CCF in Digital I&C - PowerPoint PPT Presentation

Description:

Gap analysis based on new findings and knowledge. Through the process, ... Eliciting the level of defence against CCF for 8 sub-factors based on individual ...
Slides: 26
Provided by: entra
1
CCF in Digital I&C and Risk-Informed Design
IAEA TM-32565
  • Taeyong Sung
  • PSA and Reliability Division
  • Canadian Nuclear Safety Commission
  • taeyong.sung_at_cnsc-ccsn.gc.ca

2
Introduction
  • A CNSC expert opinion rather than the CNSC's official
    position
  • CCF in digital I&C systems is one of the
    significant issues in the nuclear industry
  • Experience with CANDU can help in reducing the
    susceptibility of digital I&C systems to CCF
  • A risk-informed approach can facilitate the effort
    to reduce that susceptibility

3
CCF in Risk Analysis
  • CCF is a major contributor in risk analysis
  • CCF is one type of dependent failure
  • Definition
    • A dependent failure in which two or more
      component fault states exist simultaneously, or
      within a short time interval, and are a direct
      result of a shared cause (NUREG/CR-6268)
    • Whose causes are not normally explicitly modelled
      as basic events in the system model (IAEA Safety
      Series 50-P-4)

4
CCF in Digital System
  • CCF is a critical factor in digital I&C systems
    for NPPs
  • High redundancy in digital I&C systems
    • 2/3 or 2/4 logic → CCF is a dominant contributor
  • Possibility of risk concentration
    • Reduces defence-in-depth
  • CCF in shared components (inter/intra-system CCF)
    • Between different safety system actuation signals
    • Between the reactor trip signal and the safety
      system actuation signal
    • Among different trip signals
    • Between different channels of the same trip signal
      (intra-system CCF)
    • Depends on the architecture of the system and plant
  • Common shared parts
    • Software
    • High susceptibility to environment (temperature,
      EMI)
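The slide's point that 2/3 or 2/4 voting makes CCF the dominant contributor follows directly from a β-factor model, the first of the parametric approaches named later in the talk. The following is an added worked example, not code from the presentation; the per-channel failure probability (1e-3) and β (0.1) are constructed screening inputs, not figures from the slides.

```python
# Added example (not from the presentation): a beta-factor common cause failure
# model for m-out-of-n voting logic, showing why CCF dominates 2/3 and 2/4 logic.
from math import comb


def independent_failure_prob(n: int, m: int, q_ind: float) -> float:
    """Probability that an m-out-of-n voting system fails from independent
    channel failures alone. The system needs at least m healthy channels, so it
    fails once more than n - m channels have failed (binomial tail)."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    return sum(
        comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
        for j in range(n - m + 1, n + 1)
    )


def moon_unavailability(n: int, m: int, q: float, beta: float) -> dict:
    """Beta-factor model: of each channel's failure probability q, the fraction
    beta is a common cause event that takes out all n channels together; the
    remaining (1 - beta) * q is independent per channel.

    Returns the system unavailability split into its CCF and independent parts."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    q_ccf = beta * q                 # all channels fail together
    q_ind = (1.0 - beta) * q         # per-channel independent part
    # No CCF event, but enough independent failures to defeat the voting logic
    q_voting = (1.0 - q_ccf) * independent_failure_prob(n, m, q_ind)
    total = q_ccf + q_voting
    return {
        "total": total,
        "ccf": q_ccf,
        "independent": q_voting,
        "ccf_fraction": q_ccf / total if total > 0 else 0.0,
    }


if __name__ == "__main__":
    # Constructed inputs: a 1e-3 per-channel failure probability and beta = 0.1,
    # generic screening values rather than figures taken from the slides.
    for n, m in ((3, 2), (4, 2)):
        r = moon_unavailability(n, m, q=1e-3, beta=0.1)
        print(f"{m}/{n} logic: total={r['total']:.3e} "
              f"ccf={r['ccf']:.3e} independent={r['independent']:.3e} "
              f"CCF share={r['ccf_fraction']:.1%}")
```

With these inputs the CCF term is about 1e-4 against roughly 2.4e-6 from independent failures in 2/3 logic (about 98% of the total), and the independent term shrinks further for 2/4. Adding identical redundant channels therefore barely moves the result; only lowering β (through diversity and separation, as the CANDU slides argue) does.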

5
CANDU Reactor
  • The CANDU design approach minimizes vulnerability to
    CCF by the use of separation and diversity
  • CANDU has used digital I&C systems for safety
    functions for decades
  • The CCF effect on safety functions is controlled by
    diversity in system design and plant architecture

6
Computer Based Systems in CANDU Power Stations
7
CANDU- Defence-in-Depth
  • Normal Operation and Control Function
    • Digitalized system
    • Dual Control Computer (DCC)
  • Reactor Trip
    • Digitalized system
    • Two independent, diverse Shutdown Systems (SDSs)
  • Special Safety System Actuation
    • Analog I&C
    • Independent from DCC and SDSs

8
CANDU-DCCs
  • Normal operation and limited safety function
    • Unit power regulation, primary pressure and
      inventory control, secondary pressure and level
      control, turbine run-up, etc.
  • Fully computerized control system
    • Two identical, independent digital computers
    • The two computers run simultaneously, one acting as
      instantaneous back-up to the other

9
CANDU-Shutdown System
  • Two independent and diverse Shutdown Systems
    (SDSs)
    • Different physical arrangements, including the
      reactivity control devices
    • Separation from other safety systems and control
      systems

10
CANDU Shutdown Systems-Darlington
11
CNSC Regulation-Shutdown System
  • There must be at least 2 shutdown systems, each
    capable of shutting down the reactor:
    • physically independent of each other and of
      process systems
    • of diverse design
    • with redundant components
    • physically separated
    • with an unavailability target < 0.001
  • For each design basis accident, there should be
    at least two effective trip parameters

12
CNSC Regulation-DID
  • Separation and independence requirements
    • Between special safety systems and process systems
    • Special safety systems: two shutdown systems,
      emergency core cooling system, containment system
    • Among special safety systems
    • Between the two shutdown systems

13
Insights from CANDU Design
  • Simple but fundamental regulatory requirements
  • Licensing process not prescriptive
    • Gap analysis based on new findings and knowledge
    • Through this process, the CANDU design has evolved
  • The latest CANDU reactor (Darlington) shows
    • Diversity is essential to control inter/intra-system
      CCF
    • A diverse I&C architecture in line with
      defence-in-depth is a way to avoid risk
      concentration

14
Risk-Informed Design
  • PSA techniques are a useful tool to estimate the
    integrated risk contribution and propose
    improvements from a risk perspective
  • Youngkwang 3&4 (CE System 80 family)
    • Aux-feedwater system flow control modification
      to control CCF
    • Alternate AC source
    • Power-operated relief valve (feed and bleed
      capability)
  • A risk-informed design approach will be beneficial
    for digital I&C systems
    • Screening analysis from the conceptual design stage
    • Proactive risk information feedback into design
    • Plant risk as well as system reliability
    • Screening values for CCF are still necessary to
      perform screening analysis

15
CCF Quantification
  • Parametric modeling approaches
    • β-factor, MGL (Multiple Greek Letter), α-factor
      method, UPM (Unified Partial Method), etc.
    • Expression of the likelihood of CCF based on
      experience or knowledge
  • Difficulty in quantification
    • Limited experience and knowledge of CCF in
      digital I&C systems

16
CCF under Risk-Informed Approach - Unified Partial
Method (ISBN 085 356 4337)
  • UPM has advantages at the design stage and for
    digital I&C
  • An alternative programmatic approach for when there
    is not enough experience to estimate the CCF
    parameter using a mathematical approach
    • Allows the analyst to carry out a structured
      assessment of the susceptibility of a system to
      CCF
    • Allows the analyst to record the process of the
      assessment in an auditable manner
  • Easy to apply to screening analysis; two options:
    • System-level cut-off
    • Component-level β-factor
  • Possible to re-calibrate the methodology if a
    customized analysis is required
  • Software is considered, but not for digital I&C
    systems

17
UPM Estimation of CCF Parameter
  • The CCF parameter is estimated in two steps
  • Eliciting the level of defence against CCF for 8
    sub-factors based on individual estimation tables
    • Each table relates to a different aspect of
      system design or operation and its effectiveness
      in DEFENDING against dependent failures
    • Design
      • REDUNDANCY (DIVERSITY), SEPARATION,
        UNDERSTANDING, ANALYSIS
    • Operation
      • M.M.I., SAFETY CULTURE
    • Environment
      • CONTROL, TESTS
  • Assigning the sub-factors into an estimation table
    • The weighting factors are based on experience
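Slides 16 and 17 describe UPM as a two-step process (elicit a defence level for each of the 8 sub-factors, then combine them through an estimation table) whose main selling point is an auditable record. The following is an added example that shows that shape in code; it is not from the presentation or from the UPM handbook. The A to E level scale, the sub-factor weights, the β bounds and the log-scale interpolation are all hypothetical; a real analysis uses the published UPM tables (slide 20), which are not reproduced here.

```python
# Added example (not from the presentation or the UPM handbook): the shape of
# the two-step UPM partial beta estimation, with an auditable record of the
# elicitation. The level scale, weights and beta bounds below are hypothetical.

# Step 1: the 8 sub-factors grouped as on the slide.
SUBFACTORS = {
    "Design": ["REDUNDANCY_DIVERSITY", "SEPARATION", "UNDERSTANDING", "ANALYSIS"],
    "Operation": ["MMI", "SAFETY_CULTURE"],
    "Environment": ["CONTROL", "TESTS"],
}
ALL_SUBFACTORS = [s for group in SUBFACTORS.values() for s in group]

# Hypothetical elicitation scale: A = strongest defence ... E = weakest.
LEVEL_SCORE = {"A": 0.0, "B": 0.25, "C": 0.5, "D": 0.75, "E": 1.0}

# Hypothetical relative weights (sum to 1.0). The published UPM tables are
# calibrated differently and are what a real analysis would use.
SUBFACTOR_WEIGHT = {
    "REDUNDANCY_DIVERSITY": 0.20, "SEPARATION": 0.15, "UNDERSTANDING": 0.10,
    "ANALYSIS": 0.10, "MMI": 0.10, "SAFETY_CULTURE": 0.10,
    "CONTROL": 0.15, "TESTS": 0.10,
}
BETA_MIN, BETA_MAX = 1e-3, 0.3   # hypothetical bounds of the partial beta range


def partial_beta(assessment: dict) -> tuple[float, list]:
    """Step 2: map the elicited levels through the estimation table and
    combine them into a partial beta factor.

    The weighted score (0 = best defence, 1 = worst) is interpolated on a
    log scale between BETA_MIN and BETA_MAX. Returns the beta and an audit
    trail with one row per sub-factor, so the assessment can be reviewed."""
    missing = [s for s in ALL_SUBFACTORS if s not in assessment]
    if missing:
        raise ValueError(f"no level elicited for: {missing}")
    bad = {s: lvl for s, lvl in assessment.items() if lvl not in LEVEL_SCORE}
    if bad:
        raise ValueError(f"unknown level(s): {bad}")
    audit = []
    score = 0.0
    for group, names in SUBFACTORS.items():
        for name in names:
            level = assessment[name]
            contribution = SUBFACTOR_WEIGHT[name] * LEVEL_SCORE[level]
            score += contribution
            audit.append({"group": group, "subfactor": name,
                          "level": level, "contribution": contribution})
    beta = BETA_MIN * (BETA_MAX / BETA_MIN) ** score
    return beta, audit


if __name__ == "__main__":
    # Constructed assessments for two hypothetical designs that differ only in
    # the REDUNDANCY (DIVERSITY) sub-factor: identical channels vs diverse ones.
    base = {"SEPARATION": "B", "UNDERSTANDING": "C", "ANALYSIS": "B", "MMI": "C",
            "SAFETY_CULTURE": "B", "CONTROL": "C", "TESTS": "B"}
    for label, level in (("identical channels", "D"), ("diverse channels", "A")):
        beta, audit = partial_beta({**base, "REDUNDANCY_DIVERSITY": level})
        print(f"{label}: partial beta = {beta:.4f}")
        for row in audit:
            print(f"  {row['group']:<11} {row['subfactor']:<21} "
                  f"level {row['level']} -> {row['contribution']:.4f}")
```

The audit list is the part that matters for the "recorded in an auditable manner" claim: every elicited level and its contribution is kept alongside the resulting β, so a reviewer can challenge one sub-factor judgement without re-running the whole assessment. The slide's limitation also shows up here: a weight table built from non-digital components gives no separate place to score software.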

18
UPM Understanding Subfactor 1/2
19
UPM Understanding Subfactor 2/2
20
UPM Partial Beta Factor Estimation Table
21
UPM - Limitation
  • The process may be subjective
  • Sub-factors and weighting are based on non-digital
    I&C components
    • Sub-factors and/or weighting should be revisited
      in accordance with the characteristics of digital
      I&C systems
    • Software
  • Limited operating experience
  • The CCF analyst may have limited knowledge of
    digital I&C system characteristics

22
Intra System CCF-System Reliability
  • System model
    • Fault tree, reliability block diagram
    • Equipment design and system architecture
    • System boundary
  • Manufacturer's data is essential to perform CCF
    analysis
    • Availability of detailed equipment design
      information

23
Inter System CCF-Plant Risk
  • Defence-in-depth at the plant level
  • Plant-level risk model: event tree or simplified
    plant risk model
  • System dependencies have to be modelled explicitly
  • Earlier assessment is more beneficial

24
Conclusion
  • CCF is a major contributor in risk assessment
  • CCF is a critical factor for digital I&C systems
    in NPPs
  • Experience with CANDU can help in reducing the
    susceptibility of digital I&C systems to CCFs
    • Diversity and defence-in-depth
  • Risk analysis can provide valuable information to
    reduce CCF
  • More R&D is necessary for a CCF evaluation method
    that takes into account digital I&C characteristics
  • Close cooperation between I&C designers and risk
    analysts

25
Discussion
  • What is the regulatory confidence level?
  • Should CCF include software?
    • Different uncertainty levels between HW CCF and SW
      failure
  • How to interpret operating experience from
    different systems?