidiary conditions are handled in the same way. When the cause of the interruption of the program has been eliminated, the reset button 41 may be selected, after which the operator performs the operation and continues the function group step until each step of the program is completed.
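The step, permissive, feedback and timeout structure described in Sects. 3.1 and 3.2, with the feed water pump start-up order of Sect. 3.2.1, can be written as a small scan-cycle simulation. The following Python is an added example, not code from the paper or from any plant DCS: the equipment numbers 21 to 24 and the output tags S01, S02, S03 and S0n follow the paper's figures, while the step table, the timeouts, the simulated plant model and its response delays are constructed assumptions. It shows the protection-priority interrupt, the per-step permissive, the execution check that interrupts and alarms when feedback does not arrive in time, and resumption from the reset button once the cause has been cleared.

```python
"""Functional-group sequential control of the feed water pump start-up.

Added illustration, not code from the paper or from any plant DCS. Equipment
numbers (21-24) and output tags (S01, S02, S03, S0n) follow the paper's
Figs. 1-3; the step table, timeouts and the simulated plant are constructed.
"""
from collections import namedtuple

# permissive/done are feedback tags read at signal input 31 (None = always true);
# command is the tag driven at signal output 32 (None = check only); timeout in s.
Step = namedtuple("Step", "name permissive command done timeout")

# Start-up order of Sect. 3.2.1; each step's permissive is the previous step's feedback.
FEED_PUMP_START_STEPS = [
    Step("check outlet valve 23 closed", None, None, "outlet23_closed", 10.0),
    Step("open inlet valve 22", "outlet23_closed", "S01", "inlet22_open", 30.0),
    Step("start lubricating oil pump 24", "inlet22_open", "S02", "oilpump24_running", 10.0),
    Step("start feed water pump 21", "oilpump24_running", "S03", "pump21_running", 15.0),
    Step("open outlet valve 23", "pump21_running", "S0n", "outlet23_open", 30.0),
]


class SimulatedPlant:
    """Constructed plant: a device answers its command after a fixed delay
    unless its tag is in `stuck` (the device fails to respond)."""
    RESPONSE = {"S01": ("inlet22_open", 5.0), "S02": ("oilpump24_running", 2.0),
                "S03": ("pump21_running", 4.0), "S0n": ("outlet23_open", 8.0)}

    def __init__(self, stuck=(), outlet_closed=True):
        self.io = {"outlet23_closed": outlet_closed, "outlet23_open": False,
                   "inlet22_open": False, "oilpump24_running": False,
                   "pump21_running": False}
        self.pending = {}          # tag -> seconds until its feedback appears
        self.stuck = set(stuck)

    def command(self, tag):
        if tag not in self.stuck and tag not in self.pending:
            self.pending[tag] = self.RESPONSE[tag][1]

    def advance(self, dt):
        for tag in list(self.pending):
            self.pending[tag] -= dt
            if self.pending[tag] <= 0:
                self.io[self.RESPONSE[tag][0]] = True
                del self.pending[tag]


class FunctionGroupSequencer:
    """One scan() per DCS cycle. States: IDLE, RUNNING, INTERRUPTED, COMPLETE."""

    def __init__(self, steps, plant):
        self.steps, self.plant = steps, plant
        self.state, self.index, self.elapsed, self.issued = "IDLE", 0, 0.0, False
        self.alarms = []      # messages sent to alarm device 5
        self.commands = []    # output tags in the order they were driven

    def start(self):          # start button on the CRT
        if self.state == "IDLE":
            self.state, self.index, self.elapsed, self.issued = "RUNNING", 0, 0.0, False

    def reset(self):          # reset button 41: resume the interrupted step
        if self.state == "INTERRUPTED":
            self.state, self.elapsed, self.issued = "RUNNING", 0.0, False

    def _interrupt(self, reason):
        self.state = "INTERRUPTED"
        self.alarms.append(reason)

    def scan(self, dt, protection_active=False):
        if self.state != "RUNNING":
            return self.state
        if protection_active:     # protection and interlock instructions have priority
            self._interrupt("protection or interlock instruction active")
            return self.state
        step, io = self.steps[self.index], self.plant.io
        if io[step.done]:         # feedback received: advance to the next step
            self.index, self.elapsed, self.issued = self.index + 1, 0.0, False
            if self.index == len(self.steps):
                self.state = "COMPLETE"
            return self.state
        if step.permissive is not None and not io[step.permissive]:
            self._interrupt(f"{step.name}: permissive not met")   # step stays locked
            return self.state
        if step.command and not self.issued:
            self.plant.command(step.command)
            self.commands.append(step.command)
            self.issued = True
        self.elapsed += dt
        if self.elapsed > step.timeout:   # execution check: no feedback in time
            self._interrupt(f"{step.name}: no feedback within {step.timeout:.0f} s")
        return self.state


def run(seq, dt=1.0, max_time=120.0):
    """Scan until the sequence leaves RUNNING or max_time elapses; returns the state."""
    t = 0.0
    while seq.state == "RUNNING" and t < max_time:
        seq.scan(dt)
        seq.plant.advance(dt)
        t += dt
    return seq.state
```

Running `run()` on a sequencer whose plant lists "S02" as stuck reproduces the interrupt-and-alarm path at the oil pump step; calling `reset()` after clearing the fault resumes at that step rather than from the beginning, as the text describes for reset button 41, and a sequencer scanned with `protection_active=True` is interrupted before any command is driven.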

3.2.2 Functional Group of High Pressure Heater and Low Pressure Heater

The sequence control of the high and low pressure heaters has been configured in the third-generation nuclear power project, and is suitable for manually switching a single high or low pressure heater on or off under certain operational requirements. When the high and low pressure heaters are isolated and need to be put into service, the operator manually starts the sequential start control system, which can automatically complete the sequential control of the related feed water inlet and outlet valves, the steam inlet bypass drain valve and the steam inlet isolation valve, thus reducing the operational work load on individual equipment (Fig. 4).

Fig. 4. The logical block diagram of #3&4 LP

4 Conclusions

The dedicated logic modules and related sequential logics of conventional island sequential control have been applied in the logic diagrams of the third-generation nuclear power projects under construction. This logic, which is based on the start/stop sequence of the auxiliary machines and auxiliary equipment of the process system, can effectively reduce the work load of operators, improve the level of automatic control and enhance the safe and economic operation of the nuclear power plant; it also provides application cases for the subsequent use of sequential control technology in large-scale nuclear power projects, and lays a solid foundation for achieving the automatic start-up and shutdown of nuclear power plant units.

References
1. East China 6 provinces and 1 city Electrical Engineering (Electricity) Institute. 600 MW
thermal power generating unit training materials (Second Edition) thermal automation, (9),
pp. 73–74. China Electric Power Press, Beijing (2006)
2. DL/T 5423-2009 Design code for instrumentation and control system of conventional island
of nuclear power plants
Optimization of Control Solution for Deaerator Water Level Protection in Nuclear Power Plant

Ying Meng(&) and Jie-Qing Huang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
ying_meng2008@163.com

Abstract. The feed-water deaerator system in a nuclear power plant is important for guaranteeing the feed water quality, as it performs the important function of heating and deaerating the feed water in the secondary circuit. Consequently, the level protection function of the deaerator relates directly to the safety and economic efficiency of the entire power plant. Based on experience feedback from several nuclear power plants, this article proposes a complete optimization solution, including the instrumentation configuration, for deaerator water level protection, so as to reduce the probability of triggering due to an operation transient or instrument failure, the so-called malfunction. The feasibility and reliability of the optimization are established from the instrument performance, the control logic and the comparison between the optimized solution and the original solution. The benefits of the optimized solution, made possible by today's instrumentation technology, are presented.

Keywords: Deaerator · Water level protection · Control solution · Optimization

1 Introduction

The preliminarily heated feed-water from the low pressure feed-water heater system is heated and deaerated in the feed-water heater system and then sent to the steam generator via the high pressure feed-water heater system, in which the feed-water is heated to the required temperature. The feed-water deaerating tank is an important piece of equipment since it takes part in the important function of heating and deaerating the feed water in the secondary circuit. The main functions of the feed-water deaerating tank are control of pressure, adjustment of water level and protection of water level in the deaerating tank [1]. Triggering the water level protection function will directly shut down the secondary circuit feed-water pump or close the bled steam isolation valve, which may further cause major conditions such as water loss in the secondary circuit, turbine trip and reactor trip [2]. In conclusion, the water level protection function of the deaerator is very important, and the control solution implementing this function should have excellent stability so as to reduce the probability of triggering due to an operation transient or instrument failure, the so-called malfunction. The deaerator water level instrumentation diagram for several nuclear power plants of the generation II+ pressurized water reactor (CPR1000) at present is shown in Fig. 1. In addition to the protection function, the deaerator is equipped with water level alarms for four different levels, which are achieved by corresponding water level switches. The water level measured by the deaerator water level measuring device can be displayed and read in the main control room, and the value can be used to control water feeding or draining manually in order to maintain the water level [3].

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 156–162, 2019.
https://doi.org/10.1007/978-981-13-3113-8_18

Fig. 1. A general view of deaerator water level instrumentation

2 Control Logic of Deaerator Water Level Protection Function

Control logic diagrams for several CPR1000 nuclear power plants are shown in the following figures. Figure 2 represents the deaerator high-high water level protection function and Fig. 3 the low-low water level protection function. The high-high water level protection function is implemented via double one-out-of-two logic. This logic effectively reduces the failure probability when the system is in danger (failure to act on a real demand), but increases the failure probability when the system is safe (spurious action), guaranteeing safety while the system is in operation. However, it brings risks to the economic efficiency of the power plant. The low-low water level protection function of the deaerator adopts two-out-of-three control logic, which reduces not only the failure probability when the system is in danger but also the failure probability when the system is safe. Both the safety of the system in operation and the economic efficiency of the power plant are well balanced [4].

Fig. 2. Control logic of deaerator high-high water level protection function



Fig. 3. Control logic of deaerator low-low water level protection function

3 Field Problem Analysis of Deaerator Water Level Protection Function

So far, deaerators in several CPR1000 nuclear power plants have experienced malfunctions of the water level protection function. For example, in a certain nuclear power plant a high-high water level switch triggered the closing of the suction isolation valve and the trip of the condensate pumps during load dumping at the 80% power platform. As a result, the secondary circuit lost its water supply, which led to a reactor trip. According to the data analysis on site, the protection was triggered at 9:38 am. In the period before the trigger time there is no sharp spike in the curves of the pressure in the deaerator, the feed-water flow rate to the deaerator or the deaerator water level, as shown in Figs. 4 and 5. Moreover, the installation inspection of the high-high level switch that triggered the action and the on-line performance tests found no abnormalities. Therefore, it can be confirmed that a short-term false water level appeared at a local position inside the deaerator, resulting in this shutdown event. Another nuclear power plant also experienced continuous triggering of a high water level alarm. No abnormalities were found after installation inspection and on-line testing; finally, changing the location of the measurement point resolved the problem. Similar failure events have also occurred in Chinese thermal power plants [5].
According to the experience feedback of several power plants, a false water level at a local position, due to the structure and to transients, cannot be eliminated completely even if the instrument performance is excellent and the installation is correct, since the body of the deaerator is very large and its internal structure is complex. Besides, there is also a risk of faulty operation in the existing control solution of the protection function, which seriously affects the economic efficiency and reliability of the power plant.

Fig. 4. Monitor curves of deaerator feed-water flowrate and water level

Fig. 5. Monitor curves of pressure in deaerator



4 Control Solution Optimization for Deaerator Water Level Protection Function

In order to optimize the existing control solution for the deaerator water level protection function, sufficient redundancy of instrumentation and a reasonable control logic should be considered to eliminate the adverse effects caused by a false water level [6]. According to the results of the logic analysis, the typical two-out-of-three control logic can be considered a good design proposal for balancing the safety of the system in operation and the economic efficiency of the power plant. It is theoretically feasible to add level switches directly to the existing control solution to achieve this logic, but it is difficult in real project construction. According to the installation of level instruments shown in Fig. 1, there are already 18 level instruments on the deaerator. Besides, there are also pressure instruments, temperature instruments and other test points. Moreover, due to the importance of the system function, the level switches used are float switches, which have stable performance. The volume of a float switch is large. The water level switch itself cannot display readings, so it has to be equipped with a local level instrument for switch calibration and on-site reading. To avoid excessive openings in the deaerator body, balance containers are provided for the level switch and the corresponding level instrument. However, the balance container itself is also relatively large. Therefore, the installation space on the deaerator is extremely tight, which is also the experience feedback of several plant constructors. If two-out-of-three logic is implemented in both the protection function and the alarm function, three more level switches will be required, and the related level instruments and balance containers have to be added as well. As a result, the installation on site will be more difficult. A solution guaranteeing the redundancy with limited instruments can be considered a true optimization. That is the reason why analog transmitters are used to replace the level switches. The main difference between an analog transmitter and a level switch is the treatment of the value: unlike the level switch with a float, a level transmitter needs calculation before transmitting the value, which means that it takes more time. However, with the development of instrumentation technology, level transmitters with a 300 ms action time are very common today. Even with a 500 ms control system calculation cycle, the entire calculation time is within 1 s, which is acceptable compared to the action time of the related valve, which is between 16 s and 28 s according to the system process analysis. The optimization employs three level transmitters to replace nine level switches and the corresponding five local level sensors, and removes a level sensor that is only used for monitoring. The control logics of the high-high level protection and the low-low level protection are changed to two-out-of-three, as shown in Fig. 6. The regression logic will be one-out-of-two in order to guarantee the safety and reliability of the power plant in operation. The logics of the high level alarm and the low level alarm are designed in the same way.

Fig. 6. The optimized logic diagram of deaerator water level protection solution
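The voting behaviour that Sect. 2 contrasts (one-out-of-two versus two-out-of-three) and the optimized two-out-of-three logic of Sect. 4 can be checked numerically. The following Python is an added example, not code from the paper or from any plant DCS: the setpoint, the reset level, the channel readings and the per-channel fault probabilities are constructed, and the release (regression) voting is an assumption, since the paper describes it only as one-out-of-two. The block enumerates all independent channel fault combinations to compare the spurious-trip and failure-on-demand probabilities of the two schemes, and replays a scan sequence with a local false level on one transmitter through a latched 2oo3 high-high trip.

```python
"""Deaerator level protection voting: 1oo2 versus 2oo3, with a latched trip.

Added illustration, not code from the paper or from any plant DCS. The
setpoints, reset level, channel values and per-channel fault probabilities
are constructed; the release (regression) voting is an assumption, since the
paper gives it only as 'one-out-of-two'.
"""
from itertools import product
from typing import Callable, List, Sequence, Tuple

HH_SETPOINT_MM = 2500.0   # constructed high-high level setpoint
HH_RESET_MM = 2400.0      # constructed regression (reset) level, below the setpoint


def vote_1oo2(flags: Sequence[bool]) -> bool:
    """One-out-of-two: any channel demanding a trip trips the system."""
    return any(flags)


def vote_2oo3(flags: Sequence[bool]) -> bool:
    """Two-out-of-three: at least two channels must agree."""
    return sum(1 for f in flags if f) >= 2


def voting_failure_rates(n_channels: int, vote: Callable[[Sequence[bool]], bool],
                         p_spurious: float, p_dangerous: float) -> Tuple[float, float]:
    """Exact enumeration over independent channel faults.

    Returns (P[spurious system trip with no real demand],
             P[system fails to trip on a real demand]).
    A spurious fault makes a channel read 'high' when the level is normal;
    a dangerous fault makes it read 'normal' when the level really is high.
    """
    p_sp = p_miss = 0.0
    for faults in product((False, True), repeat=n_channels):
        k = sum(faults)
        # no demand: only the faulted channels report high
        if vote(list(faults)):
            p_sp += p_spurious ** k * (1 - p_spurious) ** (n_channels - k)
        # real demand: the faulted channels fail to report high
        if not vote([not f for f in faults]):
            p_miss += p_dangerous ** k * (1 - p_dangerous) ** (n_channels - k)
    return p_sp, p_miss


class HighHighLevelProtection:
    """Latched high-high trip from three analog transmitters.

    Trip: 2oo3 of 'level >= setpoint'. Release: the trip is held until at
    least `release_votes` channels are back below the reset level (assumed
    reading of the paper's regression logic), so one noisy channel can
    neither trip nor prematurely release the protection.
    """

    def __init__(self, release_votes: int = 2):
        self.release_votes = release_votes
        self.tripped = False

    def update(self, levels_mm: Sequence[float]) -> bool:
        if len(levels_mm) != 3:
            raise ValueError("expected three transmitter readings")
        if not self.tripped:
            self.tripped = vote_2oo3([lvl >= HH_SETPOINT_MM for lvl in levels_mm])
        else:
            below_reset = sum(1 for lvl in levels_mm if lvl < HH_RESET_MM)
            self.tripped = below_reset < self.release_votes
        return self.tripped


def replay(levels_sequence: Sequence[Sequence[float]]) -> List[bool]:
    """Feed successive scans into the protection; return the trip state per scan."""
    prot = HighHighLevelProtection()
    return [prot.update(scan) for scan in levels_sequence]


# Constructed scan sequence: a local false level on channel 1, then a real rise,
# then recovery on two channels while the third still reads high.
FALSE_LEVEL_SCENARIO = [
    [2520.0, 2380.0, 2390.0],   # single-channel spike: no trip under 2oo3
    [2520.0, 2510.0, 2390.0],   # two channels above the setpoint: trip
    [2450.0, 2450.0, 2450.0],   # still above the reset level: stays tripped
    [2390.0, 2395.0, 2450.0],   # two channels below the reset level: released
]
```

With a per-channel fault probability of 1% in each direction, the enumeration gives a spurious-trip probability of 1.99% for 1oo2 against about 0.03% for 2oo3, while the failure-on-demand probability rises from 0.01% to about 0.03%; this is the balance between safety and economic efficiency the text describes. The replayed scenario shows that the single-channel spike of the kind behind the field event in Sect. 3 no longer trips the protection, whereas a genuine rise seen by two transmitters does.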

5 Advantage and Generalization of Optimization Solution

The optimized control solution for the deaerator level protection function possesses several advantages compared to the original one:
1. Better stability: reduces malfunctions due to a short-term false water level at a local position in the deaerator.
2. Better visibility: easier to determine whether the instrumentation of the protection function operates normally.
3. Less space for installation: improves the quality of installation.
4. Less work for the maintenance team, since the level switches are removed and no periodic test of level switches is needed.
5. Easier system modification, since level sensors are used and the setting of alarms is more flexible.
The current optimization solution has been used in the design of the advanced (third generation) nuclear power plants and has shown good performance after commissioning. It is valuable to generalize such an optimization, for example in the subsequent transformation of CPR1000 nuclear power plants. The water level protection functions of the various tank equipment in nuclear power plants can refer to this optimization solution.

6 Conclusion

The use of analog sensors instead of water level switches, combined with two-out-of-three control logic, can largely guarantee the safe and stable operation of the entire power plant. The optimized instrument configuration and control solution can effectively reduce malfunctions of the protection function due to transients or instrument failure. Moreover, it is highly feasible from the point of view of instrument procurement and installation, control logic design and other aspects. Relevant recommendations for the deaerator control solution in conventional power plants and nuclear power plants can also be found in recent international standards, confirming again the feasibility and reliability of the proposed optimization [7, 8]. At the same time, this optimization proposal serves as an important reference for the design of the protection function control solution of similar devices.

References
1. Jiang, H.Y.: Introduction to level control and maintenance of the integrated deaerator. In:
Power Station Auxiliary Equipment, 107th edn, Haerbin (2008)
2. Deng, S.X.: Simulation and prediction of deaerator water level for a 1000 MW unit under
FCB condition. In: Thermal Power Generation, 2nd edn, Guangdong (2015)
3. Zhang, C.Z.: Optimization of deaerator water level control in nuclear power plant. In: Science
& Technology Vision, 104th edn, Zhejiang (2016)
4. Li, L.: Analysis on reliability of water level protection system of deaerator. In: Huadian
Technology, 33rd edn, Beijing (2011)
5. Wu, J.: Malfunction treatment and preventive measures for water level protection of
deaerator. In: Equipment Management and Maintenance, 9th edn, Sanxi (2015)
6. Huang, S.W.: Reason analysis of unit due to the false water level signal of deaerator and its
preventive measures. In: Journal of Jiangxi Vocational and Technical College of Electricity,
3rd edn, Guangdong (2009)
7. ASME TDP-1-2006: Recommended Practices for the Prevention of Water Damage to Steam
Turbines Used for Electric Power Generation: Fossil-Fueled Plants. The American Society of
Mechanical Engineers, USA
8. ASME TDP-2-2012: Prevention of Water Damage to Steam Turbines Used for Electric Power
Generation: Nuclear-Fueled Plants, The American Society of Mechanical Engineers, USA
Study on Layout Design and Mechanical Calculation of Seismic Instrumentation Tubing in Digital Nuclear Power Plant

Shuai Huang(&), Yuan-Jiang Li, Xing-Gao Zhan, and Hai-Tao Wu

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
409637771@qq.com

Abstract. Since the digital nuclear power plants currently under construction in China place high requirements on signal transmission, with high precision and complex working conditions, it is of great significance to control the "neural network" of the nuclear power plant through accurate and reliable signals in the integrated analysis of the digital platform. In order to ensure that the important signals can still be transferred effectively under earthquake conditions, this paper combines engineering design with a study of the standard requirements and principles for the layout, mechanical calculation and seismic analysis of instrumentation tubing in a digital nuclear power plant. By establishing the interface between the instrumentation tubing and the mechanical calculation according to the 3D (three-dimensional) model, a design method for the seismic instrument pipelines of nuclear power plants is formed. It provides guidance and a practical basis for the seismic design of the instrumentation pipelines of subsequent intelligent digital nuclear power plants.

Keywords: Digital nuclear power plant · Instrumentation tubing · Mechanical calculation · Seismic analysis · Design method

1 Introduction

The numbers of nuclear power units currently under construction and in operation at CGNPC are among the highest in the world. With the development of large-capacity, high-parameter generating sets, the systems are becoming more and more sophisticated. The increase in unit capacity raises the requirements on the economy, safety and reliability of the operation of the whole unit. Along with the development of digital technology, the digitalization requirements of nuclear power plants are becoming higher; in addition to the requirements on the digital system itself, the requirements on the authenticity of the local measurement signals are also higher. It is therefore very important to ensure that the local measurement signals remain real and effective under earthquake, pipeline vibration and other operating conditions, especially for the digital control strategy of the power plant. Combining engineering design with a study of the mechanical calculation, seismic analysis and arrangement principles of instrumentation tubing, a design method for the seismic instrument pipelines of nuclear power plants is formed.
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 163–173, 2019.
https://doi.org/10.1007/978-981-13-3113-8_19

2 Brief Description of the Design of Instrument Tube of Nuclear Power Plant

For the nuclear power plants of the early CPR projects, the instrument tube was designed
in two dimensions, and the mechanical calculation was based on a mechanical model of
the pipeline built from the ISO drawing of the pipe.
Currently, in new-technology plants all items are laid out in three dimensions in
PDMS (Plant Design Management System), completing the innovation from traditional
two-dimensional drawing design to 3D design. Before the 3D layout design, we develop
sensor installation standard drawings and mounting bracket standard drawings based on
each type of meter and the manufacturer information, installation requirements, etc.;
in the 3D design, each system selects and arranges the corresponding mounting bracket
and installation standard in the PDMS model according to the system requirements. To
ensure the reliability of the measurement signal (under various working conditions and
site conditions), if the instrument has seismic requirements, its support and
instrumentation tubing need a mechanical calculation. After the mechanical calculation
is passed, the piping layout design is completed, and ISO drawings are output
automatically from the model for site construction.

3 Study on Mechanical Calculation of Seismic Instrument Tube

3.1 Method for Stress Analysis of Instrument Tube


In general, piping stress analysis is divided into two parts, static analysis and
dynamic analysis. Static analysis examines the piping under the action of static loads
and checks that the results are satisfactory and up to standard. Dynamic analysis
mainly refers to piping vibration analysis, seismic analysis of the pipeline, water
hammer and the analysis of pipeline vibration under shock loads; its purpose is to keep
the effects of earthquakes and vibration under control [1].
Whether a detailed stress analysis is required depends on the pipe diameter,
temperature, pressure and the equipment connected to the piping. In ASME B31.3
(American Society of Mechanical Engineers), the piping flexibility analysis method is
divided into simplified approximate analysis and detailed stress analysis [2].
The numerical methods used by current piping stress analysis software are based on the
finite element method, so before the analysis and calculation the piping first needs to
be divided into finite elements by nodes, establishing a calculation model of the
piping. The calculation model should place nodes at points such as piping endpoints,
pipe constraint points, lifting points and points of given displacement, elbow or
branch points, points where the pipe diameter, pipe wall thickness, insulation
thickness or insulation material changes, temperature and pressure change points,
points where the external load on the pipe changes, and material change points
(including stiffness changes).
After the calculation model is established and the input data are correct, the piping
can be calculated.

3.2 Principle of Stress Calculation of Instrumentation Tubing


The factors affecting the stress of the instrument tube are the net weight of the
instrument, thermal expansion, the relative displacement of the first support point,
the seismic displacement in the three directions, and the internal pressure of the
instrument tube.
The key to the stress analysis and calculation of the instrument pipe is the design of
the instrument tube path from the process pipe connection point to the first support.
Because the stress in the instrument tube results from the combined action of the
thermal expansion displacement and the earthquake displacement, its regularity is not
strong: for thermal expansion the tube must be flexible enough to meet the requirements
(90° bends in the instrument tube; the more corners and the longer the legs, the
better), but this alone is not enough to meet the seismic requirements, so a balance
must be found between the two. Two main factors determine the stress value: one is the
path shape of the instrument tube and the other is the setting of the support span on
the instrument pipe.

3.3 Analysis of Common Problems in Mechanical Calculation


In most cases, a satisfactory result is not obtained from the computer program the
first time, so the model needs to be modified repeatedly until the calculation model
and the calculation results are satisfactory and up to standard. In this process, when
the results do not meet the requirements, the following problems and their handling
usually apply:
1) Excessive stress: lack of support.
2) The secondary stress exceeds the standard: the pipe is not flexible enough, or the
tee must be strengthened.
3) Excessive cold displacement: lack of support.
4) Hot horizontal displacement is too large: lack of protection or of a P-shaped bend;
the pipe bracket should be extended.
5) Excessive force on machines and equipment: the pipe is not flexible enough and the
setting of the supports is not reasonable.
6) The horizontal load on the fixed support and the limit bracket is too large: the
locations of the fixed point and the limit point, and the flexibility of the pipe, are
not adequate.
7) The vertical force at the support lifting point is too large: consider adding a
spring support.
8) Improper combination of calculation conditions: adjust the condition combination.

4 Layout Design of Seismic Instrument Tube and Mechanical Calculation Output

Based on the study of mechanical calculation and the analysis of a large number of
problems and data from the mechanical calculation of instrument tubes in previous
nuclear power plant projects, the layout design and flexibility design of instrument
tubes are the important factors in meeting the seismic requirements.

4.1 General Layout Principle of Seismic Instrument Tube and Instrument Tube Bracket

Under the current regulatory requirements, generally speaking, the layout of instrument
piping should meet the following requirements [3, 4]:
• Meet the requirements of system design;
• Meet the requirements of installation, test and welding inspection;
• Meet the requirements of pipeline stress calculation;
• Meet the requirements of radiation protection;
• Meet the requirements of economy.
However, the above requirements can only guide the overall design of the
instrumentation tube layout; there is no detailed guidance specification for the
implementation process. From the practice of nuclear power projects and the study of
existing standards, the following principles can generally be followed for the path of
the instrumentation tube:
1) Determine the approximate path of the instrument tube according to the space
available and the possible installation location of the first support.
2) An alternately bending path of the instrument tube gives a better stress effect, and
the stress requirements are easier to satisfy.
3) The instrument tube path should contain at least one 90° bend, and a sliding
support cannot be too close to the elbow.
4) There can be only one fixed support on a straight run of the instrument tube; the
rest can be supported by sliding supports.
5) Maximum support span (Lmax) requirement: the maximum allowable distance between two
supports on a horizontal straight pipe. The basic principle of the span calculation is
that the maximum deflection of the pipe under the action of gravity (including the
weight of the heat insulation) is less than or equal to 2.5 mm, so as to ensure that
there is no negative slope in the pipeline. See Table 1 for details.

Table 1. The maximum allowable span between the two supports of the straight pipe.

Nominal diameter   Outer diameter   Thickness   Maximum allowable span (mm)
DN (in)            (mm)             (mm)        Horizontal line   Vertical line
3/8″ OD            9.525            1.65        1200              1700
1/4″               13.7             3.02        1200              1400
1/2″               21.3             2.11        1200              1400
3/4″               26.7             2.11        1200              1400
1″                 33.4             4.55        1200              1400

4.2 Method for Instrument Tube Flexibility Design


It must be checked whether the pipe system is flexible enough to meet the needs of
compensation, such as thermal expansion compensation, building subsidence
displacement, ground surface subsidence displacement, equipment interface
displacement, main line displacement and the displacement difference between
buildings. Through analysis and research on the mechanical calculation of the
instrument tubes of each project in the early stage of nuclear power plant design, the
flexibility of the instrument tube can be guaranteed by designing the minimum leg
length (Lnec). Lnec refers to the distance from the point where the pipe changes
direction, or from the connection point that produces a larger displacement, to the
nearest bracket; see Fig. 1.

Fig. 1. Schematic diagram of tube leg length

The minimum leg length Lnec is the sum of the equivalent unconstrained lengths of the
pipe and elbows. The tube leg is perpendicular to the direction of the displacement it
absorbs (such as thermal expansion compensation or connection point displacement), and
the absorbed displacement produces a certain deformation without excessive load.
The pipe thermal expansion compensation $\Delta l_{axial}$ is calculated as follows:

$\Delta l_{axial} = \varepsilon \cdot l_{axial}$

In the formula:
$\varepsilon = \alpha \cdot \Delta T$ is the unit thermal expansion,
$\alpha$ is the linear thermal expansion coefficient [1/°C],
$\Delta T$ is the temperature difference [°C],
$l_{axial}$ is the distance between the two supports with the same constraint direction [mm] [5].
According to the material type, the thermal expansion per meter of pipe can be read
from Fig. 2, which gives the pipe thermal expansion compensation $\Delta l_{axial}$.
With this value and the pipe diameter information, the minimum leg length (Lnec)
required for thermal expansion compensation is found in Fig. 3. Check whether the
actual leg length meets the Lnec requirement.
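The layout principles of Sect. 4.1 (one fixed support per straight run, support spans bounded by Lmax from Table 1) and the thermal expansion formula of Sect. 4.2 can be turned into a mechanical check of a proposed tube run. The following is an added example written for this text, not code from the paper or from PDMS/PipeMesh; the stainless steel expansion coefficient, the sample run and the Lnec value passed in are assumptions, since the paper reads Lnec from its Fig. 3.

```python
"""Layout checks for a straight run of seismic instrument tube.

Added illustration of principles 4 and 5 in Sect. 4.1 and the thermal expansion
formula in Sect. 4.2. Not code from the paper; the expansion coefficient and the
sample layout are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Table 1 of the paper: nominal size -> (Lmax horizontal, Lmax vertical), in mm
LMAX_MM: Dict[str, Tuple[int, int]] = {
    '3/8" OD': (1200, 1700),
    '1/4"': (1200, 1400),
    '1/2"': (1200, 1400),
    '3/4"': (1200, 1400),
    '1"': (1200, 1400),
}

# Assumed linear thermal expansion coefficient of austenitic stainless steel, 1/degC.
# The paper reads the per-metre expansion from its Fig. 2 instead of using a constant.
ALPHA_STAINLESS_PER_C = 16.0e-6


@dataclass
class Support:
    position_mm: float  # distance along the straight run from its start point
    kind: str           # "fixed" or "sliding"


@dataclass
class StraightRun:
    nominal_size: str
    orientation: str    # "horizontal" or "vertical"
    supports: List[Support] = field(default_factory=list)


def check_run(run: StraightRun) -> List[str]:
    """Return the rule violations for one straight run (empty list = run passes).

    Only spans between consecutive supports are checked against Lmax; the leg from
    the process connection point to the first support is governed by Lnec (Sect. 4.2).
    """
    problems: List[str] = []
    if run.nominal_size not in LMAX_MM:
        return [f"no Lmax entry for size {run.nominal_size}"]
    column = 0 if run.orientation == "horizontal" else 1
    lmax = LMAX_MM[run.nominal_size][column]

    # Principle 4: at most one fixed support on a straight run
    fixed = [s for s in run.supports if s.kind == "fixed"]
    if len(fixed) > 1:
        problems.append(f"{len(fixed)} fixed supports on one straight run (at most 1)")

    # Principle 5: distance between neighbouring supports must not exceed Lmax
    positions = sorted(s.position_mm for s in run.supports)
    for a, b in zip(positions, positions[1:]):
        if b - a > lmax:
            problems.append(
                f"span {b - a:.0f} mm between supports at {a:.0f} and {b:.0f} mm "
                f"exceeds Lmax {lmax} mm"
            )
    return problems


def unit_thermal_expansion(alpha_per_c: float, delta_t_c: float) -> float:
    """epsilon = alpha * delta_T, the unit thermal expansion of Sect. 4.2."""
    return alpha_per_c * delta_t_c


def axial_expansion_mm(alpha_per_c: float, delta_t_c: float, l_axial_mm: float) -> float:
    """delta_l_axial = epsilon * l_axial: expansion the tube leg must absorb, in mm."""
    return unit_thermal_expansion(alpha_per_c, delta_t_c) * l_axial_mm


def leg_is_adequate(leg_length_mm: float, l_nec_mm: float) -> bool:
    """The leg perpendicular to the absorbed displacement must be at least Lnec.
    Lnec itself is looked up (paper's Fig. 3) for the computed delta_l_axial."""
    return leg_length_mm >= l_nec_mm


# Constructed sample layout: a horizontal 1/2" run with one fixed and two sliding supports.
SAMPLE_RUN = StraightRun(
    nominal_size='1/2"',
    orientation="horizontal",
    supports=[Support(600, "fixed"), Support(1700, "sliding"), Support(3100, "sliding")],
)

if __name__ == "__main__":
    for p in check_run(SAMPLE_RUN):
        print("violation:", p)
    dl = axial_expansion_mm(ALPHA_STAINLESS_PER_C, 100.0, 1200.0)
    print(f"delta_l_axial = {dl:.2f} mm for l_axial = 1200 mm and delta_T = 100 degC")
```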

Fig. 2. The thermal expansion of different material pipes per meter

4.3 3D Piping Model Setting


According to the layout design specification and the flexibility design method for
piping, the 3D layout design of the piping is carried out. To connect with the
mechanical calculation software, the interface between the 3D piping model and the
mechanical calculation was studied, and the setting requirements for the model are as
follows:
1) In PDMS, the piping must conform to the technical specification for the pipe 3D
model, to ensure the correct extraction of the pipe grade, pipe element coordinates and
pipe nominal diameter.
2) The setting of branch attributes in the 3D model is shown in Table 2.

Fig. 3. The Maximum allowable tube leg table of stainless steel tube

Table 2. Setting requirement of branch attribute

Attribute                    Identifier    Data type       Setting requirement
Medium                       duty          string          According to the piping design requirement, add the medium code correctly
Head connection information  href          DBREF integer   According to the piping design requirements, set correctly; if the model is not connected, leave it blank
Tail connection information  tref          DBREF integer   According to the piping design requirements, set correctly; if the model is not connected, leave it empty
Design temperature           Temperature   Numbers         According to the piping design requirement, add the design temperature correctly
Design pressure              Pressure      Numbers         According to the piping design requirement, add the design pressure correctly

When a Branch is modeled, the rule to follow is that the tail of one Branch must be
connected to the head of another Branch, so that the two connected points of the
branches are a tail and a head; do not connect head to head or tail to tail.
3) The requirements for the attribute settings of Pipe are given in Table 3.
4) The requirements for the connection information attribute settings of pipe parts
(such as TEE, OLET, TEE valves) are given in Table 4.

Table 3. Setting requirement of pipe attribute

Attribute        Identifier       Data type   Setting requirement
Medium           duty             string      According to the piping design requirements, add the media code correctly
Wall thickness   :ims-wt          string      Set correctly according to the pipe design wall thickness
Material         :ims-material    string      Set correctly according to the piping design material

Table 4. Setting requirement of connection information

Attribute                      Identifier   Data type       Setting requirement
Branch connection information  Cref         DBREF integer   According to the piping design requirements, set correctly; if the model is not connected, leave it blank

Table 5. Setting requirement of structure of the support logic virtual point

Attribute                       Identifier   Data type   Setting requirement
Support annotation information  :ims-al      string      Set correctly according to the piping design requirement. The format is “support name - function”

Table 6. Setting requirement of the virtual point attribute in the wall symbol

Attribute                            Identifier   Data type   Setting requirement
Sign information in the wall symbol  Stext        string      Set correctly according to the piping design requirement. The format is “the name of the perforated hole”

5) The requirements for the design of the structure of the support logic virtual point
are given in Table 5.
6) The requirements for the virtual point attribute in the wall symbol are given in
Table 6.
7) The piping model must pass the data consistency check: there is no dotted line, and
there is no overlap between adjacent components.
8) The MDS tools should be used to establish the virtual points of the logical support
points and the virtual points of the physical supports. The coordinates of a logical
support point must coincide strictly with the coordinates of the corresponding solid
point; two or more logical support points cannot be built at the same coordinates, and
two or more solid support points cannot be built at the same coordinates.
9) Where a virtual point cannot be built with MDS, it should be built with the virtual
point tool of the special pipe.

4.4 Mechanical Platform Analysis Process and Analysis Results


According to the requirements of the mechanical calculation, the nuclear power plant
piping mechanics platform PipeMesh is used to realize the synergy between the 3D model
layout design and the mechanical analysis.
The process of the automatic data integration and analysis platform for instrument
pipeline mechanics is shown in Fig. 4.

[Fig. 4 flowchart, recovered as a table with columns Design Procedure / Content / Input]

Calculation unit   Create calculation unit                                  PDMS model, system PID
Modeling           Geometric model                                          PDMS model
Loading            Generate calculation fiche, force analysis               Floor response spectra, seismic displacements, material, displacement, mass
Solve              Pipe stress, seismic stress
Output result      Piping displacement, equipment load, reaction force, piping function
Evaluate result    RCC-M stress ratio < 1; piping function ratio < 1; displacements < allowable value; reaction force on support < allowable value

Fig. 4. The process of the automatic data integration and analysis platform about instrument
pipeline mechanics

Fig. 5. The nodes of analysis piping 3D model

After the 3D model is input into the mechanical calculation software, the calculation
nodes are generated when the pipeline is analyzed, as shown in Fig. 5.
Mechanical calculation and analysis results. The analysis results of the mechanical
calculation mainly include:
1) the report of the piping stress calculation;
2) the results, divided into two parts: the support stress check and the anchorage
stress check;
3) the instrumentation tubing mechanics calculation: the calculation depends on the
allowable stress, tensile strength, elastic modulus and thermal expansion coefficient
of the pipeline, the pipeline layout and so on; if the calculated ratio is less than 1,
the design is feasible;
4) if the load at a support point, such as a horizontal support point, fixed point,
limit point or guide point, is too large, the load value should be submitted to civil
engineering.

5 Conclusion

This research provides guidance and a practical basis for the seismic design of
instrumentation tubing in digital nuclear power plants: in the engineering design
process, the mechanical calculation, seismic analysis and arrangement principles of
instrumentation tubing are combined with the mechanical model, establishing a complete
interface between the instrumentation tubing and the mechanical model.

References
1. Tang, Y.J.: Stress Analysis of Pressure Pipeline. China Petrochemical Publishing House, Beijing (2003)
2. ASME B31.3: Process Piping. ASME Code for Pressure Piping
3. Design and Construction Rules for Mechanical Components of PWR Nuclear Islands, Section E (2000+2002)
4. RCC-E: Design and Construction Rules for Electrical Equipment of Nuclear Islands (1993)
5. AREVA: Design Procedure DP 05.01/02, Mechanical Analysis of Piping and Supports
Research on the Verification and Validation Method of Safety Analysis Software in Nuclear Power Plants

Ya-Nan He (corresponding author), Wei Xiong, Peng-Fei Gu, and Jian-Zhong Tang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment,
I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power
Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
yanan_he@126.com

Abstract. With the wide application of software in the design and control processes of
nuclear power plants, the regulator has strengthened its supervision. The software used
for the safety analysis of nuclear power plant designs now also needs to undergo strict
qualification work; this is the first time that qualification of safety analysis
software has been required in China. How to carry out the qualification work to ensure
the correctness of self-developed safety analysis software has become an urgent problem
to be solved. Based on an interpretation of the regulatory requirements for safety
analysis software, compared with an analysis of the software verification and
validation (V&V) requirements in IEEE 1012, a method for safety analysis software
qualification is proposed in this paper. This method draws on the successful experience
of V&V for safety-level software in nuclear power plants, provides a complete V&V
process and clear V&V tasks, and is characterized by ease of execution.

Keywords: Nuclear power plants · Safety analysis software · Qualification · V&V

1 Introduction

In recent years, the safety requirements for nuclear power plants have become more
stringent at home and abroad, and the scope of supervision has also become more and
more detailed, especially after the Fukushima nuclear accident. For nuclear power
plants, from the qualification of the original hardware equipment, to the qualification
of software equipment, to the qualification of intelligent equipment, and then to the
qualification of computer software for safety analysis, the requirements of the
regulators have become stricter and stricter [2].
With the independent development of nuclear power in China, the hardware and software
equipment that originally relied on imports, such as DCS, are now being researched and
developed independently by domestic manufacturers. In terms of hardware qualification,
there is a full set of mature qualification methods to ensure reliability, such as
seismic qualification and electromagnetic compatibility qualification [4, 6]. On the
software side, a complete qualification process and method for safety-related software
has been formed, but more research on the qualification of
© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 174–182, 2019.
https://doi.org/10.1007/978-981-13-3113-8_20

non-safety related software is needed, such as commodity-level software and computer
software for safety analysis [5].
On April 18, 2004, the “Safety Regulations for Nuclear Power Plant Design”, numbered
HAF 102-2004, was issued by the National Nuclear Safety Administration. For the first
time at the legal level, it pointed out that “the computer program, analysis method and
nuclear power plant model applied in safety analysis must be verified, validated and
fully consider various uncertainties.” On June 5, 2006, the National Nuclear Safety
Administration issued “Safety Evaluation and Verification for Nuclear Power Plants”,
numbered HAD 102/17-2006. In this regulation, the qualification requirements of
HAF 102-2004 were further clarified, and all computer programs used in safety analysis
were required to be verified and validated. On December 20, 2017, the National Nuclear
Safety Administration issued the “Development and Application of Computer Software
Used for Safety Analysis in Nuclear Power Plants” (Trial), which put forward specific
requirements for the development and qualification of computer software for safety
analysis. The guidelines require that self-developed safety analysis software, such as
neutron radiation analysis software, must comply with stringent development
requirements, and at the same time the entire verification and validation process must
be carried out.
The structure of this paper is as follows. The first chapter is the introduction, which
presents the background of the qualification of computer software used for safety
analysis. The second chapter covers safety analysis software, introducing its definition
and types. The third chapter is the analysis and interpretation of the related standards
and of the requirements of the supervision department. Chapter 4 combines the standard
analysis with engineering practice to give a feasible V&V plan. The fifth chapter is
the summary and prospects; it explains the advantages and disadvantages of the plan and
points out the content still to be studied. Chapter 6 gives the references cited in the
paper.

2 Safety Analysis Software

Safety analysis software refers to the software used for the safety analysis of design
basis accidents in nuclear power plants. It usually includes radiological analysis
programs, neutron physics programs, fuel behavior programs, thermal hydraulic programs,
containment thermal hydraulic programs, structural programs, severe accident analysis
programs, radiological consequence analysis programs and probabilistic safety analysis
programs.
At present, seven types of safety analysis software, such as radiological analysis
programs, are subject to mandatory qualification, but severe accident analysis programs
and probabilistic safety analysis programs have not yet been mandated. The object of
qualification is self-developed safety analysis software, including newly developed
software and software upgraded from existing computer software. Purchased foreign
safety analysis software and non-computer software, such as software based on FPGA or
PLC technology, do not need to be qualified.

3 Standard Analysis

For the qualification of safety analysis software, the National Nuclear Safety
Administration has issued the “Development and Application of Computer Software Used
for Safety Analysis in Nuclear Power Plants” (Trial), in which the development
requirements and qualification requirements of safety analysis software are explained.
It should be noted that the guideline is still a trial version at present, and it may
be adjusted according to the results of its implementation.

3.1 Development Requirements


Unlike the instrumentation and control software of nuclear power plants, safety
analysis software usually does not have mature process requirements, so it is necessary
to establish an evaluation model at the beginning of development [3]. The evaluation
model needs to identify the various operating conditions, simulation objects,
performance indicators, phenomena and processes. Meanwhile, the evaluation benchmarks
of the development need to be defined in the early phases in order to judge whether the
software is correct after development is completed. Because safety analysis software is
used to simulate the real conditions of nuclear power plants, the accuracy of the
evaluation model is crucial to the correctness of the calculation results.
The guidelines recommend a set of typical methods for the evaluation model development
and assessment process (EMDAP), consisting of four basic elements with 23 items of
content: the establishment of the evaluation model capability requirements, the
development of the evaluation data benchmarks, the development of the evaluation
model, and the assessment of the suitability of the evaluation model.

3.2 Qualification Requirements


“Development and Application of Computer Software Used for Safety Analysis in Nuclear
Power Plants” divides the qualification activities of safety analysis software into
8 phases: requirement V&V, design V&V, implementation V&V, test V&V, model evaluation
V&V, installation and checkout V&V, operation V&V, and maintenance V&V [7, 8]. The
guidelines require specific tasks to be carried out in each V&V phase; see Table 1 for
details.
Analysis of the V&V tasks in Table 1 shows that the V&V requirements of safety analysis
software are basically equivalent to the IEEE 1012-2004 V&V requirements for integrity
level 2 [1] (Table 2).

3.3 Summary and Analysis


According to the comparison and analysis of the “Development and Application of
Computer Software Used for Safety Analysis in Nuclear Power Plants” and IEEE
1012-2004, the V&V requirements of safety analysis software are basically the same as
the V&V requirements of IEEE 1012-2004 for IL2 software, and the specific
implementation details are stricter than the IL2 level.
The main differences between the two sets of V&V requirements are as follows:

Table 1. V&V phases and tasks

V&V phase                       V&V tasks
Requirement V&V                 Traceability analysis
                                Evaluation model requirement assessment
                                Interface analysis
                                Software system test plan V&V
Design V&V                      Traceability analysis
                                Software design evaluation
                                Interface analysis
                                Software component test plan V&V
Implement V&V                   Traceability analysis
                                Source code and source code documentation evaluation
                                Interface analysis
                                V&V test case generation and verification
                                V&V test procedure generation and verification
                                V&V test execution and verification
Test V&V                        Traceability analysis
                                Acceptance V&V test procedure generation and verification
                                Integrated V&V test execution and verification
                                System V&V test execution and verification
Model evaluation V&V            Perform experiment/validation of power plant data
                                Uncertainty assessment
Installation and checkout V&V   Installation configuration audit
                                Installation checkout
                                V&V final report generation
Operation V&V                   Evaluation of new constraints
                                Operating procedures evaluation
                                Evaluate proposed changes
Maintenance V&V                 SVVP revision
                                Evaluate proposed changes
                                Anomaly evaluation
                                Migration assessment
                                Retirement assessment
                                Task iteration

1. IEEE 1012 has a concept V&V phase, which the guideline does not. The main reason is
that safety analysis software is a pure software product and there is no mature
process requirement, whereas instrumentation and control software and common software
not only have mature power plant process requirements or user requirements but are
generally a combination of software and hardware. The differences are shown in Fig. 1;
2. IEEE 1012 divides integration V&V, qualification V&V and acceptance V&V into
separate sections, while “Development and Application of Computer Software Used for
Safety Analysis in Nuclear Power Plants” merges them into test V&V, but the
requirements are consistent;
3. Mainly because the correctness of the evaluation model of safety analysis software
is yet to be verified, “Development and Application of Computer Software Used for
Safety Analysis in Nuclear Power Plants” adds model evaluation V&V;
4. In terms of V&V tasks, the requirements of the two are basically the same, with
slight differences.

Table 2. V&V requirements for IL2 software from IEEE 1012

V&V phase                       V&V tasks
Concept V&V                     Traceability analysis
                                Concept document evaluation
                                Interface analysis
Requirement V&V                 Traceability analysis
                                Requirements evaluation
                                Interface analysis
                                Software qualification test plan V&V
                                Software acceptance test plan V&V
Design V&V                      Traceability analysis
                                Design evaluation
                                Interface analysis
                                Software component test plan V&V
                                Software integration test plan V&V
                                Software component test design V&V
                                Software integration test design V&V
                                Software qualification test design V&V
                                Software acceptance test design V&V
Implement V&V                   Traceability analysis
                                Source code and source code documentation evaluation
                                Interface analysis
                                Software component test case V&V
                                Software integration test case V&V
                                Software qualification test case V&V
                                Software acceptance test case V&V
                                Software component test procedure V&V
                                Software integration test procedure V&V
                                Software qualification test procedure V&V
                                Software component test execution V&V
Test V&V – Integration V&V      Traceability analysis
                                Software integration test execution V&V
Test V&V – Qualification V&V    Traceability analysis
                                Software qualification test execution V&V
Test V&V – Acceptance V&V       Traceability analysis
                                Software acceptance test procedure V&V
                                Software acceptance test execution V&V
Installation and checkout V&V   Installation configuration audit
                                Installation checkout
Operation V&V                   Evaluation of new constraints
                                Operating procedures evaluation
Maintenance V&V                 SVVP revision
                                Anomaly evaluation
                                Migration assessment
                                Retirement assessment
                                Task iteration

Fig. 1. Difference between safety analysis software, instrument control and common software

4 Qualification Plan
4.1 V&V Process
According to the analysis of the qualification requirements for safety analysis
software in Chap. 3, the qualification of safety analysis software is basically the
same as the process, tasks, requirements and methods of IEEE 1012 for IL2 software
V&V. “Development and Application of Computer Software Used for Safety Analysis in
Nuclear Power Plants” is a newly released requirement and there is no good case of
engineering practice yet. However, IEEE 1012 has very detailed requirements for the
tasks of each V&V phase, it is easy to execute, and there is much practical engineering
experience that can be used for reference [9]. Therefore, for the qualification of
safety analysis software, reference can be made to IEEE 1012. The specific V&V process
is shown in Fig. 2.

Fig. 2. V&V process of safety analysis software

4.2 V&V Tasks


The main difference between the V&V of software for safety analysis and that of common
software is the need for model evaluation V&V. Model evaluation V&V needs to evaluate
the correctness of the software calculation results against experimental data or
actual power plant data, and generally includes phenomenon identification and ranking,
a validation matrix and uncertainty analysis. Phenomenon identification and ranking
needs to identify the important physical phenomena in different time periods according
to the different operating conditions of the power plant, and also to determine the
degree of influence of each phenomenon on the calculated performance index. The
validation matrix is important to prove the correctness of the software calculation
results for these important phenomena, through design examples such as international
benchmark problems, reference programs and measured plant data for the qualified
phenomena. These tasks are technically very demanding, and generally require
professional institutes specializing in radiation analysis and neutron physics to
undertake them. However, while these professional institutes generally possess the
theoretical knowledge of safety analysis, they know little about the theory and
practice of software testing.
Research on the Verification and Validation Method 181

Requirements V&V, design V&V, implementation V&V, and test V&V can be
carried out by professional software testing laboratories. These laboratories generally
have professional testing theory and rich software testing experience, and can perform
high-quality verification and validation work. At the same time, the professional
software testing laboratory has a perfect system for quality assurance and configuration
management in the software testing process, and can guarantee the validity and cor-
rectness of the evaluation results.
For installation and checkout V&V, operation V&V and maintenance V&V, due to
the V&V involved in the specific use of users (safety analysts), the V&V process must
be completed jointly by professional institutes, software developers and professional
software testing laboratories.
Based on the above analysis, the V&V recommendation for the safety analysis
software adopts the task division mode as shown in Table 3. This makes use of the
advantages of professional institutes, software developers, and professional software
testing laboratories to better perform V&V on safety analysis software.

Table 3. Division of V&V tasks

V&V phase | V&V organization
Requirement V&V, Design V&V, Implementation V&V, Test V&V | Professional software assessment staff
Model evaluation V&V | Professional software assessment staff
Installation and checkout V&V | Software developer
Operation V&V, Maintenance V&V | Professional safety analyst

5 Summary and Prospects

This paper analyzes the requirements for the qualification of safety analysis software
based on the “Development and Application of Computer Software Used for Safety
Analysis in Nuclear Power Plants”, and clarifies the V&V process and V&V tasks of the
safety analysis software. At the same time, through an analysis of the IEEE 1012-2004
software verification and validation requirements for IL2, combined with practical
experience of nuclear power plant safety software qualification, the qualification
methods for safety analysis software are pointed out, including the V&V process and
the division of V&V tasks.
Requirements V&V, design V&V, implementation V&V, test V&V and the other
development-phase V&V activities already have much mature experience, and the
design of test plans, test procedures, test contents, test methods and test cases has
corresponding specifications to guide the actual work. Model evaluation V&V,
however, is required for the first time in nuclear power plants, and no corresponding
work has been carried out before. How to effectively carry out model evaluation V&V,
and how to prove the adequacy, validity and correctness of the test, need more
research.

References
1. Software Engineering Standards Committee of the IEEE Computer Society: IEEE 1012, IEEE
Standard for Software Verification and Validation. Institute of Electrical and Electronics
Engineers, New York (2004)
2. Ye, W.-P., Tang, J.-Z., Chen, W.-H., et al.: Software V&V methods for safety digital I&C
system of nuclear power plants. At. Energy Sci. Technol. 49(Suppl. 1), 377–381 (2015)
3. Gu, P., Wang, S., Chen, W., et al.: A study about safety I&C system software V&V in nuclear
power plant. In: International Conference on Nuclear Engineering (2016). V001T04A005
4. He, Y.-N., Gu, P.-F., Xi, W., et al.: Research on status monitoring and reliability prediction
method of digital control system for nuclear power plant. At. Energy Sci. Technol. 51(12),
2338–2343 (2017)
5. Liang, H.-H., Gu, P.-F., Tang, J.-Z., et al.: The software safety analysis for digital
instrumentation and control systems of NPPs. In: Nuclear Power Plants: Innovative
Technologies for Instrumentation and Control Systems (2018)
6. Zhao, J., He, Y.-N., Gu, P.-F., et al.: Reliability of digital reactor protection system based on
extenics. SpringerPlus 5(1), 1953 (2016)
7. Liang, H.-H., Gu, P.-F., Tang, J.-Z., et al.: A study of implementation V&V activities for
safety software in the nuclear power plant. In: Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems (2017)
8. Gu, P.-F., Liu, Z.-M., Liang, H.-H., et al.: Evaluation measures about software V&V of the
safety digital I&C system in nuclear power plant. In: Nuclear Power Plants: Innovative
Technologies for Instrumentation and Control Systems (2018)
9. Xi, W., Gu, P.-F., Liu, W., et al.: A study and application about software V&V requirement
management scheme in digital RPS. In: Nuclear Power Plants: Innovative Technologies for
Instrumentation and Control Systems (2018)
A Study About Configuration Management
Process for Safety DCS Software V&V
in Nuclear Power Plant

Wei Xiong(&), Ya-Nan He, Peng-Fei Gu, Hui-Hui Liang, and Jian-Zhong Tang

State Key Laboratory of Nuclear Power Safety Monitoring Technology and
Equipment, I&C Equipment Qualification and Software V&V Laboratory, China
Nuclear Power Engineering Co., Ltd, Shenzhen 518172, China
349238416@qq.com

Abstract. Software verification and validation (V&V) is the key technology for
improving the quality of software in nuclear power plants and ensuring the safe
operation of the DCS. Configuration management (CM) is an important means of
standardizing the software V&V process and improving the efficiency and quality
of software V&V. However, in the current configuration management process for
safety DCS software V&V in nuclear power plants, the baseline management of
input files has some deficiencies. By studying standards and combining them with
practical experience, the paper proposes a method for input file baseline
management that can serve as a reference for CM in subsequent software V&V
projects.

Keywords: Software V&V · CM · Baseline management

1 Introduction

CM is a discipline applying technical and administrative direction and surveillance to:
identify and document the functional and physical characteristics of configuration
items (CIs), control changes to those characteristics, record and report change
processing and implementation status, and verify compliance with specified requirements.
For software configuration management (SCM), ISO/IEC 12207-2008 describes SCM as
including the CM plan, Configuration Identification, Configuration Control,
Configuration Status Accounting, Configuration Evaluation, and Release Management
and Delivery [1]. The National Energy Bureau issued NB/T 20335 in 2015 with reference
to IEEE 828-2012 and RG 1.169; it describes an SCM process that adds a CM management
process to the above requirements [2].
For DCS software V&V in nuclear power plants, CM is necessary. IEEE 828-2012
clearly stipulates that CM is central to, and provides essential services to, all the major
processes of systems and software engineering, including V&V. At present,
configuration management has been applied to the safety DCS software V&V process of
nuclear power plants, and a basic configuration management process has been formed.
However, there are still some shortcomings in the current configuration management

© Springer Nature Singapore Pte Ltd. 2019


Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 183–189, 2019.
https://doi.org/10.1007/978-981-13-3113-8_21
process. For example, the way input file baselines are managed needs to be improved.
The paper proposes a solution to the deficient baseline management of input files by
studying regulations and standards and combining them with practical experience.

2 Status

At present, the configuration management of the safety DCS software V&V of nuclear
power plants mainly includes CM Planning, CM Management, Configuration
Identification, Configuration Change Control, Configuration Status Accounting,
Configuration Audit, Release Management and Delivery. Due to the special nature of
software V&V, its configuration items contain not only the output files of the V&V but
also the objects of the V&V (the input files), and the input files are the basis of the
software V&V. Usually the number of input files in a project is much larger than the
number of output files. Effectively ensuring that the input files obtained by V&V
personnel are the latest and valid versions is therefore directly related to the
effectiveness of V&V.
In order to effectively control these input files, software configuration management
introduces the concept of a baseline. In the configuration management process, a
baseline is a CI or a group of CIs that enters a form of formal control through formal
review at defined points in its life cycle [4].
In the current configuration management process, the management of the input file
baseline mainly includes: receiving the input file, an audit by the configuration
management engineer (CME), and, after the audit is passed, updating the file in the
input file baseline library and establishing a new input file baseline. The CME notifies
the affected parties of the latest input file baseline, and the affected parties can obtain
the new baseline files from the input file baseline library. However, this method has
the following disadvantages:
(1) For a new input file, an audit by the CME alone is not enough. It can guarantee
neither the correctness of the file nor that the input files meet the entry conditions
of the V&V. If these files are used as a baseline, the effectiveness of the V&V
activities cannot be guaranteed.
(2) The process of establishing the baseline is not standardized and relies heavily on
the CME, which is prone to human error.
The above deficiencies may lead to the establishment of incorrect input file
baselines, resulting in incorrect software V&V objects, affecting the validity and
correctness of the V&V, and wasting labor and time.

3 Standard Requirement

Through the study of NB/T 20335-2015 and ISO/IEC 12207-2008, the main tasks of
baseline management should include:
(a) Identify baselines
(b) Establish criteria for baselines
(c) Define how baselines are established

Detailed standard requirements for each task are shown in Table 1.

Table 1. Tasks and requirements

Task | Requirements
Identify baselines | Identifying the CIs that establish baselines
Establish criteria for baselines | Defining criteria for establishing a CI as a baseline
Define how baselines are established | Identifying the events that establish a baseline; identifying the items that are to be controlled in the baseline; identifying the procedures used to establish and change the baseline; identifying the authority required to approve changes to the approved baselined items

4 Baseline Management Method

According to the above standard requirements, and based on the experience of CM for
safety DCS software V&V in nuclear power plants, the paper proposes a feasible
baseline management method for input files. By establishing a standardized input file
baseline management process, this method makes up for the shortcomings in the
current software V&V CM process. The method consists of three parts: defining the
content of the baseline, defining the criteria for establishing baselines, and the baseline
establishment or change process, where the first two parts are prerequisites for the
baseline establishment or change process.
The personnel related to the baseline management of input files in the software
V&V process are as follows: Project Manager (PM), Technical Supervisor, CME,
Project Leader, Software V&V Engineer, Quality Assurance Engineer (QA). The PM,
the quality assurance team leader, the technical supervisor and the V&V team leader
form the Configuration Change Board (CCB) [5].
The specific content of the method is as follows.

4.1 Contents of the Baseline


According to the IEEE 1012-2004 standard, software V&V mainly consists of five
stages: the Concept V&V process, Requirement V&V process, Design V&V process,
Construction V&V process and Test V&V process [3].
Each phase needs an input baseline established before it begins. For the software
V&V team, the latest version of the input files provided by the customer should be
identified as CIs. Before the start of each phase of the software V&V, the CIs required
for the phase are identified, the reviewed CIs are used as the project's input file
baseline for that stage, and the baseline items are used to carry out the corresponding
V&V work. Defining the configuration items required in the input file baseline of each
phase is therefore the basis for establishing the input file baseline. According to
IEEE 1012-2004, combined with the experience of safety DCS software V&V in
nuclear power plants, the detailed CIs required for the input file baseline at each stage
are shown in Table 2. In an actual project, appropriate adjustments can be made
according to the project characteristics and user requirements.

Table 2. Configuration items required for each stage

Software V&V process | CIs
Software concept V&V process | Contract, System requirement specification, Functional design specification
Software requirement V&V process | Functional design specification, Software requirements specification, System logic diagram, System analog diagram, System function diagram
Software design V&V process | System function diagram, Software configuration diagram
Software construction V&V process | Software configuration diagram, Code
Software test V&V process | FAT/FT test plan, FAT/FT test procedure, FAT/FT test report

4.2 Criteria for Establishing Baselines


In the software V&V configuration management process, the criteria for establishing
the input file baseline need to be clearly defined. Before the start of each phase of the
software V&V, the input documents must be reviewed by a review panel against the
criteria for the input file baseline. The panel should include at least the client, V&V
personnel, the project leader and the technical director. In this way, input file errors
and failures to meet the V&V entry conditions caused by personal factors can be
avoided.
Based on the experience of software V&V, the paper has formed the following
criteria for reference:
(a) Adequacy of the input files
(b) Whether the input file is the latest officially published document of the customer
(c) Whether the input file content meets the V&V work requirements of this stage

4.3 Baseline Establishment or Change Process


The establishment or change of a baseline should be standardized and streamlined, and
it cannot be decided by only a few individuals. The paper summarizes the practice and
forms the baseline establishment/change process shown in Fig. 1.
An example of the baseline application form used in the process of Fig. 1 is shown in Fig. 2.
Fig. 1. Baseline establishment or change process

Fig. 2. Example of a baseline application form

4.4 Baseline Identification and Release


4.4.1 Baseline Identification
A baseline consists of CIs, so the CIs must be identified first. Each CI should be
assigned a unique identifier. The identification rule can follow this example:
CI identifier = Project identification/V&V stage/file type/file name/version
E.g.: XX Project/Design V&V process/System function diagram/XXX/A
The baseline identification includes the project name, project ID, baseline name,
version, release time and the list of configuration items included, and forms a baseline
release table (as shown in Fig. 3).

Fig. 3. Example of a baseline release table

4.4.2 Baseline Release


In order to ensure the correctness and consistency of the release of an input file
baseline, a configuration audit is required at the time of baseline release. The specific
requirements are as follows:
The CME is responsible for the physical audit of the baseline against the
configuration repository. Its coverage is the configuration items in the input file
baseline, and the audit results are recorded in the input file baseline application form.
After the baseline audit is passed, each input file is stored at the corresponding
location in the configuration repository according to the content of the input file
baseline application form. The CME then notifies the affected persons by e-mail (or
other suitable means); the message title and content should follow a fixed format, such as:
(1) Title: [xxx nuclear power plant DCS software V&V project] + baseline name
(2) Attachment to the mail: the baseline application form after signing
(3) Content of the e-mail: the name and version of each configuration item included
in the baseline; the name of the baseline; the storage path of each configuration
item in the configuration repository.
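The review criteria of Sect. 4.2, the Table 2 CI list, the identifier rule of Sect. 4.4.1 and the physical audit and release notice of Sect. 4.4.2, as an added Python example that is not the paper's own code; the repository layout, the customer's document register and the sample CIs are assumptions constructed for illustration:

```python
from dataclasses import dataclass

# Required CIs per software V&V process (Table 2 of the paper).
REQUIRED_CIS = {
    "Concept V&V process": [
        "Contract", "System requirement specification",
        "Functional design specification"],
    "Requirement V&V process": [
        "Functional design specification", "Software requirements specification",
        "System logic diagram", "System analog diagram", "System function diagram"],
    "Design V&V process": [
        "System function diagram", "Software configuration diagram"],
    "Construction V&V process": ["Software configuration diagram", "Code"],
    "Test V&V process": [
        "FAT/FT test plan", "FAT/FT test procedure", "FAT/FT test report"],
}


@dataclass(frozen=True)
class CI:
    """One configuration item of an input file baseline."""
    project: str    # project identification
    stage: str      # V&V stage
    file_type: str
    file_name: str
    version: str

    @property
    def identifier(self) -> str:
        # Sect. 4.4.1 rule: Project identification/V&V stage/file type/file name/version
        return "/".join((self.project, self.stage, self.file_type,
                         self.file_name, self.version))

    @property
    def repo_path(self) -> str:
        # Storage path in the configuration repository; this layout is an
        # assumption of the example, the paper does not prescribe one.
        return f"{self.project}/{self.stage}/{self.file_type}/{self.file_name}"


def review_inputs(stage, cis, customer_register):
    """Apply criteria (a) and (b) of Sect. 4.2 to the proposed inputs of one
    stage. Criterion (c), whether the content meets the stage's V&V work
    requirements, needs the review panel and is not automated here.
    customer_register maps file name -> latest officially published version.
    Returns the findings; an empty list means the inputs may be baselined."""
    findings = []
    present = {ci.file_type for ci in cis}
    for required in REQUIRED_CIS[stage]:            # (a) adequacy
        if required not in present:
            findings.append(f"(a) missing input file type: {required}")
    for ci in cis:                                  # (b) latest official document
        latest = customer_register.get(ci.file_name)
        if latest is None:
            findings.append(f"(b) {ci.file_name} is not an officially published customer document")
        elif latest != ci.version:
            findings.append(f"(b) {ci.file_name} is version {ci.version}, "
                            f"customer's latest is {latest}")
    return findings


def physical_audit(cis, repository):
    """Sect. 4.4.2: the CME checks that every CI of the baseline is stored in
    the configuration repository at its path with the baselined version.
    repository maps path -> stored version."""
    findings = []
    for ci in cis:
        stored = repository.get(ci.repo_path)
        if stored is None:
            findings.append(f"not in repository: {ci.identifier}")
        elif stored != ci.version:
            findings.append(f"repository holds version {stored} for {ci.identifier}")
    return findings


def release_notice(project_label, baseline_name, baseline_version, cis):
    """Title and body of the CME's release e-mail (Sect. 4.4.2, items 1 and 3).
    The signed application form (item 2) is attached separately."""
    title = f"[{project_label}] {baseline_name}"
    body = [f"Baseline: {baseline_name}, version {baseline_version}",
            "Configuration items (name, version, repository path):"]
    body += [f"  {ci.file_name} {ci.version} {ci.repo_path}" for ci in cis]
    return title, "\n".join(body)


# Constructed sample data for the design V&V stage of a fictitious project.
SAMPLE_CIS = [
    CI("XX Project", "Design V&V process", "System function diagram", "SFD-001", "A"),
    CI("XX Project", "Design V&V process", "Software configuration diagram", "SCD-001", "B"),
]
CUSTOMER_REGISTER = {"SFD-001": "A", "SCD-001": "B"}
REPOSITORY = {ci.repo_path: ci.version for ci in SAMPLE_CIS}

if __name__ == "__main__":
    problems = review_inputs("Design V&V process", SAMPLE_CIS, CUSTOMER_REGISTER)
    problems += physical_audit(SAMPLE_CIS, REPOSITORY)
    if problems:
        print("baseline rejected:", *problems, sep="\n  ")
    else:
        title, body = release_notice("xxx nuclear power plant DCS software V&V project",
                                     "Design V&V input baseline", "1", SAMPLE_CIS)
        print(title, body, sep="\n")
```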

5 Conclusions

Based on a study of NB/T 20335-2015 and ISO/IEC 12207-2008, combined with
practical configuration management experience of safety DCS software V&V in
nuclear power plants, the paper proposes a method of input file baseline management
for the software V&V configuration management process. By establishing a
standardized input file baseline management process, this method solves the problems
of poor baseline correctness of input files and irregular baseline management in the
current configuration management process, ensures the correctness of the baseline of
software V&V input files, improves the effectiveness of software V&V, and avoids
wasted labor and time. At present, this method is being applied to the configuration
management of the safety DCS software V&V project of Fangchenggang Phase II
nuclear power plant, and has achieved good results.

References
1. NB/T 20335: Nuclear power plant software configuration management (2015)
2. ISO/IEC12207: Systems and software engineering-Software life cycle processes (2008)
3. IEEE1012: IEEE Standard for Software Verification and Validation (2004)
4. Yu, H.X., Chen, K., Bai, Y.C.: Application of baseline in software configuration
management. Comput. Appl. Softw. 2, 43–45 (2006)
5. Jiang, W., Liu, L.K.: Research on baseline in software configuration management. Comput.
Technol. Dev. 6, 6–10 (2016)
Research and Application on the Gateway
Design of Digital Control System of Nuclear
Power Plant

Yue-Liang Sun(&), Zhi-Jia Wang, Hong-Tao Sun, and Wei Bai

China Techenergy Co, Ltd., Beijing 100094, China
SunYueLiang@cgnpc.com.cn

Abstract. Alarm and display signals can be transmitted between the safety DCS
and the Non-safety DCS in nuclear power plants by hard wiring, and also by the
Gateway system. Since the two systems are based on different platforms from
different suppliers, their configuration is an important issue. This paper analyzes
and researches the functions, system structure, interfaces and software configuration
of the Digital Control System Gateway system, and then puts forward design plans
for system data transmission and processing, parallel/control-standby redundant
allocation, and software communication. As the interface system between systems
of different safety classes, it can be connected to other platform systems, is widely
applicable and convenient to maintain, and supports a large communication
capacity. The Gateway system has passed the factory test and has been applied in
some domestic nuclear power plants.

Keywords: Nuclear power plant · Gateway · System design

1 Introduction

As the “nerve center” of the nuclear power plant (NPP), the instrumentation and
control (I&C) system is an important guarantee of the safe, reliable and economical
operation of the NPP, so its high safety and reliability must be ensured. The I&C
system is usually made up of the Safety class Digital Control System (DCS), the
Non-safety class DCS and other special control systems.
The Safety DCS mainly performs the protection functions of the nuclear reactor and
monitors the protection parameters related to reactor safety. If any of those parameters
exceeds its protection design value, the emergency shutdown function and the
engineered safety features are actuated automatically to limit the development of
accidents and mitigate their consequences. It ensures the safety of the reactor, the NPP
equipment and personnel, and prevents the release of radioactive materials to the
surrounding environment. The Non-safety DCS, by contrast, performs the normal
operations of the plant such as startup, shutdown and power operation, monitors the
states of the nuclear island, conventional island, electrical system and BOP, and
communicates with third-party systems and the common units [1].

© Springer Nature Singapore Pte Ltd. 2019


Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 190–198, 2019.
https://doi.org/10.1007/978-981-13-3113-8_22
There are many signal interactions between the Safety DCS and the Non-safety DCS.
According to the specific transmission requirements, data can be transmitted by hard
wiring or by the Gateway system.
Hard wiring is usually used for signals that require high transmission speed and high
reliability, and for some safety-important functional signals that are collected by the
Safety DCS and at the same time used for device control in the Non-safety DCS.
Signals for alarm and display from the Safety DCS are usually transmitted by the
Gateway. Compared with hard wiring, Gateway communication is more flexible: it
offers a larger number of transmitted signals, better extensibility, simpler and more
convenient modification, less space and better economy.
Because the functional classes on the two sides differ, Gateway systems are usually
installed in pairs in the DCS. Based on the features of the different platforms, there are
many design plans for the Gateway system. This paper systematically introduces and
analyzes the Gateway system of one domestic operating nuclear power plant, as
shown in Fig. 1.

Fig. 1. The structure sketch of NPP Digital Control System
[Figure not reproduced: it shows the Safety class DCS (RPS, DTS, ESFAS, SCIS, OPS, Safety System Bus, Human-Machine Data Bus), the Non-safety class DCS (control stations, servers, OPS, System Bus, SNET and MNET), a third-party system, and the Safety DCS side and Non-safety DCS side Gateways A and B; legend: hard wiring, network communication.]

2 Design of Gateway System


2.1 Design Principle
The single failure criterion, redundancy, independence and isolation are required for
safety I&C systems. Even in the case of a single failure of a component, a device or a
channel, or under the assumption that a device is removed while on power, they are
designed so that they can maintain the safety function and prevent common mode
failure [2, 3].

2.2 Function
The Gateway system mainly performs the functions of data transmission, data
processing, redundancy and fault self-diagnosis between the Safety and Non-safety DCS.
On the basis of its safety importance, the functional class of the Gateway system is
defined as Non-safety class and it is realized with Non-safety class devices.

2.2.1 Data Transmission


According to the Gateway's location in the DCS structure and the data flow, the
signals transmitted by the Gateway are as follows:
• Safety class signals transmitted to the Non-safety DCS, such as safety process
signals, alarm signals, log and system status signals.
• Operation screen request signals from the Non-safety Visual Display Unit (VDU) to
the Safety control and information system (SCIS).
Gateway functions can be configured according to the requirements of the practical
engineering. The data transmission capacity of a single Gateway system can reach
5000 to 10000 data variables.

2.2.2 Data Processing


The Gateway system receives process and alarm signals from the Safety DCS.
Redundant signals can be transmitted to the Non-safety DCS after logic processing in
the Gateway system. In this way, the number of communication variables and the
scale of data logic processing in the control stations or servers of the Non-safety DCS
are reduced.

2.2.3 Redundancy
Redundancy is configured to improve the reliability of the Gateway system. When any
of the redundant devices has a single failure, the functions of the system can still be
performed normally, avoiding the total loss of the Gateway functions [4].

2.2.4 Fault Self-diagnosis


The Gateway is the link between the Safety class and Non-safety class systems. The
Gateway provides real-time diagnosis of important device status and functions, such
as the operation status of the Gateway main process unit and network communication
modules, the communication status of all ports and networks, and the system power
supply. In addition, after the Gateway system has collected all abnormal information
about its devices, it reports it in time to the operator or I&C personnel in the Main
Control Room so that corresponding measures can be taken.

2.3 System Interface


2.3.1 Connection Pattern
On the basis of its system functions, the Gateway needs to connect platform systems
of different functional classes.
On the Safety DCS side, the Gateway system communicates over the network with
any node on the network bus. It receives information (including engineering
parameters and alarms, status and alarms of safety class devices, and I&C alarms) and
sends it to the Non-safety DCS, and transfers operation screen request signals from the
Non-safety VDU to the Safety control and information system (SCIS).
The communication between the Safety and Non-safety DCS is carried over optical
fibre equipment, as shown in Fig. 2.
Fig. 2. Interface schematic of Gateway system
[Figure not reproduced: it shows the Non-safety class DCS ring network bus with the Non-safety DCS side Gateways A and B, photoelectric converters A and B linked by cable and fibre to a photoelectric converter on the Safety DCS side, the Safety DCS side Gateways A and B, and the Safety System Bus and Human-Machine Data Bus of the Safety control and information system (SCIS); legend: ring network bus, isolator (Safety class), cable, fibre, data flow.]

2.3.2 Redundancy Configuration


To meet the single failure and redundancy criteria, redundancy is configured in the
Gateway system to improve its availability. There are usually two ways of configuring
redundancy: control-standby redundancy and parallel redundancy. The choice can be
understood from the simplest configuration of the Gateway (as shown in Fig. 3):
when the Gateway path is established, some additional redundancy processing remains
even in the minimum device configuration plan. Table 1 shows the results of the
redundancy configuration for the Gateway system.
In order not to increase the redundancy processing of the Non-safety DCS, when
control-standby redundancy is configured the communication connections between the
Gateway systems on both sides increase. At the same time, because of the diagnosis
and switchover links in the Safety DCS Gateway, the Non-safety DCS Gateway would
have to handle the switchover of the control and standby inputs from the Safety DCS
Gateway as well as the switchover of its own control-standby redundancy, which
increases the fault probability and thereby reduces the reliability of the network
system. Therefore, control-standby redundancy should be configured in the Non-safety
DCS Gateway, and parallel redundancy should be chosen for the Safety DCS Gateway,
as shown in Fig. 3.
If neither the redundancy processing links nor the data scale of the redundancy
processing is considered, parallel redundancy can also be applied to the Gateways on
both sides. Because its scale of communication links is the same as that of the parallel
(Safety DCS)/control-standby (Non-safety DCS) configuration, it can also improve the
reliability of the Gateway system. Its fault modes are the same as those of the parallel
(Safety DCS)/control-standby (Non-safety DCS) configuration, as shown in Fig. 3.

Table 1. The results of redundant configuration for Gateway system

Non-safety DCS side Gateway | Control-standby | Control-standby | Parallel | Parallel
Safety DCS Gateway | Control-standby | Parallel | Parallel | Control-standby
Data redundant processing | No need, but the Non-safety DCS is complex | No need | Needed in Non-safety DCS Gateway | Needed in Non-safety DCS Gateway, and the Non-safety DCS is complex

Fig. 3. Redundant configuration of Gateway system
[Figure not reproduced: four configurations, each with Train A and Train B on the Non-safety class and Safety class sides. 1. Non-safety DCS Gateway: Control-standby, Safety DCS Gateway: Control-standby; 2. Non-safety DCS Gateway: Control-standby, Safety DCS Gateway: Parallel; 3. Non-safety DCS Gateway: Parallel, Safety DCS Gateway: Parallel; 4. Non-safety DCS Gateway: Parallel, Safety DCS Gateway: Control-standby.]
Fig. 4. Fault logic analysis of Gateway system
[Figure not reproduced: fault trees for three configurations (Safety DCS Gateway parallel with Non-safety DCS Gateway control-standby; both parallel; both control-standby), combining the failures of Non-safety DCS Gateway A/B and Safety DCS side Gateway A/B through Or and And gates into the top event "Gateway output fails".]

The Gateway systems of some nuclear power units are configured redundantly and
independently of each other. They are arranged in different Gateway cabinets to
improve communication independence and reliability. The two Safety DCS Gateways
are connected to the network bus and can communicate with all devices through the
network communication modules [5]. The Gateways on the two sides are connected to
each other by fibre cables. The two Safety DCS Gateways send redundant data to the
Non-safety DCS Gateways at the same time; the source and quantity of the data are
exactly the same. The two Non-safety DCS Gateways are connected to the Non-safety
DCS network through Ethernet cards to communicate with all devices on the SNET
(or MNET) (Fig. 4).
The Gateway system of each train includes a Safety DCS side and a Non-safety DCS
side. For example, Safety DCS Gateway a-A and Non-safety DCS Gateway a-A of train
A, and Safety DCS Gateway a-B and Non-safety DCS Gateway a-B of train B, are
independent of each other and use different paths to transmit data (Fig. 5).

Fig. 5. Redundant configuration of Gateway system
[Figure not reproduced: Non-safety DCS Gateways a-A, a-B, b-A and b-B on the Non-safety class network (a-A/a-B control-standby, b-A/b-B parallel) and Safety DCS Gateways a-A, a-B, b-A and b-B on the Safety class bus (parallel).]

2.4 System Structure


2.4.1 System Hardware Structure
The Safety DCS Gateway system contains the main communication devices, such as
the Gateway main process unit module, network communication module 1 (used to
communicate with the Safety DCS), network communication module 2 (used to
communicate with the Non-safety DCS and third-party systems) and the optical-electric
converter. The Non-safety DCS Gateway system contains main communication devices
such as the Gateway main control unit and the optical-electric converter. Figure 6
shows the composition of the Gateway system.

[Figure: Safety DCS Gateway cabinet containing a power supply card, the main process unit card, network communication module 1 (fibre link to the safety DCS), network communication module 2 (cable link), a backboard bus, a fan unit, a grounding unit and an optical-electric converter; a fibre link leads to the Non-safety DCS Gateway, which contains an optical-electric converter and the main control unit connected by cable to the Non-safety DCS network]

Fig. 6. System composition of Gateway system



2.4.2 System Software Structure


To isolate the communication paths, different platform products and independent communication networks are applied to the Safety and Non-Safety DCS Gateways. For example, the FirmSys platform is used in the Safety DCS Gateway and the HOLLIAS-N platform in the Non-Safety DCS Gateway.

Work Mode
There are two operation modes in the Gateway system: running mode and failure mode
(Fig. 7 and Table 2).

[Figure: state diagram. Normal operation mode: power-on leads to Initialization, and to Running once initialization is completed. Failure mode is entered on loss of power or on faults (system hardware failures, or platform software that cannot receive or send data normally). Self recovery by eliminating the alarm returns the system to Initialization and then to normal running (normal recovery).]

Fig. 7. Transformation schematic for operation modes of Gateway system

Table 2. Operation modes of Gateway system

Mode         | Status
Running mode | Functions run normally
Failure mode | Application fails, e.g. alarm, fault or loss of power

Communication Mode
The Gateway system software consists of platform software and application software. The platform software uses the FirmSys platform and the HOLLIAS-N platform, and the application software is configured according to the actual functional requirements of the engineering. The Safety DCS Gateway communicates with the Non-safety DCS Gateway over the UDP protocol, which is a transport layer protocol. The Ethernet protocol is used in the physical layer and the data link layer, and the IP protocol in the network layer; the UDP layer sits above the IP layer. The application accesses the UDP layer, which then transmits the datagram through the IP layer. The IP layer carries the IP addresses of the source and destination hosts, and the UDP layer carries the source and destination ports on those hosts. The communication mode is set to 100 M full duplex.

Software Configuration
To implement the system functions, the corresponding application software has to be configured in the Gateway. The Gateway system mainly fulfils the application configuration tasks shown in Table 3.

Table 3. Gateway system application software

Number | Function description | Application software configuration
1 | Data receiving and sending | Configuration of received data variables; configuration of sent data variables
2 | Data intermediate processing | Implementing the corresponding processing logic with functional algorithm blocks
3 | Redundant configuration diagnosis | Receiving and sending the diagnosis status of the redundant station
4 | Self-diagnosis | Outputting self-diagnosis results after collecting interface information from system hardware and software and judging it by a specific logic

3 Conclusion

This paper discusses the one-way data transmission between systems of different safety classes, and a redundant configuration that meets the single failure and redundancy principles. Taking into account the configuration size of the system, the Gateway network communication is based on the UDP protocol. This Gateway system can not only undertake large-scale data transmission but also facilitate function expansion, upgrading and maintenance of the I&C system. As a Gateway system based on a localized I&C platform, its feasibility and reliability have been verified by passing the factory acceptance test. The Gateway system has been applied to many domestic NPP projects, which provides a reference for the design and application of Gateway systems in NPP I&C platforms in the future.

References
1. International Atomic Energy Agency. Instrumentation and Control Systems Important to
Safety in Nuclear Power Plants (2005)
2. IEEE Power Engineering Society, Criteria for digital computer in safety systems of nuclear
power generating stations (2003)
3. IEC 61513. Nuclear power plants-Instrumentation and control for systems important to safety
general requirements for systems (2001)
4. GB/T-12788: Criteria for class 1E power system for nuclear power generating stations (2008)
5. Wang, D., Chen, C.P., Yan, J.: Pondering a new-generation security architecture model for
power information network. Autom. Electr. Power Syst. 02, 1000–1026 (2016)
Algorithm Research of the ICCMS for Qinshan Phase II NPP Based on FirmSys Platform

Xin-Xin Fan(&), Bo Zhang, Hong-Tao Sun, Li-Min Xia, and Wei-Zhi Zheng

China Techenergy Co., Ltd., Beijing, China
fanxinxin@cgnpc.com.cn

Abstract. The ICCMS is a safety-class system which monitors the cooling state of the reactor core and the water level of the reactor pressure vessel. The ICCMS of Qinshan Phase II NPP has been running for over ten years since the unit was connected to the grid, and the algorithm of the original system exists only for the traditional analog system; there is no algorithm for a digital control system. A new algorithm therefore had to be designed and developed for the new ICCMS. This paper mainly introduces the design process of the algorithm in the new ICCMS; it has three parts: core temperature measurement, core cooling monitoring, and reactor pressure vessel water level measurement. The overall algorithm is split into twelve subroutines which are called from a root program by the modularization method. It is not only a suitable solution for the ICCMS of Qinshan Phase II NPP but can also serve as a reference for the design of core cooling monitoring systems for PWR nuclear power stations under EOP regulations. At present, the modified ICCMS is running well, which proves that the new algorithm fully complies with the original operating procedures.

Keywords: ICCMS · FirmSys · Modularization

1 Introduction

The Qinshan Phase II Nuclear Power Plant (NPP) is an important milestone on the road to autonomous construction of nuclear power in China [2]. The inadequate core cooling monitoring system (ICCMS) continuously monitors the core temperature, the subcooling margin and the reactor pressure vessel (RPV) under normal operating conditions and accident conditions [1]. It provides reliable evidence for the operators to understand the cooling of the reactor core and the water level of the RPV. However, the original ICCMS has been running for more than ten years since the unit was connected to the grid, and the reliability and economy of its operation must be addressed by designing and developing a new system. Because the original system is a traditional analog system with low calculation accuracy, the design of a new algorithm for a digital control system is extremely urgent. There is currently no reference for the design of the algorithm: it can only be obtained by converting the text requirements and then generating the corresponding engineering application software.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 199–207, 2019.
https://doi.org/10.1007/978-981-13-3113-8_23

The new system will be designed by China Techenergy Co., Ltd. (CTEC) based on FirmSys, a platform for safety DCS. FirmSys was independently researched and developed by China Techenergy Co., Ltd. and meets the requirements of the various nuclear safety regulations and standards [5]. The new algorithm for the new ICCMS will be designed on this platform. According to the algorithm requirements of the three functions of the ICCMS for Qinshan Phase II NPP, the new algorithm for the digital control system will realize their calculation and monitoring.

2 Algorithm Requirement

The ICCMS is a nuclear safety-grade system. It has three functions: core temperature measurement, core water level measurement and core cooling monitoring [3]. The ICCMS of Qinshan Phase II NPP differs from that of the conventional three-loop PWR [4], since the primary coolant circuit uses a two-loop layout. There are 30 core outlet thermocouples in the reactor, distributed over three areas: the middle area, the peripheral area (120° to 300°) and the peripheral area (300° to 120°). The core temperature and cooling of each area therefore have to be monitored separately so that the operator can confirm them. The absolute pressure of the primary coolant circuit is calculated through a complex pressure checking process, which provides an accurate pressure value for calculating the saturation temperature. The water temperature used for calculating the water density also has to be determined after the corresponding verification, and the water level of the RPV is then calculated.

2.1 The Function of Core Temperature Measurement


The coolant temperature in the ICCMS of Qinshan Phase II NPP is measured by thirty thermocouples at the outlet of the core. These thermocouples, and the extension wires connecting them to the core cooling monitoring cabinets, are divided into columns A and B.
The cold junction compensation of the thermocouples is implemented in the ICCMS cabinet. The cold junction temperature is measured by three RTDs in the cabinet, and the most reliable cold junction temperature value is obtained through the calibration procedure.

2.2 The Function of Reactor Pressure Vessel Water Level Measurement


Core water level monitoring provides the operator with information about the RPV water level during and after a reactor accident. In the ICCMS, when all reactor coolant pumps are stopped, the system gives the precise pressure value of the reactor pressure vessel; when at least one reactor coolant pump is running, it indicates the RPV water level trend. In accident conditions the system continuously presents the trend of the RPV water level to the operators. The ICCMS of Qinshan Phase II NPP uses differential pressure gauges to measure the pressure values at the top and bottom of the RPV and obtain the corresponding differential pressure signal. These pressure measurement instruments cover three ranges:
• Narrow range instrument (without main pump operation)
• Wide range instrument (with main pump operation)
• Reference range instrument

2.3 The Function of Core Cooling Monitoring


The core cooling monitoring function includes the calculation of the subcooling margins for the reactor core and the hot legs, the minimum subcooling margin for monitoring the core cooling, and so on.
The following analog signals (per column) are required for the above functions:
• 15 temperature signals from the reactor core thermocouples
• 2 temperature signals from the hot legs
• 2 temperature signals from the cold legs
• 2 pressure signals at the entrance of the RRA hot leg (0 MPa to 20 MPa)
• 3 pressure signals from the pressurizer (11 MPa to 18 MPa)
And the following digital signals (per column):
• Non-P10 signal from the reactor protection system
• 2 reactor coolant pump status signals
To calculate the saturation temperature, the two pressure signals at the entrance of the RRA hot leg and the three pressure signals from the pressurizer go through a complicated pressure checking process. This process determines a consistent effective pressure value and at the same time indicates any inconsistent signal. The process is divided into ten cases based on the validity of the five pressure signals and the consistency of their values, so the precise pressure value has to be determined for each of these ten cases. When the five pressure values are inconsistent, the most reliable pressure value is selected.

3 Algorithm Implementation

The first step in the data processing of the ICCMS is to check the availability of each input signal. For analog signals this is done by checking whether the signal lies within or outside the range, taking into account the tolerance of the upstream channel and the sensor. An analog signal outside the measuring range (for example, the standard signal range 1 V to 5 V or the thermocouple signal range 0 mV to 50 mV) is rejected by the program. For digital signals, the validity status depends on the status of the acquisition card: when the card is in a normal state the signal is valid, otherwise it is invalid. Data that is unavailable cannot take part in subsequent operations.

The ICCMS is designed by CTEC on the FirmSys platform. It is divided into two redundant columns A and B. The algorithms of the two columns are the same, but their input signals and calculation processes are independent of each other, and the calculation results are output and displayed separately, so the redundancy and independence of the design are achieved.
The algorithm structure of the ICCMS is divided into three main parts: core temperature measurement, reactor pressure vessel water level measurement and core cooling monitoring. The overall algorithm is split into twelve subroutines. They are called by the root program, operate independently and execute in the internal execution order, from top to bottom and from left to right, periodically. The cycle is 25 ms. The overall algorithm structure and the distribution of the twelve subroutines of column A are shown in Fig. 1.

Fig. 1. Algorithm structure diagram of ICCMS (for column A)

3.1 Core Temperature Measurement and Cooling Monitoring


To avoid a single fault, the core temperature measurement is divided into two columns A and B. Each column includes fifteen K-type thermocouples installed at the outlet of the core, distributed over three regions: the middle area, the peripheral area (120° to 300°) and the peripheral area (300° to 120°).

3.1.1 Core Temperature Measurement


In the ICCMS, the availability of the fifteen core thermocouple signals is checked by the subroutine TRIC. It includes the disconnection check of the thermocouple signal and the judgment of the high and low thresholds through a comparison module. Once a signal is unavailable it is removed from the procedure and a corresponding alarm is sent to the operators. If none of the core thermocouple signals is available, the average, maximum and minimum core temperatures are replaced by the values calculated in the previous cycle (the CPU processing cycle of the ICCMS is 25 ms).
Three RTDs located in the cabinet accomplish the cold junction compensation of the core thermocouple signals of one column. The subroutine is TCOLD. It first converts the three thermal resistance values (Ω) into physical temperature values (°C), and then checks them to obtain an effective cold junction compensation temperature for the core thermocouple signals.
Because of the characteristics of Qinshan Phase II NPP, the D-value (difference) between the maximum and minimum temperatures has to be monitored separately in each of the three areas of the reactor core. Once the value in an area exceeds the threshold, an alarm is sent to the operators and the area is indicated. The maximum and minimum temperatures of the effective thermocouple signals in the three areas are calculated by the subroutine INVALID, the maximum D-value of the three areas is obtained, and the average core temperature is calculated and indicated.

3.1.2 Core Cooling Monitoring


The ICCMS monitors the cooling status of the reactor core through the subcooling margin. The minimum subcooling margin (DTSAT) is the main monitoring parameter; it is the D-value between the saturation temperature and the maximum core temperature (TSAT − TRIC MAX). An alarm is generated to inform the operator that the core is poorly cooled when the minimum subcooling margin falls below 20 °C, but the alarm is blocked when the reactor power exceeds 10% FP. This alarm is implemented in the subroutine OUTPUT.
The subroutine TSAT calculates the core saturation temperature and the core subcooling margins: the minimum subcooling margin, the subcooling margin based on each core thermocouple temperature, and the subcooling margin based on the hot leg temperature in the two loops.
The primary circuit absolute pressure value (PABS) used to calculate the saturation temperature (TSAT) has to be obtained by a relatively complicated pressure checking process, so a separate subroutine PABS implements it. During this process the results of the ten cases are switched by specified provision conditions, and finally an effective primary circuit pressure value is output.
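To make the cycle logic of this section concrete, here is an added Python sketch (not the paper's or the FirmSys platform's code) of the TRIC, TCOLD, INVALID and OUTPUT steps described above. Only the 0 mV to 50 mV range, the 20 °C DTSAT limit, the P10 block and the previous-cycle hold come from the text; the per-area D-value threshold, the thermocouple-to-area assignment, the K-type linearisation, the RTD voting rule and all input values are assumptions.

```python
# Added example, not code from the paper or from the FirmSys platform: column-A core
# temperature measurement and subcooling alarm logic (TRIC, TCOLD, INVALID, OUTPUT) as the
# text describes it. The thermocouple range, the 20 degC DTSAT threshold, the P10 block and
# the previous-cycle hold are from the paper; the per-area D-value threshold, the area
# assignment, the K-type linearisation, the RTD voting rule and all inputs are assumptions.
import math
from statistics import median
from typing import Dict, List, Optional

TC_RANGE_MV = (0.0, 50.0)   # thermocouple signal measuring range (paper)
DTSAT_ALARM_C = 20.0        # minimum subcooling margin alarm threshold (paper)
AREA_DT_LIMIT_C = 50.0      # per-area (max - min) alarm threshold: ASSUMED, not given in the paper
K_TYPE_UV_PER_C = 41.0      # rough K-type sensitivity, a constructed stand-in for the TC_K block
# ASSUMED split of the 15 column thermocouples over the three core areas named in the paper
AREAS = {"middle": range(0, 5),
         "peripheral 120-300": range(5, 10),
         "peripheral 300-120": range(10, 15)}


def tc_available(mv: float) -> bool:
    """TRIC availability check: a disconnected channel (represented here as NaN) or a
    value outside the measuring range is rejected from all later calculation."""
    return not math.isnan(mv) and TC_RANGE_MV[0] <= mv <= TC_RANGE_MV[1]


def cold_junction_c(rtd_c: List[Optional[float]]) -> float:
    """TCOLD: one cold-junction temperature from the three cabinet RTDs (None = invalid).
    The paper only says 'the most reliable value'; the median of the valid RTDs is assumed."""
    valid = [t for t in rtd_c if t is not None]
    if not valid:
        raise ValueError("no valid cold-junction RTD")
    return median(valid)


def tc_to_celsius(mv: float, cjc_c: float) -> float:
    """Cold-junction compensated thermocouple temperature (constructed linearisation)."""
    return cjc_c + mv * 1000.0 / K_TYPE_UV_PER_C


def core_temperatures(tc_mv: List[float], cjc_c: float, previous: Optional[Dict]) -> Dict:
    """TRIC + INVALID for one column: reject unavailable signals, compute the per-area
    D-value (max - min) with its alarm, and the core average/max/min. When no signal is
    available, average/max/min are held from the previous 25 ms cycle."""
    if len(tc_mv) != 15:
        raise ValueError("a column has 15 core thermocouples")
    valid = {i: tc_to_celsius(mv, cjc_c) for i, mv in enumerate(tc_mv) if tc_available(mv)}
    out: Dict = {"unavailable": [i for i in range(15) if i not in valid],
                 "area_dvalue": {}, "area_alarm": []}
    for name, idx in AREAS.items():
        temps = [valid[i] for i in idx if i in valid]
        if len(temps) >= 2:                      # a D-value needs at least two valid signals
            dval = max(temps) - min(temps)
            out["area_dvalue"][name] = dval
            if dval > AREA_DT_LIMIT_C:
                out["area_alarm"].append(name)
    if valid:
        temps = list(valid.values())
        out.update(avg=sum(temps) / len(temps), tmax=max(temps), tmin=min(temps), held=False)
    elif previous is not None:
        out.update(avg=previous["avg"], tmax=previous["tmax"], tmin=previous["tmin"], held=True)
    else:
        out.update(avg=None, tmax=None, tmin=None, held=True)
    return out


def subcooling_alarm(tsat_c: float, tmax_c: Optional[float], non_p10: bool) -> Dict:
    """OUTPUT: DTSAT = TSAT - TRIC_MAX; alarm when DTSAT < 20 degC. The alarm is blocked
    above 10% FP, so it is enabled only while the RPS Non-P10 signal is true (assumed
    meaning of Non-P10: reactor power below the P10 setpoint)."""
    if tmax_c is None:
        return {"dtsat": None, "alarm": False}
    dtsat = tsat_c - tmax_c
    return {"dtsat": dtsat, "alarm": non_p10 and dtsat < DTSAT_ALARM_C}


# Constructed input for one cycle: 12.3 mV is about +300 degC above the cold junction;
# index 5 is a broken wire (NaN) and index 6 is over range (60 mV), so both are rejected.
SAMPLE_TC_MV = [12.3, 12.71, 12.3, 12.3, 12.3,
                math.nan, 60.0, 12.3, 12.3, 12.3,
                12.3, 14.76, 12.3, 12.3, 12.3]
SAMPLE_RTD_C = [25.0, 25.2, None]   # third cabinet RTD invalid

if __name__ == "__main__":
    cjc = cold_junction_c(SAMPLE_RTD_C)
    cycle = core_temperatures(SAMPLE_TC_MV, cjc, previous=None)
    print(cycle)
    print(subcooling_alarm(tsat_c=345.0, tmax_c=cycle["tmax"], non_p10=True))
```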

3.2 Reactor Pressure Vessel Water Level Measurement


The ICCMS measures the reactor pressure vessel water level by the differential pressure method, with two measurement columns A and B. Each column is equipped with differential pressure transmitters of three ranges: wide range, narrow range and reference range. The wide range differential pressure transmitter is used when at least one main pump is operating; the narrow range transmitter is used when all main pumps are shut down; and the reference range transmitter is used to compensate for the differential pressure level in the capillary. The ICCMS calculates the water density and the steam density from these differential pressure signals, the primary circuit pressure signal, the hot or cold leg temperature signals and the core thermocouple temperature signals after calibration. The reactor pressure vessel water level value is then calculated.

3.2.1 Water Density and Steam Density Calculation


In the ICCMS, the value of the temperature TDENS used to calculate the water density is determined first. The flow chart of the calculation method is shown in Fig. 2. Note that all of the processes must be calculated from the available signals; data that is unavailable must either be rejected or replaced with the value calculated in the previous cycle. The subroutine TDENS is therefore designed separately to implement the logic shown in Fig. 2.

Fig. 2. Flow chart of the temperature used to calculate the density

In the second automatic switching logic in Fig. 2, when the second highest value of the available reactor core thermocouple temperature signals is ≥ 400 °C, the calculation temperature TDENS takes the reactor core saturation temperature value TSAT. When all of the available reactor core thermocouple temperature signals are < 380 °C, TDENS takes the output value of the MIN SELECTOR. The check of whether the second highest value of the reactor core thermocouple temperature signals is ≥ 400 °C is implemented by the algorithm block SEC15.

Finally, the subroutine RHO calculates the water density value according to TDENS,
and calculates the steam density value according to different conditions of primary
circuit pressure value.
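The second switching logic above as an added Python example (not the paper's or the platform's code): the SEC15 block and the 380/400 °C band between its two conditions, with the MIN SELECTOR output taken as a given input since Fig. 2 is not reproduced here. The handling of fewer than two available signals and all sample values are assumptions.

```python
# Added example, not code from the paper or from the FirmSys platform: the second automatic
# switching logic for TDENS with the SEC15 block and the 380/400 degC band. Thresholds are
# from the paper; the MIN SELECTOR output is a given input here, and the behaviour with
# fewer than two available signals plus all sample values are assumptions.
from typing import List, Optional, Tuple

SEC15_T_C = 400.0      # comparison parameter T of SEC15 (paper)
ALL_BELOW_C = 380.0    # "all available signals < 380 degC" condition (paper)


def sec15(signals: List[Optional[float]], t: float = SEC15_T_C) -> bool:
    """SEC15: True when the second highest of the *available* inputs (None = rejected)
    is >= T. With fewer than two available inputs there is no second highest value, so
    the block answers False (assumption: the paper does not state this case)."""
    avail = sorted((s for s in signals if s is not None), reverse=True)
    return len(avail) >= 2 and avail[1] >= t


def select_tdens(core_tc_c: List[Optional[float]], tsat_c: float, min_selector_c: float,
                 prev_use_tsat: bool) -> Tuple[float, bool]:
    """One cycle of the switching logic:
       second highest available core TC >= 400 degC -> TDENS = TSAT
       all available core TCs < 380 degC            -> TDENS = MIN SELECTOR output
       otherwise (inside the band, or no signal)    -> keep the previous cycle's choice
    Returns (TDENS, use_tsat); use_tsat is carried into the next cycle."""
    avail = [s for s in core_tc_c if s is not None]
    if sec15(core_tc_c):
        use_tsat = True
    elif avail and max(avail) < ALL_BELOW_C:
        use_tsat = False
    else:
        use_tsat = prev_use_tsat          # previous-cycle hold, as the text requires
    return (tsat_c if use_tsat else min_selector_c), use_tsat


def run_cycles(snapshots: List[List[Optional[float]]], tsat_c: float,
               min_selector_c: float) -> List[float]:
    """Feed successive 25 ms cycles through select_tdens, starting from the MIN SELECTOR."""
    use_tsat, out = False, []
    for snap in snapshots:
        tdens, use_tsat = select_tdens(snap, tsat_c, min_selector_c, use_tsat)
        out.append(tdens)
    return out


# Constructed 15-signal snapshots for five consecutive cycles (degC, None = unavailable).
SAMPLE_CYCLES = [
    [300.0] * 15,                     # all < 380                 -> MIN SELECTOR
    [420.0, 410.0] + [350.0] * 13,    # second highest >= 400     -> TSAT
    [420.0, 390.0] + [350.0] * 13,    # second highest in the band -> hold TSAT
    [370.0] * 14 + [None],            # all available < 380       -> MIN SELECTOR
    [None] * 15,                      # nothing available         -> hold previous
]

if __name__ == "__main__":
    print(run_cycles(SAMPLE_CYCLES, tsat_c=345.0, min_selector_c=300.0))
```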

3.2.2 RPV Water Level Calculation


The calculation of the RPV water level is implemented in subroutine LVSL. It is calculated separately, taking into account static pressure, installation position and other factors. The RPV water level in the ICCMS is indicated for two cases: main pump operation and no main pump operation. When no main pump is operating, the RPV water level is calculated and displayed directly in m. When one or two main pumps are operating, the water level value h calculated directly by the formula is only the calculated RPV water level, not the real one; it is compensated to obtain the RPV water level trend value, displayed in % on the safety visual display unit (S-VDU).

Table 1. Part of the algorithm blocks applied in the program

No. | Block symbol | Block name | Function
1 | PT100 | PT100 temperature calculation | Converts the industrial platinum resistance value to a temperature value
2 | TC_K | Thermocouple temperature calculation | Converts the electrical value of a K-type thermocouple to a temperature value
3 | MOD TOTA | Counting block | Counts the number of input signals that are 0 or 1, to assist the reappearance function of alarms
4 | BS_TO BLINK | Reappearance block | Realizes the reappearance function of alarms
5 | SEC15 | 15 input signals comparison | Compares whether the second highest value among 15 input signals exceeds the threshold value T (comparison parameter)

When no main pump is operating, the RPV water level is monitored by the narrow range pressure transmitter. If the RPV water level is too low, there is a risk that the fuel assemblies inside the reactor will be exposed above the water level and melt, so monitoring the RPV water level is important. The ICCMS therefore gives low water level and low-low water level alarm indications when the RPV water level falls below 7.5 m and 5.4 m respectively. This alarm is realized in subroutine OUTPUT and displayed in the main control room, so that the operators can act correctly according to the corresponding procedures.
Some of the algorithm blocks applied in the ICCMS program are shown in Table 1.

4 Algorithm Verification and Validation (V&V)

According to the requirements of IEEE 1012-2004, an independent V&V is performed for the engineering application software life cycle of the above algorithm by technical methods such as assessment, analysis and testing. It includes concept V&V, requirements V&V, design V&V, implementation V&V, test V&V, etc. [6]. The ICCMS software is safety DCS software, and its software integrity level is level 4. In the implementation process, the engineering application software code is tested with C++ Test 7.3 and WorkBench 3.0 after eight rounds of verification, including static analysis, code review and dynamic testing. The unit and function tests on the cabinet are performed with test devices such as process detectors, digital multimeters and precision resistance boxes. Combined with document evaluation, interface analysis, critical analysis, hardware/software/user requirement analysis, traceability analysis, etc., the problems in the software development process were found and all of them were ultimately solved.
Based on the results of the above V&V activities, the algorithm and engineering application software of the modified ICCMS correspond with the requirements of the standards and regulations, the contracts, and the system requirements specifications.

5 Conclusion

Although the ICCMS is only used for monitoring the reactor core cooling status and the RPV water level, it plays a vital role in whether operators can take corrective measures under normal or accident conditions.
After the transformation, the ICCMS passed the various tests in Units 1 and 2 of Qinshan Phase II NPP successfully. During the commissioning phase of the reactor, the consistency of the reactor core temperature measurements was very good and the values were relatively stable; the D-value between the maximum and minimum temperatures in the three core areas was shown clearly; the checking process of the primary circuit pressure was normal; and the subcooling margin of the core temperature was indicated clearly. The measured and theoretically calculated values of the RPV water level are basically the same, in line with the design requirements. The interface between the ICCMS and the other systems of the nuclear power plant meets the design requirements and ensures that data is received and transmitted safely. The new ICCMS has realized the expected functions and reached the predetermined technical specifications since it was put into operation. The successful application of the new ICCMS in Qinshan Phase II NPP proves that the new algorithm designed on the FirmSys platform fully complies with the original operating procedures, meets the corresponding standards, and solves the problem of the transition from the original analog system to the digital control system.

References
1. Guangdong Nuclear Power Training Center: 900 MW Pressurized Water Reactor Nuclear Power Plant System and Equipment. Atomic Energy Press, Beijing (2005)
2. Li, W.P., Zhang, F., et al.: Design of core measurement system for Qinshan Nuclear Power Plant Phase II. Nucl. Power Eng. 24(2), 224–226 (2003)
3. He, Z.X., Li, B., et al.: Core cooling monitoring system design for Qinshan Nuclear Power Plant Phase II expansion project. Nucl. Power Eng. 29(1), 5–9 (2008)
4. Li, G., Xie, Y.Q., Liu, C.M., et al.: Digital reconstruction scheme of core cooling monitoring system for PWR Nuclear Power Plant. Nucl. Sci. Eng. 32(2), 206–211 (2012)
5. Zhang, L.B., Liang, Z.Q., Xie, Y.Q., et al.: Reformation practice of core cooling monitoring system in Daya Bay Nuclear Power Plant. Nucl. Saf. 15(3), 35–41 (2016)
6. IEEE Std 1012-2004: IEEE Standard for Software Verification and Validation (2004)
Application of Mosaic Instruments on Back-up Panel in Nuclear Power Plant

Zhi-Guo Ma(&), Chao Gao, Qing-Jun Meng, Hong-Tao Sun, and Fu-Ju Xie

China Techenergy Co., Ltd., Bldg 5, no. 5 Yongfeng Rd, Haidian 100094, Beijing, People's Republic of China
mazhiguo@cgnpc.com.cn

Abstract. The mosaic instruments installed on the back-up panel (BUP) have uniform dimensions and have been shown to give not only a modern style of main control room (MCR) but also convenient installation, maintenance and powerful extension. As human-machine interface equipment, mosaic instruments need to meet the requirements of human factors (operability, readability, prevention of malfunction) and independence (physical separation and electrical isolation) in the nuclear power plant (NPP) design process in order to keep the NPP in a safe state. This paper mainly introduces the types and dimensional characteristics of the mosaic instruments and describes how the human factors engineering and independence characteristics meet the standard requirements when the mosaic instruments are used on the BUP in the main control room of an NPP. With the development of the nuclear industry, the application of mosaic instruments will be a new choice for the NPP.

Keywords: Mosaic instrument · Human factors · Independence · Back-up panel · Nuclear power plant

1 Introduction

Conventional instruments have been used on the BUP in NPPs such as Hong Yan He NPP Unit 1 to Unit 4, Ning De NPP Unit 1 to Unit 4 and so on. However, because the dimensions of the conventional instruments differ from each other, cut-outs of different dimensions have to be made in the surface of the panel during the engineering design. Whenever new equipment needs to be added to the panel, the structure of the panel also has to be changed in an engineering design modification. Such a modification is very hard for an installed panel, has a strong impact on the project schedule and increases the project cost. The mosaic instruments installed on the mosaic panel have uniform dimensions and have been shown to give not only a modern style of MCR but also convenient installation, maintenance and powerful extension. Nowadays mosaic instruments are widely used in the MCR of NPPs such as Lingao Phase-II NPP, Yang Jiang NPP Unit 5&6, Hong Yan He NPP Unit 5&6, Tian Wan NPP Unit 5&6 and so on. With the development of the nuclear industry, the application of mosaic instruments will be a new choice for the NPP. This paper mainly introduces the types and dimensional characteristics of the mosaic instruments and describes how the human factors engineering and independence characteristics meet the standard requirements when the mosaic instruments are used on the BUP in the main control room of an NPP.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 208–218, 2019.
https://doi.org/10.1007/978-981-13-3113-8_24

2 Introduction of BUP

The BUP is the back-up of the computer information and control system (KIC) in the nuclear power plant; its main function is to bring the unit into, and maintain it in, the safe state under normal conditions and design basis accidents once the KIC is not available. The KIC is a process control system based on computer systems. To prevent common cause failure between the BUP and the KIC, the BUP is usually designed with hardware only, so that the principle of diversity between the KIC and the BUP is fulfilled and the safety and reliability of the nuclear power plant are ensured. The main hardware equipment making up the BUP is the human-machine interface equipment, which mainly includes controls and display devices: the controls ensure that the operator's orders can be distributed to the controlled equipment, and the display devices ensure that the feedback information of the equipment is displayed correctly. The dimensions of conventional controls and display devices are different and large, so the whole panel would be quite bulky and not convenient to install, maintain and modify. The mosaic instruments, however, have been shown to give not only a modern style of MCR but also convenient installation, maintenance and powerful extension, which makes them a new choice for BUP design in nuclear plants.

3 Introduction of Mosaic Instruments

Mosaic instruments are the equipment (such as controls, measuring instruments, lamp indicators, etc.) installed on the mosaic panel with uniform dimensions. Controls mainly include pushbutton controls, rotary controls and so on; measuring instruments mainly include analog indicating instruments and digital indicating instruments; lamp indicators mainly include alarm lamps, lamps, etc.
The controls supply the human-machine interface for the operator; according to the process requirements, rebound type or self-retaining type controls can be chosen.
Process physical quantities are generally indicated on the analog indicating instruments through a pointer and on the digital indicating instruments by numbers.
The alarm lamps mainly provide a visual warning to the operators so that they take the corresponding intervention action. The alarm lamps are lit or flash after the alarm signal is triggered. Common alarm lamp colours are red, yellow, green, white, orange, cyan and so on.
The lamps are usually used to provide equipment feedback information to the operators. Red, yellow, green, white and other colours are commonly used for lamps.

3.1 Dimensions of Mosaic Instruments


The dimensions of the mosaic equipment are determined by the standard IEC 61554-1999, Panel mounted equipment - Electrical measuring instruments - Dimensions for panel mounting. Commonly used dimensions according to IEC 61554-1999 are shown in Table 1:

Table 1. Common used dimensions (IEC 61554-1999) [1]

Shape               | Dimension (Width × Height), unit: mm
Square              | 36 × 36, 48 × 48, 72 × 72, 96 × 96, etc.
Rectangular lateral | 48 × 24, 72 × 36, 96 × 24, 96 × 48, etc.
Rectangular upright | 24 × 48, 24 × 96, 36 × 72, etc.

The standard GB/T 1242-2000, Dimensions for panel mounted indicating and recording electrical measuring instruments, defines not only the dimensions shown in Table 1 but also dimensions that are multiples of 10, shown in Table 2:

Table 2. Commonly used dimensions (GB/T 1242-2000) [2]

Shape                 Dimensions (width × height), unit: mm
Square                40 × 40, 60 × 60, 80 × 80, 100 × 100, etc.
Rectangular lateral   80 × 40, 120 × 60, etc.
Rectangular upright   40 × 80, 60 × 120, etc.

A manufacturer’s typical mosaic instruments are shown in Fig. 1:

Fig. 1. A manufacturer’s typical mosaic instruments

In Fig. 1, the lamp and alarm lamp are in the first column, pushbutton controls and rotary controls are in the second and third columns, analog and digital indicating instruments are in the fourth column, and the remaining spaces are blank tiles.
Application of Mosaic Instruments on Back-up Panel 211

3.2 Installation of Mosaic Instruments


The installation of conventional instruments can be divided into two parts. As shown in Fig. 2, the lower part is the panel and the upper part is the instrument; cut-outs of different dimensions have to be made in the surface of the panel during engineering design, and whenever new equipment needs to be added, the structure of the panel also has to be changed. The installation of mosaic instruments, however, is divided into three parts, as shown in Fig. 3: the lower part is the panel, the middle part is the grid and the upper part is the instrument. The mosaic instruments are installed on the grid and the grid is then installed on the panel. If the layout of the panel needs to be changed, only the grid needs to be changed, and the grid can be changed easily. So from the installation point of view, mosaic instruments have obvious advantages.

Fig. 2. Installation process of the conventional instruments

Fig. 3. Installation process of the mosaic instruments

4 Design Principles of Human Factors

The design process of the back-up panel over its whole life cycle needs to consider factors such as the task, the work environment, the equipment, the personnel, the organization and support. As human-machine interface equipment, mosaic instruments need to take into account the influence of human factors on the nuclear power plant during the design process.
The TMI nuclear accident in the United States is a typical nuclear accident caused by human failure. After the accident, the Nuclear Regulatory Commission (NRC) first put forward the application of human factors engineering to reduce human error, which was widely adopted by nuclear safety authorities all over the world. Its published NUREG 0700 Rev.2, Human-System Interface Design Review Guideline, is the current comprehensive and detailed human factors engineering criterion and provides a reference basis for human factors engineering design [3]. In addition, China has promulgated the corresponding nuclear safety law HAF J0055-1995, Principles of Human Factors Engineering for control room design of nuclear power plants, which clarifies the principles of human factors engineering design for the human-machine interface equipment in the main control room of a nuclear power plant. Because the nuclear safety law is mandatory, the design principles of the human-machine interface equipment must meet the requirements of HAF J0055-1995; for matters not stipulated in HAF J0055-1995, NUREG 0700 Rev.2 can be referred to for implementation. The users of the BUP in domestic nuclear power stations are Chinese operators, and people in different countries differ to some extent, so in the human factors engineering design those items related to human dimensions need to be implemented on the basis of the standard GB/T 10000-1998, Human Dimensions of Chinese Adults; for matters not stipulated in GB/T 10000-1998, NUREG 0700 Rev.2 can be referred to for implementation.
Because of the complexity of the nuclear power process, different equipment must be operated under different operating conditions, so the quantity of instruments is very large. The designer will choose small-size mosaic instruments as far as possible to meet the spatial layout, and in the end the equipment arrangement on the limited panel surface is more compact. Therefore, in view of the small size of mosaic instruments and the compact panel layout, and according to the requirements of the standards, human factors engineering design can be considered from the aspects of operability, readability and prevention of malfunction.

4.1 Operability
The selected equipment needs to be suitable for human operation and should conform to people’s general operating habits. According to HAF J0055, a control needs to have an appropriate size and an appropriate actuation torque, and NUREG 0700 gives detailed recommended size and torque requirements for controls [4]. Commonly used controls include pushbuttons, rotary selector controls, key-operated controls, etc. Taking the pushbutton as an example, NUREG 0700 indicates that the size of the pushbutton is determined by the operation mode (fingertip, thumb or palm), as shown in Fig. 4.
Resistance should be 10 to 40 oz (2.8 to 11.1 N) for fingertip operation and 10 to 80 oz (2.8 to 22.2 N) for thumb or palm operation [5].
The chosen controls should satisfy the requirements of the standard, but NUREG 0700 is not mandatory, so deviations from NUREG 0700 in the design process need to be approved by the relevant supervising parties, such as the owner company, the upstream design company and the relevant regulatory authority.

                  Diameter (D)                              Displacement (A)
                  Fingertip     Thumb         Palm          Fingertip     Thumb or palm
                  operation     operation     operation     operation     operation
Minimum           10 mm         19 mm         40 mm         2 mm          3 mm
Maximum           25 mm         25 mm         70 mm         6 mm          38 mm

Fig. 4. Recommended dimensions for circular buttons

4.2 Readability
Appropriate and clear identification helps the operator respond to tasks quickly and accurately. The two main factors to consider are the font height and the color contrast.
The font height should not subtend less than 15 min of visual angle as measured at the maximum viewing distance; a visual angle of 20 min is preferred. The design process starts from the size of the mosaic panel, combined with the eye height above the floor from the 5th percentile female to the 95th percentile male, to determine the maximum distance from the eye to the mosaic instrument, and then calculates the minimum font height from the visual angle. The calculation formulas are:
The minimum font height = the farthest viewing distance × 0.004
The best font height = the farthest viewing distance × 0.006
The font height of the same kind of device in the same area should be kept as consistent as possible, to avoid excessive clutter on the panel and reduce the operator’s visual load.
The contrast between the font color and the background color should be obvious; poor-contrast combinations such as red letters on a green background, green letters on a red background, or orange letters on a white background should be avoided.
The detailed requirement of NUREG 0700 is that, for adequate legibility, colored symbols should differ from their color background by a ΔE distance (CIE Yu’v’) of 100 units or more [5].
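As an added worked example (not code from the paper), the following Python carries the readability calculation through: it finds the farthest eye-to-instrument distance over the user population and then the minimum and preferred font heights, both with the paper’s rounded coefficients 0.004 and 0.006 and with the exact visual-angle formula for 15 and 20 arcmin, so the two can be compared. The eye heights and panel geometry used are constructed placeholders, not values from GB/T 10000-1998.

```python
import math

ARCMIN_IN_RAD = math.pi / (180 * 60)

# Visual-angle requirements quoted from NUREG 0700 in the text above.
MIN_VISUAL_ANGLE_ARCMIN = 15.0
PREFERRED_VISUAL_ANGLE_ARCMIN = 20.0

# The paper's rounded coefficients: font height = farthest viewing distance x coefficient.
PAPER_MIN_COEFFICIENT = 0.004
PAPER_BEST_COEFFICIENT = 0.006


def farthest_viewing_distance_mm(eye_heights_mm, instrument_height_mm, horizontal_offset_mm):
    """Largest straight-line eye-to-instrument distance over the user population.

    eye_heights_mm holds the eye heights above the floor for the population
    extremes (in practice the 5th-percentile female and 95th-percentile male
    values taken from GB/T 10000-1998; placeholders are used in __main__).
    """
    return max(math.hypot(horizontal_offset_mm, eye_height - instrument_height_mm)
               for eye_height in eye_heights_mm)


def font_height_for_angle_mm(viewing_distance_mm, visual_angle_arcmin):
    """Character height that subtends visual_angle_arcmin at viewing_distance_mm (exact)."""
    return 2.0 * viewing_distance_mm * math.tan(visual_angle_arcmin * ARCMIN_IN_RAD / 2.0)


def font_heights_mm(viewing_distance_mm):
    """Minimum and preferred font heights by the exact formula and by the paper's coefficients."""
    return {
        "minimum_exact": font_height_for_angle_mm(viewing_distance_mm, MIN_VISUAL_ANGLE_ARCMIN),
        "preferred_exact": font_height_for_angle_mm(viewing_distance_mm, PREFERRED_VISUAL_ANGLE_ARCMIN),
        "minimum_paper": viewing_distance_mm * PAPER_MIN_COEFFICIENT,
        "preferred_paper": viewing_distance_mm * PAPER_BEST_COEFFICIENT,
    }


def lettering_is_legible(font_height_mm, viewing_distance_mm):
    """True when the lettering subtends at least the 15 arcmin minimum at the farthest viewer."""
    return font_height_for_angle_mm(viewing_distance_mm, MIN_VISUAL_ANGLE_ARCMIN) <= font_height_mm


if __name__ == "__main__":
    # Constructed geometry: lettering 1500 mm above the floor, operator standing 900 mm
    # in front of the panel; the eye heights are placeholders, not GB/T 10000 values.
    distance = farthest_viewing_distance_mm((1400.0, 1650.0), 1500.0, 900.0)
    print(f"farthest viewing distance: {distance:.1f} mm")
    for name, value in font_heights_mm(distance).items():
        print(f"{name:16s} {value:6.2f} mm")
```

The exact 15-arcmin coefficient is 2·tan(7.5′) ≈ 0.00436, so the rounded 0.004 yields lettering about 8% smaller than the 15-arcmin minimum; where legibility margin matters, size the font with the exact value and use 0.004 only as a quick estimate.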

4.3 Prevention of Malfunction


HAF J0055 explicitly requires that the probability of a control being accidentally triggered be minimized. In addition to adopting procedures, supervision and other administrative means to prevent wrong operation by personnel, the measures of the equipment itself for the prevention of malfunction should also be considered. At the same time, because of the smaller size of the mosaic instrument and the compact panel layout, it is all the more necessary to consider the prevention of malfunction in the design of mosaic instruments. Therefore, in order to reduce human factor faults and meet the safety requirements of the NPP, prevention of malfunction should be an important design factor in the application of mosaic instruments.
Physical protection and interlock protection are the main protective measures designed for the prevention of malfunction of mosaic instruments.
1. Physical protection
Physical protection measures are designed as follows:
• The controls should keep a distance from the edge of the panel, to prevent a person from touching the equipment while walking past; NUREG 0700 section 11.1.1 gives 75 mm as the minimum reference distance.
• Near the edge of the panel, concave or flat-type controls should be chosen to prevent accidental operation.
• Add a cover on the controls or choose a covered control, so that the control can be operated only after opening the cover.
• Increase the distance between the controls where space permits, in order to prevent the operation of one device from accidentally hitting another device.
2. Interlock protection
Interlock protection is mainly achieved by adding interlock logic between different controls.
The equipment control order, the release order and the BUP operation mode signal are combined by AND interlock logic: only when the BUP operation mode is active and the release order button and the equipment control are pushed at the same time can the order of the equipment control be performed. The BUP operation mode is achieved by three self-retaining controls that perform 2-out-of-3 logic: at least two controls must be set to BUP mode to trigger the BUP operation mode, which ensures that the BUP operation mode is a genuine signal, while even if one of them is faulty the BUP mode can still be triggered normally. The release order is achieved by two self-resetting buttons that perform OR logic. If only one release button were designed, then once that button failed the equipment control order could not be sent, so redundant release buttons are necessary. The detailed design measure is shown in Fig. 5.
Physical protection and interlock protection complement each other; both serve to prevent malfunction of mosaic instruments and so ensure the safety and reliability of the NPP.

Fig. 5. Interlock protection measure
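The interlock described above, modelled in Python as an added example (this is not the paper’s design logic nor any vendor’s implementation; the input names mode1..mode3, release1, release2 and control are assumed). Besides evaluating the AND / 2-out-of-3 / OR combination, it checks the two properties the redundancy is meant to give: no single interlock input stuck at 0 blocks a legitimate command, and no single spurious input issues a command from the idle state. It also brute-forces the smallest number of simultaneously spurious inputs that would issue a command.

```python
from itertools import combinations

INTERLOCK_INPUTS = ("mode1", "mode2", "mode3", "release1", "release2")
ALL_INPUTS = INTERLOCK_INPUTS + ("control",)


def bup_mode_active(mode_switches):
    """BUP operation mode: 2-out-of-3 vote over the three self-retaining mode selectors."""
    if len(mode_switches) != 3:
        raise ValueError("the BUP mode is voted over exactly three selectors")
    return sum(1 for s in mode_switches if s) >= 2


def release_active(release_buttons):
    """Release order: OR of the two self-resetting release pushbuttons (redundant)."""
    if len(release_buttons) != 2:
        raise ValueError("two release buttons are expected")
    return any(release_buttons)


def command_permitted(mode_switches, release_buttons, control_pressed):
    """AND interlock: BUP mode AND release order AND the equipment control itself."""
    return bup_mode_active(mode_switches) and release_active(release_buttons) and bool(control_pressed)


def _evaluate(state):
    """state maps each input name (see ALL_INPUTS) to 0 or 1."""
    modes = [state["mode1"], state["mode2"], state["mode3"]]
    releases = [state["release1"], state["release2"]]
    return command_permitted(modes, releases, state["control"])


def single_failure_analysis():
    """Stuck-at-0 on one interlock input must not block a legitimate command;
    a single spurious 1 from the idle state must not issue a command."""
    all_on = {name: 1 for name in ALL_INPUTS}
    all_off = {name: 0 for name in ALL_INPUTS}
    blocked = []
    for name in INTERLOCK_INPUTS:  # the control itself stuck at 0 is simply "not commanded"
        faulty = dict(all_on, **{name: 0})
        if not _evaluate(faulty):
            blocked.append(name)
    spurious = []
    for name in ALL_INPUTS:
        faulty = dict(all_off, **{name: 1})
        if _evaluate(faulty):
            spurious.append(name)
    return {"blocked_by_single_stuck_off": blocked, "issued_by_single_spurious_input": spurious}


def min_spurious_inputs_to_command():
    """Smallest number of inputs that must be spuriously 1 (from idle) to issue a command."""
    all_off = {name: 0 for name in ALL_INPUTS}
    for k in range(1, len(ALL_INPUTS) + 1):
        for subset in combinations(ALL_INPUTS, k):
            if _evaluate(dict(all_off, **{name: 1 for name in subset})):
                return k
    return None


if __name__ == "__main__":
    print(single_failure_analysis())
    print("spurious inputs needed to issue a command:", min_spurious_inputs_to_command())
```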

5 Principles of Independence

IEEE 384-2008, Criteria for Independence of Class 1E Equipment and Circuits, requires that physical separation and electrical isolation be provided to maintain the independence of Class 1E circuits and equipment for their proper safety function, so that the safety functions required during and following any design basis event can be accomplished [6].
As safety class equipment, the back-up panel must meet the requirements of independence in the design process.
Independent design should be considered between the following types of mosaic instruments:
• Equipment of safety class and equipment of non-safety class;
• Equipment in different trains of the same safety class.
The main methods of achieving independence are physical separation and electrical isolation.

5.1 Physical Separation


Physical separation is needed between mosaic instruments performing safety and non-safety functions, as well as between different trains of safety class equipment; the cables connected to the mosaic instruments are also required to meet the physical separation requirement.
Physical separation is realized mainly by separation distance, by barriers, or by a combination of the two. The BUP belongs to a nonhazard area, so according to IEEE 384-2008 the minimum separation distances are as shown in Table 3:

Table 3. Minimum separation distances for nonhazard areas

Configuration                       Horizontal          Vertical
Open to open                        2.5 cm (1 inch)     7.6 cm (3 inch)
Enclosed to enclosed                2.5 cm (1 inch)     2.5 cm (1 inch)
Enclosed to open                    2.5 cm (1 inch)     7.6 cm (3 inch) a
a Vertical separation may be reduced to 2.5 cm (1 inch) if the enclosed is below the open [6].

Where the minimum separation distance cannot be satisfied, barriers such as metal ducts, metal covers and metal flexible pipes should be set up between the items of equipment that need to be separated.

5.2 Electrical Isolation


Electrical isolation is mainly achieved through an isolation device between two electrical circuits, to prevent a failure in one circuit (such as EMI, electrostatic accumulation, short circuit, open circuit, grounding, and maximum credible voltage) from resulting in an unacceptable consequence in the other circuit [7].
IEEE 384-2008 gives some acceptable isolation devices, mainly including amplifiers, control switches, current transformers, fiber-optic couplers, photo-optical couplers, relays, transducers, power packs, circuit breakers, etc. Meanwhile the standard requires that the isolation devices be considered part of the safety class circuit.
Considering the functional characteristics of the BUP, a mosaic instrument that has only one signal belongs either to the safety class or to the non-safety class; it is not possible for the signal to be safety class and non-safety class at the same time. So for these instruments physical separation is the only factor that needs to be considered to satisfy the independence principle. For instruments that have two or more signals, the signals connected to the instrument may not all belong to the same class. Controls generally have several contacts, and during the design process some contacts of a control may need to be connected to the safety class distributed control system (DCS) while the other contacts are connected to the non-safety class DCS. If all the contacts were connected directly to the safety and non-safety class DCS, the distance between the different contacts would be so short that the physical separation requirement of IEEE 384 could not be satisfied, so for this type of instrument the electrical isolation method shown in Fig. 6 is proposed.

Fig. 6. Method of electrical isolation for controls

As shown in Fig. 6, the contact 1 signal is connected directly to the safety class DCS, while contact 2 is isolated by a safety class isolation relay and then transmitted to the non-safety class DCS. Because of the added safety class isolation relay, contacts 1 and 2 both belong to the safety class. The requirements of physical separation and electrical isolation between safety class and non-safety class signals described in IEEE 384 are thus met at the same time.

6 Disadvantages

The advantages of mosaic instruments are very prominent, but there are also disadvantages in project implementation, mainly in the following areas:
• Conventional instruments use labels for identification, which can be replaced freely, but mosaic instruments use a spray-printing process; as there is no domestic supplier that meets the requirements of the nuclear standards, all products have to be imported, so even a change of one device code causes a long manufacturing period and high cost.
• When the panel layout is compact, due to the small size of the mosaic instruments the minimum separation distance required by IEEE 384 cannot be met, and a large number of metal covers and metal flexible pipes have to be designed to achieve the independence of instruments and cables.

7 Summary

In order to ensure the safety and reliability of the nuclear power plant, the engineering design not only needs to follow the human factors regulations and standard requirements to reduce human error, but also needs to consider the independence between safety class and non-safety class instruments and the independence between different trains of the safety class. Mosaic instruments are favored by many nuclear power plants because of their simple installation, strong expandability and neat surface, but their shortcomings cannot be ignored either, and the pros and cons need to be weighed to choose the right type. With the development of nuclear power in China, mosaic instruments will be a new option for nuclear power plants.

References
1. IEC 61554: Panel mounted equipment - Electrical measuring instruments - Dimensions for panel mounting. International Electrotechnical Commission (1999)
2. GB/T 1242: Dimensions for panel mounted indicating and recording electrical measuring instruments (2000)
3. Yang, H.L., et al.: Discussion on verification criterion and method of human factors engineering for nuclear power plant controller. Atomic Energy Sci. Technol. 48(Suppl.), 1043–1047 (2014)
4. HAF J0055: Principles of Human Factors Engineering for control room design of nuclear power plants (1995)
5. NUREG 0700 Rev.2: Human-system interface design review guideline. U.S. Nucl. Regul. Comm. (AAA, 2211) (2002)
6. IEEE 384: Criteria for Independence of Class 1E Equipment and Circuits. The Institute of Electrical and Electronics Engineers (2008)
7. Lu, C., et al.: Independence Design of Safety Class DCS System in Nuclear Power Plant. Nucl. Sci. Eng. 32(Suppl. 2), 222–230 (2012)
Equipment Qualification and Methods Application for Class 1E Digital Instrumentation and Control System

Jin Fan1, Liang Li2(&), Yong-Bin Sun3, and Hua-Ming Zou3

1 China Nuclear Power Engineering Co., Ltd., Beijing 100840, China
2 Nuclear and Radiation Safety Center, MEP, Beijing 100082, China
liliangfj@126.com
3 China Techenergy Co. Ltd., Beijing 100094, China

Abstract. Based on a comparison of the existing and effective standards for equipment qualification of Class 1E digital instrumentation and control systems at home and abroad, this paper puts forward the qualification standards applicable in China. Four qualification methods have been proposed in IEEE 323 and GB/T 12727; for reasons of economy, time and effective models, combined methods are commonly used. Combined methods analyze the qualification standards, functions, operational data, test indicators and empirical feedback of equipment that has been certified and put into operation, and then analyze the suitability of the analogous equipment qualification in order to determine the qualification test items that cannot meet the requirements of the technical specifications. The performance of the analogous equipment is proved by the results of supplementary qualification test items. For technically mature products, combined methods can reduce the number of equipment qualification test items, thus reducing test cost and speeding up the project.

Keywords: Digital instrumentation and control system · Equipment qualification · Standard · Combined methods

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 219–225, 2019.
https://doi.org/10.1007/978-981-13-3113-8_25

1 Introduction

According to the directory of civil nuclear safety equipment issued by the National Nuclear Safety Administration (revised in 2016), the Class 1E DCS belongs to the category of instrument and control system cabinet equipment among 1E electrical equipment [1]. It is the central nervous system of a nuclear power plant and is used to ensure the plant’s safe and stable operation. Therefore, it is necessary to verify through equipment qualification that its design is consistent with its reliability goals. Equipment qualification can be used to prove that there are no design defects, manufacturing defects, or defects caused by improper storage and transportation that might cause the equipment to fail [2].
With the acceleration of the domestic production of Class 1E DCS equipment, it is urgently necessary to form a complete system of independent nuclear power equipment qualification standards suited to China’s national conditions. The Chinese standard GB/T 12727 is equivalent to IEC 60780 and is one of the promulgated Class 1E equipment qualification standards [3]; other specific qualification standards should meet the requirements of GB/T 12727. Comparing GB/T 12727, IEEE 323 and RCC-E volume B, GB/T 12727 and RCC-E volume B are basically the same in terms of the principles and methods of Class 1E DCS equipment qualification, and GB/T 12727 is basically the same as IEEE 323 in terms of the procedures for qualifying Class 1E DCS equipment. Therefore, given that the domestic downstream qualification standards are compiled with reference to the IEEE standards, IEEE 323 can be used as the guideline standard for the qualification of domestic Class 1E DCS equipment.

2 Methods of Equipment Qualification

The United States Nuclear Regulatory Commission’s NUREG-0800 Chapter 7 provides management guidelines related to instrumentation and control systems [4]. Four qualification methods have been proposed in IEEE 323 and GB/T 12727, namely demonstration analysis, operating experience, type test, and combined methods [5]. Among them, the characteristics of demonstration analysis, operating experience and type test are shown in Table 1.

Table 1. Characteristics of equipment qualification methods

Method                   Characteristics
Demonstration analysis   Combined with the operating experience and test data, a mathematical model is used for logical derivation, and the performance of the equipment is proved
Operating experience     The performance of analogous equipment is proved by collecting and analyzing the data on the approximate equipment’s stable operation in a harsh environment
Type test                On the basis of clarifying the mechanism of aging, an accelerated aging method is used to simulate the equipment capability in a specific operating environment

For different types of equipment, demonstration analysis needs to establish mathematical models of different degrees of complexity; based on operational experience and test data, logical derivation is carried out to prove the performance of the equipment. This method is difficult and its analysis results are not credible enough. Operating experience proves the performance of the analogous equipment by collecting and analyzing data on the approximate equipment running stably in a harsh environment. This method is vulnerable to the limitations of the approximate equipment’s operating data, and the reliability of its analysis results is likewise not credible enough. Type test examines the environmental conditions that may be experienced during operation of the equipment by simulating the actual operating conditions. The environmental conditions are based on the equipment qualification outline and include a certain qualification margin, to prove that the equipment can complete the expected functions under such conditions; at the same time, it verifies whether the equipment meets the requirements of the technical specifications for the nuclear power plant. The analysis results of this method are highly reliable, but the test cost is high.
So in the course of implementation, because of factors such as economy, time and effective models, it is rare to use only one of the methods described in Table 1 for qualification; it is common to use a combination of these methods. Because the environmental characteristics of equipment differ, the emphasis of the combined methods applied to equipment qualification also differs.

3 Combined Methods

Combined methods first analyze the qualification standards, functions, operational data, test indicators and empirical feedback of the equipment that has been certified and put into operation, and then analyze the suitability of the analogous equipment qualification, so as to determine the qualification test items that cannot meet the requirements of the technical specifications. The performance of the analogous equipment is proved by the results of the supplementary qualification test items.
Since nuclear power plant Class 1E DCS equipment, apart from physical variable detection equipment and actuators, is generally installed among electrical equipment in ventilated and air-conditioned rooms, its operating conditions are a mild environment. For mild-environment equipment, if the aging mechanism of the equipment has no seismic correlation and its aging parameters are detectable, qualification can be achieved by improving the quality assurance system for equipment design, manufacturing, storage, transportation, installation and commissioning, by regular performance monitoring and fault trend analysis, and by seismic qualification [6].

4 Application of Combined Methods

The DCS equipment manufacturer has obtained the civil nuclear safety electrical equipment design and manufacturing license issued by the National Nuclear Safety Administration of China; the typical equipment named in it is the Class 1E digital control and protection system cabinet. According to the requirements of units 3 and 4 of the Fangchenggang nuclear power plant, the typical equipment to be added is the Class 1E chilled water system cabinet. The manufacturer adopts combined methods to analyze the applicability of the qualification standards, quality assurance process, product type, functional performance, test conditions and application hardware configuration.
Standards for equipment qualification and testing are selected at three levels: main body standards, guidance and specific standards, and general implementation standards. The standards adopted for the Class 1E chilled water system cabinet are in line with those adopted for the Class 1E digital control and protection system cabinet, and the required functions and performance are covered by the products whose qualification has been completed. The Class 1E chilled water system cabinet adopts the Class 1E instrument and control platform (FirmSys) products that have been officially released and applied to the Class 1E digital control and protection system cabinet; the scope, functionality, performance and operating environment of these products have been verified in their application in multiple nuclear power plants. There is no new product development activity in the design and manufacture of the Class 1E chilled water system cabinet, and no new types of outsourced components are added.
The qualification test items based on the IEEE 323 requirements are shown in Table 2. By comparing the test conditions of the qualification test items of the Class 1E digital control and protection system cabinet and the Class 1E chilled water system cabinet, it is concluded that only the seismic test item cannot be fully enveloped. The floor response spectrum used in the qualification of the Class 1E digital control and protection system cabinet has a maximum acceleration of 5.365 g in the horizontal direction and 2.885 g in the vertical direction, while the floor response spectrum of the Class 1E chilled water system cabinet has a maximum horizontal acceleration of 6.4 g and a maximum vertical acceleration of 3.2 g. Therefore, it is necessary to carry out an additional seismic test for the Class 1E chilled water system cabinet.

Table 2. Test items for equipment qualification of Class 1E DCS

Type of test                                                     Items of test
Benchmark function test under normal environmental conditions    Performance or functional tests, dielectric strength, insulation resistance, grounding continuity
Tests under extreme environmental conditions                     Environmental temperature test, alternating humidity and heat test, electromagnetic compatibility test, long-term operation test, load test
Non-seismic mechanical vibration test                            Vibration test
Simulated accident conditions test                               Seismic test

Since the SSE is twice the OBE, the OBE is taken as an example to compare the response spectra, as shown in Figs. 1 and 2.

Fig. 1. Comparison of horizontal response spectrum for seismic test

Fig. 2. Comparison of vertical response spectrum for seismic test

In the course of the seismic qualification test, the first dynamic characteristic exploration is carried out, and the condition of the equipment is monitored after the thermal start of the seismic table is confirmed to be normal. After the test personnel and test instruments are in normal working condition, the shock wave is input according to the required response spectrum, and 5 OBE tests and 1 SSE test are conducted. After the OBE and SSE tests, the inspection was completed and the second dynamic characteristic exploration was performed. The fundamental natural frequencies of the Class 1E chilled water system cabinet (calculated at the top of the cabinet) in the X, Y and Z directions are 33.75 Hz, 16.78 Hz and 33 Hz. The fundamental natural frequency in all three directions lies outside the dominant frequency band of the seismic wave. The test response spectrum (TRS) measured on the seismic table envelopes the required response spectrum (RRS); the envelope situation is shown in Figs. 3 and 4. The test results show that the Class 1E chilled water system cabinet meets the requirements of the technical specifications of units 3 and 4 of the Fangchenggang nuclear power plant.

Fig. 3. TRS envelope of RRS for OBE artificial seismic waves

Fig. 4. TRS envelope of RRS for SSE artificial seismic waves
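The two envelope checks at the heart of the combined-methods case above, in Python, as an added example (not the manufacturer’s or the paper’s code): first, the screening of completed-qualification conditions against the new requirement item by item, which flags the items that need a supplementary test (the seismic peak accelerations are the values stated in the text; the temperature item is a constructed placeholder); second, the TRS-versus-RRS envelope test of a seismic run, evaluated on the union of both spectra’s breakpoints with log-log interpolation so that a TRS dip between RRS points is not missed. The spectra are constructed sample data, not the Fangchenggang test data.

```python
import math

# Floor-response-spectrum peak accelerations quoted in the text (g): the previously
# qualified control and protection cabinet versus the chilled water cabinet requirement.
QUALIFIED_PEAK_G = {"horizontal": 5.365, "vertical": 2.885}
REQUIRED_PEAK_G = {"horizontal": 6.4, "vertical": 3.2}

# Constructed item table: name -> (conditions already qualified, conditions required).
# Every condition is expressed so that a larger value is more demanding.
SAMPLE_ITEMS = {
    "seismic": (QUALIFIED_PEAK_G, REQUIRED_PEAK_G),
    "environmental temperature": ({"max_temperature_c": 50.0}, {"max_temperature_c": 45.0}),  # placeholder
}


def scalar_item_enveloped(qualified, required):
    """A test item is covered when every required value is at most the qualified value."""
    return all(qualified[key] >= required[key] for key in required)


def items_needing_supplementary_test(items):
    """Names of the items whose completed qualification does not envelope the new requirement."""
    return [name for name, (qualified, required) in items.items()
            if not scalar_item_enveloped(qualified, required)]


def interpolate_loglog(points, freq):
    """Log-log interpolation of a spectrum given as (frequency Hz, acceleration g) pairs;
    values outside the tabulated range are clamped to the end points."""
    points = sorted(points)
    if freq <= points[0][0]:
        return points[0][1]
    if freq >= points[-1][0]:
        return points[-1][1]
    for (f0, a0), (f1, a1) in zip(points, points[1:]):
        if f0 <= freq <= f1:
            t = (math.log(freq) - math.log(f0)) / (math.log(f1) - math.log(f0))
            return math.exp(math.log(a0) + t * (math.log(a1) - math.log(a0)))
    raise ValueError("unreachable: frequency lies inside the tabulated range")


def spectrum_shortfalls(trs, rrs, margin=1.0):
    """Frequencies at which TRS < margin * RRS, as (freq, trs, required) tuples.
    Checked at every breakpoint of both spectra; an empty list means TRS envelopes RRS."""
    freqs = sorted({f for f, _ in trs} | {f for f, _ in rrs})
    shortfalls = []
    for f in freqs:
        got = interpolate_loglog(trs, f)
        need = margin * interpolate_loglog(rrs, f)
        if got < need:
            shortfalls.append((f, round(got, 3), round(need, 3)))
    return shortfalls


# Constructed OBE-level spectra (Hz, g). TRS_LOW dips below the RRS at a breakpoint (12 Hz)
# that the RRS grid alone would not visit.
RRS = [(1, 0.5), (2, 1.0), (4, 2.0), (8, 3.0), (16, 3.0), (33, 2.0), (100, 2.0)]
TRS_OK = [(1, 0.6), (2, 1.3), (4, 2.5), (8, 3.6), (16, 3.4), (33, 2.4), (100, 2.2)]
TRS_LOW = [(1, 0.6), (2, 1.3), (4, 2.5), (8, 3.6), (12, 2.9), (16, 3.1), (33, 2.4), (100, 2.2)]

if __name__ == "__main__":
    print("items needing supplementary test:", items_needing_supplementary_test(SAMPLE_ITEMS))
    print("TRS_OK shortfalls:", spectrum_shortfalls(TRS_OK, RRS))
    print("TRS_LOW shortfalls:", spectrum_shortfalls(TRS_LOW, RRS))
```

The `margin` argument lets the same check demand a qualification margin above the RRS, as the type-test discussion earlier in the paper calls for; with the default of 1.0 it is the plain envelope test.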

5 Conclusions

Through a comparative study of the domestic and foreign standards for equipment qualification, it is proposed that the IEEE standards are applicable to the qualification of Class 1E DCS equipment in China, and that IEEE 323 can be used as the guideline standard.
Through combined-methods analysis, some test items can be avoided, and the reduction of test items reduces the test cost accordingly. The combined methods have reference value for simplifying the supervision and management process of the Chinese nuclear safety regulatory agency and for speeding up the application for license changes by Class 1E DCS equipment manufacturers.

References
1. Directory of civil nuclear safety equipment (Revised in 2016). National Nuclear Safety Administration, Beijing, China (2016)
2. Li, M.C., Lin, J., Fu, M.X., et al.: Qualification test on class 1E charger and inverter in nuclear power plant. Nucl. Saf. 13(2), 77–82 (2014)
3. Huang, W.J., Zhang, M., Zhang, Y.B., et al.: A preliminary study on qualification of instrumentation and control system for nuclear power plants. Nucl. Power Eng. 35(6), 111–114 (2014)
4. NUREG 0800-S7: Standard review plan section 7. Washington D.C., U.S. (2005)
5. IEEE Std. 323-2003: IEEE standard for qualifying class 1E equipment for nuclear power generating stations. New York, U.S. (2004)
6. Fang, Q.X., Sun, Z.Z., et al.: Seismic qualification of Class 1E equipment. In: Mechanics 2000 Academic Conference Proceedings, pp. 669–670 (2000)
Study on Itemized Requirements of Safety Digital I&C System in NPP

Tao Bai1(&), Ji-Xiang Shu2, Peng-Fei Gu1, and Ya-Nan He1

1 State Key Laboratory of Nuclear Power Safety Monitoring Technology and Equipment, I&C Equipment Qualification and Software V&V Laboratory, China Nuclear Power Engineering Co., Ltd., Shenzhen 518172, Guangdong, China
tao_bai@cgnpc.com.cn
2 Shenzhen Middle School, Shenzhen, China

Abstract. Software reliability for digital instrumentation and control (I&C) systems is critical, since a software malfunction may cause a wrong action and endanger the nuclear power plant. Software verification and validation (V&V) is an effective means of improving software reliability. With further research on safety-critical software used in NPPs, the quality of V&V has become a key concern of safety regulatory authorities around the world. Traceability is the basic requirement on I&C functions during life cycle V&V activities. In this paper, the necessity of implementing itemized requirements on I&C functions is studied according to the nuclear safety regulations and related standards. Moreover, key points of itemized requirements are proposed by drawing on CPR1000 NPP project experience. They help to ensure software V&V quality with a proper workload.

Keywords: Digital I&C system · Safety software · Software life cycle · Itemized requirements · Verification and validation

1 Introduction

Nowadays, more and more digital instrumentation and control (I&C) systems are adopted by nuclear power plants (NPPs). In particular, the safety-critical digital protection system is used as a critical safeguard against severe accidents such as reactor core damage and release of radioactive materials. The control functions are realized by software executed on a CPU, and a software malfunction may cause a wrong action and endanger the plant. Therefore, software reliability for digital I&C systems is critical to the safety of NPPs. Unlike the stochastic failure of analog I&C systems, software failure may be caused by systematic design faults, human error and tool failure. Some traditional reliability analysis methods for analog (hardware) systems are not applicable to software, and qualitative and quantitative software reliability analysis methods are still under discussion. The consensus among experts worldwide is that rigorous life cycle quality management, and verification and validation (V&V), are presently the most effective ways to improve software reliability. With further research on safety-critical software used in NPPs, the quality of V&V has become a key concern of safety regulatory authorities around the world.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 226–232, 2019.
https://doi.org/10.1007/978-981-13-3113-8_26
According to the requirements of nuclear safety regulations and related standards,
some mandatory software V&V activities through life cycle phases are defined for the
different safety-graded software explicitly [1–4]. For safety-critical software, the
required scope, intensity and degree of rigor associated with the V&V activities and
tasks are the highest among all graded I&C systems. It should be mentioned that
traceability analysis is the most basic one for safety-critical software and I&C systems
and affects the quality of other V&V activities directly. Traceability analysis is also
required by EUR [5]. It is used to confirm implementation and validation of require-
ments, where neither any extra function is allowed, nor is any necessary function
missed. The quality of traceability analysis depends on the granularity of itemized I&C
function requirements. The finer granularity of itemized I&C function requirements is,
the easier it is to find the potential software failure, and the higher quality the trace-
ability analysis gets. However, it also means heavier burden of V&V activity. There-
fore how to effectively itemize I&C functions is an important question.
In this paper, the V&V activities through the software life cycle required by nuclear safety regulations and standards are analyzed in Sect. 2. The necessity of implementing itemized requirements on I&C functions during the software development life cycle is studied according to the nuclear safety regulations and related standards in Sect. 3. Moreover, key points of itemized requirements are proposed from NPP project experience in Sect. 4. Finally, Sect. 5 gives the conclusion.

2 Software Life Cycle

ISO/IEC 12207 defines the software life cycle processes at a high level and their
corresponding minimum tasks, but how to perform these tasks is not given clearly [6].
As shown in Fig. 1, V&V processes related to the software life cycle are defined in
IEEE 7-4.3.2 and IEEE std. 1012 [2, 3]. Seven processes for software life cycle are
defined, including Acquisition, Supply, Development, Operation, Maintenance,
Organizational and Other Supporting. Moreover, Development Processes are divided
into six phases further, i.e., Concept, Requirements, Design, Implementation, Test, and
Installation and checkout. Different mandatory V&V activities and tasks with their
assessment criteria are defined for safety-graded software as part of the software life
cycle explicitly. Verification of a software product of a phase should be performed
before the start of the next phase and shall be performed before the completion of the
next phase, as required by IEC 60880 [4].
In each phase of software life cycle, software fault or failure is inevitable because of
human error, systematic design fault and tools failure. Software reliability qualitative
analysis and quantitative analysis methods have not been accepted universally.
Therefore, feasible and practical measures focus on the product quality of each phase. V&V activities should be performed to ensure that the product of each phase meets the requirements of its inputs and that no new errors are introduced, so that the reliability of the final product is kept within the acceptable level.
As the most basic requirement, the documentation of each I&C function should be traceable throughout the software life cycle. Traceability analysis should be performed to demonstrate that each I&C function integrated in the digital I&C system is complete with respect to its system design specification; that is, no extra function is allowed, and no necessary function is missed. However, the granularity of itemized I&C function requirements directly affects the quality of V&V activities, especially of traceability analysis. Therefore, how to effectively itemize I&C functions is an important issue.

Fig. 1. Software life cycle processes according to ISO/IEC 12207: Acquisition, Supply, Development, Operation, Maintenance, Organizational, and Other Supporting processes (the figure lists Documentation, Configuration Management, Quality Assurance, Management, Process Review, Problem Resolution, ...). The IEEE 1012/IEEE 7-4.3.2 software V&V process, with its V&V activities and V&V tasks, supports all life cycle processes.

3 Necessities of Itemized Requirements

IEEE has published a series of standards on recommended practice for software development documentation, such as IEEE Std. 1233, IEEE Std. 830 and IEEE Std. 1016 [7–9]. In practice, however, development teams do not comply strictly with these standards and do not structure their software documents hierarchically according to software quality characteristics.
Fig. 2 shows an example: the maintenance tool design of the digital protection system for a CPR1000 NPP in the software concept phase. On the one hand, the design description of functions, interfaces, separation and isolation for the maintenance tool is mixed in one paragraph. On the other hand, the function interfaces with on-line monitoring, diagnosis and parameter calibration are not given, and have to be searched for and checked by the V&V team in other parts of the documents. As a result, the traceability analysis is burdened and the quality of the V&V activity may decrease.
The maintenance tool performs on-line monitoring, diagnosis and parameter calibration through the maintenance network for the safety-critical distributed control system. Because the maintenance tool is non-safety-related, physical separation and electrical isolation from the safety-critical systems are realized by the following measures (detailed information omitted).

Fig. 2. Snapshot of maintenance tool design description

4 Discussions on Itemized I&C Requirements

Drawing on NPP project experience, the difficulties of itemized I&C requirements are discussed and key points are proposed for the implementation of itemized I&C function requirements.

4.1 Difficulties of Itemized I&C Requirements


According to our practical experience, the following difficulties are summarized.
(1) Granularity of itemized I&C function requirements
As in the example of the previous section, if one paragraph is defined as a traceable item, one-to-many mappings will exist in the traceability matrix, and some subtle but important information may be overlooked among the traceable items. This means the itemized I&C function requirements are coarse and hard to manage effectively.
Conversely, the finer the granularity of itemized I&C function requirements, the easier potential software failures are found and the higher the quality of the traceability analysis; however, this also increases the workload of the V&V team.
(2) Identification number coding rules for itemized I&C function requirements
It is necessary to define well-defined and readable identification number coding rules for itemized I&C function requirements. Unfortunately, in practice the traceable items are either not coded or are coded without uniform rules across different projects. Which key information should be encoded, such as the system, sub-system or component, the quality characteristic and so on, needs to be studied.
(3) Itemized requirements for I&C diagrams
Compared with textual descriptions of I&C functions, diagrams are more accurate, more intuitive and easier to understand. Many kinds of I&C diagrams are used in project practice, including Logic Diagrams (LD), Analog Diagrams (AD), Function Diagrams (FD) and Configuration Diagrams. There are nearly ten thousand pages of I&C diagrams for the safety-critical I&C system. Each page may contain a large amount of data, such as functions, interfaces and setting values. If one page is defined as a traceable item, much of this data may easily be ignored. The pages of I&C diagrams are also strongly correlated with each other, so it is hard to analyze traceability among the diagrams. Moreover, it is very hard to trace the relationship between documents and diagrams because of their completely different ways of expression.

4.2 Key Points of Itemized I&C Requirements


Good practice on itemized I&C requirements can be learned from some new-generation NPP projects. Their document architecture is defined, and I&C requirements are itemized, refined and marked with specific identification numbers. Itemized I&C requirements in upstream documents are inherited explicitly by downstream documents, which makes it easy for the V&V team to trace and review them.
Based on the above discussion, an itemized scheme for I&C requirements is pro-
posed. Its key points are listed as follows.
(1) To specify a new document architecture in which I&C requirements are itemized according to the quality characteristics defined in NUREG-0800 BTP 7-14, shown in Table 1 [10].
(2) To define four-segment identification number coding rules as shown in Fig. 3. The first segment identifies the I&C system, such as RPR for the reactor protection system in CPR1000 NPPs. The second segment marks the document produced in each development phase, as shown in Table 2. The third segment identifies the quality characteristic in Table 1, and the last segment is the serial number within that quality characteristic.
(3) To define four-segment identification number coding rules for the signals and parameters of each I&C function requirement, which are also critical and should be checked and traced during V&V. As shown in Fig. 4, the first segment identifies the system or equipment that generates the signal or uses the parameter. The second segment defines the signal type, such as input signal (AI, DI), output signal (AO, DO) or parameter (PAR). The third segment identifies the signal characteristic, such as FLW for flow, MT for temperature measurement or PP for primary pump. The last segment is the serial number within that signal characteristic.

Table 1. Quality characteristics in NUREG-0800 BTP 7-14

Quality characteristic    Quality identifier
Accuracy                  QACC
Capacity                  QCAP
Functionality             QFUN
Reliability               QREL
Robustness                QROB
Safety                    QSAF
Security                  QSEC

XXX – XXX – XXX – XXX
(System Identifier – Document Identifier – Quality Identifier – Serial Number)

Fig. 3. Identification number coding structure of itemized I&C requirements

Table 2. Definition of document identifier

Phase of development process    Document identifier
Concept                         SyREQ, SyDES
Requirements                    SfREQ
Design                          SfDES
Implementation                  CmTST
Test                            SfTST, SyTST

XXX – XXX – XXX – XXX
(System or Equipment Identifier – Signal Type or Parameter Identifier – Signal Characteristic Identifier – Serial Number)

Fig. 4. Identification number coding structure of signals and parameters

(4) To use a dedicated requirements management tool such as DOORS, which supports authoring itemized I&C requirements and generating their identification numbers automatically.
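The coding rules in items (2) and (3) and the two-directional traceability check of Sect. 2 (no extra function, no missing function) can be mechanized. The following Python script is an added example written for this edition, not code from the paper, from DOORS or from any project: it validates four-segment identifiers against Fig. 3 (with Tables 1 and 2) and Fig. 4, then walks a traceability matrix and reports downstream items with no upstream source and upstream items that nothing inherits. The segment widths in the regular expressions, the phase ordering used to reject backward links, and the sample matrix are assumptions for illustration; the paper fixes only the segment order and the identifier vocabularies.

```python
"""Identifier coding and traceability check for itemized I&C requirements.

Added example, not code from the paper: it encodes the four-segment
identifier rules of Fig. 3 (SYSTEM-DOCUMENT-QUALITY-SERIAL, document
identifiers from Table 2, quality identifiers from Table 1) and Fig. 4
(SYSTEM-TYPE-CHARACTERISTIC-SERIAL for signals and parameters), then checks
a traceability matrix in both directions. Segment widths, the phase order
and the sample matrix are assumptions for illustration.
"""
import re
from collections import defaultdict

# Table 1: quality characteristics of NUREG-0800 BTP 7-14
QUALITY_IDS = {"QACC": "Accuracy", "QCAP": "Capacity", "QFUN": "Functionality",
               "QREL": "Reliability", "QROB": "Robustness", "QSAF": "Safety",
               "QSEC": "Security"}
# Table 2: document identifier -> development phase that produces it
DOC_PHASE = {"SyREQ": "Concept", "SyDES": "Concept", "SfREQ": "Requirements",
             "SfDES": "Design", "CmTST": "Implementation",
             "SfTST": "Test", "SyTST": "Test"}
PHASE_RANK = {p: i for i, p in enumerate(
    ["Concept", "Requirements", "Design", "Implementation", "Test"])}
SIGNAL_TYPES = {"AI", "DI", "AO", "DO", "PAR"}

# Segment widths are an assumption; the paper only fixes the segment order.
ITEM_RE = re.compile(r"^(?P<system>[A-Z]{2,4})-(?P<doc>[A-Za-z]{5})-"
                     r"(?P<quality>Q[A-Z]{3})-(?P<serial>\d{3,})$")
SIGNAL_RE = re.compile(r"^(?P<system>[A-Z0-9]{2,4})-(?P<type>[A-Z]{2,3})-"
                       r"(?P<char>[A-Z]{2,4})-(?P<serial>\d{3,})$")


def parse_item_id(item_id):
    """Split an itemized-requirement identifier (Fig. 3) into its segments
    and attach the development phase; raise ValueError on a coding error."""
    m = ITEM_RE.match(item_id)
    if not m:
        raise ValueError(f"{item_id}: not SYSTEM-DOCUMENT-QUALITY-SERIAL")
    seg = m.groupdict()
    if seg["doc"] not in DOC_PHASE:
        raise ValueError(f"{item_id}: unknown document identifier {seg['doc']}")
    if seg["quality"] not in QUALITY_IDS:
        raise ValueError(f"{item_id}: unknown quality identifier {seg['quality']}")
    seg["phase"] = DOC_PHASE[seg["doc"]]
    return seg


def parse_signal_id(signal_id):
    """Split a signal/parameter identifier (Fig. 4); raise ValueError on a
    coding error."""
    m = SIGNAL_RE.match(signal_id)
    if not m:
        raise ValueError(f"{signal_id}: not SYSTEM-TYPE-CHARACTERISTIC-SERIAL")
    seg = m.groupdict()
    if seg["type"] not in SIGNAL_TYPES:
        raise ValueError(f"{signal_id}: unknown signal type {seg['type']}")
    return seg


def trace_check(matrix):
    """matrix: {item_id: set of upstream item_ids it inherits from}.

    Returns {finding: sorted list}. Findings: invalid (coding error),
    dangling (link to an unknown item), backward (link not to an earlier
    phase), extra (non-Concept item with no upstream source, i.e. a function
    nobody asked for), missing (item before the Test phase that nothing
    downstream inherits, i.e. a function that got lost). An empty dict
    means the matrix is complete in both directions."""
    report = defaultdict(list)
    parsed = {}
    for item_id in matrix:
        try:
            parsed[item_id] = parse_item_id(item_id)
        except ValueError as exc:
            report["invalid"].append(str(exc))
    inherited = {item_id: False for item_id in parsed}
    for item_id, seg in parsed.items():
        sources = matrix[item_id]
        if seg["phase"] != "Concept" and not sources:
            report["extra"].append(item_id)
        for src in sources:
            if src not in parsed:
                report["dangling"].append((item_id, src))
            elif PHASE_RANK[parsed[src]["phase"]] >= PHASE_RANK[seg["phase"]]:
                report["backward"].append((item_id, src))
            else:
                inherited[src] = True
    last = PHASE_RANK["Test"]
    for item_id, seg in parsed.items():
        if PHASE_RANK[seg["phase"]] < last and not inherited[item_id]:
            report["missing"].append(item_id)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample matrix (not project data): one reactor protection
# system function traced from system requirement down to software test.
SAMPLE_MATRIX = {
    "RPR-SyREQ-QFUN-001": set(),
    "RPR-SyREQ-QSAF-001": set(),                       # nothing inherits it
    "RPR-SfREQ-QFUN-001": {"RPR-SyREQ-QFUN-001"},
    "RPR-SfREQ-QFUN-002": set(),                       # no upstream source
    "RPR-SfDES-QFUN-001": {"RPR-SfREQ-QFUN-001"},
    "RPR-SfTST-QFUN-001": {"RPR-SfDES-QFUN-001", "RPR-SfREQ-QFUN-001"},
    "RPR-SfTST-QFUN-002": {"RPR-SfREQ-QFUN-002"},
    "RPR-SfREQ-QXYZ-003": set(),                       # bad quality identifier
}

if __name__ == "__main__":
    for finding, items in trace_check(SAMPLE_MATRIX).items():
        print(f"{finding}: {items}")
```

Run on the sample matrix the check reports one extra item, one missing item and one coding error; the granularity question of Sect. 4.1 shows up here as the fan-out of a coarse item, which the matrix makes visible but cannot fix.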

5 Conclusions

As digital technologies are used in NPPs, software reliability and V&V quality have raised widespread concern around the world. Traceability is the basic requirement on I&C functions during life cycle V&V activities, and how to effectively itemize I&C functions is an important question for traceability analysis. From the viewpoint of V&V, the necessity of itemizing requirements on I&C functions is discussed, and key points of itemized requirements are proposed by drawing on CPR1000 NPP project experience, to ensure software V&V quality with a proper workload.

References
1. HAD 102/16: Computer-based safety-critical system software of nuclear power plants (in
Chinese), National Nuclear Safety Administration (2004)
2. IEEE Std. 1012: IEEE standard for software verification and validation (2004)
3. IEEE Std. 7-4.3.2: IEEE standard for digital computers in safety systems of nuclear power
generating stations (2010)
4. IEC 60880: Nuclear Power Plants-Instrumentation and Control Systems Important to Safety-
Software Aspects for Computer-based Systems Performing Category A Functions (2006)
5. EUR: European Utility Requirements for LWR Nuclear Power Plants, Rev. E (2016)
6. ISO/IEC 12207: Information Technology-Software Life Cycle Processes (1995)
7. IEEE Std. 1233: IEEE Guide for Developing System Requirements Specifications (1998)
8. IEEE Std. 830: IEEE Recommended Practice for Software Requirements Specifications
(1998)
9. IEEE Std. 1016: IEEE Recommended Practice for Software Design Specifications (1998)
10. NUREG-0800 BTP-7-14: Guidance on Software Reviews for Digital Computer-based
Instrumentation and Control Systems, Rev. 5 (2007)
Instrument Survivability Assessment During
Severe Accident in HPR1000

Liu Li(&) and Guo Lin

China Nuclear Power Engineering Co., Ltd., Beijing 100840, China
liuli@cnpe.cc

Abstract. The Fukushima nuclear accident has drawn public attention to severe accidents. The instruments used to monitor the progression of a severe accident must perform their function correctly in the time frame required during and after execution of the Severe Accident Management Guidance (SAMG). International and domestic regulations and standards all require these instruments to be available during a severe accident. However, no standard has yet been established on how to perform instrument survivability assessment and how to qualify these instruments. This paper introduces the requirements of the relevant regulations and standards, the factors and methods of instrument survivability assessment, and the current state of the technology. On the basis of the assessment method used for second-generation-plus nuclear power plants, the assessment method for HPR1000 was studied and confirmed; it is improved and optimized in terms of environmental conditions, qualification requirements, etc.

Keywords: Severe accident · Survivability assessment · Time frame · Environment condition

1 Introduction

The Fukushima nuclear accident has drawn public attention to severe accidents. The NNSA has requirements on the management of severe accidents at nuclear power plants. To ensure that the Severe Accident Management Guidance (SAMG) can work effectively during and after a severe accident, the equipment and instruments it relies on must survive severe accident conditions.
HPR1000 is a third-generation pressurized water reactor (PWR) with wholly-owned intellectual property, developed by China National Nuclear Corporation (CNNC) on the basis of thirty years' experience in R&D, design, construction and operation of nuclear power plants. Active and passive safety systems are combined in HPR1000, and diverse approaches are available to perform safety functions in both DBA and BDBA/SA conditions. These design characteristics meet the requirements for third-generation nuclear power plants.
From the beginning of the design, HPR1000 considered severe accident prevention and mitigation measures, an exhaustive envelope curve of severe accident environmental conditions, and the time frame in which instrumentation needs to perform its functions during and after severe accidents. This paper presents the relevant regulations, standards, assessment factors, qualification requirements, and the process and methods of survivability assessment of equipment and instruments during and after severe accidents in HPR1000.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 233–240, 2019.
https://doi.org/10.1007/978-981-13-3113-8_27

2 Codes and Standards

For the HPR1000 nuclear power plant, the severe accident environmental conditions and the accuracy requirements during and after a severe accident must be provided in the technical specification for the instruments, and instruments meeting the severe accident requirements must be procured. HPR1000 has a comprehensive design for severe accidents covering environmental condition research, instrument qualification, the time frame in which the instrument needs to perform its functions, signal acquisition and control, power supply and so on. On the basis of this design, auxiliary tests and alternative solutions are supplemented where necessary. The applicable codes and standards are listed in Table 1.

Table 1. Codes and standards

Designation: HAF102 "Safety Code on Nuclear Power Plant Design", Sect. 6.4.1.2
Content: Instrumentation and recording equipment should be sufficient to provide as much practical information as possible to determine the status of a nuclear power plant during a severe accident and to make decisions during the period of accident management [1]

Designation: RCC-E "Design and Construction Rules for Electrical Components of Nuclear Islands"
Content: This standard provides the requirements on the purpose of the procedure and details of implementation [2]

Designation: 10 CFR 50 "Domestic Licensing of Production and Utilization Facilities"
Content: A description of the measures taken to assure that the quality and level of detail of the systematic processes that evaluate the plant for internal and external events during normal operation, low power, and shutdown (including the plant-specific probabilistic risk assessment (PRA), margins-type approaches, or other systematic evaluation techniques used to evaluate severe accident vulnerabilities) are adequate for the categorization of SSCs

3 Assessment Factors

During a severe accident the radiation dose increases significantly, and large amounts of high-temperature, high-pressure steam, combustible gas and aerosols are generated in the containment. Such harsh environmental conditions may cause performance degradation or failure of instruments in the containment [6].
Based on current research on instrument survivability assessment, instrument availability during and after severe accident conditions is primarily related to the following factors:

3.1 Instrument Working Principle


Different types of instruments have different working principles. Each working principle has its own key components and failure mechanisms, which show different failure characteristics under severe accident environmental conditions. Therefore, when assessing the survivability of an instrument during and after a severe accident, its working principle is an indispensable factor [3].

3.2 Instrument Installation


During severe accidents, the environmental conditions at each location in the containment are different, and some instruments may also be submerged. Therefore, the environmental conditions during and after a severe accident at the actual installation position of the instrument should be fully taken into account when assessing its survivability. The precise installation position of the instrument and the environmental conditions at that position are the preconditions for accurately determining whether the instrument is available when it needs to perform its function [7].

3.3 Time Frame


The phenomena and environment at different stages of a severe accident directly determine the environmental conditions to be used in the instrument survivability assessment for that stage. The time frame is the time span over which the instrument needs to perform its functions in the severe accident. The assessment should combine the required time frame with the actual environmental conditions in that time frame. In HPR1000 the instrument survivability time frame is divided into three categories, 3 h, 24 h and 15 days, according to the severe accident progression.

3.4 Instrument Qualification


The qualification of the instrument shall demonstrate that it performs the specified function correctly under normal and accident environmental conditions throughout its lifetime. Comparing the severe accident environmental conditions with the qualification test data of the instrument is the most direct way to evaluate whether the instrument is available during and after severe accidents [4, 5].
The severe accident instrument list in HPR1000 is divided into a "must be used" list and a "can be used" list. Instruments on the "must be used" list that are installed in the containment should be qualified for the severe accident environmental conditions. These include many types of instruments, such as pressure transmitters, thermocouples, RTDs, radiation monitoring instruments and hydrogen concentration measuring instruments. They are designed and qualified taking into account instrument manufacturing, ageing screening of the electronic components of the instrument, and the HPR1000 instrument qualification requirements.

3.5 Related Support Equipment


To ensure that the instrument channel is available during and after severe accidents, the reliability of the power supply under normal and accident conditions also has a direct impact on the availability of monitoring information, and therefore the entire instrument channel required for a severe accident should be powered by a reliable supply [8]. HPR1000 has two independent engineered divisions of 72-hour 220 V AC power supply, which also power the passive systems, so the instruments and equipment can operate continuously for 72 h during and after a severe accident. The cables, necessary penetrations and control cabinets in these instrument channels must meet the relevant severe accident environmental conditions, so that the instrument signal is accurately transmitted and processed during and after the severe accident and the operator is given correct information. The cables and electrical penetrations used in the severe accident instrument channels are therefore also qualified for the severe accident environmental conditions, and the equipment for power supply, signal acquisition and processing is analyzed or tested in accordance with the relevant requirements. Together, these designs make the instrument channels available during and after the severe accident.

4 Instrument Survivability Assessment Process

The methods commonly used in Chinese nuclear power plants for assessing instrument survivability in severe accidents differ, but their purpose is the same: the instrument must withstand the environmental conditions of the accident and perform its functions properly within the time frame in which it needs to function.
The severe accident instrument survivability assessment flow is usually as shown in Fig. 1:
(a) Define the parameters that need to be monitored for SAMG, select the instruments
to be assessed and provide the instrument list of severe accident,
(b) Determine the environmental conditions in which the monitoring instrument is
installed during and after severe accident, and combine the characteristics of
different types of instruments to identify the qualification requirements that the
instrument needs to meet,
(c) Select the instrument survivability assessment method according to whether the
environmental conditions change with time,
(d) List the assessment factors of instrument survivability assessment,
(e) Assess the survivability based on the above factors.
Fig. 1. Instrument survivability assessment process

According to the severe accident environmental conditions, the instrument time frame and the instrument qualification, the assessment methods can be divided into two categories: one is based on the extreme values of the environmental conditions, and the other is based on the time frame and the environmental condition curve within that time frame. Both methods are widely used in nuclear power plants in service and under construction.

5 HPR1000 Instrument Survivability Assessment

HPR1000 severe accident instrument survivability assessment is based on the detailed temperature-pressure envelope curve and the time frame.
Taking the discharge flow rate measurement (tag number CIS003MD) of the Cavity Injection and Cooling System as an example, the time frame in which this instrument is required to perform its function is 24 h. It is mainly used to evaluate whether the water injection strategy is successful and to evaluate the capacity of the current cavity injection.
The instrument is a qualified capacitive differential pressure transmitter installed inside containment room R215; its signal is transmitted by cable through an electrical penetration and acquired by the train A cabinet of the severe accident monitoring and control system. All of this equipment is qualified for the severe accident conditions inside and outside the containment by qualification tests according to the relevant standards. The signal is then sent to the operator workstation, the backup panel (BUP) and the emergency management center.
The temperature and pressure curves of its qualification test are compared with the envelope of severe accident conditions inside the HPR1000 containment in Figs. 2 and 3. It can be seen that the qualification test temperature and pressure curves within 24 h envelop the requirements over the time frame.

Fig. 2. CIS003MD qualification pressure curve and HPR1000 requirements

Fig. 3. CIS003MD qualification temperature curve and HPR1000 requirements



As a general rule, the damage caused by beta and gamma radiation differs. For a large total integrated dose (typically greater than 1 MGy), it is therefore recommended that no equivalence be assumed between the two types of radiation, and that the two tests be applied successively in the laboratory. In this time frame the integrated gamma dose is 1.08 × 10^5 Gy and the integrated beta dose is 3.71 × 10^5 Gy. After converting the beta dose to its gamma equivalent, the total integrated gamma dose is 4.79 × 10^5 Gy, which is less than 1 MGy. The integrated dose of the CIS003MD radiation test is 1.1 × 10^6 Gy.
HPR1000 has an independent severe accident monitoring and control system. Two independent 72-hour uninterruptible power supply systems supply the SA cabinets, likewise divided into train A and train B, so the instrument channel can maintain operation for 72 h during a severe accident and station blackout (SBO). All components of the channel have been qualified for severe accident conditions, including seismic tests, and work correctly during a severe accident. The signal acquisition and processing of CIS003MD is carried out in the train A SA cabinet and meets the power supply and environmental requirements of severe accident conditions.
In summary, CIS003MD is available and performs its function in the required time frame under severe accident conditions.
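The envelope comparison of Figs. 2 and 3 and the dose comparison above are mechanical enough to write down as a check, and doing so also shows what the method of Sect. 4 needs as input. The following Python script is an added example for this edition, not code from the paper or from HPR1000: it samples a qualification profile against a requirement profile over the instrument's time frame (including every breakpoint, so a short peak in the requirement is not missed between grid points), applies the dose rule (beta converted to a gamma equivalent and compared with the test dose only below 1 MGy; above it, separate tests are required), and combines the factors of Sect. 3 into one verdict for the channel. Only the tag, the 24 h time frame and the three dose figures come from the text; the temperature and pressure profiles, the 1:1 beta-to-gamma factor (the only factor consistent with the figures quoted) and the 72 h power autonomy are constructed assumptions.

```python
"""Survivability check of one instrument channel against a severe accident
envelope.

Added example, not code from the paper: (1) the qualification test profile
(temperature or pressure versus time) must envelop the severe accident
requirement profile at every instant of the time frame; (2) the integrated
radiation dose, beta converted to a gamma equivalent, must stay below the
qualification test dose, and above 1 MGy no beta/gamma equivalence is
assumed. Profiles, the beta-to-gamma factor and the power autonomy are
assumptions for illustration.
"""
from bisect import bisect_right

# A profile is a list of (time_h, value) breakpoints, linear in between and
# held constant before the first and after the last point.


def interp(profile, t):
    """Piecewise-linear value of profile at time t (hours)."""
    times = [p[0] for p in profile]
    if t <= times[0]:
        return profile[0][1]
    if t >= times[-1]:
        return profile[-1][1]
    i = bisect_right(times, t)
    (t0, v0), (t1, v1) = profile[i - 1], profile[i]
    return v0 + (v1 - v0) * (t - t0) / (t1 - t0)


def envelope_check(qualification, requirement, time_frame_h, step_h=0.05):
    """Return (ok, worst_margin, t_worst) over [0, time_frame_h].

    ok is True when qualification >= requirement at every sampled time.
    Breakpoints of both profiles are sampled explicitly in addition to the
    regular grid, so a narrow requirement peak cannot fall between samples."""
    samples = {k * step_h for k in range(int(time_frame_h / step_h) + 1)}
    samples.update(t for t, _ in qualification if t <= time_frame_h)
    samples.update(t for t, _ in requirement if t <= time_frame_h)
    samples.add(time_frame_h)
    worst = None
    for t in sorted(samples):
        margin = interp(qualification, t) - interp(requirement, t)
        if worst is None or margin < worst[0]:
            worst = (margin, t)
    return worst[0] >= 0, worst[0], worst[1]


def dose_check(gamma_gy, beta_gy, test_dose_gy, beta_to_gamma=1.0,
               equivalence_limit_gy=1.0e6):
    """Return (ok, equivalent_dose_gy).

    Below equivalence_limit_gy the beta dose is converted with beta_to_gamma
    and added to the gamma dose for comparison with the gamma test dose.
    Above it no equivalence is assumed and ok is None: beta and gamma must
    be tested separately, as the text recommends."""
    equivalent = gamma_gy + beta_to_gamma * beta_gy
    if equivalent > equivalence_limit_gy:
        return None, equivalent
    return equivalent <= test_dose_gy, equivalent


def assess_channel(channel):
    """Steps (b) to (e) of the assessment flow for one channel description.
    Returns per-factor results and the overall availability verdict."""
    tf = channel["time_frame_h"]
    temp = envelope_check(channel["qual_temp_c"], channel["req_temp_c"], tf)
    press = envelope_check(channel["qual_press_mpa"], channel["req_press_mpa"], tf)
    dose = dose_check(channel["gamma_gy"], channel["beta_gy"], channel["test_dose_gy"])
    power_ok = channel["power_autonomy_h"] >= tf   # support equipment, Sect. 3.5
    return {
        "temperature": temp,
        "pressure": press,
        "dose": dose,
        "power": power_ok,
        "available": bool(temp[0] and press[0] and dose[0] and power_ok),
    }


# Constructed sample channel: tag, time frame and dose figures follow the
# worked example in the text; the profiles and the power autonomy are
# invented for illustration and are not HPR1000 data.
SAMPLE_CHANNEL = {
    "tag": "CIS003MD",
    "time_frame_h": 24,
    "req_temp_c":     [(0, 50), (0.5, 150), (3, 140), (24, 120)],
    "qual_temp_c":    [(0, 60), (0.25, 160), (3, 160), (24, 150)],
    "req_press_mpa":  [(0, 0.10), (0.5, 0.45), (3, 0.40), (24, 0.30)],
    "qual_press_mpa": [(0, 0.12), (0.25, 0.50), (3, 0.50), (24, 0.45)],
    "gamma_gy": 1.08e5,
    "beta_gy": 3.71e5,
    "test_dose_gy": 1.1e6,
    "power_autonomy_h": 72,
}

if __name__ == "__main__":
    for factor, result in assess_channel(SAMPLE_CHANNEL).items():
        print(f"{SAMPLE_CHANNEL['tag']} {factor}: {result}")
```

The worst margin and the time at which it occurs are reported alongside the verdict because a bare pass/fail hides how close the qualification profile is to the envelope; a margin near zero at the start of the time frame is the case to look at when the installation position (Sect. 3.2) differs from the one the envelope was derived for.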

6 Conclusion

Based on the analysis of the assessment factors and the technical status of severe accident instruments, this paper presents a flow chart for survivability assessment of severe accident instruments. Assessment of equipment in a severe accident was performed according to the flow chart and the qualification of the instrument and its related support equipment.
The instruments and related support equipment installed inside the containment that must be used during and after severe accidents have been qualified for the severe accident environmental conditions. The qualification tests provide direct data and give high confidence in the instrument survivability assessment for HPR1000.

References
1. HAF102, Safety Code on Nuclear Power Plant Design, National Nuclear Safety Adminis-
tration, China, pp. 17–38 (2016)
2. RCC-E, Design and Construction Rules for Electrical components of nuclear Islands,
AFCEN, France, p. 58 (2005)
3. EPRI TR-102371, Instrument Performance Under Severe Accident Conditions, Electric
Power Research Institute, America (1993)
4. EPRI TR-103412, Assessment of Existing Plant Instrumentation for Severe Accident
Management, America (1993)
5. Youjun, H.: Study of Instrument Survivability Evaluation Methods During Severe Accident in
Nuclear Power Plant. University of South China (2014)
6. EPRI, NRC, DOE: Three Mile Island Technical Information and Examination Program: Instrumentation and Electrical Summary Report, p. 7 (1985)
7. NUREG/CR-5444: Instrumentation Availability during Severe Accident for a Boiling Water Reactor with a MARK 1 Containment. EGG-2661 (1992)
8. NP-4354 Large-Scale Hydrogen Burn Equipment Experiments. EPRI Technical Report
(1985)
Influence Analysis of the Halogen Cables Used
in the Safety Related Circuits of AP1000
Nuclear Power Plant

Xin-Yu Wang1, Cong Li2(&), Jing-Yuan Yang1, and Qi Wu1


1 Nuclear and Radiation Safety Center, Beijing 100822, China
2 State Nuclear Power Engineering Corporation, Shanghai 200233, China
lic@snpec.com.cn

Abstract. Nuclear cable development is moving towards non-halogen materials. However, due to limitations in non-halogen material performance and the excellent performance of halogenated materials, halogen cables are still used in some areas, equipment or systems of nuclear power plants. This paper catalogues the requirements on halogen materials in the nuclear safety rules and regulations of different countries, and takes as an actual case the use of halogen cables in some circuits and equipment of AP1000. By analyzing the influence of adopting halogen cables in AP1000 nuclear power plants, it is finally confirmed that some halogen cables can be used.

Keywords: Halogen cables · Damage to equipment and personnel · Fire protection

1 Introduction

Currently, nuclear power plants have developed to the third generation, whose technologies include AP1000, EPR, VVER and Hualong No. 1. Each generation of NPP has come with correspondingly developed equipment, the old being replaced by the new. Through analysis of nuclear cable development and information collected from NPP owners, the development of new cables can be clearly understood, which is the premise for cable product improvement and development.
The essence of nuclear cable development is cable material development. The Chinese cable industry started to develop nuclear cable materials in the 1980s, and the materials have evolved to the third generation along with the NPPs (Table 1).
As the table shows, the development trend of nuclear cables is towards halogen-free materials. However, because halogen-free materials still have performance limitations while halogenated materials perform well, halogen cables are still used in some areas, equipment and systems of nuclear power plants. This paper discusses the requirements on halogen materials in the nuclear safety rules and regulations of different countries, and takes the halogen cables used in AP1000 NPPs as a practical case to analyse the safety of adopting halogen cables. Finally, it is confirmed that some halogen cables can be used in AP1000 NPPs.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 241–249, 2019.
https://doi.org/10.1007/978-981-13-3113-8_28
242 X.-Y. Wang et al.

Table 1. Insulation and jacket materials used in China NPPs

Project
  1st generation material: Qin Shan I NPP
  2nd generation material: Qin Shan II, III NPP
  3rd generation material: San Men NPP, Hai Yang NPP, Tai Shan NPP
Insulation
  1st generation: flame retardant EPR
  2nd generation: LSOH flame retardant EPR, XLPE, XLPO
  3rd generation: LSOH flame retardant crosslinked polyethylene (XLPE), ethylene propylene rubber (EPR), ethylene tetrafluoroethylene (ETFE)
Jacket
  1st generation: low halogen flame retardant chlorosulfonated polyethylene (CSPE)
  2nd generation: thermosetting or thermoplastic non-halogen flame retardant materials
  3rd generation: thermosetting or thermoplastic non-halogen flame retardant materials, chlorinated polyethylene (CPE), crosslinked polyolefin (XLPO), ethylene tetrafluoroethylene (ETFE)

2 Technical Requirements of the Nuclear Power, Control and Instrumentation Cables Used in AP1000 NPP

2.1 Technical Requirements

The cable insulation and jacket shall minimise the use of plastic materials, especially PVC and neoprene (Table 2).

Table 2. Technical requirements for the AP1000 cables

Operating temperature: 90 °C
Thermal life: 60 years
Cable insulation: XLPE, EPR or ETFE
Cable jacket: CPE, XLPO, EVA or ETFE
UL VW-1: single insulated core and completed cable
IEEE 1202: completed cable

Cables or wires with such insulation shall pass the thermal ageing test, the radiation test and the long-term immersion test. The thermal ageing test shall verify a cable thermal life of 60 years at a conductor operating temperature of 90 °C [1].
Cables or wires with the above jacket materials shall pass the flame-retardant test, and cables routed in cable trays shall be UL qualified. If low smoke zero halogen materials are used for the cable jacket, they shall meet all the technical requirements, especially the flame-retardant test requirement.
Wires installed in auxiliary electrical cabinets shall use flame retardant thermosetting SIS insulation (NEC rated 90 °C) and stranded conductors, and shall pass the UL VW-1 flame test [2].
Cables laid in cable trays shall pass the IEEE 1202 flame test and shall be UL qualified. Both aged and un-aged cable samples shall pass the IEEE 1202 flame test.

2.2 AP1000 Requirements and Limitations for Halogen Materials

The Design Control Document (DCD) of the AP1000 NPP does not exclude the use of halogenated cables or halogenated materials, but requires that halogenated materials be minimised, as stated below:
The use of halogenated plastics should be minimized in accordance with Branch Technical Position CMEB 9.5-1. Halogenated plastics such as polyvinyl chloride (PVC) and neoprene should be used only when substitutable non-combustible materials are not available. If halogenated plastics must be used inside containment, the details of the use must be documented.

3 Regulatory Requirements for Halogen Limitation

3.1 NRC Regulatory Requirements for Halogen Materials

In accordance with NRC Branch Technical Position CMEB 9.5-1, the use of plastic materials, especially halogenated plastics such as polyvinyl chloride (PVC) and neoprene, shall be minimised in the nuclear power plant. These materials may be used only when no substitute non-combustible material is available.
Based on the above, the NRC requires that the use of plastic and halogen materials be minimised, but does not forbid it.

3.2 NNSA Regulatory Requirements for Halogen Materials

China regulation HAD 102/11-1996 "Fire Protection of Nuclear Power Plant", Sect. 4.2.2, states that "halogen-free materials shall be preferred for cables and wires". Sect. 6.5.1 states that "where cables are used in large quantity, the cable insulation and jacket shall be flame retardant, low smoke and low corrosion" [3].
The guideline HAD102 states that it supplements HAF102 "Safety Rules of Nuclear Power Plant Design". Methods or proposals that differ from HAD102 may also be adopted in practice, provided they maintain the same safety level as HAD102 and do not increase the risk to the plant and the public.
The NNSA thus has the same requirement for halogen materials as the NRC, but the NNSA requirement is stricter and more detailed in that low smoke, halogen-free materials are preferred.

3.3 The Conformity of AP1000 Requirements to Regulatory Requirements

The Design Control Document (DCD) of the AP1000 NPP does not exclude the use of halogenated cables or halogenated materials, but requires that halogenated materials be minimised, as stated below:
The use of halogenated plastics should be minimized in accordance with Branch Technical Position CMEB 9.5-1. Halogenated plastics such as polyvinyl chloride (PVC) and neoprene should be used only when substitutable non-combustible materials are not available. If halogenated plastics must be used inside containment, the details of the use must be documented.
The above AP1000 DCD requirement conforms to the NRC regulatory requirement, but it does not address the use of low smoke halogen-free materials.

4 Total Amount of Halogen Cables Used in AP1000 NPPs

The quantity of halogen cables and the total quantity of nuclear island cables used in one AP1000 project are sorted out and shown in Table 3. The halogen cables in safety-related circuits and equipment are mainly distributed in the circuits and equipment listed in Table 4.

Table 3. The halogen cables used in one AP1000 project

Location: inside and outside containment
AP1000 nuclear cable quantity: 770 km
Halogen cable quantity: 25 km
Proportion: 3.25%

Based on the statistics in the above table, halogen-containing cables in the nuclear island of this AP1000 NPP account for only 3.25% of the total.

5 Influence of Halogen Cables on Personnel and Equipment

5.1 Characteristics of Halogen Cables in Safety-Related Circuits and Equipment

The following conclusions can be drawn from Table 4:
(1) Halogen cables in safety-related circuits and equipment are mainly routed in metal conduits and metal enclosures (cabinets, cable trays). At the same time, such cables shall meet the UL VW-1 or IEEE 1202 flame-retardant standards, or the equivalent IEC or ICEA standards. This reduces the risk of fire propagation.
(2) Most of the halogen cables in the table belong to the secondary circuits of cabinets or to instrumentation and control circuits. They carry weak currents or low-level signals, and the current through them is insufficient to start a fire.

Table 4. The halogen cables distributed in safety-related circuits and equipment

Columns: Equipment; Building; Cable routed location/condition; Cable types; Cable quantity (m)

PMS cabinets internal circuits; Auxiliary building; Cable conduit and cable trays; 18 AWG; 3608
Nuclear instrumentation system circuits; Inside containment; In metal jackets; COAX, TRIAX and QUADAX cable; 2560
Burst valve; Inside containment; In 1/2" sealed waterproof metal flexible conduits; 2/C 16 AWG cable; 270
Speed sensor of RCP; Inside containment; In stainless steel braid jacket; Speed sensor pigtail; 12
Safety class valves; Inside containment; Conduit; 10–18 AWG; 1494
RCP medium voltage switchgear cabinet; Auxiliary building; Installed in the cabinets; 10–18 AWG; 4900
IDS panel; Auxiliary building; Installed in the cabinets; 10–14 AWG; 490
Fuse panel; Auxiliary building; Installed in the cabinets; 14 AWG; 430
IDS motor control center; Auxiliary building; Installed in the cabinets; 2/0, #8, #2, 10–14 AWG; 9800
AC distribution panel; Auxiliary building; Installed in the cabinets; 14 AWG; 300
Terminal box of spare battery; Auxiliary building; Installed in the cabinets; 10–18 AWG; 610
250 VDC switchgear cabinet; Auxiliary building; Installed in the cabinets; 14 AWG; 370
Total cable quantity: 24844

5.2 Analysis of Influence of Halogen Cables on Personnel and Equipment Outside the Containment

Halogen cables outside containment are routed in well-ventilated areas or rooms, and these locations usually have no long-term occupancy.
Taking the auxiliary building as an example, the equipment in its rooms is separated by structural walls or floors, which prevent fire from spreading from one area to another. The auxiliary building is further divided into multiple fire areas by fire barriers. The third-generation AP1000 NPP is designed to reduce fire risk by limiting the quantity of combustibles in any single area.
In addition, the ventilation system operates continuously, so in the event of a local fire caused by an electrical short circuit, smoke from burning halogen cables cannot accumulate in the fire area.
If a local fire caused by a short circuit or other condition grows more severe, the local fire detection equipment will raise an alarm to inform the operating personnel in the main control room. Personnel in the plant will be notified and will withdraw as directed by the fire commander, and the local automatic sprinklers (if any) will start.
For areas without automatic sprinklers, plant operators (such as the fire brigade) will use fire hydrants or fire extinguishers to put out the fire manually. By design, the dampers in the ventilation ducts of these areas are automatically isolated to stop the supply of fresh air into the fire area. Personnel entering the area after a fire are limited to firefighters wearing appropriate personal protective equipment. After the fire has been extinguished, smoke and other combustion by-products will be purged using a ventilation subsystem or alternative temporary ventilation before the area is returned to use.

5.3 Analysis of Influence of Halogen Cables on Personnel and Equipment Inside the Containment

Inside the containment, the ventilation system operates continuously in recirculation mode. Although personnel regularly enter the containment during normal plant operation, access is strictly limited because of the radiation environment. If halogen cables partially catch fire, the halogen combustion products may be assumed to accumulate in the containment vessel.
The U.S. Department of Transportation has accepted the transportation industry's best practice of using BSS 7239, Test Method for Toxic Gas Generation by Materials on Combustion, to determine the acceptability of gases produced during a fire. BSS 7239 sets the limit for toxic hydrogen fluoride at 200 ppm. The plant designer conservatively assessed the quantity of halogen cable that would have to burn to release this amount of toxicant. A halogen instrumentation cable sample of "XXX Exane15" with 18 AWG conductors was chosen for analysis; the hydrogen fluoride result for the tested samples was not more than 20 ppm, far below the 200 ppm limit. Note that as the copper conductor size increases, the weight of the cable jacket decreases relative to the total weight of the cable, so the 18 AWG sample is conservative for the larger conductors that make up most of the halogen cables, which would produce less hydrogen fluoride.
The designer's assessment showed that for the toxic content to reach the 200 ppm limit of BSS 7239, 29.6 km (95,000 ft) of cable would have to burn. This quantity far exceeds what could be involved in a local plant incident, by which time the containment fire detection system would already have raised an alarm. It also exceeds the roughly 4 km of safety-related halogen cable inside containment listed in Table 4, and even the 25 km of halogen cable in the whole nuclear island reported in Table 3 (Fig. 1).

Fig. 1. Release of toxic hydrogen fluoride (ppm, axis 0–250) as a function of the quantity of halogen cable burned: 29.6 km reaches the 200 ppm limit, compared with the 25 km of halogen cable installed

As mentioned above, access to the containment is controlled during normal plant operation. In the event of a fire, personnel inside the containment will be evacuated. Persons entering the area after a fire are limited to firefighters wearing appropriate personal protective equipment. After the fire has been extinguished, smoke and other combustion by-products will be purged using a ventilation subsystem or alternative temporary ventilation before the area is returned to use.
In the shutdown condition, good continuous ventilation is maintained within the containment to support maintenance activities, so halogenated combustion products from a local event do not accumulate inside the containment. In the event of a more serious fire, the personnel inside the containment will be evacuated, and the same firefighter access and post-fire ventilation measures apply.

6 Related Fire Prevention Situations and Corresponding Mitigation Measures

The fire protection plan of the power plant covers many aspects, including the following basic elements:
• Identify and control flammable products.
• Use permanently installed fire detection subsystems.
• Use automatic sprinklers or other suppression subsystems where necessary and appropriate.
• Use permanently installed fire hoses and portable fire extinguishers.
• Develop a written fire protection strategy and plan.
• Train and qualify the on-site fire brigade.
Halogen cables in safety-related circuits and equipment are mainly distributed in the auxiliary building and inside the containment. Physical isolation is provided among the four Class 1E electrical divisions, and between the four Class 1E divisions and non-safety-related areas, to ensure safety.
The risk of fire in the main control room is minimised by reducing the number of cables there. The main control room is continuously staffed, so fires in the area can be discovered and extinguished quickly. The main fire detection and fire-fighting measures in the main control room are fire detectors, fire hydrants and portable fire extinguishers.
The entire steel containment is one fire area with a fire detection and automatic fire suppression system. Safety-related cables are protected by fire barriers where they pass through fire areas in non-safety-related zones.
In the areas outside the steel containment and the main control room, the layout of plant equipment and the routing of cables are designed to assure safe shutdown of the NPP even if all the equipment in any single fire area, bounded by fire barriers with a fire resistance rating of 3 h, is rendered inoperable by fire.
Cables are mainly routed in dedicated cable structures such as cable channels, cable trenches and cable shafts. They may also be routed directly in cable trays and cable conduits in rooms or corridors.
Class 1E cables are physically or spatially separated from non-1E cables, and redundant Class 1E cables from each other, in accordance with IEEE 384. Cable trays are equipped with continuous cable temperature detectors.
Electrical penetration assemblies are used where cables pass through the containment wall; they have a fire resistance rating of not less than 3 h and can withstand the environmental conditions of the design basis event.
To address the possibility that halogen cables in safety-related circuits and equipment generate toxic gases after combustion, hazards can be reduced through management measures. Firstly, ignition sources must be controlled to prevent fires from occurring, and the provision and management of personal protective equipment must be strengthened. Safety education of employees, the necessary fire drills, and the provision of respirators and gas masks in hazardous areas reduce the personal injury caused by toxic gases.

References
1. IEEE: IEEE Standard for Qualifying Class 1E Electric Cables and Field Splices for Nuclear Power Generating Stations. IEEE Std 383, The Institute of Electrical and Electronics Engineers, New York, USA (2003)
2. IEEE: Design and Qualification of Class 1E Control Boards, Panels, and Racks Used in Nuclear Power Generating Stations. IEEE Std 420, The Institute of Electrical and Electronics Engineers, New York, USA (2001)
3. NNSA: Fire Protection of Nuclear Power Plant. HAD 102/11, China (1996)
Network Risk Management Based on the ALARP Criteria for Nuclear Power Plant

Xiao-Jun Liu and Jun-Long Tan(&)

State Nuclear Security Technology Center, Beijing 102401, China
Xiao-Jun_Liu@snstc.org, 370317710@qq.com

Abstract. The security problems of nuclear power plants are becoming increasingly serious. Digital control systems are widely used in nuclear power plants in China; they reduce the possibility of human error and the workload of operators, but at the same time bring new risks to plant operation. The Network Security Law came into force on June 1, 2017. The baseline for nuclear power plant networks should not be set on economic grounds alone: security is paramount. Yet adding or increasing network security equipment does not necessarily improve network security. This article analyses the network security risks of nuclear power plants based on the ALARP criterion, discusses the balance between investment and risk, and proposes network risk management recommendations for nuclear power plant network security.

Keywords: ALARP (As low as reasonably practicable) · Nuclear power plant · Network security · Risk

1 Establish a Correct Network Security Concept

On April 19, 2016, General Secretary Xi Jinping delivered an important speech at the Symposium on Internet Security and Informatization. The speech systematically discussed the development of China's network security and information technology, pointed out the way forward for the network information industry and provided fundamental guidance. General Secretary Xi pointed out: "Network security and information technology are like two wings of one body and two wheels driving together. We must plan, deploy, advance and implement them together. To do network security and information work well, we should handle the relationship between security and development so as to achieve coordinated and consistent development."
General Secretary Xi also said: "Network security is dynamic rather than static. Information technology changes faster and faster; the formerly scattered, independent networks have become highly correlated and interdependent, and the sources of network security threats and the means of attack keep changing. The idea that relying on a few pieces of security equipment and security software can keep us safe forever is inappropriate; it is necessary to formulate a concept of dynamic and comprehensive protection."

© Springer Nature Singapore Pte Ltd. 2019


Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 250–254, 2019.
https://doi.org/10.1007/978-981-13-3113-8_29
Network Risk Management Based on the ALARP 251

With the development of digital technology, its application in nuclear power plants has become a general trend. Information security of nuclear power plants is an important factor influencing the development of nuclear power, and the information security environment of industrial control systems is changing rapidly [1]. Because of the particular nature of nuclear power plants, network and information security must receive even more attention.
Establishing a concept of dynamic and comprehensive protection has become the most important task of network security in the new era. Network security is not simply the addition of various network security devices; it requires balancing investment against the management of network security risk, so as to coordinate security and development.

2 The Main Content of Risk Management

Studying risk requires understanding, from the perspective of decision-making, that risks are related to people's purposeful activities, their choices among courses of action and future changes in circumstances. The formation process of risk, together with its objectivity, the loss it may cause and its uncertainty, forms the basis for analysing the risk formation mechanism and for risk management.
People are generally risk averse: they want to reduce losses from risk and pursue an optimal balance between risk and benefit. The development of risk management is closely related to enterprise development and social background. Risk management first emerged as a discipline in the United States and spread to Latin America, Asia and Western Europe. Most enterprises in the United States have full-time risk management departments, and many colleges and universities offer risk management courses in their schools of business administration. As both a science and an art, risk management needs qualitative analysis as well as quantitative estimation; it requires rationality as well as humanity, and it needs multiple supporting methods rather than a single theoretical guide [2].
Risk management, starting from risk awareness, mainly comprises risk analysis, risk evaluation and risk control. Following the process of risk formation, risk analysis consists of risk identification and risk estimation. Risk estimation requires frequency analysis and consequence analysis, the latter including scenario analysis and loss analysis. Risk evaluation compares all the risks of a specific system obtained from risk analysis against the corresponding risk criteria and acceptability, and determines whether the system risk can be accepted and whether safety precautions must be taken. Risk analysis and risk evaluation together are usually called risk assessment, and quantitative risk assessment (QRA) is required for it. Risk control then takes appropriate measures and countermeasures, based on the assessment, to control, suppress and reduce risk. Risk management therefore not only analyses risk factors, risk events and loss situations qualitatively, but also evaluates risks quantitatively against risk criteria and acceptability as far as possible. Profit-oriented industrial enterprises also want to evaluate risk in monetary terms.

3 Quantitative Risk Assessment of Nuclear Power Plant Network

The purpose of risk management is to ensure that all incidents that threaten network security are prevented through reasonable steps. Network security threats and network security protection measures interact. Improper protection may not only fail to reduce network security risk and waste a great deal of money, but may also introduce greater security threats. A thorough risk analysis of network security is therefore a necessary prerequisite for reliable and effective protective measures.
The establishment and development of QRA for the nuclear power plant network draws internally on reliability analysis, safety analysis, quality management, project management and other professional analyses as its foundation, and externally involves the power users, the government, the public, consultancies and many other related parties. The function of plant network QRA for the enterprise is mainly reflected in the following. QRA helps the enterprise control risk levels within a standard level of risk according to the principle of the minimum reasonably practicable; it helps the enterprise comprehensively identify risks and rank them by priority, so that managers can focus human, financial and material resources on the important and urgent risk controls, making risk management decisions more reasonable, more effective and less costly; and by comparing risk management solutions or the security improvements QRA identifies, decision makers can choose the better option, giving the company decision support. Risks to the nuclear power plant network also affect other enterprises and parties and are amplified through them. A safe, reliable, efficient and superior power system is the common aspiration of all industries and government departments, so implementing QRA in the nuclear power plant network is of practical significance, and the ALARP rule is a better way for the nuclear power plant network to implement QRA [3].

4 Risk Criteria and Acceptability

The determination of risk acceptance criteria is a decision-making process. In risk analysis, the ALARP criterion is the most commonly used risk acceptability criterion, as shown in Fig. 1. The ALARP rule was first proposed by the UK Health and Safety Executive (HSE) for risk management and decision-making, and it has become the basic framework for establishing acceptable risk criteria. The ALARP rule applies to the assessment of individual risk of death, environmental risk and property risk.
The ALARP rule recognises that any industrial activity is risky and that risk cannot be completely eliminated by preventive measures; there must be a balance between risk levels and benefits [4].
As shown in Fig. 1, the ALARP criterion consists of two risk boundaries, an upper limit and a lower limit, called the upper limit of acceptable risk and the lower limit of acceptable risk. The two lines divide risk into three regions: the unacceptable region, the as low as reasonably practicable region (ALARP region), and the acceptable region. If the risk level obtained from the risk assessment falls within the unacceptable region, the risk will not be accepted in any way except in special cases: for a facility at the design stage, the design scheme cannot be approved; for an existing installation, production must be stopped immediately and mandatory measures taken to reduce the risk level. If the risk level falls within the acceptable region, the risk is low and no safety improvement is needed. If the risk level is in the ALARP region, the consequences of implementing various risk reduction measures must be examined and a cost-benefit analysis conducted to determine whether the risk is acceptable. If additional prevention measures would have no significant effect on reducing the system risk, the residual risk may be considered acceptable.

Fig. 1. ALARP criterion

Risk criteria and acceptability should follow the principle of the minimum reasonably practicable. The ALARP principle can be applied to the risk system: the lower the risk level already is, the harder it becomes to reduce it further, and the cost of further reduction rises along an exponential curve. In other words, the marginal benefit of investment in risk improvement measures decreases and eventually tends to zero or even becomes negative. A compromise must therefore be made between the level of risk and the cost. If the risk level from the quantitative risk assessment of the nuclear power plant network is higher than the acceptable upper limit, the risk is rejected. If the risk level is below the acceptable lower line, the risk is acceptable and no risk improvement measures are required. When the risk level lies between the unacceptable line and the acceptable line, it falls into the ALARP region, and risk analysis and cost-benefit analysis of the cost of improvement are carried out.
If the analysis shows that the investment needed to lower the network risk level further is disproportionate to the risk reduction it would achieve, the risk is accepted, that is, the residual risk is allowed to exist in order to save investment cost. The economic interpretation of the ALARP principle is similar to the law of diminishing marginal returns of input factors.
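The following Python example, added here and not part of the original paper, puts the three-region classification and the cost-benefit step of the ALARP region into working code. It expresses network risk as expected annual loss in the same monetary unit as the cost of each protective measure, and treats a measure as reasonably practicable while its cost does not exceed the risk reduction it buys multiplied by a gross-disproportion factor. The thresholds, the disproportion factor and the list of candidate measures are constructed assumptions for illustration, not values from the paper.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed thresholds (constructed for illustration, not from the paper).
# Risk is expressed as expected annual loss in the same monetary unit
# as the annual cost of each measure.
UPPER_LIMIT = 1_000_000.0  # at or above this the risk is unacceptable
LOWER_LIMIT = 10_000.0     # at or below this the risk is broadly acceptable
# Assumed gross-disproportion factor: in the ALARP region a measure is
# reasonably practicable while cost <= factor * risk reduction it buys.
DISPROPORTION_FACTOR = 3.0


@dataclass
class Measure:
    name: str
    annual_cost: float  # cost of operating the control for one year
    reduction: float    # fraction of the current risk the control removes


def classify(risk: float, upper: float = UPPER_LIMIT, lower: float = LOWER_LIMIT) -> str:
    """Place a risk level in one of the three ALARP regions."""
    if risk >= upper:
        return "unacceptable"
    if risk <= lower:
        return "acceptable"
    return "alarp"


def alarp_select(risk: float, measures: List[Measure]) -> Tuple[float, List[str], str]:
    """Greedy ALARP reduction.

    Repeatedly apply the most cost-effective remaining measure. In the
    unacceptable region a measure is applied regardless of cost, because
    the risk may not be retained. In the ALARP region a measure is applied
    only while its cost is not grossly disproportionate to the risk it
    removes; otherwise the residual risk is tolerated and the loop stops.
    Returns (residual risk, names of applied measures, final region).
    """
    chosen: List[str] = []
    remaining = list(measures)
    while remaining:
        region = classify(risk)
        if region == "acceptable":
            break  # below the lower limit: no further improvement required
        # Rank candidates by risk removed per unit cost at the current level.
        remaining.sort(key=lambda m: (m.reduction * risk) / m.annual_cost, reverse=True)
        best = remaining.pop(0)
        benefit = best.reduction * risk
        if region == "alarp" and best.annual_cost > DISPROPORTION_FACTOR * benefit:
            # Even the best remaining measure costs grossly more than it saves;
            # every lower-ranked measure is worse, so stop here.
            break
        risk -= benefit
        chosen.append(best.name)
    return risk, chosen, classify(risk)


# Constructed candidate controls for a plant network (illustrative figures).
CANDIDATE_MEASURES = [
    Measure("segment safety and non-safety networks", annual_cost=50_000.0, reduction=0.60),
    Measure("unidirectional gateway to the corporate network", annual_cost=120_000.0, reduction=0.30),
    Measure("host intrusion detection on HMI workstations", annual_cost=40_000.0, reduction=0.20),
    Measure("second redundant perimeter firewall", annual_cost=300_000.0, reduction=0.05),
]


def worked_example() -> Tuple[float, List[str], str]:
    """Start from an assumed initial expected annual loss of 2,000,000."""
    return alarp_select(2_000_000.0, CANDIDATE_MEASURES)


if __name__ == "__main__":
    residual, applied, region = worked_example()
    print(f"residual risk {residual:,.0f}, region {region}")
    for name in applied:
        print(" applied:", name)
```

Running the worked example starts in the unacceptable region, applies segmentation unconditionally, then applies host intrusion detection and the unidirectional gateway because each costs less than three times the loss it removes, and stops before the redundant firewall, whose cost is grossly disproportionate to the 5% it would remove; the residual risk stays in the ALARP region and is retained, which is exactly the trade-off the paragraph above describes.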

5 Conclusion

QRA of the nuclear power plant network is an integrated study covering reliability engineering, risk analysis and security engineering. Through careful and detailed analysis of theory and practice, it continually draws conclusions and forms guidance and predictions for the future. Given the industry characteristics of the nuclear power plant network, its QRA not only has a good technical and material foundation but also great potential for further development.
Through risk analysis based on the ALARP criterion, the risk estimates of all risks in the nuclear power plant network system can be obtained. According to the corresponding risk criteria and acceptability, the system risk is judged to be acceptable or not, investment and risk are balanced, and the corresponding safety measures are adopted to promote the joint progress of security and development of nuclear power plant networks.

References
1. Bell, D.E., LaPadula, L.J.: Secure Computer System. MITRE Report MTR-2527 (1973)
2. Hui, Z., Hua, D., Weiting, Q., Weilu, Q.: Engineering construction project risk assessment standards based on ALARP criterion. Industrial Safety and Environmental Protection (2017)
3. Biba, K.: Integrity Considerations for Secure Computing Systems. MITRE Report MTR-3153 (1975)
4. Rao Tummala, V.M., Burchett, J.F.: Applying a risk management process (RMP) to manage cost risk for an EHV transmission line project, 17
Analysis of Communication Failures in Radiation Monitoring System of a Nuclear Power Plant

Guang-Feng Li1, Xin-Yu Wang2(&), Jing-Yuan Yang2, and Hong-Wei Sha1

1 Daya Bay Nuclear Power Operation & Management Co., Ltd., Shenzhen 518000, China
2 Nuclear and Radiation Safety Center, Beijing 100822, China
wangxinyu@chinansc.cn

Abstract. The radiation monitoring system equipment of a nuclear power plant in Guangdong has repeatedly experienced communication failures; the equipment uses standard RS485 interface communication internally. RS485 communication is simple in hardware, convenient to control, low in cost and high in data rate, but the RS485 bus also has weaknesses in interference immunity, self-adaptation and communication efficiency, so incorrect handling of any detail can lead to communication failure. Based on the practical application of the radiation monitoring system in the plant, this paper analyses the causes of the failure, investigates the factors that affect communication, and implements anti-interference measures suited to the specific conditions, which solved the communication problems in the plant's radiation monitoring system. The improved method provided by this work not only solves the communication problem of this system, but also serves as a reference for anti-interference design and added anti-interference measures in the nuclear power and electrical industries, to avoid repeated occurrence of the same problem.

Keywords: Radiation monitoring system · RS485 communication · Fault analysis · Anti-interference

1 Introduction

On January 18, 2017, a radiation monitoring system fault alarm appeared in the main control room of a nuclear power plant in Guangdong. The parameters of the spent fuel pool radiation monitoring channel on the radiation monitoring system workstation stopped refreshing, and maintenance personnel found that an equipment communication fault was the cause. The radiation monitoring system uses RS485 communication between the data unit of the local processing unit and the remote display unit in the monitoring cabinet at the 15 m level. The standard RS485 interface circuit is widely used in automation because of its simple hardware structure, convenient control, low cost and fast communication speed. However, the RS485 bus still has shortcomings in interference immunity, self-adaptation and communication efficiency, and improper handling of details in use often leads to communication failure [1]. A nuclear power plant radiation monitoring system has many pieces of equipment, complicated wiring and scattered installation locations, and its communication is highly susceptible to interference. The anti-interference problem of RS485 communication is therefore particularly important in such complex environments.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 255–264, 2019.
https://doi.org/10.1007/978-981-13-3113-8_30
256 G.-F. Li et al.

2 The RS485 Communication Failure Analysis

RS485 signalling is known for long distances and multiple nodes, but on site, under complicated working conditions, RS485 signals usually encounter interference. Interference is an electrical signal unrelated to the wanted signal that is inserted into or superimposed on the system power supply or signal cable, often in the form of an electric or magnetic field [2]. RS485 communication interference falls roughly into four types:
1. Hardware failure: usually there is a history of high voltage entering the circuit, such as a lightning strike or leakage. This can damage the RS485 chip of individual equipment in the system and affect reception as a whole;
2. Line faults: a partial short circuit or a broken signal line, for example, often leaves the system working partially or apparently normally, but unstably;
3. Matching interference, or line reflection interference: the load matching of the system is unreasonable, for instance long signal lines, long-distance star wiring, excessive load, or no matching resistance on the bus. The system then cannot work stably;
4. Electromagnetic interference (EMI): electromagnetic energy that a system emits by conduction or radiation and that disturbs other systems, or other subsystems within the same system [3].
The four situations often do not occur alone but accompany and intensify one another, which makes the system worse. Starting from these four kinds of RS485 interference and the specific conditions of the on-site radiation monitoring system, the following fault causes were analysed and checked:
First, the RS485 chip of one or more local receiving devices may have been damaged during service by a lightning strike or by high voltage on the RS485 network. Maintenance personnel replaced the complete equipment of the faulty channel, and the fault reappeared;
Secondly, a line fault. In this failure mode data can usually still be transmitted under certain conditions; once the conditions change, the system fails partially or completely. It usually appears as a short circuit or an open circuit on the bus. When a short circuit occurs, the receiving devices near and beyond the short-circuit point cannot receive normally. For this mode, maintenance personnel checked the line resistance and the tightness of every terminal block, and no abnormality was found;
Analysis of Communication Failures in Radiation 257

Third, as an electrical signal travels along a wire, both its current and its voltage are delayed and reflected because of the distributed inductance, capacitance and resistance of the wire. Multiple reflections greatly prolong the transmission time of the signal. Two main factors affect the reflected wave: one is the impedance of the transmission line; when it is configured reasonably, reflected-wave interference, or at least the number of reflections, can be suppressed. The other is the signal frequency: the higher the frequency, the more easily reflected-wave interference arises. The RS485 communication loop of the radiation monitoring system runs at a baud rate of 19200 bps. With the signal frequency fixed, impedance matching is the usual way to eliminate reflected-wave interference, and in the communication circuit of the plant's radiation monitoring system the matching-resistor bus termination method is adopted. It reduces the reflection and absorption noise caused by mismatch and effectively suppresses noise interference. The characteristic impedance of twisted pair is generally about 100 to 130 ohms, and 120 ohms is actually set in the field. The schematic diagram is shown in Fig. 1.

Fig. 1. Transmission line impedance matching diagram
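Worked check, added here and not part of the paper, of why a 120 Ω terminator suits the 100 to 130 Ω twisted pair. The reflection coefficient of a load $Z_L$ at the end of a line of characteristic impedance $Z_0$ is

$$\Gamma = \frac{Z_L - Z_0}{Z_L + Z_0}.$$

For an unterminated (open) receiver end, $Z_L \to \infty$ and $\Gamma = 1$: the whole edge is reflected back toward the driver. With $Z_L = 120\,\Omega$ on a $Z_0 = 100\,\Omega$ pair, $\Gamma = 20/220 \approx 0.09$; on a $130\,\Omega$ pair, $\Gamma = -10/250 = -0.04$; on a $120\,\Omega$ pair, $\Gamma = 0$. The residual reflection is therefore below 10 % of the step for any cable in the stated range. Assuming a propagation delay of roughly 5 ns/m (an assumption, not a figure from the paper), a 1 km run has a one-way delay of about $5\,\mu s$, against a bit period of $1/19200 \approx 52\,\mu s$ at 19200 bps, so a few round trips of a residual reflection settle within a fraction of one bit; at higher rates that margin shrinks, which is the frequency dependence the paper notes.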

The higher the signal frequency, the more easily reflected-wave interference is generated. The transmission rate is usually chosen between 1200 and 19200 bps [4]. For communication distances under 1 km, 4800 bps can be chosen considering communication efficiency, the number of nodes and the distance; over 1 km, the reliability of data transmission should be improved by adding a repeater module or lowering the rate. The actual distance of the spent fuel pool radiation monitoring channel is no more than 1 km, and the baud rate is set to 19200 bps.
In actual construction, RS485 usually uses twisted pair or shielded twisted pair, wired in parallel, in star plus parallel, or daisy-chained. One line is generally connected to up to 32 receivers. Many chips support 64 or 128 loads, but mostly by raising the receiver input resistance, improving sensitivity and lowering the baud rate. The communication circuit of the plant's radiation monitoring system is simple, but for historical reasons the communication cable is coaxial rather than twisted pair. One local processing unit communicates with only one remote display unit, so the load capacity is not exceeded. At the same time, the polarisation (bias) voltage setting of the remote display unit is normal, and the resistance of the terminating resistor is normal.
Fourth, electromagnetic interference generally enters the instrumentation and control system by conduction and by direct radiation: the interfering electromagnetic field is coupled capacitively or inductively straight into the control system, or it is conducted in through the input and output signal lines, the power lines and the ground. For electromagnetic interference to degrade or fail equipment, three elements must be present at the same time: an interference source, a susceptible (interfered) device, and a coupling path that carries energy from the source to the interfered device [5].
The ground wire is the collection point for the protection and shielding of plant equipment, but, as noted above, it can also be a medium for transmitting interference. In general, the grounding of instrumentation and control equipment follows the concept of two grounding systems, protective grounding and working (signal) grounding, and the grounding system usually adopts single-point grounding: all the instrumentation equipment forms a radial grounding system through the instrument grounding busbar or insulated cable, and that radial system is connected to the grounding grid at one point and insulated from other grounding loops. By design the signal grounding point is normally independent of the protective grounding point. In the nuclear auxiliary building where the faulty channel is located, however, for design reasons the protective grounding and the working grounding of the equipment share a common grounding point.
Cables are used extensively for communication in the radiation monitoring systems of nuclear power plants. In digital control systems carrying high-frequency signals, cables are the main source of interference: they are both the main generator of high-frequency interference and its main receiver. As a generator, a cable radiates electromagnetic noise into space; as a receiver, it readily picks up electromagnetic noise emitted by adjacent interference sources.

3 Problem Description and Analysis

On February 3, 2017, by reviewing the plant's video recordings and tracking events on site, maintenance personnel found that the communication failures occurred frequently while the plant's spent fuel suction device was operating. After several on-site verifications the failures were reproduced, and the cause was established to be external interference. The device log and the recorded fault waveform are shown in Figs. 2 and 3.
Electromagnetic interference in the industrial control field can be divided roughly into three categories: power-frequency interference, random spike interference, and high-frequency electromagnetic interference. Power-frequency interference is mainly caused by the power grid and has a characteristic frequency of 50 Hz. Spike interference is mostly caused by the frequent starting and stopping of high-power electromechanical equipment. High-frequency electromagnetic interference mostly reaches equipment through spatial electromagnetic coupling [6].

Fig. 2. Spent fuel pool radiation monitoring channel communication fault log

Fig. 3. Spent fuel pool radiation monitoring channel communication abnormal waveform

During the fault, the spent fuel pool radiation monitoring channel showed coupled high-frequency signals and glitches (burrs) on the signal, which points to spike and high-frequency electromagnetic interference (Fig. 4).

Fig. 4. Recorded high-frequency and glitch disturbance waveforms on site

The radiation monitoring signal is processed by the local processing unit and routed through the ground terminal box KRT039CR at the bottom of the crane, the junction box PMC310CR at the top of the crane, and the junction box PMC309CR at the top of the spent fuel building, to the cabinet at the 15 m level of the LX electrical building, where it is displayed. The circuit is complicated, and its grounding involves both the 15 m ground of the LX electrical building and the ground of the spent fuel building [7] (Fig. 5).

Fig. 5. Spent fuel pool radiation monitoring channel communication circuit structure
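The glitches in Figs. 3 and 4 reach the receiver as corrupted bytes, and what the operators saw in Sect. 1 was the downstream symptom: a value on the workstation that stopped refreshing. The following is an added example, not code from the paper or from the plant's equipment, of how a receive-side monitor can turn both into explicit states. The paper does not name the protocol between the local processing unit and the remote display unit; the example assumes a Modbus-RTU style frame (address, function, payload, CRC-16/MODBUS), the most common framing on RS485, and the frames, bit flips and timings below are constructed. Note that the CRC only detects noise; it is not an integrity check against an active adversary on the bus, and the "stale" state is the one a safety display must never silently ride through.

```python
"""Added example (not from the paper): a receive-side health monitor for an
RS485 serial channel.  ASSUMPTION: Modbus-RTU style framing with a trailing
CRC-16/MODBUS; the paper does not state the protocol.  All frames, glitches
and timestamps below are constructed."""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(payload: bytes) -> bytes:
    """Append the CRC, low byte first, as Modbus RTU does on the wire."""
    crc = crc16_modbus(payload)
    return payload + bytes([crc & 0xFF, crc >> 8])


def check_frame(frame: bytes) -> bool:
    """True if the trailing CRC matches the CRC recomputed over the body."""
    if len(frame) < 4:          # address + function + 2 CRC bytes at minimum
        return False
    body, crc_lo, crc_hi = frame[:-2], frame[-2], frame[-1]
    return crc16_modbus(body) == (crc_hi << 8 | crc_lo)


def inject_glitch(frame: bytes, bit_index: int) -> bytes:
    """Flip one bit, imitating a spike coupled onto the bus (constructed fault)."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


class ChannelMonitor:
    """Count consecutive bad frames and track data age, so that a channel whose
    value has stopped refreshing is reported rather than displayed as current."""

    def __init__(self, max_bad: int = 3, stale_after_s: float = 10.0):
        self.max_bad = max_bad              # consecutive CRC failures before alarm
        self.stale_after_s = stale_after_s  # seconds without a valid frame
        self.bad_in_row = 0
        self.crc_errors = 0
        self.last_good_at = None

    def on_frame(self, frame: bytes, now: float) -> str:
        if check_frame(frame):
            self.bad_in_row = 0
            self.last_good_at = now
            return "ok"
        self.crc_errors += 1
        self.bad_in_row += 1
        return "alarm" if self.bad_in_row >= self.max_bad else "crc_error"

    def status(self, now: float) -> str:
        """Data-age check, independent of whether any frame arrived at all."""
        if self.last_good_at is None or now - self.last_good_at > self.stale_after_s:
            return "stale"
        return "fresh"


def run_constructed_scenario() -> list:
    """Replay a constructed burst: good frames, then glitched frames while the
    suction device runs, then silence.  Returns the list of monitor events."""
    payload = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x0A])   # read 10 registers
    good = build_frame(payload)
    mon = ChannelMonitor(max_bad=3, stale_after_s=10.0)
    events, t = [], 0.0
    for frame in (good, good, inject_glitch(good, 5),
                  inject_glitch(good, 30), inject_glitch(good, 47)):
        events.append(mon.on_frame(frame, t))
        t += 1.0
    # Nothing received for 15 s: the workstation value stops refreshing.
    events.append(mon.status(t + 15.0))
    return events


if __name__ == "__main__":
    print(run_constructed_scenario())
```

The single-bit flips are all caught because a 16-bit CRC detects every single-bit error; a real EMI burst can flip many bits, which is why the monitor also escalates on consecutive failures and on the age of the last good value rather than trusting any one check.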

3.1 High Frequency Electromagnetic Interference

High-frequency electromagnetic interference generally reaches equipment through spatial coupling, so it was suspected that part of the communication loop is disturbed by nearby equipment or cables.
On-site inspection found that the communication cable of the spent fuel pool radiation monitoring channel runs alongside the crane cable; the overlapping section is the PMC310CR to PMC309CR cable at the top of the crane.
In a field test, that cable was replaced with a twisted pair that did not share the KX building ground wire. With the signal transmitted independently, the number of communication failures decreased significantly (Fig. 6).

Fig. 6. Layout of the radiation monitoring equipment in the nuclear auxiliary building

3.2 Spike Interference Analysis

Most spike interference is caused by the frequent starting and stopping of high-power electromechanical equipment, which affects the grid or reaches equipment through the ground.
The spent fuel pool radiation monitoring channel is powered by the C-train AC uninterruptible power supply, which has nothing to do with the power supply of the suction device. On-site inspection showed that the heater power regulator of the suction device drives an alternating ground current of 2–60 mA while the heater is working, and that the suction device exhibits a discharge (energy release) phenomenon;
In the PMC309CR to 003 cabinet section of the channel's communication line, the outer metal armour is grounded to the 15 m electrical ground of the electrical building, while the inner braided shield is grounded to the common ground of the KX building; the shield of the KRT folding cable at the top of the crane is grounded to the common ground of the nuclear auxiliary building [8];
On-site measurement showed that the auxiliary equipment of the nuclear auxiliary building, the crane, the spent fuel pool radiation monitoring channel, the local equipment and the casings of the electrical boxes are all wired to the same ground (Fig. 7).

Fig. 7. Nuclear auxiliary plant equipment grounding position

4 Solution

4.1 Reduce the Interference of the Suction Device
The on-site test showed that the main part of the suction device interfering with the loop is the heater power regulator. The original regulator used the half-cycle mode, which switches on a half-wave basis: over a whole cycle it produces no direct-current component, but it generates a lot of external disturbance. After analysis, the regulator mode was changed to the cycle mode, in which the supply voltage is switched on and off in whole cycles. In this operating mode almost no harmonics are generated; at the same time, with cycle output the regulator has a smaller harmonic component and higher efficiency than in the half-wave mode, and the measured interference was significantly reduced (Fig. 8).

Fig. 8. Regulator operation mode before (left) and after (right) the adjustment, waveforms



4.2 Removing the Shield Ground Wire of the Spent Fuel Pool Radiation Monitoring Channel Communication Cable in the Nuclear Auxiliary Building
The analysis and tests above show that the ground of the nuclear auxiliary building introduces interference into the communication loop through the ground line, so the grounding of the signal shield layer on the nuclear auxiliary building side was removed.

4.3 Moving the Shield Grounding Point of the Spent Fuel Pool Radiation Monitoring Channel Folding Cable at the Top of the Crane
After the ground wire of the spent fuel pool radiation monitoring channel had been removed, the communication waveform still showed occasional instability. After confirming that interference was still entering through the folding cable at the top of the crane, the analysis concluded that this cable was where the channel's interference was breaking in, and the shield grounding of the channel's folding cable was moved from the local ground to the 15 m ground of the electrical building, after which the interference glitches disappeared (Fig. 9).

Fig. 9. Spent fuel pool radiation monitoring channel equipment ground adjustment, before (left) and after (right) waveforms

The analysis and tests above confirmed the root cause of this communication failure: when the high-power suction device is put into operation it raises the interference level in the nuclear auxiliary building, which causes the communication failure of the spent fuel pool radiation monitoring channel.
The interference was effectively reduced by lowering the interference intensity of the suction device, removing the ground line that carried the interference, and moving the shield grounding point of the easily disturbed cable, which solved the problem.

5 Conclusion

Anti-interference is a complex piece of systems engineering. In design, construction and commissioning, the interference problems of the instrumentation and control system must be considered carefully: grounding and shielding methods, and the addition of high-power equipment near communication circuits, all need attention. This paper provides a way of solving a communication interference problem; it effectively resolved the interference in the radiation monitoring system of a nuclear power plant and meets the requirements of field operation. At the same time, the solution summarised here can help electrical engineers optimise anti-interference design or add anti-interference measures so that the same problem does not recur.

References
1. Chen, Z.-P.: Fieldbus and Industrial Control Network Technology. Publishing House of
Electronics Industry, Beijing (2008)
2. Ge, C.-H.: Anti-Jamming Technology of Industrial Measurement and Control System.
Metallurgical Industry Press, Beijing (2006)
3. Lu, G.-Q.: Electromagnetic Compatibility Theory and Technology in Communication
System. Beijing Broadcasting Institute Press, Beijing (2000)
4. Jian, C.U.I.: Siemens Industry Network Communication Guide. Mechanical Industry Press,
Beijing (2004)
5. Hu, C.-H., Liu, C.-R., Guo, W.-S.: Embedded Network Programming: Serial Communication,
Industrial Bus, Sensor Network Application Development. Publishing House of Electronics
Industry, Beijing (2011)
6. Qiu, G.-Y., Luo, X.-J.: Circuit, 5th edn. Higher Education Press, Beijing (2006)
7. Ling, Q., Guo, L.-Y., et al.: Radiation Measurement Technology in Nuclear Power Plants.
Atomic Energy Press, Beijing (2001)
8. Zang, X.-N., Shen, S.-B.: Nuclear Power Plant Systems and Equipment. Tsinghua University
Press, Beijing (2003)
Design of Geological Disaster Monitoring and Early-Warning System for Mountainous Nuclear Facilities

Zuo-Ming Zhu (corresponding author), Jin-Xing Cheng, Wei-Wei Wen, You-Peng Wu, Xin Gao, Rong-Zheng Xu, and Bin Zhang

High-Tech Institute of Beijing, Beijing 100085, China
z375745363@126.com

Abstract. Considering the types of geological disaster, such as landslides and mudslides, that are prone to occur around mountainous nuclear facilities, the design principles of "progressiveness, stability and reliability, convenience for expansion, economy and practicality, and security and confidentiality" were proposed; slope shallow displacement, slope deep displacement and local rainfall were selected as the monitoring indicators; and a geological disaster monitoring and early-warning system for mountainous nuclear facilities was then designed to provide technical support for improving their safety management. The system has been put into trial at several high-risk slopes in some mountainous nuclear facilities for further experimental research and improvement.

Keywords: Mountainous nuclear facilities · Geological disasters · Monitoring and early-warning · System · Design

1 Introduction

Because of the special importance of nuclear facilities in mountainous areas, the relevant institutions at home and abroad attach great importance to the safety of mountainous nuclear facilities and to the prevention and control of geological disasters. Prevention and treatment of geological disasters at mountainous nuclear facilities are planned for the most unfavourable circumstances and managed with the most conservative safety measures; for disaster bodies that have not yet been remediated, and for those that have been remediated but still need critical evaluation, monitoring and early-warning projects are carried out to ensure the safe operation of the facilities [1–3].
China is one of the countries most seriously affected by geological disasters in the world. Collapses, landslides, mudslides, ground subsidence, land subsidence, ground fissures and many other types of geological disaster are very serious [4–6]; the areas prone to collapses, landslides and mudslides account for 44.8% of the country's land area. How to take reasonable technical measures to minimise such losses has become a problem that urgently needs to be solved.

© Springer Nature Singapore Pte Ltd. 2019


Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies
for Instrumentation and Control Systems, LNEE 507, pp. 265–273, 2019.
https://doi.org/10.1007/978-981-13-3113-8_31
266 Z.-M. Zhu et al.

Geological disaster monitoring is developing from traditional manual monitoring to on-line monitoring. In traditional monitoring, the main technical parameters are measured manually on site with conventional instruments. The monitoring workload is large and is affected by many factors such as weather, labour and site conditions; there are systematic and human errors; and the safety deficiencies of the monitored objects cannot be detected and presented in time, all of which limit the level of geological disaster monitoring. The development of on-line monitoring technology solves these problems and compensates well for the shortcomings of manual monitoring [7–9].
In this paper, the types of geological hazard, such as landslides and debris flows, that are prone to occur around mountainous nuclear facilities are analysed, and suitable monitoring indicators are selected. On that basis, a geological disaster monitoring and early-warning system is designed for mountainous nuclear facilities to provide technical support for improving their safety management.

2 Design Principles

The design of the geological disaster monitoring and early-warning system should follow the principles of "progressiveness, stability and reliability, convenience for expansion, economy and practicality, and security and confidentiality". Important factors such as construction and maintenance should also be considered comprehensively, while leaving room for future modification and expansion.
• Progressiveness. The system adopts advanced technologies such as the Internet, cellular-network bandwidth transmission and embedded language conversion; it consists of a system software platform plus terminal acquisition and transmission equipment, and uses a B/S (browser/server) structure: from any computer with Internet access, a user with operating permission can view and manage the system through a browser.
• Stability and reliability. Because of the particular environment in which the geological disaster monitoring and early-warning system is used, it must be ensured that the system is stable and reliable. A stable and reliable network server and a server-specific operating system are selected as the carrier of the monitoring and early-warning platform; the platform has authority (rights) control, which ensures reliable operation at the application level; and data transmission uses the wide-coverage wireless mobile communication network, which is efficient and reliable.
• Convenience for expansion. The system supports all kinds of existing communication access, such as GSM, GPRS, 3G, cable broadband, wireless WLAN, serial port and wireless serial-port networking, and these can operate in parallel; the monitoring terminal supports most existing digital, analogue and switch sensors, and special sensors added in future can be connected with simple hardware and software modifications; the design also opens part of the database so that other systems can retrieve data from it.
Design of Geological Disaster Monitoring 267

• Economy and practicality. The goals of system operation are convenience, simplicity and high efficiency, which embody rapid response and also make it easy for operators to set, view and release information. The hardware uses self-developed, stable equipment at affordable prices.
• Security and confidentiality. The system can implement strict rights management according to actual needs: only a holder of a key with the corresponding rights can access, monitor, manage and operate the system, which ensures that the system is safe and reliable.

3 Monitoring Indicator Selection

To achieve real-time monitoring and early warning of geological disasters, a corresponding monitoring indicator system must be established to determine the quantities to be monitored. Based on previous research, the indicators currently used in geological disaster monitoring fall into four categories: deformation monitoring indicators, monitoring indicators for physical and chemical fields, monitoring indicators for inducing factors, and groundwater monitoring indicators (Table 1).
For mountainous nuclear facilities, given that geological safety has been fully considered at design and construction, the most likely types of geological disaster are landslides and mudslides.
Landslides are mainly caused by local displacement of the geological structure, so the monitoring method can be set as observing the displacement of the geological structure at the target observation points; both the shallow displacement and the deep displacement of the potential landslide body need to be monitored.
When an area with an unstable geological structure is hit by large-scale rainfall in a short time, poor drainage loosens the surface soil layer, which collapses and forms a debris flow. Monitoring of debris flows is therefore mainly monitoring of rainfall at the target observation point. The monitoring objects and methods are shown in Table 2.

4 Monitoring System Design

4.1 Overall Design
Drawing on existing experience in monitoring and early warning of landslides and debris flows, the system is based on real-time monitoring of local rainfall combined with monitoring of surface displacement and deep displacement of the disaster body, and, taking into account the geological environment and regional conditions of the monitored area, sets corresponding warning thresholds to realise early warning and forecasting of landslides and debris flows. A rainfall threshold triggers monitoring and early warning; the deformation displacement of the disaster body is then used as visual evidence for analysis and judgement, which improves the accuracy of monitoring and early warning.

Table 1. List of major geological hazard monitoring indicators

Indicator type | Specific indicator | Types of geological hazard to which the indicator applies
Deformation monitoring indicators | Surface displacement | Collapse, landslides, mudslides, land subsidence, etc.
Deformation monitoring indicators | Deep displacement | Collapse, etc.
Deformation monitoring indicators | Tilt | All types of geological hazard
Physical and chemical field indicators | Stress field | Collapse, landslides, mudslides, etc.
Physical and chemical field indicators | Strain field | Collapse, landslides, mudslides, etc.
Physical and chemical field indicators | Infrasound | Rock collapse, landslides, mudslides, etc.
Physical and chemical field indicators | Geological body temperature | Landslides, mudslides, etc.
Physical and chemical field indicators | Radon anomaly | Ground fissures, collapse
Inducing-factor indicators | Rainfall | Geological disasters easily induced by atmospheric precipitation
Inducing-factor indicators | Human engineering activities | Geological disasters that may be induced by human engineering
Groundwater monitoring indicators | Groundwater dynamics | Landslides, mudslides, ground collapse, etc.
Groundwater monitoring indicators | Pore water pressure | Landslides, mudslides, etc.
Groundwater monitoring indicators | Groundwater quality | Landslides, mudslides, ground collapse, seawater intrusion, etc.

Table 2. Monitoring methods and parameters for landslides and mudslides

Monitoring object | Cause of formation | Monitoring method (sensor) | Monitoring parameter
Landslides | Displacement of geological structure | Slope shallow displacement (pull rope sensor) | Change in pull-cord extension length
Landslides | Displacement of geological structure | Slope deep displacement (tilt sensor) | Tilt angle variation
Mudslides | Large-scale rainfall in a short time | Local rainfall (rain gauge) | Short-term rainfall and cumulative rainfall
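The two-stage logic described in Sect. 4.1, a rainfall threshold that arms the warning and a displacement observation that confirms it, is written out below as an added example on the monitoring host side; it is not code from the paper or from the authors' system. The window lengths (1 h short-term, 24 h cumulative), the threshold values, and the choice that displacement alone raises a "watch" rather than nothing are assumptions made for illustration, since the paper gives no numbers, and the rain-gauge, pull-rope and tilt readings in the constructed storm are invented. Working on rates rather than raw readings means a sensor that is simply installed at a non-zero offset does not trip the alarm.

```python
"""Added example (not from the paper): the two-stage warning logic of Sect. 4.1,
rainfall threshold first, displacement confirmation second, as it might run on
the monitoring host.  Window lengths, thresholds and the rule that displacement
alone raises a "watch" are ASSUMPTIONS for illustration; the paper gives no
numbers.  All sensor readings below are constructed."""
from collections import deque


class RainWindow:
    """Sliding-window rainfall totals (mm) from timestamped rain-gauge readings."""

    def __init__(self, short_s: float = 3600.0, long_s: float = 24 * 3600.0):
        self.short_s = short_s          # "short-term rainfall" window (assumed 1 h)
        self.long_s = long_s            # "cumulative rainfall" window (assumed 24 h)
        self.samples: deque = deque()   # (timestamp_s, rainfall_mm)

    def add(self, t: float, mm: float) -> None:
        self.samples.append((t, mm))
        # Drop readings older than the longest window so memory stays bounded.
        while self.samples and t - self.samples[0][0] > self.long_s:
            self.samples.popleft()

    def total(self, t: float, window_s: float) -> float:
        return sum(mm for ts, mm in self.samples if t - ts <= window_s)


class EarlyWarning:
    """Stage 1: short-term or cumulative rainfall above threshold arms the warning.
    Stage 2: a confirming displacement rate from the pull-rope (shallow) or tilt
    (deep) sensor escalates it to an alarm.  Levels: normal < watch < alarm."""

    def __init__(self, short_mm: float = 30.0, long_mm: float = 100.0,
                 disp_mm_per_h: float = 5.0, tilt_deg_per_h: float = 0.5):
        self.rain = RainWindow()
        self.short_mm, self.long_mm = short_mm, long_mm                 # assumed thresholds
        self.disp_mm_per_h, self.tilt_deg_per_h = disp_mm_per_h, tilt_deg_per_h
        self.prev_disp = None   # (t, mm)  last shallow-displacement reading
        self.prev_tilt = None   # (t, deg) last deep-displacement (tilt) reading

    @staticmethod
    def rate_per_hour(prev, t: float, value: float) -> float:
        """Change rate between the previous and the current reading, per hour."""
        if prev is None or t <= prev[0]:
            return 0.0
        return (value - prev[1]) / (t - prev[0]) * 3600.0

    def update(self, t: float, rain_mm: float, shallow_mm: float, tilt_deg: float) -> str:
        self.rain.add(t, rain_mm)
        short = self.rain.total(t, self.rain.short_s)
        cumulative = self.rain.total(t, self.rain.long_s)
        rain_armed = short >= self.short_mm or cumulative >= self.long_mm

        disp_rate = self.rate_per_hour(self.prev_disp, t, shallow_mm)
        tilt_rate = self.rate_per_hour(self.prev_tilt, t, tilt_deg)
        self.prev_disp, self.prev_tilt = (t, shallow_mm), (t, tilt_deg)
        moving = abs(disp_rate) >= self.disp_mm_per_h or abs(tilt_rate) >= self.tilt_deg_per_h

        if rain_armed and moving:
            return "alarm"      # buzzer and red flashing light, as in Sect. 4.1
        if rain_armed or moving:
            return "watch"      # one indicator only: keep monitoring, no evacuation yet
        return "normal"


def run_constructed_storm() -> list:
    """Constructed 4 h storm sampled every 10 min; returns the level at each step."""
    ew = EarlyWarning()
    levels = []
    t = 0.0
    shallow_mm, tilt_deg = 100.0, 2.0              # initial sensor readings
    for step in range(24):
        rain_mm = 8.0 if 6 <= step < 14 else 0.5   # heavy rain for 80 min
        if step >= 12:                              # slope starts creeping
            shallow_mm += 2.0
        t += 600.0
        levels.append(ew.update(t, rain_mm, shallow_mm, tilt_deg))
    return levels


if __name__ == "__main__":
    print(run_constructed_storm())
```

In the constructed storm the level goes to "watch" once the hourly total passes the rainfall threshold, to "alarm" only when the pull-rope sensor starts to move while the rainfall is still armed, and back to "watch" when the rain stops but the slope keeps creeping.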

The system mainly consists of an abnormal-information acquisition unit, monitoring host control units, upper-computer management software, a data transmission unit and the system power supply. The overall structure of the system is shown in Fig. 1.

Fig. 1. Overall structure of the monitoring and early warning system: the abnormal information acquisition unit (slope shallow displacement sensors No. 1 to No. m, slope deep displacement sensors No. 1 to No. m, and local rainfall sensors No. 1 to No. m) connects over RS485 to monitoring hosts No. 1 to No. m, which in turn connect over RS485 to the PC for remote control

The abnormal information acquisition system consists of three kinds of acquisition subsystem (shallow displacement, deep displacement and rainfall), and the collected information is transmitted to each monitoring host by wire (RS485 bus).
The structure of the acquisition station host is shown in Fig. 2. When an abnormal value exceeds the alarm threshold, an alarm in the form of a buzzer and a red high-brightness flashing light reminds people to leave the danger zone and start emergency rescue work.

4.2 Key Component Selection


4.2.1 Shallow Displacement Monitoring
The MPS-S series pull rope displacement sensor was adopted to monitor the shallow
displacement. When the effective displacement occurs in the shallow part of the local
area, the pull rope sensor will give the corresponding electrical signal. The signal is
collected by the central processing circuit and transmitted to the superior monitoring
center through the networking to realize remote shallow displacement monitoring.

4.2.2 Deep Displacement Monitoring


The depth displacement monitoring has a certain degree of difficulty. Considering the
engineering application, a kind of tailorable landslide body depth measurement system
is designed using the inclination sensor. The SCA100T high-accuracy dual-axis tilt
sensor manufactured by VTI of Finland is adopted, which can collect the angle
information indirectly by measuring the component of the gravitational acceleration.
270 Z.-M. Zhu et al.

[Fig. 2 (block diagram): the shallow displacement sensor, deep displacement sensor and rainfall sensor feed a signal conditioning circuit connected to an STM32 controller; the controller communicates through a GPRS/GSM module; a solar energy generation system charges the battery through the power management module.]

Fig. 2. Monitoring system acquisition station host structure

The corresponding supporting hardware circuits and information acquisition software were also developed.

4.2.3 Rainfall Monitoring

The SRY-1 capacitive digital high-precision rain gauge is adopted. The rain gauge uses upper and lower electric valves to control water intake and drainage, so that the capacitive-grid rain gauge loses no rainfall while precipitation is being recorded; its measurement accuracy is high, its operation is convenient, and its reliability is good.

4.2.4 Automatic Monitoring Station Power Supply

Because the target monitoring sites see little foot traffic and lie in complex terrain, long-term manual intervention is inconvenient. The monitoring station is therefore powered mainly by 12 V batteries and solar panels, with the solar charging under control. The remaining capacity of the storage battery is predicted and the measurement results are reported to the central station, so that management personnel can easily keep track of the operating status of the equipment.
The monitoring system acquisition station is shown in Fig. 3.

4.3 Data Collection-Point Deployment and Data Transmission

Monitoring stations should be deployed at places that are representative and easy to access and maintain. They should be laid out at a density of one station per 5–10 km², and the deployment density can be increased at locations where geological disasters are potentially severe.
By constructing a disaster recovery communication network, the various types of monitoring information that are automatically collected at geographically dispersed sites are transmitted to the monitoring and early warning platform over a communication channel, automatically, accurately, and in a timely manner.

Design of Geological Disaster Monitoring 271

Fig. 3. The monitoring system acquisition station

The communication mode
adopted for long-distance transmission is GSM/GPRS (GSM-SMS serves as the backup mode), and local transmission uses an RS485 bus to connect each acquisition module. To ensure the compatibility and consistency of the system, a unified data format is adopted; it is used mainly by the telemetering terminals and the data-sharing software.

4.4 System Management Software

The system manages the monitoring information effectively, makes accurate judgments, and puts forward measures for dealing with disasters, so as to minimize the damage caused by geological disasters and sudden failures. The framework of the monitoring and early warning system management software is shown in Fig. 4.
The system management software provides data query, statistics chart generation, warning setting, automatic warning, manual warning, remote control, data integration, log management, and 24-h real-time monitoring.

5 Conclusion

A targeted analysis of the types of geological hazards, such as landslides and mud-rock flows, that are prone to occur around mountainous nuclear facilities was carried out, and the related monitoring indicators, namely slope shallow displacement, slope deep displacement and local rainfall, were properly selected following the design principles of “progressiveness, stability and reliability, convenience for expansion, economy and practicality, and security and confidentiality”. On this basis, a geological disaster monitoring and early-warning system for mountainous nuclear facilities was designed to provide technical support for improving the safety management level of mountainous nuclear facilities. The system has been put on trial at several high-risk slopes in mountainous nuclear facilities for further experimental research and improvement; the corresponding results will be reported in follow-up papers.

Fig. 4. The system management software framework

Research on Anti-seismic Qualification for Nuclear Safety Class I&C Equipment Based on Single-Frequency Wave Technique

Yong-Bin Sun, Ze-Sheng Hao, Hua-Ming Zou, Lei Wang, and Qiao-Rui Du

China Techenergy Co., Ltd. (CTEC), Beijing 100094, China
haozesheng@cgnpc.com.cn

Abstract. The multi-frequency wave method and the single-frequency wave method can both be used in anti-seismic qualification for nuclear-safety-class equipment. At present, the multi-frequency wave method is the most commonly used method for anti-seismic qualification. Because of its long qualification period, large manpower input and high test cost, the multi-frequency wave method has become a bottleneck for the development of anti-seismic qualification techniques for nuclear-safety-class Instrumentation & Control (I&C) equipment. As the qualification techniques for nuclear-safety-class I&C equipment in China become increasingly mature, the single-frequency wave method has become an efficient, low-cost method with reusable results for qualifying nuclear-safety-class I&C equipment. This paper puts forward an anti-seismic test method using sine beats, in accordance with the requirements on anti-seismic tests for I&C equipment of nuclear power plants in the national standards of the nuclear industry and in combination with the test features of the single-frequency wave method. Judging from specific cases of sine beat tests on nuclear-safety-class I&C equipment, the sine beat method has proven applicable and feasible, serving as an economical, efficient and reliable anti-seismic qualification method for equipment of the nuclear industry.

Keywords: Multi-frequency wave · Single-frequency wave · Anti-seismic qualification · Sine beat

1 Introduction

Nuclear-safety-class I&C equipment shall pass anti-seismic qualification before being applied in a nuclear power plant. To achieve this goal, the type test method, the operating experience method, the analytical method, or a combination of these methods can be used for equipment qualification [1].
The type test method is the mainstream anti-seismic qualification method in the nuclear industry today. In this method, a typical equipment model is selected for the anti-seismic test. According to GB13625, the single-frequency wave method and the multi-frequency wave method can be adopted for anti-seismic qualification. Because of its long work period, large manpower input and high test cost, the multi-frequency wave method is generally used for the first-set qualification of complex equipment. Because of its short work period and the high reusability of its anti-seismic qualification results, the single-frequency wave method can be used for the qualification of component-level products [2].

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 274–282, 2019.
https://doi.org/10.1007/978-981-13-3113-8_32

Research on Anti-seismic Qualification for Nuclear Safety Class 275

2 Introduction of Anti-seismic Testing

The single-frequency wave method and the multi-frequency wave method are generally used for anti-seismic qualification tests.

2.1 Multi-frequency Wave Method

For the multi-frequency wave method, a unidirectional, bidirectional or tri-directional artificial time history test is generally adopted. A unidirectional test can be performed on the OX, OY or OZ axis. A bidirectional test can be performed on the OX-OZ or OY-OZ axes, where OX and OY are horizontal and OZ is vertical. The tri-directional artificial time history test applies to safety-class equipment such as cabinets and panels that are directly mounted on the building floor of the nuclear power plant, where the floor acceleration is already known [3].
In the multi-frequency wave method, an artificially simulated acceleration time history is commonly used as the input wave. From the required response spectrum for the equipment, an artificially simulated acceleration time history whose spectrum envelopes the required response spectrum can be generated. The test response spectrum obtained by inverse calculation from such an artificial time history shall envelope the required response spectrum at the same damping ratio. The input artificial acceleration time histories shall meet the eight rules in HAFJ0053 [4].
In an anti-seismic test by the multi-frequency wave method, the required response spectrum of a specific nuclear power project is applied to the whole engineering model equipment, and an artificially generated seismic wave is used for the test. Because special anti-seismic test equipment must be used to generate the artificial seismic wave, and the engineering model equipment that has been built is usually heavy, the required response spectrum cannot be made conservative enough, and the test results are not reusable for other nuclear power projects with stricter response spectrum requirements. The model equipment must then be rebuilt and the test repeated, leading to an even longer qualification period, more manpower input and higher test costs.

2.2 Single-Frequency Wave Method

In the single-frequency wave method, a unidirectional or bidirectional single-frequency sine beat is commonly used for the test. Unidirectional single-frequency sine beat tests can be performed on the OX, OY or OZ axis separately. For a bidirectional single-frequency sine beat test, a vibrating table moving on a slope inclined along the horizontal axis can be used, with the mounting surface kept horizontal and the inclination angle of the vibrating table set to 45°.
A sine beat is a continuous sine wave of a certain frequency modulated by a lower-frequency sine wave. The duration of a sine beat is half the cycle of the modulating frequency. It is the earthquake wave most commonly used for anti-seismic tests of equipment in Europe and America. A sine beat resembles the resonance of a structure under the horizontal earthquake wave in an actual earthquake: the earthquake wave passes through a building to a structure and makes the structure generate a beat-like response at its natural frequency. At present there are few vibrating tables in China capable of bidirectional single-frequency sine beat testing; however, the unidirectional single-frequency sine beat test method is sufficient to meet the requirements of anti-seismic tests for nuclear I&C equipment.

276 Y.-B. Sun et al.

The unidirectional single-frequency sine beat test is applicable to nuclear safety-class equipment with the following characteristics:
(1) It is not directly mounted on the building floor of the nuclear power plant;
(2) The floor acceleration is transmitted to the equipment under anti-seismic qualification through a cabinet, panel or other intermediate structure;
(3) The required response spectrum at the equipment mounting position is unknown.
Like the sine beat method, the single-frequency wave method is an approximate simulation of real seismic motion. Real seismic motion is multi-frequency random motion in nature; in this method it is simulated by multiple single-frequency motions, so the method can only be an approximation. It is most reasonable to adopt the single-frequency wave method only when the following conditions are met:
(1) The required response spectrum is controlled by a single frequency; for example, the response spectrum at a floor of high elevation belongs to this type because of the filtering by the structure.
(2) The equipment has only one main frequency in the range 0–33 Hz and the responses at other natural frequencies are weak compared with that at the main frequency; or the natural frequencies are all above 33 Hz; or there are several natural frequencies in the range 0–33 Hz with relatively large frequency intervals and no coupling effect on each other.
The advantages of the sine beat method include:
(1) The nuclear-safety-class I&C platform system is divided into many independent components;
(2) The conservative spectra recommended by the standards are adopted to perform sine beat tests on the components;
(3) By demonstrating that the components of the nuclear-safety-class I&C system meet the anti-seismic requirements, the entire nuclear-safety-class I&C system is proven to meet the anti-seismic requirements.
Therefore, the results of anti-seismic tests using the sine beat technique can be reused in different projects, leading to significant reductions in economic, time and human costs.

3 Single-Frequency Sine Beat Technique

When the single-frequency sine beat test method is used, the model is excited by several pre-set sine beat vibrations at fixed frequencies. These fixed frequencies can be pre-set frequencies or dangerous frequencies identified from sine vibration response inspections. There is an interval between individual sine beats, giving the model time for its free response to decay. According to practical engineering experience, the interval between sine beats shall be greater than 2 s.

3.1 Single-Frequency Sine Beat Function

The general mathematical expression of a single-frequency sine beat is [5, 6]:

$$a(t) = a_0 \cdot \sin(2\pi f t) \cdot \sin\left(\frac{2\pi f t}{m}\right) \qquad (1)$$

Through Fourier transformation of formula (1), the mathematical expression of the acceleration single-frequency sine beat function is obtained:

$$a(t) = a_0 \cdot \frac{1}{2} \cdot \left[\left(1 - \frac{1}{m}\right) \sin 2\pi\left(1 - \frac{1}{m}\right) f t + \left(1 + \frac{1}{m}\right) \sin 2\pi\left(1 + \frac{1}{m}\right) f t\right] \qquad (2)$$

where

$$0 \le t \le \frac{m}{2f} \qquad (3)$$

a0: the measured value in the test, i.e. the maximum peak value of the test wave; it is equal to or less than the peak value of the modulated wave;
f: the test frequency, a predetermined frequency or a critical frequency identified from the vibration response;
m: the ratio of the test frequency to the modulating frequency of the acceleration sine beat, equal to (2n − 1), where n is the number of cycles of the acceleration sine beat. Fig. 1 shows the sine waveforms for n = 3, 5, 10 and 20; the waveform with n = 5 is the optimal one.

Fig. 1. Sine waveforms for n = 3, 5, 10 and 20

3.2 Requirements of Single-Frequency Sine Beat Technique

3.2.1 Required Response Spectrum for Single-Frequency Sine Beat

The required response spectrum is specified for the safe shutdown earthquake (SSE). At the same damping ratio, the response spectrum for the operating basis earthquake (OBE) can be taken as half of the corresponding SSE response spectrum. The required response spectrum for the anti-seismic qualification of a component or equipment is determined by analysing the horizontal and vertical response spectra required at the elevation at which the equipment is installed, plus a certain safety margin. For a device installed on the equipment, which is not rigidly fixed to the civil structure, the actual working conditions shall be simulated when the anti-seismic test is performed directly on the device: the dynamic filtering and amplification caused by the mounting support and the equipment shall be considered in the required response spectrum, and the estimated response spectra of the device at its respective mounting positions on the equipment shall be enveloped. For the response spectrum applied in the anti-seismic qualification of a device, once the applicability to the considered applications has been confirmed, the response spectra recommended in Annex B of NB/T20040-2011 can be adopted, as shown in Fig. 2.

Fig. 2. Horizontal and vertical response spectra applicable to anti-seismic tests of devices (damping ratio: 5%)

The acceleration values of the required response spectra at the key frequency points are given in Table 1.

Table 1. Values at special points of the horizontal and vertical response spectra applicable to anti-seismic tests of devices

Special point / anti-seismic level | Below 2 Hz | 2 Hz    | 10 Hz    | 20 Hz    | 35 Hz   | Above 35 Hz
SSE / S2                           | 0.2533 m   | 40 m/s² | 300 m/s² | 300 m/s² | 60 m/s² | 60 m/s²
1/2 SSE / S1                       | 0.1266 m   | 20 m/s² | 150 m/s² | 150 m/s² | 30 m/s² | 30 m/s²

3.2.2 Response Spectrum of Single-Frequency Sine Beat Test

The response spectrum of the single-frequency sine beat test shall be greater than or equal to the required response spectrum, and the peak acceleration shall be not less than the zero period acceleration of the required response spectrum. Over the 1–100 Hz frequency range of the required response spectrum for the single-frequency sine beat, take 15 Hz as the center frequency, expand the frequency points to both sides at 1/3-octave steps, and generate the test sine beat spectrum at each frequency point according to formula (2); the test response spectrum shall envelope the required response spectrum at each frequency point [7, 8] (Fig. 3).

Fig. 3. All frequency points test response spectrum VS required response spectrum

4 Application Examples

4.1 Background of the Single-Frequency Sine Beat Test

A company has performed anti-seismic tests on a batch of mosaic instrumental equipment (used for display and I&C on safety-class panels). This mosaic instrumental equipment is used in nuclear power plants A and B. Because the design seismic motions of the civil structures and the panel structures on which the mosaic instrumental equipment is mounted differ between nuclear power plants A and B, if the multi-frequency wave method were used for the anti-seismic test, qualification model equipment would have to be built separately for plants A and B and two anti-seismic tests performed, causing high time and economic costs, and the test results would not be reusable for other nuclear power plants. When the single-frequency wave method is adopted, the sine beat test is performed directly on the mosaic instrumental equipment, no complex model equipment is required, and the test results are reusable for different nuclear power plants. Therefore, the sine beat method was adopted for the anti-seismic test of the mosaic instrumental equipment.

4.2 Requirements of the Single-Frequency Sine Beat Test Technique

Single-frequency sine beats are input in the three principal axis directions in turn.
In the test, the response value at the equipment's center of gravity must be greater than the required test response spectrum; the test response spectrum shall envelope the required response spectrum.
The single-frequency sine beat tests should be performed at the natural vibration frequency of the equipment and at the frequency points within the range 1–100 Hz spaced at 1/3 octave.
The amplitude of a single-frequency sine beat shall be at least equal to the zero period acceleration of the required response spectrum. A beat sequence of more than 5 beats is selected.
The number of cycles of each beat is determined by the critical damping ratio of the equipment and the magnification of the test response spectrum; here n = 5.
The total duration of the single-frequency beat test should be 15–30 s.
In each beat test, to reduce the mutual interference and coupling between beats, a sufficient time gap (at least 2 s) between beats is required, so that the end of one beat does not overlap or couple with the beginning of the next.
The requirements of the sine beat test are given in Table 2.

Table 2. Requirements of sine beat test for mosaic (example)

Frequency range: 1–100 Hz, with 15 Hz as the center frequency and frequency points taken at 1/3 octave.
Test class: 5-cycle wave for each frequency point, 5 beats for each frequency point, and time interval between beats greater than 2 s.

Frequency point | OBE input (g)                  | SSE input (g)
2.0 Hz          | Vertical 1.2, horizontal 0.6   | Vertical 1.3, horizontal 0.8
3.0 Hz          | Vertical 1.65, horizontal 0.9  | Vertical 1.9, horizontal 1.4
4.0 Hz          | Vertical 2.33, horizontal 1.7  | Vertical 3.3, horizontal 2.6
5.0 Hz          | Vertical 2.75, horizontal 1.9  | Vertical 3.6, horizontal 2.8
6.0 Hz          | Vertical 4, horizontal 2.8     | Vertical 5.6, horizontal 4.2
7.5 Hz          | Vertical, horizontal 4.5       | Vertical, horizontal 9
9.45 Hz         | Vertical, horizontal 5         | Vertical, horizontal 10
12.0 Hz         | Vertical, horizontal 5         | Vertical, horizontal 10
15.0 Hz         | Vertical, horizontal 5         | Vertical, horizontal 10
18.9 Hz         | Vertical, horizontal 3.3       | Vertical, horizontal 6.6
24.0 Hz         | Vertical, horizontal 1.65      | Vertical, horizontal 3.3
30.0 Hz         | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
37.0 Hz         | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
47.0 Hz         | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
60.0 Hz         | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
75.0 Hz         | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
100.0 Hz        | Vertical, horizontal 0.92      | Vertical, horizontal 1.83
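The test set-up described in Sections 3.1, 3.2.2 and 4.2 (formula (1) with n = 5, beats at 1/3-octave frequency points around 15 Hz, at least 5 beats separated by more than 2 s, a total of 15–30 s, and a 5%-damped test response spectrum that must envelope the required spectrum) can be checked numerically before a table is ever run. The Python script below is an added worked example, not code from the paper or from CTEC: it generates the beat train, picks the beat count needed to reach 15 s at a given test frequency, lists the 1/3-octave points, and computes the test response spectrum of the train by integrating a single-degree-of-freedom oscillator with the Newmark average-acceleration scheme (an integration method assumed here; the paper does not name one). The 0.8 g horizontal SSE input at 2.0 Hz is taken from Table 2; the oscillator frequencies in the driver are arbitrary choices.

```python
"""Sine beat generation, beat-train scheduling and a 5 %-damped test response
spectrum for a single-frequency sine beat test (added worked example)."""
import math

DAMPING = 0.05  # critical damping ratio of the response spectra in the paper


def sine_beat(a0, f, n, dt):
    """One acceleration sine beat, formula (1): a(t) = a0 sin(2 pi f t) sin(2 pi f t / m),
    m = 2n - 1, sampled every dt over 0 <= t <= m / (2 f) (formula (3))."""
    m = 2 * n - 1
    steps = int(round(m / (2.0 * f) / dt))
    return [a0 * math.sin(2 * math.pi * f * i * dt) * math.sin(2 * math.pi * f * i * dt / m)
            for i in range(steps + 1)]


def beat_train(a0, f, n, beats, gap, dt):
    """`beats` identical sine beats separated by `gap` seconds of zero input."""
    beat, rest, signal = sine_beat(a0, f, n, dt), [0.0] * int(round(gap / dt)), []
    for k in range(beats):
        signal.extend(beat)
        if k < beats - 1:
            signal.extend(rest)
    return signal


def beats_for_duration(f, n, gap, min_total=15.0, min_beats=5):
    """Smallest beat count (>= min_beats) whose train, gaps included, lasts min_total s."""
    beat_len = (2 * n - 1) / (2.0 * f)
    beats = min_beats
    while beats * beat_len + (beats - 1) * gap < min_total:
        beats += 1
    return beats


def third_octave_points(center=15.0, lo=1.0, hi=100.0):
    """Frequency points at 1/3-octave steps on both sides of `center` inside [lo, hi]."""
    points, k = [], -40
    while center * 2 ** (k / 3.0) <= hi:
        fk = center * 2 ** (k / 3.0)
        if fk >= lo:
            points.append(round(fk, 3))
        k += 1
    return points


def spectral_acceleration(ag, dt, fn, zeta=DAMPING):
    """Peak absolute acceleration of a unit-mass single-degree-of-freedom oscillator
    (natural frequency fn, damping ratio zeta) driven by base acceleration ag,
    integrated with the Newmark average-acceleration scheme (assumed method)."""
    w = 2 * math.pi * fn
    c, k = 2 * zeta * w, w * w
    a1, a2 = 4.0 / dt ** 2 + 2.0 * c / dt, 4.0 / dt + c
    k_hat = k + a1
    u = v = 0.0
    acc = -ag[0]                              # relative acceleration of the mass at rest
    peak = 0.0
    for i in range(1, len(ag)):
        p_hat = -ag[i] + a1 * u + a2 * v + acc
        u_new = p_hat / k_hat
        v_new = 2.0 / dt * (u_new - u) - v
        acc = 4.0 / dt ** 2 * (u_new - u) - 4.0 / dt * v - acc
        u, v = u_new, v_new
        peak = max(peak, abs(acc + ag[i]))    # absolute = relative + ground acceleration
    return peak


def response_spectrum(ag, dt, freqs, zeta=DAMPING):
    """Spectral acceleration of `ag` at each oscillator frequency in `freqs`."""
    return {fn: spectral_acceleration(ag, dt, fn, zeta) for fn in freqs}


if __name__ == "__main__":
    g = 9.8
    f, n, gap = 2.0, 5, 2.0               # 2.0 Hz point, n = 5, gaps > 2 s (Table 2)
    dt = 1.0 / 8000.0                     # fine enough for oscillators up to ~40 Hz
    beats = beats_for_duration(f, n, gap)
    train = beat_train(0.8 * g, f, n, beats, gap, dt)   # 0.8 g horizontal SSE input
    print("1/3-octave points (Hz):", third_octave_points())
    print("beats:", beats, "train length:", round(len(train) * dt, 2), "s")
    for fn, sa in response_spectrum(train, dt, [1.0, 2.0, 4.0, 10.0, 40.0]).items():
        print("fn = %5.1f Hz  Sa = %5.2f g" % (fn, sa / g))
```

At the test frequency the spectral acceleration comes out several times the input peak, which is the amplification an enveloping check relies on, while at an oscillator frequency far above it the value falls back to the input peak, i.e. the zero period acceleration. With 5 beats and 2 s gaps a 2 Hz train already exceeds 15 s, but a 100 Hz train does not, so beats_for_duration adds beats until both the minimum count and the minimum total duration hold.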

4.3 Effectiveness of the Single-Frequency Sine Beat Spectrum

The response spectrum of the single-frequency sine beat test for the mosaic equipment shall envelope the estimated response spectrum at the position where the equipment is installed. Therefore, when the multi-frequency wave anti-seismic test is performed on the installed equipment, the response spectrum at the highest position is collected and compared with the response spectrum of the single-frequency sine beat test for the mosaic equipment. The results prove that the response spectrum of the sine beat test for the mosaic equipment fully envelopes the response spectrum at the installed position. The specific enveloping situation is shown in Fig. 4.

[Fig. 4 (two panels, accelerated velocity vs. frequency in Hz): beat spectrum of the component vs. response spectrum at the highest installed position of the cabinet for which the qualification has been completed, horizontal (left panel) and vertical (right panel).]

Fig. 4. Comparison between the single-frequency sine beat spectrum and the response spectrum at the highest installed position of completed model equipment

5 Conclusions

This paper puts forward an anti-seismic testing method using single-frequency sine beats to address the need to reduce the time and economic costs of component-level anti-seismic tests and to make the results reusable, in accordance with the requirements on anti-seismic tests for I&C equipment of nuclear power plants in the national standards of the nuclear industry and in combination with the test features of the multi-frequency wave method and the single-frequency wave method. Through specific cases of sine beat tests on nuclear-safety-class I&C equipment, this method has proven applicable and feasible, serving as an economical, efficient and reliable anti-seismic qualification method for equipment of the nuclear industry.

References
1. GB 12727-2002: Nuclear power plants – Electrical equipment of the safety system – Qualification
2. GB13625-1992: Anti-seismic qualification of electrical equipment of the safety system for nuclear power plants
3. NB/T20040-2011: Anti-seismic qualification test rules of safety classified electrical equipment for nuclear power plants
4. HAF-J-0053-1995: Guide on anti-seismic qualification for nuclear power equipment
5. Wang, S.-R., Ji, F.-Y.: Environmental test technology. Publishing House of Electronics Industry, Beijing (2016)
6. MIL-STD-810G-2009: Environmental engineering considerations and laboratory tests
7. IEEE Std 323-2003: IEEE standard for qualifying class 1E equipment for nuclear power generating stations
8. EPRI TR-107330-1996: Generic requirements specification for qualifying a commercially available PLC for safety-related applications in nuclear power plants
The Approaches of Prevention, Detection, and Response for Cybersecurity of I&C Systems in NPPs

Jianghai Li, Chao Guo, Wen Si, and Xiaojin Huang

Key Laboratory of Advanced Reactor Engineering and Safety of Ministry of Education, Collaborative Innovation Centre of Advanced Nuclear Energy Technology, Institute of Nuclear and New Energy Technology, Tsinghua University, Beijing 100084, China
lijianghai@tsinghua.edu.cn

Abstract. The framework of prevention, detection, and response has proven an effective approach to enhancing the cybersecurity of Information Technology (IT) systems. This framework can also be applied to Instrumentation and Control (I&C) systems in Nuclear Power Plants (NPPs), although there are significant differences between IT systems and I&C systems. The differences include the operational real-time requirement, the distinct communication protocols, and the continuous availability of the systems. These specific requirements must be properly addressed when applying the framework of prevention, detection, and response to I&C systems. Therefore, specific approaches to implementing this framework for I&C systems are proposed. For prevention, monitoring and auditing of I&C systems is suggested to meet the real-time requirement. For detection, an intrusion detection approach based on physical data is presented to deal with the distinct communication protocols. For response, intrusion-tolerant control is proposed to maintain continuous availability. The above three approaches together form the overall solution for the cybersecurity of I&C systems in NPPs. The reasons why these proposed approaches can deal with the specific challenges of I&C system security are elaborated in this paper.

Keywords: Cybersecurity · I&C systems · Nuclear power plants · Intrusion detection · Intrusion-tolerant

1 Introduction

Since most newly built Instrumentation and Control (I&C) systems in nuclear power plants (NPPs) are digital, cyber-attacks on these digital systems have become a real possible threat [1]. Cyber intrusions could deeply affect the safe and stable operation of nuclear power generation through the digital I&C systems. The cyber means of affecting the controlled power generation process include stopping the communication between control stations and human-machine interfaces (HMIs), tampering with the measurements of sensors, and falsifying the commands to actuators. In these ways, cyber intrusions could disable the functions of subsystems, cause physical damage to equipment, disrupt the nuclear reaction process, and thus may turn a cybersecurity incident into a nuclear safety incident.

© Springer Nature Singapore Pte Ltd. 2019
Y. Xu et al. (Eds.): Nuclear Power Plants: Innovative Technologies for Instrumentation and Control Systems, LNEE 507, pp. 283–290, 2019.
https://doi.org/10.1007/978-981-13-3113-8_33

284 J. Li et al.
The framework of prevention, detection, and response has proven an effective approach to enhancing the cybersecurity of widely used digital Information Technology (IT) systems [2]. This framework can also be applied to I&C systems in NPPs, although there are significant differences between IT systems and I&C systems. These differences include the strict operational real-time requirement, the distinct communication protocols, and the continuous availability required through the whole lifecycle. These specific requirements must be properly addressed when applying the classic framework of prevention, detection, and response to the new application of I&C systems.
The rest of the paper is organized as follows. Section 2 reviews the cybersecurity risks of I&C systems and the inapplicability of IT security controls. Section 3 describes the prevention solution, monitoring and auditing. The intrusion detection based on physical data is covered in Sect. 4. For response under incident conditions, the concept of intrusion-tolerant control and its implementation is illustrated in Sect. 5. The above approaches are summarized in Sect. 6.

2 The State of the Art

The actual situation of existing I&C systems poses real risks of cyber intrusion. First, there is no common practice of security upgrades for I&C systems [3]. Because of the poor patch management of I&C systems, many security vulnerabilities, including known ones, exist in the software and hardware of I&C systems and will remain there for a long time. Second, because of the limited resources of I&C components, basic security measures such as encryption and antivirus are difficult to deploy on each I&C device. From these two facts it can be concluded that cyber intrusion against I&C systems may well become a reality.
However, the present cybersecurity approaches, designed mainly for IT systems, are often inadequate or inapplicable for addressing the challenges associated with digital I&C systems. The security goals, the operational environment, and the response strategies of I&C systems differ greatly from those of IT systems [4]. Therefore, the present cybersecurity approaches cannot be applied to I&C systems directly.
An overall cybersecurity solution is therefore needed for I&C systems in NPPs. The framework of prevention, detection, and response will be customized and applied to provide this overall solution.

3 Prevention – Monitoring and Auditing

The best security is to prevent security incidents before they occur. To achieve this goal, the security situation of I&C systems must be known. Monitoring and auditing will benefit the cyber situation awareness of I&C systems. Monitoring focuses on the real-time security situation of I&C systems, while auditing is responsible for the long-term storage of security records for analysis, auditing, and forensic use. Anomalous behaviors beyond the normal patterns will be noticed through monitoring and auditing.
The Approaches of Prevention, Detection, and Response 285

Since the operational continuity and real-time is the first priority of I&C systems,
when deploying the monitoring and auditing into the I&C systems, the impact on the
normal operation of I&C systems should be carefully considered. Another factor to be
considered is the retrofit of adding the monitoring and auditing system to existing
facilities.
In I&C systems, control devices of I&C systems, such as operator stations, I/O
servers, control stations, are connected by the communication network, i.e. network
switches. The security monitoring points could be deployed in three possible locations
in I&C systems (Fig. 1):
A. on control devices,
B. between control devices and the network, and
C. beside the network.
Deployment at location A installs software (SW) on hosts such as operator stations,
engineering stations, and I/O servers. The software monitors host activity and detects
abnormal behaviour. The advantage of this location is that both external attacks
arriving from the network and internal attacks originating on the host can be detected.
The disadvantage is that additional software must be installed on the host, which can
cause software compatibility problems and management issues.
Deployment at location B inserts a new hardware (HW) module between the control
devices and the network, through which all network traffic into and out of the control
devices passes. The advantage of this location is that the HW module can perform
intrusion detection and intrusion prevention on the traffic at the same time. The
disadvantage is that processing the packets inline adds latency, which can affect
normal operation. Moreover, if the intrusion prevention rules are not appropriate,
normal operation could be disturbed or interrupted.
Deployment at location C installs an intrusion detection device beside the network
switch. The device monitors a copy of all traffic on the network delivered through a
mirror (SPAN) port of the switch. The advantage of this location is that the actual
network traffic does not pass through the device, so it has no impact on normal
operation. The corresponding limitation is that a device on a mirror port can only
detect, not block, and it sees only traffic that crosses the switch; activity confined
to a single host is invisible to it.

Fig. 1. Deployment locations of monitoring points



The three deployment locations are assessed below in terms of their impact on normal
operation and the amount of retrofit required for existing facilities (Table 1).

Table 1. The assessment of three deployment locations

Location   Impact on normal operation   Retrofit for existing facilities
A          Possible                     Adding SW
B          Possible                     Adding SW and HW; re-wiring
C          None                         Adding SW and HW

4 Detection – Physical Data-Based Intrusion Detection

Intrusion detection is the most effective means of becoming aware of cyber-attacks [5].
The major difference between I&C systems and IT systems is that physical process data
are obtained and transmitted over distinct control protocols such as OPC, Siemens S7,
and Modbus TCP. This characteristic of I&C systems brings one challenge and one
advantage. The challenge is that these distinct control protocols have to be handled,
so conventional intrusion detection cannot be applied to I&C systems directly. The
advantage is that the physical data can be exploited for more advanced intrusion
detection. Unlike conventional intrusion detection for IT systems, which is based on
cyber data alone, the intrusion detection proposed here for I&C systems is based on a
combination of cyber data and physical data. The physical data are extracted from
network packets by deep packet inspection (DPI) [6]. A DPI engine specialized for the
control protocols makes full use of the information in a network packet at three
levels.
The first level uses general network flow statistics and general packet analysis. This
information includes temporal quantities such as the traffic volume of a flow, its
duration, and the average packet interval, as well as spatial quantities such as source
address, destination address, source port, destination port, and topology. Used alone,
such general information usually yields a high false-positive rate and a high
false-negative rate. In an ICS, however, the runtime workflow and the set of
communicating parties are relatively fixed, so the temporal and spatial distribution of
network flows is relatively stable. Flow information at this first level is therefore
able to detect attacks with obvious characteristics, such as denial of service (DoS),
accurately.
The second level uses information carried by the industrial control protocol.
Obtaining it requires deep packet inspection based on the industrial control protocol;
the results of the inspection include the protocol type and the values of the protocol
fields. Industrial control protocols are designed mainly for efficient communication
between devices, not for security, so they provide no encryption, authentication, or
other security mechanisms. Packets can easily be eavesdropped, tampered with, or
forged. Exploiting this weakness, an attacker can send malformed messages to the
industrial control protocol, causing receivers that fail to process them to become
blocked. Through deep inspection of the protocol data, we are able to detect malformed
packets that do not conform to the protocol's standard data structure.
The third level uses information about the physical controlled objects. Obtaining it
requires not only the industrial control protocol but also the configuration of the
control system. With the control configuration, the data in a control packet can be
mapped back to quantities or commands with actual physical meaning, such as a
temperature, a pressure, a valve position, or a motor start/stop command. Attacks at
this level require an in-depth understanding of the control process; the best-known
example is the "Stuxnet" malware. Through deeper inspection of the data using the
control configuration, we are able to detect packets whose contents do not meet the
control requirements.
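The three inspection levels above, worked through on Modbus TCP as an added example (this is not code from the paper or from any product it cites). The expected flow list, the packet-rate limit, the register-to-tag control configuration, and the sample frames are all constructed for the illustration; a real deployment would derive them from the plant's network design and control configuration and would extend the parser to the other protocols named above.

```python
# Three-level inspection of Modbus TCP traffic (added example, not from the paper).
# Level 1: flow checks against expected communication pairs and a packet-rate limit.
# Level 2: MBAP/PDU parsing that rejects frames violating the Modbus TCP structure.
# Level 3: mapping written registers to physical quantities via a control configuration.
# The flows, packets and control configuration below are all constructed.
import struct
from collections import defaultdict

ALLOWED_FLOWS = {("10.0.1.10", "10.0.2.20", 502)}  # operator station -> controller
RATE_LIMIT = 20  # packets per source per second; a fixed ICS workflow stays far below

# holding register -> tag, scale from raw counts to engineering units, plausible range
CONTROL_CONFIG = {
    0x0000: {"tag": "coolant_temp_C", "scale": 0.1, "min": 20.0, "max": 350.0},
    0x0001: {"tag": "pressure_MPa", "scale": 0.01, "min": 0.0, "max": 17.0},
}
VALID_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}  # public Modbus function codes accepted


def parse_modbus_tcp(payload: bytes) -> dict:
    """Level 2: parse MBAP header + PDU; raise ValueError on a malformed frame."""
    if len(payload) < 8:
        raise ValueError("short MBAP header")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"bad protocol id {pid}")
    if length != len(payload) - 6:  # the length field counts unit id + PDU
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    if fc not in VALID_FUNCTIONS:
        raise ValueError(f"unknown function code {fc}")
    data, msg = payload[8:], {"tid": tid, "unit": uid, "fc": fc}
    if fc in (3, 4, 6):  # read: start address + quantity; write single: address + value
        if len(data) != 4:
            raise ValueError("bad PDU length")
        msg["addr"], msg["value" if fc == 6 else "qty"] = struct.unpack(">HH", data)
    elif fc == 16:  # write multiple: address, quantity, byte count, values
        if len(data) < 5:
            raise ValueError("short write-multiple PDU")
        addr, qty, bc = struct.unpack(">HHB", data[:5])
        if bc != 2 * qty or len(data) != 5 + bc:
            raise ValueError("byte count mismatch")
        msg["addr"], msg["values"] = addr, list(struct.unpack(f">{qty}H", data[5:]))
    return msg


def physical_findings(msg: dict) -> list:
    """Level 3: convert written registers to engineering units and range-check them."""
    if msg["fc"] == 6:
        writes = [(msg["addr"], msg["value"])]
    elif msg["fc"] == 16:
        writes = [(msg["addr"] + i, v) for i, v in enumerate(msg["values"])]
    else:
        return []
    findings = []
    for addr, raw in writes:
        cfg = CONTROL_CONFIG.get(addr)
        if cfg is None:
            findings.append(f"write to unconfigured register 0x{addr:04X}")
            continue
        value = raw * cfg["scale"]
        if not cfg["min"] <= value <= cfg["max"]:
            findings.append(f"{cfg['tag']}={value:g} outside [{cfg['min']}, {cfg['max']}]")
    return findings


def inspect(packets: list) -> list:
    """Run all three levels over (time, src, dst, dport, payload) tuples and
    return one (packet index, level, finding) tuple per alert."""
    alerts, per_second = [], defaultdict(int)
    for i, (ts, src, dst, dport, payload) in enumerate(packets):
        if (src, dst, dport) not in ALLOWED_FLOWS:
            alerts.append((i, 1, f"unexpected flow {src}->{dst}:{dport}"))
            continue
        per_second[(src, int(ts))] += 1
        if per_second[(src, int(ts))] > RATE_LIMIT:
            alerts.append((i, 1, f"flood from {src}"))
            continue
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError as e:
            alerts.append((i, 2, f"malformed: {e}"))
            continue
        alerts.extend((i, 3, f) for f in physical_findings(msg))
    return alerts


def frame(tid: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus TCP frame for unit id 1 (only used to construct samples)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu


OWS, PLC = "10.0.1.10", "10.0.2.20"
SAMPLE_PACKETS = [
    (0.1, OWS, PLC, 502, frame(1, 3, struct.pack(">HH", 0, 2))),          # normal read
    (0.2, OWS, PLC, 502, frame(2, 6, struct.pack(">HH", 0, 2850))),       # 285.0 C, in range
    (0.3, "10.0.1.99", PLC, 502, frame(3, 3, struct.pack(">HH", 0, 2))),  # unexpected source
    (0.4, OWS, PLC, 502, frame(4, 6, struct.pack(">HH", 0, 2850))[:-1]),  # truncated frame
    (0.5, OWS, PLC, 502, frame(5, 6, struct.pack(">HH", 1, 2500))),       # 25.00 MPa, out of range
] + [  # 25 reads within one second: exceeds RATE_LIMIT, the crude DoS pattern of level 1
    (1.0 + k / 100, OWS, PLC, 502, frame(10 + k, 3, struct.pack(">HH", 0, 2))) for k in range(25)
]
```

Calling `inspect(SAMPLE_PACKETS)` yields one level-1 alert for the unexpected source, one level-2 alert for the truncated frame, one level-3 alert for the out-of-range pressure write, and five level-1 flood alerts for the packets beyond the rate limit; the in-range temperature write and the normal reads produce nothing, which is the point of tying the third level to the control configuration rather than to the packet bytes alone.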
After the network packets have been inspected, detection algorithms are applied to the
extracted data. In general, intrusion detection methods fall into two categories:
anomaly detection and characteristic (signature) detection. Anomaly detection builds a
model of legitimate behaviour from data recorded during normal operation; that model is
then used as the benchmark against which current operational data are tested
statistically to detect anomalies. Characteristic-based detection compares operational
data with known malicious characteristics to determine whether malicious behaviour is
present. Each method has its own advantages and disadvantages. Characteristic-based
detection is efficient and accurate but can only identify known attacks. Unknown
attacks can be detected by anomaly detection, but if the model of legitimate behaviour
is incomplete, it produces more false-positive alarms.
The choice of intrusion detection method should be determined by the pattern of the
extracted data. When the data pattern is simple and fixed, such as second-level data
that follow the standard packet structure, characteristic detection can be applied to
flag suspicious packets carrying malicious commands, such as shutting down a device or
downloading a new configuration. When the data flow is complex and variable, such as
the operation flows extracted at the third level, anomaly detection using machine
learning algorithms is preferred.
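The two detection methods applied to the kind of records a DPI stage emits, as an added example that is not from the paper. The signature list, the per-tag Gaussian baseline and its threshold, the motor command register 0x0010, and all records are constructed; the signature on Modbus function 8 sub-function 4 refers to the standard diagnostic sub-function "Force Listen Only Mode", which silences a device. The last record shows the incomplete-baseline failure mode mentioned above: a legitimate pressure write is flagged only because pressure never appeared in the training window.

```python
# Signature-based vs anomaly-based detection on inspected data (added example,
# not from the paper). Records are constructed stand-ins for what a DPI stage
# emits: level-2 protocol fields (fc, addr, value, sub) and, where the control
# configuration resolves the register, a level-3 physical tag and value.
import statistics

# Signatures over level-2 fields. Function 8 / sub-function 4 is the standard
# "Force Listen Only Mode"; register 0x0010 is a constructed motor command
# register in which 0 means stop.
SIGNATURES = [
    {"name": "modbus-force-listen-only", "fc": 8, "sub": 4},
    {"name": "motor-stop-command", "fc": 6, "addr": 0x0010, "value": 0},
]


def match_signatures(rec: dict) -> list:
    """Return the name of every signature whose fields all equal the record's."""
    return [s["name"] for s in SIGNATURES
            if all(rec.get(k) == v for k, v in s.items() if k != "name")]


class AnomalyDetector:
    """Per-tag Gaussian baseline learned from normal-operation samples; a new
    sample is anomalous when its z-score exceeds the threshold."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.model = {}  # tag -> (mean, std)

    def fit(self, normal: list) -> "AnomalyDetector":
        per_tag = {}
        for tag, value in normal:
            per_tag.setdefault(tag, []).append(value)
        for tag, values in per_tag.items():
            self.model[tag] = (statistics.fmean(values), statistics.pstdev(values) or 1e-9)
        return self

    def score(self, tag: str, value: float) -> float:
        if tag not in self.model:  # tag absent from the baseline: the incomplete-model
            return float("inf")    # case in the text, which surfaces as a false positive
        mean, std = self.model[tag]
        return abs(value - mean) / std

    def is_anomalous(self, tag: str, value: float) -> bool:
        return self.score(tag, value) > self.threshold


def detect(records: list, detector: AnomalyDetector) -> list:
    """Signatures on every record; anomaly test wherever a physical value exists."""
    alerts = []
    for i, rec in enumerate(records):
        alerts.extend((i, "signature", name) for name in match_signatures(rec))
        if "tag" in rec and detector.is_anomalous(rec["tag"], rec["phys"]):
            alerts.append((i, "anomaly", f"{rec['tag']}={rec['phys']}"))
    return alerts


# Constructed baseline: only coolant temperature was observed in the "normal"
# window; pressure was not, which is what makes the model incomplete.
BASELINE = [("coolant_temp_C", v) for v in (288, 289, 290, 291, 292, 290, 289, 291)]

RECORDS = [
    {"fc": 3, "addr": 0, "qty": 2},                                               # read
    {"fc": 6, "addr": 0, "value": 2905, "tag": "coolant_temp_C", "phys": 290.5},  # normal write
    {"fc": 8, "sub": 4},                                                          # force listen only
    {"fc": 6, "addr": 0x0010, "value": 0},                                        # motor stop
    {"fc": 6, "addr": 0, "value": 3200, "tag": "coolant_temp_C", "phys": 320.0},  # about 24 sigma
    {"fc": 6, "addr": 1, "value": 1550, "tag": "pressure_MPa", "phys": 15.5},     # legitimate, unseen tag
]


def run() -> list:
    """Fit the baseline and run both detectors over the constructed records."""
    return detect(RECORDS, AnomalyDetector().fit(BASELINE))
```

Records 2 and 3 are caught by signatures because their protocol fields are fixed and known in advance; record 4 is caught only by the anomaly model, since a 320 C write is structurally valid Modbus. Record 5 is the cost of an incomplete baseline: it is flagged although nothing is wrong with it, so the training window has to cover every operating mode and every tag the plant legitimately writes.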

5 Response – Intrusion-Tolerant Control

The response approach covers the actions taken after a security incident has occurred.
Because of the requirement for continuous availability, I&C systems should remain
available even during a cybersecurity incident. The question of how to respond to
security incidents while maintaining the availability of I&C systems leads to the
approach of intrusion-tolerant control [7].
Operating the controlled power generation process requires I&C systems to be
functional at every stage. I&C systems are responsible for monitoring, control, and
protection of the whole NPP. Many processes and systems require continuous monitoring
by I&C systems, even during the shutdown stage, and for systems that operate
intermittently, the startup and shutdown procedures are themselves controlled by I&C
systems. The I&C systems must therefore remain continuously operational for the sake
of the other systems.

To realize intrusion-tolerant control that keeps I&C systems continuously available,
three steps are implemented in sequence: intrusion detection, intrusion assessment,
and intrusion response (see Fig. 2).

Fig. 2. Steps of intrusion-tolerant control

The goal of intrusion detection is to detect cyber intrusions before their physical
impact occurs. For intrusions that aim to cause physical damage to the controlled
systems or equipment, there is a time interval between the start of the cyber-attack
and the breakdown of the physical system [8]. If the cyber intrusion is detected
quickly enough, it is possible to stop it before any physical damage is done. Even if
physical damage has already been done to part of a subsystem, the sooner the intrusion
is detected, the smaller the extent of the damage.
As soon as an intrusion is detected, it is assessed by pre-configured rules and/or
human experts. The tasks of intrusion assessment are to estimate the range of the
intrusion, to evaluate its extent, and to judge the type of intruder or malware. For
example: is the intrusion confined to several hosts, or does it span the whole I&C
system network? Does it attempt to steal information or to disturb operation? Are the
intruders or malware generic adversaries or specific to the NPP? The information
provided by the assessment helps decide how to respond to the intrusion.
Based on the result of the intrusion assessment, a response is taken. Intrusions that
do not compromise any I&C component or disturb any controlled process can be handled
by dedicated security software without human intervention. For example, an ordinary
virus introduced by a portable device can be detected and eliminated automatically by
anti-virus software before any damage is done; in this case the virus causes no damage
and its elimination causes no additional harm. For intrusions that cannot be handled
automatically by software, human operators should be alerted to switch the compromised
components to unaffected backup ones. Thanks to the safety design principle of
redundancy in the controlled process, many I&C components, especially the critical
ones, have online alternatives, such as I/O servers, network switches, and the
processing modules of control stations. Because of a further safety design principle,
diversity, many of these redundant alternatives have different attributes, e.g.
different architectures, hardware, or software, so the diverse alternatives are not
prone to the same cyber-attack. In the worst case, where not only I&C components are
compromised but physical systems are also disturbed, intrusion-tolerant control cannot
be achieved; the safety protection systems should then be actuated to drive the
process to a safe state.
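The assessment and response steps as a rule-based decision, added here as an illustration rather than taken from the paper. The component inventory, the platform labels used as the diversity attribute, the detection record format, and the three response tiers are all constructed assumptions. What it adds to the text is the diversity check on failover: a backup is selected only if it is not itself compromised and runs a different platform from the compromised component, and a critical component with no such alternative escalates to the safety protection system.

```python
# Intrusion assessment and differentiated response (added example, not from the
# paper). Detections are reduced to an assessment of range and extent, and the
# response tier is chosen from it. The inventory, the platform labels used as the
# diversity attribute, and the detection format are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    role: str       # redundant alternatives share a role
    platform: str   # diversity attribute (constructed labels)
    critical: bool


INVENTORY = [
    Component("IOS-A", "io_server", "platform-1", True),
    Component("IOS-B", "io_server", "platform-2", True),
    Component("SW-1", "switch", "vendor-1", True),
    Component("SW-2", "switch", "vendor-2", True),
    Component("OWS-1", "operator_ws", "platform-1", False),
]


def assess(detections: list, inventory: list = INVENTORY) -> dict:
    """Reduce detections to range (hosts vs. network-wide) and extent (process
    disturbed or not). Each detection is a constructed record of the form
    {"component": name, "cleaned": bool, "process_impact": bool}, where
    "cleaned" means security software already removed it without side effects."""
    compromised = {d["component"] for d in detections if not d["cleaned"]}
    return {
        "compromised": compromised,
        "network_wide": len(compromised) > len(inventory) / 2,
        "process_disturbed": any(d["process_impact"] for d in detections),
    }


def diverse_alternative(comp: Component, compromised: set, inventory: list):
    """An online alternative with the same role that is not compromised and, by
    the diversity principle, runs a different platform from the compromised one,
    so the same attack is unlikely to apply to it."""
    for cand in inventory:
        if (cand.role == comp.role and cand.name != comp.name
                and cand.name not in compromised and cand.platform != comp.platform):
            return cand
    return None


def respond(assessment: dict, inventory: list = INVENTORY) -> dict:
    """Choose the response tier: automatic handling, operator-initiated failover
    to diverse alternatives, or actuation of the safety protection system."""
    if assessment["process_disturbed"]:
        return {"action": "safety_protection", "reason": "physical process disturbed"}
    if not assessment["compromised"]:
        return {"action": "automatic", "reason": "cleaned by security software"}
    by_name = {c.name: c for c in inventory}
    plan = {}
    for name in sorted(assessment["compromised"]):
        comp = by_name[name]
        alt = diverse_alternative(comp, assessment["compromised"], inventory)
        if alt is None and comp.critical:
            return {"action": "safety_protection",
                    "reason": f"no diverse alternative for critical component {name}"}
        plan[name] = alt.name if alt else None  # None: isolate, nothing to fail over to
    return {"action": "failover", "switch": plan, "alert_operators": True}


def handle(detections: list) -> dict:
    """Detection -> assessment -> response, the three steps in sequence."""
    return respond(assess(detections))
```

With this inventory, a compromised IOS-A fails over to IOS-B, but a compromise of both I/O servers leaves no diverse alternative for a critical role and the function escalates to the safety protection system, exactly the boundary the text draws between intrusion-tolerant control and safety protection.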
To summarize the three steps of intrusion-tolerant control: early intrusion detection
and accurate assessment are the basis for an appropriate intrusion response, and
differentiated responses to different intrusion situations are the essence of
intrusion-tolerant control. Situations beyond the capacity of intrusion-tolerant
control are dealt with by the safety protection system.

6 Summary

The framework of prevention, detection, and response is customized and applied to
I&C systems. For prevention, the monitoring and auditing approach is discussed,
focusing on its impact on normal operation. For detection, physical data-based
intrusion detection is proposed to handle the distinct control protocols. For
response, intrusion-tolerant control, which keeps I&C systems operating properly in
the event of cyber intrusions, is elaborated. Together, the approaches of prevention,
detection, and response provide an overall solution for the cybersecurity of I&C
systems.

Acknowledgement. This paper is jointly supported by the National Natural Science
Foundation of China (Grant Nos. 61502270, 71801141, U1736116) and the National S&T
Major Project (Grant No. ZX069).

References
1. International Atomic Energy Agency: Instrumentation and control (I&C) systems in nuclear
power plants: a time of transition (2008)
2. Davidson, R.: Integrating prevention, detection and response work flows: SANS survey on
security optimization (2017)
3. Valkama, R.: Computer security for nuclear I&C systems. Regional Training Course on
Computer Security for Industrial Control Systems at Nuclear Facilities, 22 Aug 2016,
Daejeon, Republic of Korea (2016)
4. Li, J., Huang, X.: Control system security in nuclear power plant. Atomic Energy Science and
Technology 46(suppl.), 411–416 (2012)
5. Yang, A., Sun, L., Wang, X., Shi, Z.: Intrusion detection techniques for industrial control
systems. J. Comput. Res. Dev. 53(9), 2039–2054 (2016)
6. Francia, G., Francia, X., Pruitt, A.: Towards an in-depth understanding of deep packet
inspection using a suite of industrial control systems protocol packets. J. Cybersecur. Educ.
Res. Pract. 2016(2) (2016)
7. Stakhanova, N., Basu, S., Wong, J.: A taxonomy of intrusion response systems. Computer
Science Technical Reports (2006)
8. Li, J., Huang, X.: Cyber attack detection of I&C systems in NPPs based on physical process
data. In: 2016 24th International Conference on Nuclear Engineering. American Society of
Mechanical Engineers (2016)
