- Email: [email protected]
Development of an emergency operation supporting system for nuclear power plants
Reliability Engineering and System Safety 43 (1994) 281-287
Development of an emergency operation supporting system for nuclear power plants Joon-Eon Yang, Kwang-Sub Jeong and Chang K. Park Korea Atomic Energy Research Institute, PO Box 7, Daeduk-Danji, Taejeon, South Korea, 305-353 (Received 19 March 1993; accepted 5 July 1993) In order to support the emergency operation of nuclear power plants (NPPs), Korea Atomic Energy Research Institute (KAERI) has been developing a computerized operation supporting system called KOSSN (KAERI Operation Supporting System for NPP). Artificial intelligence (AI) and probabilistic safety assessment (PSA) techniques have been used in developing KOSSN. KOSSN consists of three parts: In the first part the operator action items for the emergency operation of an NPP are listed. In the second part the success paths of the safety systems which can be used for the operator to restore the challenged safety functions and rank them according to the respective operability are generated. In the last part, according to the present plant status, an appropriate event tree is suggested in order to show possible future courses of accident progression. For efficient man-machine interface, a color graphic display is used. KOSSN is built on a workstation using the IF-Prolog language and the Xll graphic tool.
1 INTRODUCTION
additional information which is required to respond to the emergency situation appropriately. This additional information includes the success paths of the safety systems and the event tree from plant-specific probabilistic safety assessment (PSA). KOSSN has been developed in order to support the decisionmaking of the senior reactor operator (SRO) during an emergency. The system can be installed in the technical supporting center (TSC) so that the information from KOSSN can be transferred to the SRO as an alternative. The success paths are generated by KOSSN using deep knowledge such as the structure description and present status of those systems. The success paths are ranked according to the operability which is defined as the system reliability. The PSA techniques such as the event tree are also used to enhance the capability of KOSSN. The event tree is a logic model in a PSA to show courses of accident progression due to an initiating event. A number of systems which have similar objectives to those of KOSSN have been developed in last few years. The characteristics of those systems are compared with those of KOSSN in Table 1. 4-11 As shown in Table 1, there are two major differences between KOSSN and other systems. One is that KOSSN provides more detailed information and guidance. The other is the use of PSA techniques such
The basis for the emergency operation of nuclear power plants (NPPs) is the emergency operating procedures (EOPs). After the TMI-2 accident, the function-based approach was introduced and this has increased both the breadth and depth of EOPs. As a result, the operator must be aware of the plant status on several levels concurrently to recover from a transient effectively. A human being, however, can consider the changes of plant status only in serial fashion, and therefore may be unable to properly understand the overview of the plant condition. 1,2 Hence, a number of computerized operation supporting systems (COSS) based on EOPs have been developed. Use of the COSS techniques enables the operator to find the appropriate response actions without time stress due to information overload under emergency situations. 3 The Korea Atomic Energy Research Institute ( K A E R I ) has been developing an operation supporting system, KOSSN ( K A E R I Operation Supporting System for NPP) by combining EOPs with the COSS techniques. KOSSN provides the operator with not only a list of action items based on EOPs but also
Reliability Engineering and System Safety 0951-8320/94/$07.00 © 1994 Elsevier Science Limited, England. 281
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
282
Table 1. Characteristics of KOSSN compared with other operation supporting systems Name
Developer
Basis
COMPA 4 EOPTS 5 SPMS~-8
OECD" EPRI h EPRI
EOP, normal operating procedures EOP CSF, success path
OPA" PREDICTOR "~ FORESTER j i KOSSN
Tech. Appl. ~ EG&G KAERI
EOP PSA PSA EOP, PSA, success path
Functions On-line procedure On-line tracking and explanation Monitor the status of CSF and deploy the appropriate success path Task schedule Estimate the likelihood of core-melt Identify particular failure mode On-line procedure, success path and future status
Organization for Economic Corporation and Development. h Electric Power Research Institute. c Technology Application Inc. guide, (2) success path generation, and (3) corresponding event tree suggestion. Each part has its own knowledge base and inference engine. The main part of Fig. 1 controls the information exchanges among the above three parts and provides the man-machine interface to the user. Detailed descriptions for each part are given in the following subsections. It is assumed that the information available in the main control room is also available in KOSSN but in different formats. Note that signal validation is essential for a system of this kind. Up to now, a number of signal validation techniques have been proposed such as petri net. This is, however, another subject to be addressed separately. In this paper, therefore, it is assumed that all signals required during the inference process are inputted by on-line and they are validated.
