Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique The Ohio State University – Nuclear Engineering Program.

Presentation transcript:

Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique The Ohio State University – Nuclear Engineering Program Diego Mandelli Master Thesis Defense

Overview
- Introduction
- Objectives
- System description
- Markov/Cell-to-Cell Mapping Technique (CCMT): Failure Modes and Effect Analysis (FMEA), Finite State Machine modeling, Markov modeling, Cell-to-Cell Mapping Technique
- Example Initiating Event (EIE)
- Conclusions

Introduction
Instrumentation and control (I&C) systems are widely used in nuclear power plants for monitoring, control and protection. Since the 1940s analog systems have accomplished these tasks satisfactorily; however, they suffer from:
- inaccurate design specifications
- susceptibility to certain environmental conditions
- effects of aging, such as mechanical failures and environmental degradation

Introduction
Digital systems are essentially free of the drift that afflicts analog systems (they maintain their calibration better) and offer:
- self testing
- signal validation
- process system diagnostics
- fault tolerance
- higher data handling and storage capabilities
Nuclear power plants are replacing/upgrading obsolete I&C systems: a transition from analog to digital technology.

Introduction
Replacing a component with a new one affects the safety and the reliability of the overall system. Considerations:
1. Probabilistic Risk Assessment (PRA) is a commonly used tool to examine the safety and reliability of specific systems.
2. Conventional PRA tools are based on Fault Trees and Event Trees (FT and ET).

The starting point....
Are ET/FT able to model I&C? What if we have the following:
- phenomena that dictate the system's response (e.g., depending on thresholds of process variable values)
- the effect of process dynamics on the hardware component failure behavior
- interactions between the controller's components
- multiple failure modes that affect the system response differently
In these cases the answer is NO.

The starting point....
What do we need? A type of PRA that can also simulate both the controller and the process: a "Dynamic PRA".
What are the goals? Show how it is possible to model digital I&C systems for PRA purposes using dynamic methodologies. How can the information coming from these methodologies be fitted into actual PRA?

Objectives
What did we choose to model digital I&Cs? The Markov/Cell-to-Cell Mapping Technique.
What will be the output?
1. Cdf of the Top Events
2. Event sequences or Dynamic Event Trees (DET)
What are the requirements?
- dependence of the control action on system history
- dependence of system failure modes on exact timing of failures
- functional as well as intermittent failures
- error detection capability
- possible system recovery from failure modes

Event Trees and Dynamic Event Trees
Simple Event Tree (figure): initiating event Large LOCA; branches on Reactor Trip (Success/Failure) and ECCS (Success/Failure); end states Core damage Yes/No.

Event Trees and Dynamic Event Trees
Dynamic Event Tree (figure): starting from the Initiating Event at t = 0, at each time step (t = Δt, t = 2·Δt, ...) the system either succeeds or branches into failure states (Failure State 1, Failure State 2, ...); each path through the tree is an Event Sequence.

Type I and II Interactions
The classical "Controller + Process" system (figure): Sensors 1 ... n feed Controllers 1, 2, ..., which drive Actuators 1, 2, 3 acting on the Process. Type I interactions: between the controller and the process. Type II interactions: within the controller.

The Markov/CCMT methodology
Stochastic description of the system evolution:
- Dynamic interactions between physical process variables (e.g., temperature, pressure, etc.) and the I&C systems that monitor and manage the process
- Dynamic interactions within the I&C system itself due to the presence of software/firmware (e.g., multi-tasking and multiplexing)

An overview of the Markov/CCMT (flowchart)
System Modeling: System Description → Type I Interactions Analysis (Control Laws: Simulink Model) and Type II Interactions Analysis (FMEA, Finite State Machine Description)
Markov/CCMT Approach: CCMT and Markov modeling
System Analysis

System description

System description
Digital Feedwater Control System (DFWCS). Main Feedwater System components: Main Feedwater Valve (MFV), Bypass Flow Valve (BFV), Feedwater Pump (FP).
The purpose is to maintain the water level inside each of the SGs optimally within ± 2 inches. The controller is regarded as failed if the water level in a SG is:
- above 2.5 ft (+30 inches) → High Failure
- below 2 ft (-24 inches) → Low Failure

System description
DFWCS (figure): 5 pairs of sensors, 2 computers (MC, BC), MFV controller, BFV controller, FP controller, PDI controller.

System description
Operating modes:
1. Low power automatic mode (Power < 15%): BFV (MFV closed), FP at minimum speed
2. High power automatic mode (15% < Power < 100%): MFV (BFV closed), FP
3. Automatic transfer from Low to High power mode
4. Automatic transfer from High to Low power mode

Control laws
The control logic and the control laws have been derived from the DFWCS code of an existing plant, written in C++.

Control laws
Control laws determine the feedwater flow demand, which is translated into position (MFV) and speed (FP) through look-up tables.

Control logic
The position and the speed of the actuated devices may depend on the status of the MC and BC (figure: logic for FP, MFV, BFV and PDI).

Control Laws

Simulink model
The control logic and the control laws have been implemented in a Simulink model in order to tune and verify the control laws.

Simulink model: an example scenario
The control logic and the control laws have been implemented in a Simulink model in order to tune and verify the control laws. The scenario is a power transient from 70% to 72.5%, modeled through a sequence of finite ramps of 0.5% each. The purposes were the following:
1. Obtain a stable response of the controller
2. Obtain a reasonable response of the actuated devices

Simulink model: an example scenario
Results (figure).

Simulink model: an example scenario
MFV response (figure).

Failure Modes and Effect Analysis

FMEA and Finite State Machine
Failure Modes and Effect Analysis (FMEA): a tool to analyze the possible failure modes and their consequences on the dynamics of the system:
1. Failure type
2. Detection of the failure
3. Effect of the failure on the controller
4. Effect on the process
Finite State Machine: a model of behavior composed of a finite number of states, transitions between these states, and actions:
1. Transition conditions
2. Transitions
3. Actions

Computer FMEA
Define the intra-computer and computer-computer interactions.
- Input from sensors: loss of one or both inputs; sensor out of range or impossible rate of change
- Output to the controllers: loss of output
- Communications
- Loss of power
- Internal failures: roundoff/truncation/sampling rate errors; unable to meet needed response requirements; watchdog timer fails to activate; watchdog timer activates when computer has not failed; arbitrary value output

Intra-Computer interactions
A. Operating: computer is operating correctly.
B. Loss of One Input: computer is operating correctly but data are not received from one of the two sensors (for each measured quantity).
C. Loss of Both Inputs: computer is operating correctly but data are not received from both sensors (for each measured quantity).
D. Computer Down: the computer itself recognizes loss of input(s) or input(s) being out of range and takes itself down. The other computer takes control of the process automatically (if it is operating correctly).
E. Arbitrary Output: the computer does not realize that input(s) are out of range or that there is an error in processing data. Random data are generated.

Inter-Computer interactions
Two types of failure have been identified:
1. Recoverable (e.g., loss of input)
2. Not recoverable (e.g., watchdog timer fails to activate)
Because of this, it is more convenient to talk about primary and secondary computer:
- Primary computer: the computer sending output to the controllers
- Secondary computer: the computer in stand-by

Inter-Computer interactions
(figure: the computer states A to E replicated within each macro state) 3 Macro States (MS):
1: Operating with 2 computers
2: Operating with 1 computer, possible recovery
3: Operating with 1 computer, no recovery

Controller FMEA
Define the Computer-Controller-Actuated Device interactions.
- Input from computer (loss of input): included in the computer-computer interactions
- Internal failures: high output; low output; arbitrary value output
- Loss of power
- Communications: error in the communications; computer erroneously reported failed; computer erroneously reported not failed; MFV, BFV, FP controllers do not agree from which computer to accept input
- Output to the actuated device: loss of output

Computer-Controller-Actuated device interaction
(figure) States: 0 vdc output, Output High, Output Low, Arbitrary Output, Freeze, Device Stuck.

The Markov/CCMT Approach

The Markov/CCMT Approach
Recall: stochastic description of the system evolution. But, so far, the system modeling has given a deterministic description of the system. The Markov/CCMT approach converts the information contained in the system modeling step from a deterministic to a statistical viewpoint.

Cell-to-Cell Mapping Technique

CCMT
- CCMT is a technique used to represent the dynamics of the system
- The state space (CVSS) is an n-dimensional space (one dimension for each internal variable)
- The CVSS is divided into cells V_j (possibility to capture uncertainties and errors in the monitoring phase of the process)
- Setpoints must fall on the boundary of V_j and not within V_j
- Note: coupling between the discretization of the CVSS and the time step (Δt) of the simulation
- Top Events (Fail High or Fail Low) are modeled as sink cells

CCMT
The algorithm (figure): a cell j' at t = k·Δt is mapped onto cells j, j'', ... at t = (k+1)·Δt, accounting for:
- the dynamic behavior of the system
- the control logic of the control system
- the hardware/firmware/software states
The goal is to determine the probability g(j|j',n',t) of transiting at time t from cell j' to cell j, given component state combination n'.

Markov modeling

Markov modeling
Goal: determine a probabilistic model that can describe the evolution of all the components of the controller. Markov transition diagrams have been chosen. What do I need?
- a set of mutually exclusive and exhaustive states
- the probabilities of transitions between states, which have been determined
Markov transition diagrams have been derived from the Finite State Machine description.

Markov modeling
For each component, a Markov transition diagram has been determined (figure).

Markov modeling
The goal is to determine h(n|n',j'→j), or h(n|n',j'→j,k): the probability that the component state combination changes from n' to n during a transition from cell j' to cell j. Note:
- failure rates may depend on process variables like temperature, pressure, ...
- failure rates may depend on time

System Analysis

System Analysis
Markov modeling gives h(n|n',j'→j); CCMT gives g(j|j',n',t). Since these two transition probabilities are independent:
q(n, j|n', j', t) = h(n|n',j'→j) · g(j|j',n',t)

System Analysis
Graphically (figure): in the (N, J) space of component state combinations and cells, the transition from (n', j') to (n, j) has probability q(n, j|n', j', t) = h(n|n',j'→j) · g(j|j',n',t), combining the Markov transition h(n|n',j'→j) with the CCMT transition g(j|j',n',t).

Markov/CCMT and Dynamic Event Trees
(figure: a dynamic event tree in the (N, J) space over time t, starting from (1, j_0) and branching at each time step into states such as (2, j_2) and (1, j_3))

An Example Initiating Event
Most of the analysis performed for Level 2 PRA assumes that the reactor is shut down in all the initiating events. Assumptions:
1. Turbine trips
2. Reactor is shut down
3. Power P(t) is generated from the decay heat
4. Reactor power and steam flow rate decay from 6.6% of initial power, and the analysis starts 10 seconds after reactor shutdown
5. Feedwater flow and level are initially at nominal value
6. Off-site power is available
7. Main computer is failed

The Example Initiating Event: considerations
- DFWCS is working in Low Power mode
- MFV is not used
- FP set at minimum speed
- Only the BFV is able to change the feedwater flow
- 5 internal variables: CVSS is 4-D

The Example Initiating Event
Only one controller is considered: the BFV controller. Hypotheses:
- Only loss of both inputs can occur (and not loss of just one)
- Loss of communications between the sensors and BC and between BC and the BFV controller cannot be recovered
- Only the BFV controller failure can generate arbitrary output; if BC generates arbitrary output due to an internal failure, it is recognized by the BC
- The BFV controller cannot fail in Output High mode
- FP cannot fail

The Example Initiating Event
(figure: BFV controller/device states) Controller/Device Communicating, Arbitrary Output, 0 vdc Output, Freeze, Device Stuck.

The Example Initiating Event
An ad-hoc program has been built in Java:
1. The simulator:
   1. solves the set of 4 differential equations using Runge-Kutta
   2. implements the control laws
2. Generates event sequences
3. Determines the probability of Low Failure and High Failure at each time step
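A toy, end-to-end version of the pipeline this slide describes and of the System Analysis composition q = h · g: it discretizes a constructed 1-D level deviation into cells with Low/High sink cells, estimates g(j|j',n',Δt) by Runge-Kutta integration of a constructed control law from a grid of points in each cell, builds h(n|n') for a three-state BFV controller (Operating, Freeze, 0 vdc output, no recovery), and iterates the combined transition to obtain the Cdf of the Top Events per Markov step. This is added example code, not the thesis's Java program or the DFWCS control laws; the cell edges, control law, failure rates, and the simplification that h does not depend on j'→j are all constructed assumptions.

```python
import math

# Constructed 1-D CVSS: SG level deviation x in inches; sinks beyond -24 / +30.
LOW_FAIL, HIGH_FAIL = -24.0, 30.0
EDGES = [LOW_FAIL, -12.0, -2.0, 2.0, 12.0, HIGH_FAIL]   # +/-2 band on boundaries
CELLS = list(zip(EDGES[:-1], EDGES[1:]))                # interior cells V_j
SINK_LOW, SINK_HIGH = len(CELLS), len(CELLS) + 1        # sink cell indices
N_J = len(CELLS) + 2

# Constructed BFV controller component states n; failures are not recoverable.
STATES = ("Operating", "Freeze", "0vdc")
DEMAND = 1.0      # steam draw, inches/hour
FREEZE_CMD = 1.6  # feedwater command held by a frozen controller, inches/hour

def feedwater_cmd(x, n):
    """Control law as a function of component state n (constructed)."""
    if n == 0:
        return DEMAND - 0.5 * x   # proportional law drives x back to 0
    if n == 1:
        return FREEZE_CMD         # output frozen high: level drifts up
    return 0.0                    # 0 vdc output: valve closed, level drains

def rk4(x, n, dt, sub=10):
    """Classical Runge-Kutta integration of dx/dt = cmd(x) - DEMAND over dt."""
    f = lambda y: feedwater_cmd(y, n) - DEMAND
    h = dt / sub
    for _ in range(sub):
        k1 = f(x); k2 = f(x + h * k1 / 2)
        k3 = f(x + h * k2 / 2); k4 = f(x + h * k3)
        x += h * (k1 + 2 * k2 + 2 * k3 + k4) / 6
    return x

def cell_of(x):
    """Index of the cell containing x (sink cells beyond the failure limits)."""
    if x <= LOW_FAIL or x >= HIGH_FAIL:
        return SINK_LOW if x <= LOW_FAIL else SINK_HIGH
    return next(j for j, (lo, hi) in enumerate(CELLS) if lo <= x < hi)

def ccmt_g(n, dt, samples=20):
    """g(j|j',n',dt): share of a grid of points in cell j' that land in cell j."""
    g = [[0.0] * N_J for _ in range(N_J)]
    for jp, (lo, hi) in enumerate(CELLS):
        for k in range(samples):
            x0 = lo + (hi - lo) * (k + 0.5) / samples
            g[jp][cell_of(rk4(x0, n, dt))] += 1.0 / samples
    g[SINK_LOW][SINK_LOW] = g[SINK_HIGH][SINK_HIGH] = 1.0   # sinks absorb
    return g

def markov_h(dt, lam_freeze, lam_0vdc):
    """h(n|n'): component state transition probabilities over one step dt."""
    lam = lam_freeze + lam_0vdc
    p_fail = 1.0 - math.exp(-lam * dt)
    split = (lam_freeze / lam, lam_0vdc / lam) if lam > 0.0 else (0.0, 0.0)
    return [[1.0 - p_fail, p_fail * split[0], p_fail * split[1]],
            [0.0, 1.0, 0.0],
            [0.0, 0.0, 1.0]]

def top_event_cdf(dt, steps, lam_freeze=0.01, lam_0vdc=0.005, x0=0.0):
    """Cdf of (Low Failure, High Failure) after each Markov time step."""
    h = markov_h(dt, lam_freeze, lam_0vdc)
    g = [ccmt_g(n, dt) for n in range(len(STATES))]
    p = {(0, cell_of(x0)): 1.0}   # start: Operating controller, level at x0
    cdf = []
    for _ in range(steps):
        nxt = {}
        for (np_, jp), pr in p.items():
            for n, hn in enumerate(h[np_]):
                for j, gj in enumerate(g[np_][jp]):
                    if hn * gj > 0.0:                    # q(n,j|n',j') = h * g
                        nxt[(n, j)] = nxt.get((n, j), 0.0) + pr * hn * gj
        p = nxt
        cdf.append((sum(v for (_, j), v in p.items() if j == SINK_LOW),
                    sum(v for (_, j), v in p.items() if j == SINK_HIGH)))
    return cdf
```

Calling top_event_cdf(4.0, 12) gives the Low/High failure Cdf over a 48 hour mission with a 4 hour Markov step; rerunning with dt = 8.0 or 12.0 reproduces the time-step comparison of the results slides on this toy system.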

The Example Initiating Event: Results
An example of Event Sequence (figure).

The Example Initiating Event: Results
The importance of the failure timing: the Freeze state (figure).

The Example Initiating Event: Results (figure)

The Example Initiating Event: Results
What is the effect of changing the Markov time step (Δt) on the Cdf of the Top Events (High Failure and Low Failure)? 3 different Markov time steps have been chosen: 4 hours, 8 hours, 12 hours.

The Example Initiating Event: results (figure)

The Example Initiating Event: results (figure)

Considerations
- Power behavior affects the behavior of the Cdf of the Top Events.
- The number of event sequences depends strictly on: 1. the number of time steps; 2. the number of component state combinations N.
- Given a mission time (e.g., 24 hours), it is possible to decrease the number of time steps by increasing the Markov time step (Δt).
- N can be reduced by: reducing the number of components by merging two or more components together; reducing the number of states of a component by merging two or more states together (e.g., merging all states that have the same impact on the dynamics of the system).

Conclusions
- The Markov/CCMT methodology has been presented.
- The modeling of digital control systems (DFWCS) through Markov/CCMT has been shown: Type I interactions have been modeled using CCMT; Type II interactions have been modeled using Markov transition diagrams.
- The outputs of the analysis are: generation of event sequences; evaluation of the Cdf of the Top Events.
