An Inherently Fail-Safe Electronic Logic Design for a Safety Application in Nuclear Power Plant

Accepted Manuscript
Authors: Srikantam Sravanthi, R. Dheenadhayalan, K. Devan, K. Madhusoodanan
PII: S0957-5820(17)30222-7
DOI: http://dx.doi.org/doi:10.1016/j.psep.2017.07.008
Reference: PSEP 1110
To appear in: Process Safety and Environment Protection
Received date: 11-2-2017
Revised date: 16-3-2017
Accepted date: 6-7-2017

Please cite this article as: Sravanthi, Srikantam, Dheenadhayalan, R., Devan, K., Madhusoodanan, K., An Inherently Fail-Safe Electronic Logic Design for a Safety Application in Nuclear Power Plant. Process Safety and Environment Protection http://dx.doi.org/10.1016/j.psep.2017.07.008

This is a PDF file of an unedited manuscript that has been accepted for publication. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form; errors discovered during production may affect the content, and all legal disclaimers that apply to the journal pertain.

An Inherently Fail-Safe Electronic Logic Design for a Safety Application in Nuclear Power Plant 

Srikantam Sravanthi*,1,2, R. Dheenadhayalan2, K. Devan2 and K. Madhusoodanan2
1 Homi Bhabha National Institute
2 Indira Gandhi Centre for Atomic Research, Kalpakkam, Tamilnadu-603102, India.
*[email protected]

Highlights
- An inherently fail-safe electronic logic circuit is proposed and implemented with a very low unsafe failure probability.
- It is achieved by processing the inputs as synchronized pulses rather than static digital levels.
- A prototype circuit is built to verify the Failure Mode Effect Analysis, and the results are presented in the paper.
- The unsafe failure probability is calculated.
- The method can be extended to similar industrial control involving combinational circuits.

Abstract: In this paper, an inherently fail-safe electronic logic circuit is proposed. Further, it is investigated for a safety critical application in a nuclear power plant with a very low unsafe failure probability requirement. The application involves a control circuit for the operation of solenoid valves based on the plant state, wherein the de-energization of certain solenoid valves is considered as the safe state. The inherent fail-safeness is achieved by processing the inputs as synchronized pulses rather than static digital levels. Pulse transformers are used at specific locations in the circuit so that energy transmission to subsequent stages of the circuit is blocked in case of a failure in the previous stage. Such pulse processing is selectively applied to those parts of the circuit for which fail-safe behavior of the final control elements is expected. A Failure Mode Effect Analysis (FMEA) is performed for the circuit to systematically ensure that failure of components in the postulated modes will result in the fail-safe state. A prototype circuit is built to verify the results obtained from the FMEA. The inherent fail-safeness of the circuit is shown, quantitatively, to give a very low unsafe failure probability. The proposed technique is suggested as a diverse method of control alongside the redundant instrumentation provisions usually made for safety critical applications. The method can be easily extended, with modifications, to similar industrial control involving combinational circuits.

Keywords: Inherently fail-safe, pulse processing, unsafe failure probability.

I. INTRODUCTION

The Prototype Fast Breeder Reactor (PFBR), a 500 MWe sodium cooled reactor, is under construction at Kalpakkam, India. During normal operation, the heat generated in the core is removed with dedicated heat exchangers and converted to electrical energy. After the reactor is shut down, the decay heat is removed with the Operation Grade Decay Heat Removal (OGDHR) system, predominantly using the normal heat removal path.
During the unavailability of OGDHR, the decay heat is removed with the Safety Grade Decay Heat Removal (SGDHR) system. The reactor core is immersed in a large sodium pool. SGDHR consists of four sodium loops, each with 8 MWt capacity. In each loop, the heat transfer from the sodium pool to the SGDHR loop takes place through a sodium to sodium heat exchanger dipped into the pool (DHX). This heat is dissipated to the atmosphere (ultimate heat sink) through sodium to air heat exchangers (AHX). To achieve very high reliability, the sodium flow in the SGDHR loop and the air flow through the AHX are by natural circulation. Dampers are provided to control the air flow through the AHX and thereby the heat removal from the reactor core. The system is described in [1].

When the reactor shuts down, the dampers are to open reliably. The opening action is to be automatic, and it should have a very low probability of failure on demand. Both the inlet and outlet air flow paths have two dampers, each controlling one half of the available flow area. As shown in fig. 1, one damper is pneumatically driven and the other is electrically driven (motor operated). This arrangement is provided for diversity in design. The pneumatic damper is controlled using a set of solenoid valves. Both damper systems deploy relay logic to control the opening and closing of the dampers. Solid state electronics was not preferred due to unsafe mode failure. The control logic for the pneumatic dampers receives seven digital inputs and drives six solenoid valves. The equivalent combinational logic circuit is shown in fig. 2. Notwithstanding the status of all other valves, the opening of valves V3 and V4 will drive the dampers to open fully. Thus, de-energization of valves V3 and V4 is crucial in ensuring fail-safe operation of the dampers.

Since both pneumatic and electrical damper control is through relay logic, a study has been initiated to diversify the control logic with the same/equal unsafe failure probability for future fast breeder reactor designs. After careful consideration, an "inherently fail-safe" solid state logic to control the dampers has been designed and is discussed in this paper. The inherent fail-safeness is achieved by processing the inputs in terms of synchronized pulses rather than static digital levels. Pulse transformers are used at specific locations in the circuit, so that energy transmission to subsequent stages is blocked in case of a failure in the previous stage. Such pulse processing is selectively applied only to those parts of the circuit for which fail-safe behavior of the final control elements is expected. The proposed method, with due modifications, can be extended to similar industrial control involving combinational circuits.

The approach towards reducing the Probability of Failure on Demand (PFD) using various technologies is explained in Section II. An inherently fail-safe electronic logic circuit is proposed and investigated for a decay heat removal application in a sodium cooled pool type fast reactor in Section III. Experimental results are discussed in Section IV. The technique uses a minimum number of components, and all probable failure modes are experimentally verified. The detailed Failure Mode Effect Analysis (FMEA) is given in Section V. Unsafe failure probability calculations are presented in Section VI. Possible future improvements are discussed in Section VII. Finally, conclusions are drawn in Section VIII.

II. APPROACHING PROBABILITY OF FAILURE ON DEMAND WITH INHERENT FAIL-SAFE DESIGN

A Safety Instrumented Function (SIF) is performed by a safety loop consisting of sensor(s), logic solver(s) and final control element(s). Electromagnetic relays and valves are commonly used final control elements. Safety Instrumented Systems (SIS) use Built-In Self Testing (BIST) and proof testing to detect failures and drive the plant to a safe state. Fail-safe is the design attribute that causes the SIS to go to a predetermined safe state in the event of a specific failure [2]. Safety criteria for Nuclear Power Plants (NPP) demand online testing of shutdown systems right from the sensor to the final control elements [3]. Another criterion in [3] is that systems and components related to safety shall be designed for fail-safe behavior, so that a failure does not prevent the performance of the intended safety function. The requirement in [4] states that design techniques such as testability, fail-safe design and diversity shall be used in instrumentation and control for high functional reliability. In an NPP, the decay heat removal function after reactor shutdown demands a very low failure frequency, of the order of 10^-6 to 10^-7 per reactor year. Such an order of reliability can only be achieved with a fail-safe design. For instance, [5] presents a reliability analysis of the SGDHR in PFBR.

The nuclear industry has seen a slow transition from relay based logics to solid state electronics and then to computer based logic execution [6]. Relay logics are still in use for important safety applications like the execution of voting logic in shutdown systems and the actuation of final control elements in decay heat removal systems [7-9]. Relay logics are desired for their very low failure probability in the unsafe mode (stuck closed: 19% as per RAC FMD-91) [10], their immunity to EMI/EMC disturbances and a very rich industrial experience. However, they are not amenable to BIST, and only periodic black-box type testing is done as part of surveillance. When solid state electronics is employed for such applications, it is designed with continuous online self-diagnostics and a provision to drive the final control elements to the fail-safe state, to achieve the desired level of unsafe failure probability [11&12]. In solid state electronics, time delays are much shorter than in conventional systems employing relays. Inherent fail-safe circuits do not require diagnostics, since any failure in the circuit will automatically lead to the safe state of the final control element. It is possible to prove that such circuits have a lower unsafe failure probability, since the periodicity of self-test tends to zero and the issues arising out of failures in the diagnostic circuitry do not exist [13]. However, the improved reliability comes with increased spurious actions.
Moreover, it has to be proved that the circuit is fail-safe under all permissible failure cases. Practices of inherent safety have also been developed in the chemical industry. These designs eliminate adverse events even though their probabilities are small. Some of the factors considered in inherent safety designs are higher loads than those foreseen, worse properties of materials, an imperfect theory of the failure mechanism, possibly unknown failure mechanisms and human error [14]. Inherently safer designs are not as easily adopted as other process safety features and are also often ignored in recommendations made after accidents [15]; [15] also gives a brief summary of major accidents such as Bhopal, Chernobyl and Spads. [16] reviews progress in inherent safety; basic concepts and their incorporation into regulation and accident investigation are introduced there.

A system can fail either in safe or in dangerous mode. As per IEC 61508, a dangerous failure is a failure which has the potential to put the SIS in a hazardous or fail-to-function state. A safe failure is a failure which does not have the potential to put the SIS in a dangerous or fail-to-function state [17]. The total failure rate (λ) of a component is given by λ = λD + λS, where λD and λS are respectively the dangerous and safe failure rates. λD can then be subdivided into λDD and λDU. λDD is the dangerous detected failure rate for a system (failures in a direction that would defeat the purpose of the SIS), and these failures are detected by online tests. λDU is the dangerous undetected failure rate for a system, and these failures are not detected by online tests [18]. λDNI (Dangerous Non Inherent failure rate) is the failure rate which refers to those combinations of dangerous failures in inherent fail-safe circuitry that do not take the system to the automatic safe state. TI is the time interval between two subsequent automatic tests done on the logic to reveal dangerous failures. The proof test is conducted manually to reveal all undetected failures (if any). PTI is the time interval between subsequent proof tests. Special test points are to be provided in the circuit to ensure complete fault coverage. IEC 61511 indicates that PFD is the appropriate measure to be used for low demand mode [19]. It is the appropriate dependability parameter for such systems, since the system is normally idle and is expected to operate with a very high probability during an infrequent demand. Table I compares various approaches to reduce PFD, such as relay logic, solid state electronic logic with periodic testing and inherent fail-safe circuits. The basic equation to calculate PFD is

$$\mathrm{PFD}_{avg} = \frac{1}{T}\int_0^T \left(1 - e^{-\lambda_D t}\right)\,dt \approx \frac{\lambda_D T}{2} \quad \text{for } \lambda_D T \ll 1$$

From Table I, it can be seen that relay logic relies on the low unsafe mode failure rate of electromagnetic relays (contacts getting welded), whereas PFD is reduced in solid state electronics by incorporating periodic testing, which helps in the detection of dangerous failures. PFD can also be reduced with inherent fail-safe logic by designing a circuit with λDNI as small as possible. For the sake of diversity, either option-2 or option-3 has to be chosen. Option-3 has the potential to deliver a very low PFD compared to option-2. However, option-2 is ubiquitous in NPP safety systems, since it is not easy to design/prove complex systems with a very low λDNI. Considering the simplicity of the combinational logic for the given application, option-3 is attempted here, anticipating a lower PFD than option-2. From the discussion in subsequent sections, it will be clear that the success of this attempt depends on the fail-safe design of the AND gate. An extensive literature survey found no recent work on fail-safe logic gates, because the general industry trend is moving towards FPGA/CPLD based designs, for which option-2 is the natural choice for performing self-diagnostics. However, for the nuclear industry, with its emphasis on very low PFD and simplicity in specific applications, it is thought that option-3 can be pursued. The work in [20&21] presents various fail-safe logic blocks for safety systems. Fail-safe performance is achieved by converting the clock pulse to a high frequency oscillation and reshaping it back to a pulse in every stage. A reactor safety system with these blocks has been tested in a test reactor. A high frequency pulse (in MHz) is generated during the ON pulse duration. However, the AND logic is not completely fail-safe. In this paper, a fail-safe AND logic design is proposed with safe outputs guaranteed for the failure of every component in the block. Dependability is demonstrated in terms of confidence in a very low λDNI using FMEA. Quantitative analysis for such inherent systems is required only for certain combinations of dormant failures accumulated over time, and is also described in subsequent sections.
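The PFD expression of Section II, carried through as an added worked example (this is not code from the paper or its authors): the exact average over the test interval T, the λ_D T/2 approximation, and how far the approximation drifts once λ_D T is no longer small. The sample rate and interval are the relay-logic values the paper uses in Section VI.B (λ7 = 0.0494 failures/10^6 h, weekly proof test); the function names are this example's own.

```python
import math


def pfd_avg_exact(lambda_d, t_hours):
    """Average PFD over a test interval T for dangerous failure rate lambda_d
    (per hour): (1/T) * integral_0^T (1 - e^(-lambda_d t)) dt, which integrates
    in closed form to 1 - (1 - e^(-lambda_d T)) / (lambda_d T)."""
    x = lambda_d * t_hours
    if x == 0.0:
        return 0.0
    # -expm1(-x) is 1 - e^(-x) without the cancellation a naive 1 - exp(-x) suffers for tiny x
    return 1.0 - (-math.expm1(-x)) / x


def pfd_avg_approx(lambda_d, t_hours):
    """The small-argument form used in the paper: lambda_D * T / 2."""
    return lambda_d * t_hours / 2.0


def approximation_error(lambda_d, t_hours):
    """Relative error of lambda_D*T/2 against the exact average."""
    exact = pfd_avg_exact(lambda_d, t_hours)
    return abs(pfd_avg_approx(lambda_d, t_hours) - exact) / exact


def error_sweep(lambda_d=1.0):
    """Relative error of the approximation as lambda_D*T grows from 1e-5 to 1:
    shows where the 'lambda_D T << 1' condition stops holding."""
    return [(x, approximation_error(lambda_d, x / lambda_d))
            for x in (1e-5, 1e-3, 1e-2, 1e-1, 1.0)]


if __name__ == "__main__":
    # Relay logic figures from Section VI.B: 0.0494 failures per 10^6 h, tested weekly (168 h)
    lam, t = 0.0494e-6, 168.0
    print(f"exact  PFD_avg = {pfd_avg_exact(lam, t):.6e}")
    print(f"approx PFD_avg = {pfd_avg_approx(lam, t):.6e}")
    for x, err in error_sweep():
        print(f"lambda_D*T = {x:<8g} relative error of lambda_D*T/2: {err:.2%}")
```

For the weekly relay test the two forms agree to a few parts per million, so the paper's use of the approximation is justified there; at λ_D T = 1 the approximation overestimates by about 36%, which is why the condition attached to the equation matters when the interval or rate is large.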

III. INHERENTLY FAIL-SAFE PULSATING LOGIC

A fail-safe valve driver circuit for controlling valve energization and de-energization, comprising pulse generators, combinational logic and a driver circuit, is shown in fig. 3. The idea is to generate synchronized pulses from the static digital inputs, perform AND and OR operations on the pulses, and charge a capacitor to the holding voltage of the solenoid valves.

A. Pulse generator

Each digital input from the field has a corresponding pulse generator with a common charging and discharging circuit. The pulse generator generates 5 V rectangular pulses at its output. Based on the remote switch position (SW1-SW7 in the field), the outputs of the pulse generators are connected to the further stages. Pulses from the pulse generators have to be time synchronized for correct truth table execution. The frequency and duty cycle of the rectangular pulses have to be chosen in line with the Voltage-Time (VT) product of the pulse transformers and the charging/discharging capacities used in the subsequent stages. The pulse circuit has been built with conventional 555 timers in astable multivibrator mode. Pulses are fed to the next stage under the control of the remote switches (SW1-SW7). The multivibrators share a common charging and discharging circuit, as shown in fig. 3, for time synchronization. A timer output pulse with TON of 50 μs and TOFF of 150 μs is chosen to match the pulse transformer VT product. Minor trigger voltage variations in the 555 timers can drive the multivibrators out of synchronization. Hence, a low magnitude inductor (L) in series with the charging path is used. L will not allow sudden changes in current direction, and this time gap allows all timers to reach the trigger level during a charging cycle.

B. Combinational logic circuit

In this stage, AND and OR operations are performed on the timer output pulses as shown in fig. 3.

i. Fail-safe AND gate

A fail-safe AND gate should prevent the transmission of pulses to downstream stages when any one of its inputs is not a pulse, even with one or more of its inputs stuck at LOW/HIGH/OPEN and under the failure of its internal components. This cannot be achieved using commercially available gates. Fig. 4 depicts the fail-safe design of a 2-input AND gate. The basic idea is that energy is extracted from the first input (A) pulses through a pulse transformer and stored as DC in a capacitor (C). This, in turn, provides the required current for the second input (B) pulses to be transmitted further.

A pulse transformer PT1 with a VT product of 50 V-μs (5 V × 10 μs) and PT2 with a VT product of 250 V-μs (5 V × 50 μs) are chosen in the AND stage. This variation in VT product is chosen such that a stuck at HIGH in A will not pass through the pulse transformer (PT1), whereas a stuck at HIGH in B will only switch a DC and hence does not pass through the pulse transformer (PT2). During the open mode of failure of C (C2 in fig. 3), the output (Y) is 10 μs ON (as against 50 μs when normal), which is not sufficient to charge the 24 V capacitor (C3 in fig. 3). All other failures, like transistor short and open, are automatically taken care of by PT1 and PT2. Failures (like timer resistor or timer diode failures) which lead to a pulse duty cycle change are blocked by pulse transformers of appropriate VT product. The AND logic truth table is verified with this design.

ii. OR gate

A fail-safe OR gate should not produce pulses at the output when none of its inputs receives pulses. Thus, fail-safeness is achieved inherently by the pulse logic execution, and no special OR gate circuitry is required. Hence, a commercially available OR gate is used. A logic family which treats any OPEN input as LOW is preferable, so as to accommodate signals which are directly connected to the OR gate. Alternatively, a pull down resistor can be connected to the input pins when a logic family which treats any OPEN input as HIGH is used. A pull down resistor SHORT or OPEN does not affect safety, since in both cases the output is static and hence cannot pass through the subsequent stage.

C. Valve driver stage

An output driver stage is required to meet the higher current requirements of a DC solenoid valve. A pulse transformer with a current capacity of ~1 A is chosen for the purpose. A power MOSFET is used to convert the 5 V pulse train into a 24 V pulse train. The charging capacitor (C3) delivers the required DC to the solenoid valve. An output transistor short or open will lead to de-energization of the solenoid valves. A 1200 V-μs (24 V × 50 μs) pulse transformer is used at the driver stage. The initial inrush in charging the capacitor (C3) is limited with a variable resistor (Rh1), which is adjusted manually to reach the required capacitor voltage during startup. Thereafter it remains in the same position throughout steady state operation.

IV. EXPERIMENTAL VERIFICATION AND RESULTS

The fail-safe circuit shown in fig. 3 is designed on a Printed Circuit Board (PCB) to verify that it is possible to energize the valve with pulsating logic. The prototype board and experimental setup are shown in fig. 5. Experimental results are shown in fig. 6. The synchronized pulse outputs are shown in fig. 6a. Fig. 6b and 6c show the output waveforms of the pulse transformers corresponding to PI4 and PI6 with respect to the pulse input. The OR gate output is shown in fig. 6d. Fig. 6e depicts the output of the pulse transformer and the output capacitor voltage which holds the solenoid valve in the energized condition. The capacitor voltage is shown as 15 V, which keeps the solenoid valve energized, the holding voltage of the solenoid being ~13 V.
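The fail-safe AND gate of Section III.B.i and fig. 4, as an added behavioural model (this is not the authors' circuit or code, only an idealised simulation written for this page): the pulse transformers are modelled purely by their VT product (the secondary follows the primary until the accumulated volt-microseconds saturate the core, and the core resets while the primary is low), the capacitor C is modelled as holding PT1's energy for about one pulse period, and an OPEN input is treated as LOW. Stuck-at faults are injected on A and B, and C is opened, to reproduce the outcomes the text states: a stuck level on either input passes nothing in steady state, and an open C shrinks the output from 50 μs to the 10 μs that PT1 alone can deliver. The timing values (5 V, TON 50 μs, TOFF 150 μs, VT products 50 and 250 V-μs) are the paper's; the modelling choices and function names are this example's own.

```python
# Behavioural model of the pulse-domain AND gate (Fig. 4). Time is sampled at 1 us.
# Idealised, for illustration only; not the authors' circuit.

PERIOD_US = 200          # T_ON 50 us + T_OFF 150 us (Section III.A)
T_ON_US = 50
V_PULSE = 5.0            # 5 V timer output
VT_PT1 = 50.0            # V-us: passes at most 10 us of a 5 V pulse
VT_PT2 = 250.0           # V-us: passes at most 50 us of a 5 V pulse


def pulse_train(n_periods, stuck=None):
    """5 V rectangular pulse train, or a faulted input: 'HIGH' is a static 5 V,
    'LOW' and 'OPEN' are static 0 V (an OPEN input is modelled as LOW)."""
    n = n_periods * PERIOD_US
    if stuck == "HIGH":
        return [V_PULSE] * n
    if stuck in ("LOW", "OPEN"):
        return [0.0] * n
    return [V_PULSE if (t % PERIOD_US) < T_ON_US else 0.0 for t in range(n)]


def pulse_transformer(v_in, vt_product):
    """Ideal pulse transformer with a volt-time limit (modelling assumption).
    The secondary follows the primary until the accumulated volt-microseconds
    reach vt_product (core saturation); the core resets while the primary is low.
    A static level is therefore passed once, for vt_product/V us, and never again."""
    out, volt_us = [], 0.0
    for v in v_in:
        if v > 0.0:
            volt_us += v                      # one sample = 1 us
            out.append(v if volt_us <= vt_product else 0.0)
        else:
            volt_us = 0.0
            out.append(0.0)
    return out


def failsafe_and(a, b, c_open=False, hold_us=PERIOD_US):
    """Y = A AND B in the pulse domain. PT1 extracts energy from A into capacitor C,
    and that stored energy is what lets B's pulses cross PT2 to the output.
    With C open there is no storage, so B can pass only while PT1 is delivering."""
    pt1 = pulse_transformer(a, VT_PT1)
    pt2 = pulse_transformer(b, VT_PT2)
    y, charge = [], 0
    for p1, p2 in zip(pt1, pt2):
        if c_open:
            powered = p1 > 0.0
        else:
            charge = hold_us if p1 > 0.0 else max(charge - 1, 0)   # C holds ~one period (assumed)
            powered = charge > 0
        y.append(p2 if powered else 0.0)
    return y


def steady_state_pulse_width(y):
    """Longest ON run (us) within the last period, i.e. after start-up transients."""
    best = run = 0
    for v in y[-PERIOD_US:]:
        run = run + 1 if v > 0.0 else 0
        best = max(best, run)
    return best


def fault_table(n_periods=5):
    """Output pulse width for the healthy gate and for each injected single fault."""
    p = lambda stuck=None: pulse_train(n_periods, stuck)
    cases = {
        "healthy":      failsafe_and(p(), p()),
        "A stuck HIGH": failsafe_and(p("HIGH"), p()),
        "A stuck LOW":  failsafe_and(p("LOW"), p()),
        "B stuck HIGH": failsafe_and(p(), p("HIGH")),
        "B OPEN":       failsafe_and(p(), p("OPEN")),
        "C open":       failsafe_and(p(), p(), c_open=True),
    }
    return {name: steady_state_pulse_width(y) for name, y in cases.items()}


if __name__ == "__main__":
    for name, width in fault_table().items():
        print(f"{name:13s}: Y pulse width {width:3d} us")
```

The table is the point of the model: a stuck HIGH on A saturates PT1 after its first 10 μs and C then discharges, a stuck HIGH on B saturates PT2 after one 50 μs burst, and an open C leaves only the 10 μs window during which PT1 is actually delivering energy; per the text, a 10 μs pulse is not enough to charge the 24 V capacitor C3 downstream, so all three cases end with the valve de-energized.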


V. FAILURE MODE EFFECT ANALYSIS VERIFICATION

A test circuit has been designed to implement the inherent fail-safe circuit shown in fig. 3, with sufficient provision of jumpers to simulate the failure of every component, such as stuck high/low and open/short. The detailed FMEA listed in table II is carried out by considering the different modes as in [10]. Waveforms recorded upon failure simulation are selectively shown and referred to in table II. To handle failures leading to over current, the verification is done with an upper current limit on the power source; the protective fuse is blown wherever this limit is reached.

VI. UNSAFE FAILURE PROBABILITY ON DEMAND

This section shows the PFD (unsafe) calculation for the inherent fail-safe circuit. The PFD values of the relay logic and the inherent fail-safe circuit are compared.

A. Unsafe failure probability quantification of the inherent fail-safe circuit

Quantification of PFD for an inherently fail-safe circuit is quite complicated, because it is an attempt to systematically analyze the remote chances of failure modes which are not considered in the FMEA, or combinations of those modes which contribute to λDNI (Dangerous Non Inherent failure rate). In the pulsating circuit, it has been verified that all single component failures are fail-safe. However, some failures are not immediately detectable, and they are revealed only under certain input combinations. This gives an opportunity for multiple failures to accumulate over time, possibly leading to an unsafe scenario. With this viewpoint, those combinations of failures which have the potential to cause an unsafe output are analyzed. To prevent these failures, which contribute a significant unsafe failure probability, the circuit has to be tested at selected test points every PTI. During proof testing, the entire truth table has to be checked. Over and above this, suspected failures like parameter changes in the transformers, which may remain dormant, have to be checked. Because of the complexity involved, the PTI is assumed as six months. The combinations of failures which lead to an unsafe output are analyzed and quantified below. In this calculation, the failure mode probability distribution is taken from RIAC-91 [10]. Failure rates of components are taken from MIL-HDBK-217F [22]. Though this standard is not updated, for simple components such as transistors, resistors, etc., it will suffice.

Case I: (PT1 parameter change) AND (C2 open) AND (PI6 stuck at HIGH [OR] Q2 drain to source short)

The increase in the VT product of PT1 will give an output with a high duty cycle. Open mode failure of C2 will result in the output of PT1 appearing as an input of PT2. Along with this failure combination, if a Q2 drain to source short occurs, then irrespective of PI6, the AND stage gives the output of PT1. This output is unsafe.

a)

Mode probability of "transformer parameter change" is 16%. The failure rate of a low power pulse transformer is 0.0035 failures/10^6 hours. Thus the "PT1 parameter change" failure rate is

λ1 = 0.00056 failures/10^6 hours    (1)

b) Mode probability of "capacitor open" is 35%. The failure rate of an aluminum oxide capacitor is 0.024 failures/10^6 hours. Thus the "C2 open" failure rate is

λ2 = 0.00084 failures/10^6 hours    (2)

c) i) Mode probability of "Micro circuit digital", bipolar output stuck at HIGH is 28%. The failure rate of the timer is 0.032 failures/10^6 hours. Thus the "PI6 stuck at HIGH" failure rate is

0.00896 failures/10^6 hours    (3)

ii) Mode probability of "FET short" is 51%. The failure rate of a Si FET is 0.014 failures/10^6 hours. Thus the "Q2 drain to source short" failure rate is

0.00714 failures/10^6 hours    (4)

Thus, the (PI6 stuck at HIGH) OR (Q2 drain to source short) failure rate is (3) + (4):

λ3 = 0.0161 failures/10^6 hours

Unsafe failure probability = $(1 - e^{-\lambda_1 \cdot PTI})(1 - e^{-\lambda_2 \cdot PTI})(1 - e^{-\lambda_3 \cdot PTI}) = 0.6104 \times 10^{-15}$    (I)

Along with the specified test cases, a special case to be tested for detecting this combination of failures is to provide a pulse input to PI4 and a static LOW to PI6. If this test case leads to energizing the valve, then it can be concluded that this combination of failures has occurred.

Case II: (PT4 parameter change) AND (C4 open) AND (G1 output stuck at HIGH [OR] Q6 drain to source short [OR] PI1 stuck at HIGH [OR] PI7 stuck at HIGH)

a) "PT4 parameter change" failure rate λ4 = 0.00056 failures/10^6 hours [from (1)]

b) "C2 open" failure rate λ5 = 0.00084 failures/10^6 hours [from (2)]

c) i) Mode probability of "Micro circuit, Digital" MOS output stuck at HIGH is 8%. The failure rate of a MOS technology gate is 0.0057 failures/10^6 hours. Thus the "G1 output stuck at HIGH" failure rate is

0.000456 failures/10^6 hours    (5)

ii) "Q2 drain to source short" failure rate is 0.00714 failures/10^6 hours [from (4)]    (6)

iii) "PI1 stuck at HIGH" failure rate is 0.00896 failures/10^6 hours [from (3)]    (7)

iv) "PI7 stuck at HIGH" failure rate is 0.00896 failures/10^6 hours [from (3)]    (8)

Thus, the (G1 output stuck at HIGH) OR (Q6 drain to source short) OR (PI1 stuck at HIGH) OR (PI7 stuck at HIGH) failure rate is (5) + (6) + (7) + (8):

λ6 = 0.02551 failures/10^6 hours

Unsafe failure probability = $(1 - e^{-\lambda_4 \cdot PTI})(1 - e^{-\lambda_5 \cdot PTI})(1 - e^{-\lambda_6 \cdot PTI}) = 0.9671 \times 10^{-15}$    (II)

Thus, the PFD (unsafe) for the inherent fail-safe circuit is (I) + (II) = 0.158 × 10^-14.

The PFD result seems unrealistic. It can be easily seen that this is achieved because the actual system failure happens only upon a combination of multiple failures (at least three). The components involved are diverse in nature, and hence Common Cause Failures (CCF) are not considered in this calculation. However, the components reside on the same board, and there could be multiple failures in the board which would ultimately dictate the effective PFD. Quantification of CCF is not attempted, since it would depend on factors external to the system like power supply, environment, etc. However, the quantitative result serves the purpose of gaining an in-depth insight into the system reliability. Another aspect is that the very low PFD (unsafe) is achieved with additional spurious actuation (opening of dampers when not intended). However, an increase in flow can take place only when both the inlet and outlet dampers are spuriously opened (as in fig. 1). Manual overriding options are provided in the dampers for when decay heat removal is in progress. These options are utilized by operators to close the failed damper from the field.

B. Unsafe probability quantification of relay logic (existing logic)

The combinational equation of the relay logic (as in fig. 2) is I5 + I4×I6 + I3 + I2×I1 + I2×I7. The minimal cut set to the unsafe failure event is I5 + I3. Mode probability of "relay contact" in short is 19%. The failure rate of a relay is 0.13 failures/10^6 hours. Therefore the relay short mode failure rate is 0.0247 failures/10^6 hours. The failure rate of the relay logic is λ7 = 0.0494 failures/10^6 hours. A PTI of one week is assumed for the relay logic, due to the simplicity of exercising the system, as against six months assumed for the inherent fail-safe circuit.

Unsafe failure probability = $(1 - e^{-\lambda_7 \cdot PTI})$

Thus, the PFD (unsafe) for the relay logic is 0.8299 × 10^-5. This comparison shows that it is possible to build inherent fail-safe solid state circuits as a diverse solution with a very high confidence level on the unsafe failure probability on demand.

VII. PRECAUTIONS AND POSSIBLE IMPROVEMENTS

The pulse transformers are to be designed and tested so that any duty cycle increase or decrease leads to a loss of energy transmission. Though a PT3 primary to secondary short will lead to fuse blowing in the 24 V stage, it has the potential to transmit DC to the solenoid valves if the secondary is burnt open before the fuse, due to improper fuse design. As additional precautions, measures such as isolating the PT3 primary and secondary, and geometrical separation of primary and secondary with a shared core (the core being grounded), can be adopted. An internal fuse can be used in every stage to protect the circuit. The fuses have to be carefully rated and their response times well tested. The effect of noise on the circuitry has to be further investigated.

VIII. CONCLUSION

An inherently fail-safe pulsating electronic logic valve drive circuit for a safety critical nuclear application is proposed. A detailed failure mode effect analysis for the proposed circuit is presented and verified empirically. Since all perceivable failure modes are shown to result in the fail-safe state, the circuitry can be used as a diverse method for damper control. The method can achieve an equivalent or lower unsafe failure probability compared to the relay logic currently being used. The suggested method can be adapted to any industrial application where a combinational circuit is employed.

ACKNOWLEDGMENT

The authors are greatly thankful for the support and motivation by Dr. A.K. Bhaduri, Director, IGCAR. S. Sravanthi thanks the DAE fellowship for a perspective research grant for Ph.D.
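The unsafe failure probability quantification of Section VI, reproduced as an added worked example (this is not code from the paper or its authors): per-mode rates are base failure rate times mode probability, alternatives that each suffice (OR) add their rates, failures that must all be present (AND) multiply their 1 − e^(−λ·PTI) probabilities, and the two cases are summed and set against the relay logic's single-cut-set figure. The rates, mode fractions and equation numbers are the paper's; the per-mode value for "C2 open" is taken as the paper states it (0.00084), since the paper's totals follow from that value. The six-month PTI is assumed here to be 180 days (4320 h), as the paper gives only "six months"; that assumption, the unit handling and the function names are this example's own.

```python
import math

PER_MILLION_HOURS = 1e-6     # all rates below are quoted per 10^6 hours, as in Section VI
PTI_INHERENT_H = 180 * 24    # six-month proof test interval, assumed as 180 days = 4320 h
PTI_RELAY_H = 7 * 24         # one-week proof test interval for the relay logic


def mode_failure_rate(base_rate, mode_fraction):
    """Rate of one failure mode = component failure rate x mode probability (RIAC-91 split)."""
    return base_rate * mode_fraction


def p_fail_within(rate_per_1e6h, interval_h):
    """1 - e^(-lambda*PTI): probability a dormant failure has occurred before the next proof test."""
    return -math.expm1(-rate_per_1e6h * PER_MILLION_HOURS * interval_h)


def unsafe_probability_of_conjunction(rates_per_1e6h, interval_h):
    """Independent failures that must ALL be present (AND) before the output is unsafe:
    their individual probabilities multiply. OR-ed alternatives are summed by the caller."""
    p = 1.0
    for rate in rates_per_1e6h:
        p *= p_fail_within(rate, interval_h)
    return p


# Per-mode rates in failures/10^6 h, as stated in Section VI, equations (1)-(8).
LAMBDA_PT_PARAM_CHANGE = mode_failure_rate(0.0035, 0.16)    # (1): 0.00056
LAMBDA_C_OPEN = 0.00084                                     # (2): value as stated in the paper
LAMBDA_TIMER_STUCK_HIGH = mode_failure_rate(0.032, 0.28)    # (3): 0.00896
LAMBDA_FET_SHORT = mode_failure_rate(0.014, 0.51)           # (4): 0.00714
LAMBDA_GATE_STUCK_HIGH = mode_failure_rate(0.0057, 0.08)    # (5): 0.000456


def case_i(pti_h=PTI_INHERENT_H):
    """(PT1 parameter change) AND (C2 open) AND (PI6 stuck HIGH OR Q2 drain-source short)."""
    lambda3 = LAMBDA_TIMER_STUCK_HIGH + LAMBDA_FET_SHORT            # (3) + (4) = 0.0161
    return unsafe_probability_of_conjunction(
        [LAMBDA_PT_PARAM_CHANGE, LAMBDA_C_OPEN, lambda3], pti_h)


def case_ii(pti_h=PTI_INHERENT_H):
    """(PT4 parameter change) AND (C4 open) AND
    (G1 stuck HIGH OR Q6 drain-source short OR PI1 stuck HIGH OR PI7 stuck HIGH)."""
    lambda6 = (LAMBDA_GATE_STUCK_HIGH + LAMBDA_FET_SHORT
               + 2 * LAMBDA_TIMER_STUCK_HIGH)                        # (5)+(6)+(7)+(8) ~ 0.02551
    return unsafe_probability_of_conjunction(
        [LAMBDA_PT_PARAM_CHANGE, LAMBDA_C_OPEN, lambda6], pti_h)


def pfd_inherent(pti_h=PTI_INHERENT_H):
    """PFD (unsafe) of the inherent fail-safe circuit: (I) + (II)."""
    return case_i(pti_h) + case_ii(pti_h)


def pfd_relay(pti_h=PTI_RELAY_H):
    """Relay logic, minimal cut set I5 + I3: either relay's contacts welded (short mode,
    19% of relay failures at a base rate of 0.13 failures/10^6 h)."""
    lambda_relay_short = mode_failure_rate(0.13, 0.19)              # 0.0247
    lambda7 = 2 * lambda_relay_short                                 # 0.0494
    return p_fail_within(lambda7, pti_h)


if __name__ == "__main__":
    print(f"Case I  : {case_i():.4e}")
    print(f"Case II : {case_ii():.4e}")
    print(f"Inherent: {pfd_inherent():.4e}   Relay: {pfd_relay():.4e}")
    print(f"Relay / inherent ratio: {pfd_relay() / pfd_inherent():.2e}")
```

With the 4320 h interval the three results land within 0.1% of the paper's 0.6104 × 10^-15, 0.9671 × 10^-15 and 0.8299 × 10^-5, which pins down the interval the paper used. The structure is the reusable part: any new failure combination found during FMEA review becomes another call to `unsafe_probability_of_conjunction` with its OR-ed rates summed first, and the sensitivity to PTI can be read off directly by passing a different interval, which is the lever a proof-test schedule actually controls.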


REFERENCES

[1] U. Parthasarathy, T. Sundararajan, C. Balaji, K. Velusamy, P. Chellapandi, S.C. Chetal, Decay heat removal in pool type fast reactor using passive systems, Nuclear Engineering and Design, Volume 250, September 2012, Pages 480-499.
[2] Marvin Rausand, Reliability of Safety Critical Systems: Theory and Applications, Wiley, 2014.
[3] AERB/NPP-LWR/SC/D, Design of Light Water Reactor Based Power Plants, Atomic Energy Regulatory Board, Mumbai, India, 2015.
[4] IAEA Safety Standards Series No. SSR-2/1, Safety of Nuclear Power Plants: Design, Specific Safety Requirements, IAEA, Vienna, 2016, pages 28, 47.
[5] C. Senthil Kumar, A. John Arul, S. Athmalingam, Om Pal Singh and K. Suryaprakasa Rao, Reliability analysis of safety grade decay heat removal system of Indian prototype fast breeder reactor, Annals of Nuclear Energy, Volume 33, Issue 2, Pages 180-188, Jan 2006.
[6] Modern Instrumentation and Control for Nuclear Power Plants: A Guidebook, TECREPORTS No. 387, IAEA, Vienna, 1999, pages 37-40, 149-156, 470-480, 558-560.
[7] Research Reactor Modernization and Refurbishment, TECDOC No. 1625, IAEA, Vienna, 2009, page 109.
[8] S. Tikku, G. Raiskums, J. Harber and Phil Foster, Safety System and Control System Separation Requirements for ACR-1000TM and Operating CANDU Reactors, in Proc. ICONE18, 2010, pages 883-892.
[9] G. Bereznai, Nuclear Power Plant Systems and Operation, Univ. of Ontario Institute of Technology, Oshawa, ON, Canada, Jul. 2005.
[10] Failure Mode/Mechanism Distributions, Reliability Analysis Center, 1991.
[11] M. K. Misra, N. Sridhar and D. T. Murthy, Design and Implementation of Safety Logic with Fine Impulse Test System for a Nuclear Reactor Shutdown System, 2014 27th International Conference on VLSI Design and 2014 13th International Conference on Embedded Systems, Mumbai, 2014, pages 198-203.
[12] Punekar, Parag, Ramkumar, N., Kulkarni, U.S., Darbhea, M.D., Bharadhwaj, G., Jangra, L.R., Geetha, Patil, Das, Shantanu, Sonnis, S.T., Trevedi, P., Patil, M.B., and Biswas, B.B., Finite impulse testing (FIT) system for Emergency Cooling System (ECS) in Dhruva, National Conference on Operating Experience of Nuclear Reactors and Power Plants-2006, Mumbai, 2006, pages 699-707.
[13] Anwer Md. Najam, Satheesh N, Nagaraj C.P, and Krishnakumar B, Pulse coded safety logic system for PFBR, First National Conference on Nuclear Reactor Technology, Mumbai, 2002, page 304.
[14] Sven Ove Hansson, Promoting inherent safety, Process Safety and Environmental Protection, Volume 88, Issue 3, May 2010, Pages 168-172.
[15] T.A. Kletz, Inherently Safer Design—Its Scope and Future, Process Safety and Environmental Protection, Volume 81, Issue 6, November 2003, Pages 401-405.
[16] Rajagopalan Srinivasan, Sathish Natarajan, Developments in inherent safety: A review of the progress during 2001–2011 and opportunities ahead, Process Safety and Environmental Protection, Volume 90, Issue 5, September 2012, Pages 389-403.
[17] IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, International Electrotechnical Commission, Geneva, Switzerland, 1998.
[18] Safety Instrumented Functions (SIF) – Safety Integrity Level (SIL) Evaluation Techniques, Part 1: Introduction, 2002.
[19] IEC 61511, Functional Safety – Safety Instrumented Systems for the Process Industry Sector, Parts 1-3, International Electrotechnical Commission, Geneva, 2003.
[20] T. Businaro, L. Conti and M. Conti, Fail-Safe Circuits for Nuclear Protective Systems, IEEE Transactions on Nuclear Science, vol. 11, no. 2, pages 64-70, April 1964.
[21] T. Tsunoda, S. Gotoh and E. Suzuki, A Fail-Safe Reactor Safety System, J. Nucl. Sci. Technol., volume 4, no. 12, pages 614-622, Dec. 1967.
[22] Reliability Prediction of Electronic Equipment, MIL-HDBK-217F Notice 2, United States Department of Defense, 1995.


Fig.1. Dampers in SGDHR system: pneumatically operated (piston driven) and electrically operated (motor driven).


Fig.2. Logic circuit to drive solenoid valves. I1 to I7 are digital inputs; V1 to V6 are solenoid valves; de-energization of V3 and V4 ensures opening of the dampers. (The logic diagram itself does not survive text extraction.)


Fig.3. Schematic of fail-safe pulsing circuitry for controlling V3 and V4 valves. Stages shown: astable multivibrator circuit, pulse generator circuit (one timer per input I1 to I7, outputs PI1 to PI7), AND logic, combinational logic circuit, OR logic (G1, G2), output stage and driver circuit. Components referenced in Table II: pulse transformers PT1 to PT5, MOSFETs Q1 to Q6, diodes D1 to D7, capacitors C1 to C4, resistors R1 to R7, rheostat Rh1, switches SW1 to SW7, fuses F1 (5V, 500mA), F2 (5V, 100mA), F3 (24V, 500mA), F4 (5V) and F5 (24V), and the 24V solenoid valves. (The schematic itself does not survive text extraction.)


Fig.4. Fail-safe 2-input AND circuit design: inputs A and B, pulse transformers PT1 and PT2, capacitor C, 5V supply, output Y. (The schematic itself does not survive text extraction.)


Fig.5. a) Printed circuit board. b) Experimental setup: oscilloscope, voltage source, 24V pulse transformer, 24V capacitor and solenoid valve.

Fig.6. Output waveforms of different stages during healthy operation (voltage versus time): a) Timer synchronization pulses. b) PT1 output and 5V capacitor voltage. c) AND gate output (timer pulses PI4 and PI6, capacitor voltage, AND output). d) OR gate input pulses and OR gate output pulse. e) OR gate output pulse, 24V pulse transformer output and 24V capacitor voltage.

Fig.7. FMEA results (traces of timer pulse, PT1/PT2 output, OR output, 24V pulse transformer output and 5V/24V capacitor voltage, voltage versus time): a) Timer discharging resistor (R2) short. b) Timer diode (D1) open. c) PI4 stuck at high. d) PI6 stuck at high. e) MOSFET (Q1) gate to source short. f) Capacitor (C2) open. g) Capacitor (C2) short. h) Rectifying diode (D5) short. i) Freewheeling diode (D4) open. j) Freewheeling diode (D4) short. k) Freewheeling diode resistor (R4) short. l) Freewheeling diode (D6) open. m) Rectifying diode (D7) short.

Table I. Comparison of logics with unsafe failure probability

Option-1: Relay logic
  PFD (approximate): $\mathrm{PFD} \approx \lambda_{D}\,\dfrac{PTI}{2}$
  How PFD is typically reduced: $\lambda_{D}$ is very small for relays.

Option-2: Solid-state electronics logic with periodic testing
  PFD (approximate): $\mathrm{PFD} \approx \lambda_{DD}\,\dfrac{TI}{2} + \lambda_{DU}\,\dfrac{PTI}{2}$ (ignoring test-circuitry failures)
  How PFD is typically reduced: $TI$ can be in seconds; $\lambda_{DU}$ has to be minimized by improved fault coverage.

Option-3: Solid-state electronics, inherently fail-safe circuit
  PFD (approximate): $\mathrm{PFD} \approx \lambda_{DNI}\,\dfrac{PTI}{2}$
  How PFD is typically reduced: $\lambda_{DNI}$ has to be shown to approach zero.

Symbols: $\lambda_{D}$ dangerous failure rate; $\lambda_{DD}$ and $\lambda_{DU}$ its detected and undetected parts under periodic testing; $PTI$ proof-test interval; $TI$ periodic (automatic) test interval.
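The three approximations of Table I, carried through numerically. This is an added example, not a calculation from the paper: the failure rates, diagnostic coverage and intervals in `compare()` are assumed round numbers chosen only to show how the terms behave, and the SIL banding is the IEC 61508 low-demand table. The symbols follow Table I: `lam_d` for $\lambda_{D}$, `lam_dd`/`lam_du` for $\lambda_{DD}$/$\lambda_{DU}$, `lam_dni` for $\lambda_{DNI}$, `pti_h` for $PTI$ and `ti_h` for $TI$ (both in hours).

```python
"""Evaluate the PFD approximations of Table I for an assumed parameter set.

Added example, not from the paper.  Rates are per hour, intervals in hours.
The numeric defaults in compare() are assumptions, not the authors' values.
"""

HOURS_PER_YEAR = 8760.0


def pfd_relay(lam_d, pti_h):
    """Option-1: every dangerous failure waits for the proof test -> lam_d * PTI / 2."""
    return lam_d * pti_h / 2.0


def pfd_periodic_test(lam_d, coverage, pti_h, ti_h):
    """Option-2: lam_d is split by diagnostic coverage into a detected part,
    exposed only for TI/2, and an undetected part, exposed for PTI/2.
    Failures of the test circuitry itself are ignored, as in Table I."""
    lam_dd = coverage * lam_d
    lam_du = (1.0 - coverage) * lam_d
    return lam_dd * ti_h / 2.0 + lam_du * pti_h / 2.0


def pfd_inherent(lam_dni, pti_h):
    """Option-3: only the residual non-inherent dangerous rate remains -> lam_dni * PTI / 2."""
    return lam_dni * pti_h / 2.0


def sil_band(pfd):
    """IEC 61508 low-demand SIL for an average PFD (4 = best, 0 = below SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def undetected_share(lam_d, coverage, pti_h, ti_h):
    """Fraction of the Option-2 PFD that comes from the undetected term.
    With TI in seconds this is ~1, which is why Table I says lam_du, not TI,
    is what has to be driven down."""
    total = pfd_periodic_test(lam_d, coverage, pti_h, ti_h)
    return ((1.0 - coverage) * lam_d * pti_h / 2.0) / total


def compare(lam_d_relay=1e-7, lam_d_electronics=1e-6, coverage=0.99,
            lam_dni=1e-9, pti_years=1.0, ti_seconds=1.0):
    """Return {option: (pfd, sil)} for one assumed parameter set (all defaults are assumptions)."""
    pti_h = pti_years * HOURS_PER_YEAR
    ti_h = ti_seconds / 3600.0
    pfds = {
        "Option-1 relay logic": pfd_relay(lam_d_relay, pti_h),
        "Option-2 periodic testing": pfd_periodic_test(lam_d_electronics, coverage, pti_h, ti_h),
        "Option-3 inherent fail-safe": pfd_inherent(lam_dni, pti_h),
    }
    return {name: (pfd, sil_band(pfd)) for name, pfd in pfds.items()}


if __name__ == "__main__":
    for name, (pfd, sil) in compare().items():
        print(f"{name:30s} PFD = {pfd:.2e}  SIL {sil}")
    share = undetected_share(1e-6, 0.99, HOURS_PER_YEAR, 1.0 / 3600.0)
    print(f"share of Option-2 PFD from the undetected term: {share:.6f}")
```

Changing `ti_seconds` by orders of magnitude barely moves the Option-2 result, while changing `coverage` or `pti_years` moves it directly; that is the sensitivity Table I summarises in its last row.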

Table II. Failure Mode Effect Analysis (columns: Component | Failure mode | Effect | Consequence)

Timer stage
Capacitor (C1) | Short or open | Timer output is LOW. | De-energization of solenoid valves takes place due to absence of pulses.*
Resistor (R1) | Short | Timer output is LOW. | De-energization of solenoid valves takes place due to absence of pulses.*
Resistor (R1) | Open | Timer output is HIGH. | De-energization of solenoid valves takes place due to absence of pulses.*
Timer discharging resistor (R2) | Short | Duty cycle approaches 1; the pulse transformers are unable to follow the pulse. Results are in Fig. 7a. | De-energization of solenoid valves takes place due to insufficient capacitor voltage.*
Timer discharging resistor (R2) | Open | Duty cycle approaches 0. | De-energization of solenoid valves takes place due to absence of pulses.*
Timer diode (D1) | Short | Same as R2 short. | De-energization of solenoid valves takes place due to insufficient capacitor voltage.*
Timer diode (D1) | Open | Increase in timer pulse duty cycle; the pulse transformers are unable to follow the pulse. Results are in Fig. 7b. | De-energization of solenoid valves takes place due to insufficient capacitor voltage.*
Inductor (L) | Open | Output of the timers is HIGH. | De-energization of solenoid valves will not take place until one of the inputs to OR gate (G2) is high.*
Inductor (L) | Short | Loss of pulse synchronization between timers. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**

AND stage
Timer-4 (output connected to Q1 gate) | Stuck at LOW | Output of PT2 is LOW. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
Timer-4 (output connected to Q1 gate) | Stuck at HIGH | Output of PT2 is LOW. Results are in Fig. 7c when current limiting is enforced in the power source; in the absence of current limiting, fuse F2 will blow. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
Timer-6 (output connected to Q2 gate) | Stuck at LOW | Output of PT2 is LOW. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
Timer-6 (output connected to Q2 gate) | Stuck at HIGH | Capacitor C4 is overloaded and cannot charge to 5V. Output of PT2 is LOW. Results are in Fig. 7d. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
Timer-3 (output connected to G2) | Stuck at LOW | Output of G2 depends on the other inputs. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Timer-3 (output connected to G2) | Stuck at HIGH | Output of G2 is HIGH. | De-energization of solenoid valves takes place.
MOSFET (Q1) | Gate/source open | Output of PT1 is LOW. | Absence of pulses causes valve de-energization.
MOSFET (Q1) | Gate to source short | Reduction in the voltage level of the timer pulse driving Q1 due to overloading, which in turn causes loss of pulse synchronization between timers. Results are in Fig. 7e. This failure will cause the 5V fuse to blow. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
MOSFET (Q1) | Drain to source short | This failure draws extra current; the internal fuse (F2) in the AND stage will blow. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
MOSFET source-to-ground resistor (R5) | Open | MOSFET remains in the OFF state. Output of PT2 is LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
MOSFET source-to-ground resistor (R5) | Short | Follows the expected results except that extra current is drawn; the internal fuse (F2) in the AND stage will blow. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer freewheeling diode (D2) | Open | Over time this failure may damage the MOSFET due to kick-back voltage. | No immediate loss of functionality; in due course this failure may cause de-energization of solenoid valves.
Pulse transformer freewheeling diode (D2) | Short | Does not affect the circuit, because of the freewheeling-diode resistor (400 Ω) in series, except that extra working current is drawn. | This failure does not cause any change in functionality.
Pulse transformer freewheeling diode resistor (R3) | Open | Same as D2 open. | No immediate loss of functionality; in due course this failure may cause de-energization of solenoid valves.
Pulse transformer freewheeling diode resistor (R3) | Short | Minor distortion in the kick-voltage transient. | This failure does not cause any change in functionality.
Rectifying diode (D3) | Open | Capacitor C2 cannot be charged since the path is open. Output of PT2 is LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Rectifying diode (D3) | Short | The capacitor voltage discharges through pulse transformer PT1, so the capacitor cannot hold 5V. Output of PT2 is LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Capacitor (C2) | Open | The short-duration PT1 pulse (10 μs) is fed directly to PT2; if PI6 is present, PT2 gives a 10 μs output pulse, which is not long enough to hold the 24V charge on the capacitor. Results are in Fig. 7f. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Capacitor (C2) | Short | Overloads the pulse transformer; no voltage is developed across the capacitor. Output of PT2 is LOW. Results are in Fig. 7g. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
MOSFET (Q2) | Gate/source open | Output of PT2 is LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
MOSFET (Q2) | Gate to source short | Same as Q1 gate to source short. | Absence of pulses causes valve de-energization.
MOSFET (Q2) | Drain to source short | The capacitor cannot charge to 5V. Output of PT2 is LOW. The internal fuse (F2) in the AND stage will blow. | De-energization of solenoid valves takes place if all the inputs to G2 are low.**
Rectifying diode (D5) | Open | Output of PT2 is not connected to the OR gate. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Rectifying diode (D5) | Short | Over time it affects the OR gate due to negative voltage at the OR input pin. The pulse shape at the OR gate input changes and the OR gate output pulse duration is reduced. Results are in Fig. 7h. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer freewheeling diode (D4) | Open | Changes the pulse shape and increases the ON time, which reduces the voltage level of the PT3 output. Results are in Fig. 7i. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer freewheeling diode (D4) | Short | Slight reduction in capacitor (C2) voltage; minor distortion in PT2 output; the pulse ON time to PT3 is reduced. Results are in Fig. 7j. | This failure may not cause any change in valve status; the valve may de-energize if the ON time is sufficiently reduced.**
Pulse transformer freewheeling diode resistor (R4) | Open | Same as D4 open. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer freewheeling diode resistor (R4) | Short | Change in pulse shape and duration; capacitor (C3) is not charged sufficiently. Results are in Fig. 7k. | De-energization of solenoid valves takes place.

OR stage
OR gate (G2) | Input open | The CMOS family treats an open input as logic LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
OR gate (G2) | Output stuck at LOW | Output of G2 is LOW. | De-energization of solenoid valves takes place.
OR gate (G2) | Output stuck at HIGH | Even when the input is taken as HIGH, the output transformer (PT3) blocks energy transfer to the solenoid valve. | De-energization of solenoid valves takes place.
Input pin to ground resistor (R7) | Open | No effect on the circuit. This resistor is an extra provision to treat an open input as logic low; by design, a logic family with that property can be chosen instead. | This failure does not cause any change in functionality.
Input pin to ground resistor (R7) | Short | Overloads the timer; causes the 5V fuse (F1) to blow. | Loss of 5V supply to the board; absence of pulses causes solenoid valve de-energization.

Driver circuit
MOSFET (Q3) | Gate/source open | Output of PT3 is LOW. | De-energization of solenoid valves takes place.
MOSFET (Q3) | Gate to source short | MOSFET Q3 remains OFF; PT3 output is zero. | De-energization of solenoid valves takes place.
MOSFET (Q3) | Drain to source short | Causes the 24V fuse (F3) to blow. | De-energization of solenoid valves takes place.
Pulse transformer freewheeling diode (D6) | Open | Output pulse distortion. Over time this failure may damage the MOSFET due to kick-back voltage. Results are in Fig. 7l. | No immediate loss of functionality; de-energization of solenoid valves takes place if the input at the gate of Q3 is driven low.
Pulse transformer freewheeling diode (D6) | Short | Output pulse distortion. | De-energization of solenoid valves takes place.
Pulse transformer freewheeling diode resistor (R6) | Open | Same as D6 open. | No immediate loss of functionality; de-energization of solenoid valves takes place if the input at the gate of Q3 is driven low.
Pulse transformer freewheeling diode resistor (R6) | Short | Capacitor voltage is not sufficient to hold the solenoid valve. | De-energization of solenoid valves takes place.
Rectifier diode (D7) | Open | Pulse transformer output is not connected to charge capacitor C3. | De-energization of solenoid valves takes place.
Rectifier diode (D7) | Short | The capacitor cannot hold 24V since it discharges through the pulse transformer as well as the valve. Results are in Fig. 7m. | De-energization of solenoid valves takes place.
Capacitor (C3) | Open | The output pulse of PT3 is fed directly to the solenoid valve. | De-energization of solenoid valves takes place.
Capacitor (C3) | Short | No voltage is developed across the solenoid valve. | De-energization of solenoid valves takes place.
Rheostat (Rh1) | Open | The pulse is not connected to charge the capacitor. | De-energization of solenoid valves takes place.
Rheostat (Rh1) | Short | Very sharp rise time for capacitor charging at power-on; stress on the power MOSFET and PCB traces. | No immediate loss of functionality; in due course this failure may cause de-energization of solenoid valves.
Pulse transformer (PT1, PT3) | Primary to secondary short | Shorts the power source to ground; blows the corresponding source fuse (F1 / F3). | De-energization of solenoid valves takes place.
Pulse transformer (PT1, PT3) | Primary short | Same as primary to secondary short. | De-energization of solenoid valves takes place.
Pulse transformer (PT1, PT3) | Secondary short | Similar to the short-mode failure of the capacitor it feeds. | As for that capacitor short.
Pulse transformer (PT2) | Primary to secondary short or primary short | The capacitor is unable to charge to 5V. Output of PT2 is LOW. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer (PT2) | Secondary short | Output of PT2 is not a 5V pulse; the pulse peak depends on the number of windings shorted. | De-energization of solenoid valves takes place if the other inputs to G2 are low.**
Pulse transformer (PT1, PT2, PT3) | Primary or secondary coil open | The pulse cannot be transmitted to the next component. | De-energization of solenoid valves takes place provided the particular transformer is involved in energization.

*This fault will be revealed only when there is an attempt to energize the solenoid valve with ANY input. However, any attempt to de-energize the solenoid valve will always be honored, and hence it is a safe failure.
**This fault will be revealed only when there is an attempt to energize the solenoid valve with THIS input. However, any attempt to de-energize the solenoid valve will always be honored, and hence it is a safe failure.
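The mechanism behind Table II, as a small simulation. This is an added example, not the authors' circuit model or any of their measurements: it abstracts one AND branch of Fig. 3/Fig. 4 (timer pulse, PT1, rectifier and C2, Q2 gated by the second input, PT2), the OR gate G2 and the driver (Q3, PT3, rectifier and C3, solenoid valve) into a sample-by-sample model in which a pulse transformer passes only changing current and a capacitor leaks between pulses. Pulse widths, the saturation length, the charge and leak rates and the drop-out level are assumed round numbers chosen to make the behaviour visible. The point it makes is the one the table's footnotes make: a stuck level at any stage, or a dead storage capacitor, removes the pulse energy the valve needs, so every such fault ends in de-energization, and a fault in one AND branch is masked only while another input is itself demanding energization (the ** case).

```python
"""Toy discrete-time model of the pulse-coded fail-safe chain of Fig. 3.

Added example, not the authors' model.  All constants are assumptions.
"""

PERIOD = 100             # samples between synchronised timer pulses
A_PULSE = (0, 10)        # input A pulse occupies samples [0, 10) of each period
B_PULSE = (20, 50)       # input B pulse occupies [20, 50): it starts after C2 is charged
PT_MAX_ON = 40           # a pulse transformer core saturates after 40 samples of drive
C2_CHARGE = 0.1          # C2 voltage gained per sample of PT1 pulse (1.0 = 5V)
C2_DISCHARGE = 1.0 / 30  # C2 voltage dumped into PT2 per sample while Q2 conducts
C3_CHARGE, C3_LEAK = 0.02, 0.004  # C3 (24V) charge per pulse sample, leak per idle sample
DROP_OUT = 0.5           # C3 level below which the solenoid drops out


def timer(n, window, stuck=None):
    """Timer output: one pulse per period inside `window`; 'high'/'low' = stuck-at fault."""
    if stuck == "high":
        return [1] * n
    if stuck == "low":
        return [0] * n
    lo, hi = window
    return [1 if lo <= i % PERIOD < hi else 0 for i in range(n)]


def pulse_transformer(drive):
    """Only changing current transfers energy: the output follows the drive
    until the core saturates, then stays 0 until the drive is released."""
    out, run = [], 0
    for d in drive:
        run = run + 1 if d else 0
        out.append(1 if 0 < run <= PT_MAX_ON else 0)
    return out


def rectify_and_hold(pulses, charge, leak, fault=None):
    """Diode + capacitor: charge while a pulse is present, leak otherwise.
    Returns the capacitor voltage trace, normalised so 1.0 = fully charged."""
    v, trace = 0.0, []
    for p in pulses:
        if fault == "short":
            v = 0.0
        elif fault == "open":        # nothing stored: output just follows the pulse
            v = float(p)
        elif p:
            v = min(1.0, v + charge)
        else:
            v = max(0.0, v - leak)
        trace.append(v)
    return trace


def and_stage(a, b, c2_fault=None):
    """Fig. 4 style pulse AND: PT1 charges C2 from input A; Q2, driven by
    input B, dumps C2 into PT2.  A static level on either input gives no
    sustained PT2 output; an open or shorted C2 stores nothing."""
    pt1 = pulse_transformer(a)
    v2, drive = 0.0, []
    for p1, q2_on in zip(pt1, b):
        if q2_on:
            # Q2 conducting: C2 cannot charge; its stored charge (or PT1's own
            # narrow pulse) drives the PT2 primary.
            drive.append(1 if (p1 or v2 > 0.0) else 0)
            v2 = max(0.0, v2 - C2_DISCHARGE)
        else:
            drive.append(0)
            if p1 and c2_fault is None:
                v2 = min(1.0, v2 + C2_CHARGE)
    return pulse_transformer(drive)


def or_gate(x, y, stuck=None):
    """CMOS OR gate G2 on two pulse streams, with optional stuck-at output."""
    if stuck == "high":
        return [1] * len(x)
    if stuck == "low":
        return [0] * len(x)
    return [p | q for p, q in zip(x, y)]


def driver_stage(g2, c3_fault=None):
    """Q3 drives PT3; D7 and C3 rectify and hold the 24V for the solenoid."""
    return rectify_and_hold(pulse_transformer(g2), C3_CHARGE, C3_LEAK, c3_fault)


def valve_energised(v3):
    """The solenoid stays picked up only if C3 never falls below DROP_OUT
    during the last full timer period."""
    return min(v3[-PERIOD:]) > DROP_OUT


def simulate(n=3000, a_stuck=None, b_stuck=None, c2_fault=None,
             g2_stuck=None, c3_fault=None, other_demand=False):
    """Run one fault scenario and report whether the valve is held energised.
    other_demand=True puts healthy pulses on G2's other input, i.e. another
    input is also asking for energisation (the ** case in Table II)."""
    a = timer(n, A_PULSE, a_stuck)
    b = timer(n, B_PULSE, b_stuck)
    this_branch = and_stage(a, b, c2_fault)
    other = timer(n, B_PULSE) if other_demand else [0] * n
    return valve_energised(driver_stage(or_gate(this_branch, other, g2_stuck), c3_fault))


if __name__ == "__main__":
    scenarios = {
        "healthy": {}, "input A stuck HIGH": {"a_stuck": "high"},
        "input B stuck HIGH": {"b_stuck": "high"}, "C2 open": {"c2_fault": "open"},
        "G2 output stuck HIGH": {"g2_stuck": "high"}, "C3 short": {"c3_fault": "short"},
        "B stuck LOW, other input demanding": {"b_stuck": "low", "other_demand": True},
    }
    for name, kw in scenarios.items():
        print(f"{name:38s} valve energised: {simulate(**kw)}")
```

The stuck-HIGH cases are the instructive ones: a static level passes through a pulse transformer for at most `PT_MAX_ON` samples and then transfers nothing, so a stuck-at-1 fault behaves like a stuck-at-0 one a few samples later, which is what makes the design inherently fail-safe rather than merely fail-low.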