as the operability and the event tree. The success path with its operability value makes it possible for the operator to select the most reliable recovery action under the present status of a NPP. On the other hand, the event tree makes the operator aware of the courses of accident progression. Such a systematic and detailed guidance enables the operator to respond to the emergency in an NPP more effectively. The overall features of KOSSN will be explained in detail in Section 2. In Section 3, KOSSN is applied to the 'steam generator tube rupture (SGTR)' scenario. Finally, in Section 4, conclusions and future works are given.
2 SYSTEM DESCRIPTION The overall structure of KOSSN is shown in Fig. 1. KOSSN consists of three parts: (1) operator's action
and Future Plant Status
Operators
I Ng. 1. Overall structure of KOSSN.
An emergency operation supporting system for NPPs
2.1 Operator's action guide In KOSSN, the operator action items are derived from EOPs. Two parts of EOPs, i.e. the optimal response procedures (ORPs) and the functional restoration procedures (FRPs), are stored as the knowledge base in the form of the 'IF-THEN-ELSE' rule. The appropriate response actions are derived according to the present plant status. In KOSSN, the EOPs of Kori Units 3,4 are used. Kori Units, 3,4 are Westinghouse-designed three-loop pressurized water reactors (PWRs). The EOP structure is reorganized in KOSSN. During the reorganization process, we have paid attention to the requirement exactly the same guidance should be provided by EOP and KOSSN since we assumed that the contents of the EOP were not changed. By reorganizing the EOP, the operator actions included in EOPs are standardized and classified. These rules for deriving operator action items have a hierarchy of three levels. Level 1 is associated with the general response strategy and is the ultimate purpose of action. Level 2 is related to the operation mode of a specific system or component; in other words, it specifies which system should be turned on or off. Finally, level 3 is associated with the detailed operator's actions. For instance, 'if subcriticality is red state then borate the reactor coolant system (RCS)' is a level 1 rule for a critical safety function (CSF) item, 'subcriticality'. An example of a level 2 rule is: 'if present Level 1 action item is to borate RCS then operate chemical and volume control system (CVCS) for RCS boration'. A level 3 rule is: 'if present level 2 action item is to operate CVCS for RCS boration then start the charging pump'. For the inferred level 2 action item, the success paths are generated, that is, the suggested system in level 2 action is transferred to the 'success path generation part' in order to generate the success path of that system. The rules for level 3 actions are derived during this step.
2.2 Success path generation part In KOSSN, the success paths are generated by applying the general generation algorithm to the structure description of a particular system instead of using the predetermined success paths. The structure descriptions of systems are stored as the knowledge base and are based on the piping and instrumentation diagrams (P&IDs). Most P&IDs consist of two parts: the components that perform their intended function and the connection elements, e.g. pipes. The frame technique is used to represent them and the component and connection elements are assigned to the slots for each of them. An example of knowledge representation form for the structure description is
283
shown below. This example is based on the syntax of Prolog language. component_dB (Name, Type, Capacity, next_Node, State). In the above example, 'Name' represents the specific name of the component, such as component tag number. 'Type' is the type of the component, e.g. check valve, motor-driven pump, etc. 'Capacity' represents the capacity of the component with which KOSSN can consider a partial failure of component during its generation of the success path. 'Next_Node' represents the connection element related to the component, and 'State' is the present state of component. It is assumed that all components have two states: initial and demand states. The initial state represents the present state of the component, e.g. open/close/fail for valves, running/standby/fail for pumps. The demand state is the state of a component in which the particular component can perform its intended function, namely, valve-open, pumprunning, etc. Whenever initial and demand states are different, a level 3 operator action item can be introduced by the level 3 rules. For instance, if a valve is in closed state at present and the demand state of that valve is valve-open, then a level 3 operator action item such as 'open the valve-XXXX' is suggested. The search for success paths is performed by using the structure description of a system, and a set of initial and demand states for each component of the system. For the given starting component, its initial and demand states are compared. If these two states are equal, the same logic is applied to the next connected components. In the case that two states of a component are different, the level 3 action item is derived as mentioned above. This scheme is successively applied from the starting component to the terminal one to obtain one success path. The required capacity of the success path is determined previously from the technical specifications and/or other mechanistic calculations. The capacity of the generated success path is compared with the required capacity. When the capacity of a component is not enough to satisfy the required capacity of the success path due to the partial failure of that component, additional path(s) to compensate for the insufficiency of the capacity are searched for. The combination of these paths is regarded as one success path. Backtracking, the inherent feature of Prolog, is used during the search for success paths. The algorithm for success path generation is based on the first principle, i.e. using deep knowledge like structure description. Therefore, this algorithm can be applied to any system as long as the structure descriptions of those systems are given correctly.
