Reliability Modeling of Digital Control Systems Using the Markov/Cell-to-Cell Mapping Technique - PowerPoint PPT Presentation

1
Reliability Modeling of Digital Control Systems
Using the Markov/Cell-to-Cell Mapping Technique
Diego Mandelli
Master Thesis Defense
  • The Ohio State University Nuclear Engineering
    Program

2
Overview
  • Introduction
  • Objectives
  • System description
  • Markov/Cell-to-Cell Mapping Technique (CCMT)
  • Failure Modes and Effect Analysis (FMEA)
  • Finite State Machine modeling
  • Markov Modeling
  • Cell-To-Cell Mapping Technique
  • Example Initiating Event (EIE)
  • Conclusions

3
Introduction
  • Instrumentation and control (I&C) systems are
    widely used in nuclear power plants for:
    • Monitoring
    • Control
    • Protection
  • Since the 1940s analog systems have accomplished
    these tasks satisfactorily; however, they suffer
    from:
    • inaccurate design specifications
    • susceptibility to certain environmental
      conditions
    • effects of aging such as mechanical failures
    • environmental degradation.

4
Introduction
  • Digital systems are essentially free of the drift
    that afflicts analog systems (they maintain their
    calibration better) and offer:
    • Self testing
    • Signal validation
    • Process system diagnostics
    • Fault tolerance
    • Higher data handling
    • Storage capabilities
  • Nuclear power plants are replacing/upgrading
    obsolete I&C systems

Transition from analog to digital technology
5
Introduction
The replacement of a component with a new one affects
the safety and the reliability of the overall system.
  • Considerations:
    • Probabilistic Risk Assessment (PRA) is a commonly
      used tool to examine the safety and reliability
      of specific systems
    • Conventional PRA tools are based on Fault Trees
      and Event Trees (FT and ET)

6
The starting point.
Are ET/FT able to model I&C?
  • What if we have the following:
    • The presence of phenomena which dictate the
      system's response (e.g. depending on thresholds
      of process variable values)
    • The effect of process dynamics on the hardware
      component failure behavior
    • Interactions between controller components
    • Multiple failure modes which affect the system
      response differently

In these cases the answer is NO.
7
The starting point.
What do we need?
A type of PRA able to perform also the simulation
of both the controller and the process:
a Dynamic PRA.
What are the goals?
  • Show how it is possible to model digital I&C
    systems for PRA purposes using dynamic
    methodologies
  • How can the information coming from these
    methodologies be fitted into the actual PRA?

8
Objectives
What did we choose to model digital I&C systems?
The Markov/Cell-to-Cell Mapping Technique
What are the requirements?
  • dependence of the control action on system
    history,
  • dependence of system failure modes on exact
    timing of failures,
  • functional as well as intermittent failures,
  • error detection capability,
  • possible system recovery from failure modes

What will be the output?
  1. CDF of the Top Events
  2. Event sequences or Dynamic Event Trees (DET)

9
Event Trees and Dynamic Event Trees
Simple Event Tree
10
Event Trees and Dynamic Event Trees
Dynamic Event tree
(Figure: starting from the Initiating Event at t = 0,
the tree branches at each time step t = Δt, 2Δt, ...
into Success, Failure 1 and Failure 2; an Event
Sequence is one path through the tree, ending for
example in Failure State 1 or Failure State 2.)
11
Type I and II Interactions
The classical Controller Process system
12
The Markov/CCMT methodology
Stochastic description of the system evolution
  • Dynamic interactions between physical process
    variables (e.g., temperature, pressure, etc.) and
    the I&C systems that monitor and manage the
    process (Type I)
  • Dynamic interactions within the I&C system itself
    due to the presence of software/firmware (e.g.,
    multi-tasking and multiplexing) (Type II)

13
An overview of the Markov/CCMT
(Roadmap figure, repeated on each section divider
slide:)
  • System Description
  • Type I Interactions Analysis: Control Laws,
    Simulink Model
  • Type II Interactions Analysis: FMEA
  • System Modeling: Finite State Machine Description
  • Markov/CCMT Approach: CCMT, Markov modeling
  • System Analysis
14
System description
15
System description
Digital Feedwater Control System (DFWCS)
  • Main Feedwater System Components:
    • Main Feedwater Valve (MFV)
    • Bypass Flow Valve (BFV)
    • Feedwater Pump (FP)
  • The purpose is to maintain the water level inside
    each of the steam generators (SGs) optimally
    within 2 inches of the setpoint
  • The controller is regarded as failed if the water
    level in a SG is:
    • above +2.5 ft (+30 inches) → High Failure
    • below -2 ft (-24 inches) → Low Failure

16
System description
Digital Feedwater Control System (DFWCS)
  • 5 Pairs of sensors
  • 2 Computers (MC,BC)
  • MFV Controller
  • BFV Controller
  • FP Controller
  • PDI Controller

17
System description
Operating modes
  1. Low power automatic mode (Power < 15%):
     actuated devices BFV (MFV closed), FP (minimum
     speed)
  2. High power automatic mode (15% < Power < 100%):
     actuated devices MFV (BFV closed), FP
  3. Automatic transfer from Low to High power mode
  4. Automatic transfer from High to Low power mode
18
Control laws
The control logic and the control laws have been
derived from the code of the DFWCS of an existing
plant, written in C.
19
Control laws
Control laws determine the feedwater flow demand
which is translated into position (MFV) and speed
(FP) through look-up tables.
20
Control logic
The position and the speed of the actuated
devices may depend on the status of the MC and BC.
(Figure: control logic block diagram with the FP,
MFV, BFV and PDI controllers.)
21
Control Laws
22
Simulink model
The control logic and the control laws have been
implemented in a Simulink model in order to tune
and to verify the control laws.
23
Simulink model an example scenario
The control logic and the control laws have been
implemented in a Simulink model in order to tune
and to verify the control laws.
The scenario is a power transient from 70% to
72.5%. This has been modeled through a sequence
of finite ramps of 0.5% each.
  • The purposes were the following:
    • Obtain a stable response of the controller
    • Obtain a reasonable response of the actuated
      devices

24
Simulink model an example scenario
Results
25
Simulink model an example scenario
MFV response
26
Failure Modes and Effect Analysis
27
FMEA and Finite State Machine
Failure Modes and Effect Analysis (FMEA): a tool to
analyze the possible failure modes and their
consequences on the dynamics of the system
  1. Failure type
  2. Detection of the failure
  3. Effect of the failure on the controller
  4. Effect on the process

Finite State Machine: a model of behavior
composed of a finite number of states,
transitions between these states, and actions.
  1. Transition Conditions
  2. Transition
  3. Actions

28
Computer FMEA
  • Communications
    • Input from sensors: Loss of one or both inputs;
      Sensor out of range or impossible rate of change
    • Output to the controllers: Loss of output
  • Loss of Power
  • Internal Failures: Roundoff/truncation/sampling
    rate errors; Unable to meet needed response
    requirements; Watchdog timer fails to activate;
    Watchdog timer activates when computer has not
    failed; Arbitrary value output

Define the intra-computer and computer-computer
interactions.
29
Intra-Computer interactions
  A. Operating: the computer is operating correctly.
  B. Loss of One Input: the computer is operating
     correctly but data are not received from one of
     the two sensors (for each measured quantity).
  C. Loss of Both Inputs: the computer is operating
     correctly but data are not received from both
     sensors (for each measured quantity).
  D. Computer Down: the computer itself recognizes
     loss of input(s) or input(s) being out of range
     and takes itself down. The other computer takes
     control of the process automatically (if it is
     operating correctly).
  E. Arbitrary output: the computer does not realize
     that input(s) are out of range or that there is
     an error in processing data; random data are
     generated.
30
Inter-Computer interactions
  • Two types of failure have been identified
  • Recoverable (e.g., Loss of input)
  • Not recoverable (e.g., Watchdog timer fails to
    activate)

Hence it is more convenient to talk about a
primary and a secondary computer:
  • Primary computer: the computer sending output to
    the controllers
  • Secondary computer: the computer in stand-by

31
Inter-Computer interactions
(Figure: inter-computer interaction diagram showing
the transitions among the computer states A to E
defined on slide 29.)
32
Controller FMEA
Define the Computer-Controller-Actuated Device
interactions
  • Internal Failures: High Output; Low Output;
    Arbitrary Value Output
  • Loss of Power
  • Communications
    • Input from computer (Loss of input): included in
      the Computer-Computer interactions
    • Output to the actuated device: Loss of output
    • Error in the communications: Computer
      erroneously reported failed; Computer
      erroneously reported not failed; MFV, BFV, FP
      controllers do not agree from which computer to
      accept input.

33
Computer-Controller-Actuated device interaction
(Figure: controller/actuated device failure states)
  • Output Low
  • Output High
  • Arbitrary Output
  • Freeze
  • Device Stuck
  • 0 vdc output
34
The Markov/CCMT Approach
35
The Markov/CCMT Approach
Recall: stochastic description of the system
evolution. But so far the system modeling has
given a deterministic description of the
system. The Markov/CCMT approach converts the
information contained in the system modeling step
from a deterministic to a stochastic viewpoint.
36
Cell-to-Cell Mapping Technique
37
CCMT
  • CCMT is a technique used to represent the
    dynamics of the system
  • The state space (CVSS) is an n-dimensional space
    (one dimension for each internal variable)
  • The CVSS is divided into cells Vj (this makes it
    possible to capture uncertainties and errors in
    the monitoring phase of the process)
  • Setpoints must fall on the boundary of a cell Vj
    and not within it
  • Note the coupling between the discretization of
    the CVSS and the time step (Δt) of the simulation
  • Top Events (Fail High or Fail Low) are modeled as
    sink cells

38
CCMT
The goal is to determine the probability at time
t of a transition from cell j to cell j' given
component state combination n':
g(j'|j, n', t)
This quantity combines the dynamic behavior of the
system (the cell transition j → j'), the control
logic of the control system, and the
hardware/firmware/software states (n').
The algorithm (figure): trajectories started in
cell j at t = kΔt are followed for one time step to
t = (k+1)Δt, and the cell j' in which they end is
recorded.
39
Markov modeling
40
Markov modeling
Goal: determine a probabilistic model which can
describe the evolution of all the components of
the controller.
Markov transition diagrams have been chosen. What
do I need?
  • a set of mutually exclusive and exhaustive states
  • the probabilities of transition between states
    (these have been determined)

Markov transition diagrams have been deduced
from the Finite State Machine description.
41
Markov modeling
For each component, a Markov transition diagram
has been determined
42
Markov modeling
The goal is to determine
h(n'|n, j→j') or h(n'|n, j→j', k)
the probability that the component state
combination changes from n to n' during a
transition from cell j to cell j' (at time step k).
  • Note:
    • failure rates may depend on process variables
      like temperature, pressure.
    • failure rates may depend on time

43
System Analysis
44
System Analysis
  • Markov Modeling: h(n'|n, j→j')
  • CCMT: g(j'|j, n', t)

Since these two transition probabilities are
independent:
q(n', j'|n, j, t) = h(n'|n, j→j') g(j'|j, n', t)
45
System Analysis
Graphically:
q(n', j'|n, j, t) = h(n'|n, j→j') g(j'|j, n', t)
(Figure: the two factors of q. CCMT supplies
g(j'|j, n', t), the cell transition j → j' among the
J cells of the CVSS; Markov modeling supplies
h(n'|n, j→j'), the transition n → n' among the N
component state combinations.)
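A small worked Markov/CCMT run, added here as an illustration and not code from the thesis or its Java simulator. It assumes a constructed one-dimensional level model with a single BFV controller that either operates or fails to 0 vdc output (the names EDGES, dxdt, g_matrix, h_matrix and top_event_cdf are mine): g is estimated by sampling each cell and integrating the dynamics with Runge-Kutta over Δt, h comes from an assumed constant failure rate, the two are combined as q = h·g, and the CDF of the Low and High Failure Top Events is returned at each Markov time step of a 24 hour mission.

```python
import numpy as np
# Constructed 1-D toy: x is the SG level deviation from setpoint (inches). The +/-2 in control band
# and the -24 / +30 in failure limits come from the slides; every other value here is an assumption.
EDGES = np.array([-24.0, -12.0, -2.0, 2.0, 12.0, 30.0])  # cell boundaries; band edges lie ON boundaries
NC = len(EDGES) - 1
LOW, HIGH = NC, NC + 1                                   # sink cells for the Low / High Failure Top Events
OPER, VDC0 = 0, 1                                        # BFV controller states: operating / 0 vdc output
LAMBDA, SAMPLES = 0.02, 50                               # assumed failure rate (1/h); sample points per cell

def dxdt(x, n):
    """Assumed process dynamics: decay heat drains the SG; an operating controller feeds back on x."""
    drain = -1.5                                         # in/h, constructed value
    return drain - 0.8 * x if n == OPER else drain       # 0 vdc output: BFV closed, drain uncompensated

def rk4(x, n, dt, h=0.1):
    """Integrate dxdt over one Markov time step with classical Runge-Kutta (as the thesis simulator)."""
    for _ in range(int(round(dt / h))):
        k1 = dxdt(x, n); k2 = dxdt(x + h / 2 * k1, n)
        k3 = dxdt(x + h / 2 * k2, n); k4 = dxdt(x + h * k3, n)
        x += h / 6 * (k1 + 2 * k2 + 2 * k3 + k4)
    return x

def cell_of(x):
    """Map a level value to its CVSS cell, or to a sink cell once a failure limit is crossed."""
    if x <= EDGES[0]: return LOW
    if x >= EDGES[-1]: return HIGH
    return int(np.searchsorted(EDGES, x, side="right") - 1)

def g_matrix(n, dt):
    """CCMT: g(j'|j, n', t) estimated as the fraction of sample points of cell j that end in j' after dt."""
    g = np.zeros((NC + 2, NC + 2)); g[LOW, LOW] = g[HIGH, HIGH] = 1.0   # sink cells absorb
    for j in range(NC):
        for x0 in np.linspace(EDGES[j], EDGES[j + 1], SAMPLES + 2)[1:-1]:
            g[j, cell_of(rk4(x0, n, dt))] += 1.0 / SAMPLES
    return g

def h_matrix(dt):
    """Markov modeling: h(n'|n) for the controller; the failure is not recoverable, so VDC0 absorbs."""
    p = 1.0 - np.exp(-LAMBDA * dt)
    return np.array([[1.0 - p, p], [0.0, 1.0]])

def top_event_cdf(mission=24.0, dt=4.0, x0=0.0):
    """Propagate P(n, j) with q(n', j'|n, j, t) = h(n'|n) g(j'|j, n', t); return Low/High CDFs per step."""
    h, g = h_matrix(dt), [g_matrix(n, dt) for n in (OPER, VDC0)]
    p = np.zeros((2, NC + 2)); p[OPER, cell_of(x0)] = 1.0
    low, high = [], []
    for _ in range(int(round(mission / dt))):
        p = np.array([(h[:, n2] @ p) @ g[n2] for n2 in (OPER, VDC0)])   # sums over n and j
        low.append(float(p[:, LOW].sum())); high.append(float(p[:, HIGH].sum()))
    return low, high
```

Calling top_event_cdf(24.0, 8.0) or top_event_cdf(24.0, 12.0) reproduces the question of slide 55: the same mission time with a coarser Δt gives fewer time steps and a different CDF, because each cell-to-cell step discards where inside a cell the trajectory was.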
46
Markov/CCMT and Dynamic Event Trees
(Figure: Markov/CCMT dynamic event tree. Each node is
a pair (n, j) of component state combination and
cell, e.g. (1, j0), (2, j2), (1, j3); the tree
branches at each time step 1, 2, ... along t, out of
the N × J possible pairs.)
47
An Example Initiating Event
Most of the analysis performed for Level 2 PRA
assumes that the reactor is shut down in all the
initiating events. Assumptions:
  1. Turbine trips
  2. Reactor is shut down
  3. Power P(t) is generated from the decay heat
  4. Reactor power and steam flow rate decay from
     6.6% of initial power, and the analysis starts
     10 seconds after reactor shutdown
  5. Feedwater flow and level are initially at
     nominal value
  6. Off-site power is available
  7. Main computer is failed
48
The Example Initiating Event considerations
  • DFWCS is working in Low Power mode
  • MFV is not used
  • FP set at minimum speed
  • Only the BFV is able to change the feedwater flow
  • 5 internal variables; the CVSS is 4-D

49
The Example Initiating Event
Only one controller is considered: the BFV
controller
  • Hypotheses:
    • Only loss of both inputs can occur (and not
      loss of only one)
    • Loss of communications between the sensors and
      the BC and between the BC and the BFV controller
      cannot be recovered.
    • Only a BFV controller failure can generate
      arbitrary output. If the BC generates arbitrary
      output due to an internal failure, it is
      recognized by the BC.
    • The BFV controller cannot fail in Output High
      mode.
    • FP cannot fail

50
The Example Initiating Event
(Figure: BFV controller/device states)
  • Controller/Device Communicating
  • Device Stuck
  • Arbitrary Output
  • Freeze
  • 0 vdc Output
51
The Example Initiating Event
  • An ad-hoc program has been built in Java
  • The simulator:
    • solves the set of 4 differential equations
      using Runge-Kutta
    • implements the control laws
    • generates event sequences
    • determines the probability of Low Failure and
      High Failure at each time step

52
The Example Initiating Event Results
An example of Event Sequence
53
The Example Initiating Event Results
The importance of the failure timing: the Freeze
state.
54
The Example Initiating Event Results
55
The Example Initiating Event Results
What is the effect of changing the Markov time
step (Δt) on the CDF of the Top Events (High
Failure and Low Failure)?
  • 3 different Markov time steps have been chosen:
    • 4 hours
    • 8 hours
    • 12 hours

56
The Example Initiating Event results
57
The Example Initiating Event results
58
Consideration
Power behavior affects the CDF of the Top Events.
  • The number of event sequences depends strictly
    on:
    • The number of time steps
    • The number of component state combinations N

Given a mission time (e.g., 24 hours) it is
possible to decrease the number of time steps by
increasing the Markov time step (Δt).
  • N can be reduced by:
    • Reducing the number of components by merging
      two or more components together
    • Reducing the number of states of a component by
      merging two or more states together (e.g.,
      merge all states that have the same impact on
      the dynamics of the system)

59
Conclusions
  • The Markov/CCMT methodology has been presented.
  • The modeling of a digital control system (DFWCS)
    through Markov/CCMT has been shown:
    • Type I interactions have been modeled using CCMT
    • Type II interactions have been modeled using
      Markov transition diagrams
  • The outputs of the analysis are:
    • Generation of event sequences
    • Evaluation of the CDF of the Top Events