284
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
Each generated success path is ranked according to either its respective reliability or the number of manual operator's actions required to complete the path. The reliability of components in each success path is obtained from the reliability database. The operator can choose either the most reliable success path or one which requires the least number of human actions according to their understanding of the present NPP status. The results of previous PSA show that human error probability is usually higher than the failure probabilities of equipment. In such cases, the success path with the least number of human actions coincides with the most reliable one.13 The values used to calculate operability are obtained from the general PSA database. 14"15 The operability is used to rank the success paths. The selected success path is displayed on a color screen with different colors and the required operator action items are also listed. The operability can be regarded as the heuristic measure for the effectiveness of the generated success paths, i.e. the system availability depends on the selected success path.
2.3 Event tree suggestion part In a PSA, the event trees are used to identify the accident sequences which lead to core melt/core damage. Each system event tree represents a distinct set of accident sequences, each of which consists of an initiating event and a combination of various system successes and failures that lead to an identifiable plant state. In other words, the event tree shows the logical prediction of an accident sequence. There was an attempt to use the event tree in a COSS. ~° In Ref. 10 the event tree was used for the calculation of the estimated likelihood of core melt. In KOSSN, on the other hand, the event tree is used to provide the possible future courses of accident progression to the operator. For KOSSN, only the front line systems which can mitigate an accident or transient, are addressed on the event tree. The event trees are constructed according to the status of CSFs and related supporting systems, hence, the sequence of the operational guidance provided by KOSSN can be regarded as one of the sequenes in the event tree. In KOSSN, the event tree can be used in two different circumstances. If a transient is already identified, i.e. the operation guidance provided by KOSSN is based on the knowledge derived from the ORPs, the corresponding event tree is used to show the possible future courses of accident progression to the operator. When the transient is not identified yet, that is, the operation guidance provided by KOSSN is based on the knowledge derived from the FRPs, a group of event trees which show similar characteristics to the transient are suggested as the candidates. These
groups of event trees are suggested by comparing the headings of the event trees with the operational guidance provided by KOSSN. As the transient progresses, the event trees contained in the candidate group are re-examined and the event trees which show discrepancy are removed from the candidates. In this way the suggested event trees are gradually reduced to a few event trees. This feature also helps the operator to identify the transient.
3 IMPLEMENTATION TEST KOSSN is applied to a SGTR transient. When the transient begins, the corresponding response guidelines derived from E-0 of the ORPs are provided to the operator. The operator action item with the success path of a system is displayed in Fig. 2. In this case, the level 1 action guide is to 'verify automatic action as initiated by protection and safeguard systems', the level 2 action item is to 'check if safety injection (SI) is actuated'. The success paths of SI, hence, are generated. Among the generated success paths, the most operable success path is displayed on the simplified P&ID as shown in Fig. 2. The derived level 3 action items to accomplish above level 2 action items are 'open L V l l 5 D ' and 'open BH-HV20'. The intended function by an initially selected level 2 action item may not be achieved for various reasons. When a selected item cannot perform its function, an alternative level 2 action item, then, will be automatically suggested. For instance, if it is confirmed that SI does not perform its function by the operator, then 'Establish secondary heat removal' will be suggested as an alternative level 2 action item and a new set of success paths to complete this action item will be generated for the corresponding safety systems. Note that KOSSN is currently off-line and the plant response to a level 3 action item should be determined outside KOSSN. While the operator performs the suggested action items, another CSF may be challenged. Usually, the newly challenged CSF has a higher priority. If this happens, the present CSF status and the CSF status tree of the challenged CSF item are displayed on the screen as shown in Fig. 3. In such case, a new set of action items is derived from FRPs. In Fig. 3, the level 1 action item is to 'attempt restoration of feed flow to SGs', and the level 2 action item is to 'check if secondary heat sink is required'. The required conditions to achieve above level 2 action item is that RCS pressure should be higher than any intact SG pressure. In this example, it is assumed that the transient is identified as a SGTR by the diagnosis procedures of E-0, hence, the SGTR event tree is selected and displayed to the operator. An example of an event tree display is shown in Fig. 4. The display shows the
An emergency operation supporting system for NPPs
285
ACTION GUIDE
CSF's STATUS
Level 1 Actions
SUBORITICAL]TY
CORECOOLING
IHTEGRITY
CONTAINMENT INVENTORY
HEAT-SINK ,,.
Perfof'll E-O : Remctor Trip or $afet~ Inject
Verifg
ion
s Initiated tion
Rutomati c Rcti on R
and
b9 t h e P r o t e c
Safeguard System
s
Level 2 Actions Check i f
SI
is
Rctuated
Level 3 Actions BH-HV2B
USER INPUT Change State Stop Stop
Fig. 2. Example display of operational guidelines with success path.
ACTION GUI DE
CSF's STATUS SUBCRITICALITY
CORECOOLING
INTEGRITY
CONTAINMENT INVENTORY
HEAT-SINK
Perform FR-H.I : Response to Loss of Second ar H Heat Sink
Level 1 Actions R t t e m p t R e s t o r a t i on of
Fe
ed FI ow t o SGs
irota~ v~
Level 2 Actions
"..-'..'.'""'"'"C.
Check i f
$eeondarLj Heat S
i nl< i s Requi r e d at I~t
~
...............@ Level 3 Actions RCS PRESS > Any I n t a c t SG PRESS ? %
,,~,
.""<9
USER
I NPUT
No Return to EOP Oemo ET
Fig. 3. Example display of CSF status tree.
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
286
CSF's SUBCRITICALITY INTEGRITY
CORECOOLING
HEAT-SINK
CONTAINMENT
INVEHTORY
COSMOS RESPONSES
STATUS
!I
Isolation ol F a u l t e d S O
Perform E-3
: Steam
Generator
Tube Rupture
ET D E S C R I P T I O N S
KORI-3,4 SGTR ET Olsplay SGTR
RPS
HP$1
2rid
Feed
I$OL
Cool
RelOvii
81¢ed
Fault $G
Oepr$
ACCUN L P S I
Cold
RHR
fi'#ST
Event
CTNT
~tqu~nce$ &
IR
"
S-2
O.K.
Assumption : SGTR Occurre0 I i l. 2. 3. 4.
O p e r a t i o n ol R P 3 O p e r a t i o n o l HPSI Secondary Heat Removal Um~d a n d Bleed
S-30.K
j
.
m
I
[
S-4
CN
S-S
OK.
S-S
CN
S-7
O.k.
S-8
CN
S-9
cN
S-lO
CN
S-ll
O.K.
S-120.K.
r -t
[
F
S-13
CM
S-14
CN
S-IS
CN
S-16
CN
$-17
CN
USER
INPUT
Return Return Return
C o p y r i g h t (c) 1989-1992
K.S. Jeong,
R e a c t o r Safety Asse.~sment D e p L ,
KAERI.
m
Fig. 4. Example display of event tree.
present status of the plant. That is, after the SGTR is initiated, the reactor is tripped successfully and the high-pressure injection system fails. The secondary heat removal succeeds, hence, the feed and bleed operation is not necessary. Currently, the operator is trying to isolate the faulted steam generator according to the operational guidance provided by KOSSN. According to the success or failure of isolation procedures, the plant state should follow one of those sequences between sequence 11 and sequence 16 of Fig. 4. From this event tree display, the operator can recognize that the required future actions are cool down and depressurization of RCS, the actuation of the low-pressure safety injection (LPSI) or the residual heat removal system (RHRS). The operator, hence, can concentrate his efforts on the operation of these systems. When the transient cannot be identified at the initial stage, the challenged CSFs and the corresponding safety systems to restore that CSFs are recorded and compared with the predefined headings of various event trees. A group of the event trees which show similar characteristics are suggested to the operator, that is, even though the accident progress is not matched exactly with the headings of the event trees and/or the order of headings, the event trees which show the most similar characteristics are suggested to the operator. For instance, when the first four safety systems used to restore the transient are 'the reactor protection system', 'HPSF, 'the secondary heat
removal' and 'feed and bleed operation', the event trees of the small LOCA (loss of coolant accident) and SGTR can be suggested as the candidates for this transient. If the next used safety system is 'the isolation of faulted SG', then the event tree of SGTR is suggested as the final one.
4 DISCUSSION A N D FUTURE WORK
A computerized operation supporting system, KOSSN, is developed to support the operator's response to any abnormal state in an NPP. The combination of EOPs with the concept of success path and the event tree allows a more effective and systematic response to the emergency situation of a NPP. It is, therefore, expected that the use of KOSSN enhances the capability of operators in coping with an emergency situation in an NPP. KOSSN enables the operator to find appropriate responsive actions based on the understanding of overall plant status. It provides operational guidance based on the current EOPs. Operational guidance details, such as success paths, are derived from P&IDs and the reliability data. The general success path generation algorithm allows the flexibility of modification. When the structure of a system is changed, only a modification of the database is required. In addition, event trees are used in KOSSN in order to show the course of accident progression to the
A n emergency operation supporting system for NPPs operator. For the identified transient, the corresponding event tree is suggested. The operator, hence, can understand the overall response strategy more clearly. For the transient which cannot be identified at an initial stage, a group of event trees which show similar trends are suggested as the candidates. As the transient progresses, the event trees contained in the candidate group are re-examined and the event trees which show discrepancy are removed. Therefore, it is expected that the operator's burden in diagnosing the transient will be lessened. The use of the event tree can also give additional information which is not included in EOPs such as the operation of passive systems. KOSSN is being built on a HP9000/835 workstation, using an IF-Prolog language and X l l graphic tools. At the present stage, the number of rules stored in the knowledge base of KOSSN is about 200. The total size of knowledge and database is about 70 kbytes. It takes a few seconds for success path generation and display, which seems to be short enough to give timely response guides. The verification of rules is required as a future work. The validation is also necessary, for instance, by using a full scope simulator. The structure and representation technique of the database are being continuously updated and the contents of the database will be extended for use in real plants. As a supplementary future work, the design of an effective man-machine interface such as the color graphic display based on human factors engineering is desirable. KOSSN is currently written in English. A Korean interface module will be developed. Another problem to be solved is the familiarization of the system with the operator, i.e. the real user of the system. It requires a number of factors, such as control room design, the incorporation of the system during operator training, etc. The most important way to solve this problem, however, is to involve the operator in the development stage of the system. At present, several demonstrations of KOSSN have been given to different groups of reactor operators, SROs and plant managers. Their comments are being incorporated in KOSSN. We think that it will be helpful to incorporate the operator during the improvement stage of KOSSN in order to solve the problems mentioned above.
287
REFERENCES
1. Corcoran, W. R., Porter, N. J., Church, J. F., Cross, M. T. & Guinn, W. M., The critical safety functions and plant operation. Nuclear Technology, 55 (3) (1981) 690-712. 2. Dekens, J. P., Bastien, R. & Prokopovich, S. R., The emergency response guidelines for the Westinghouse pressurized water reactor. IAEA-TECDOC-334, Proceedings of Seminar on Diagnosis and Response to Abnormal Occurrences at NPP, IAEA, Vienna, 1985. 3. Long, A. B., Computerized operator decision aids. Nuclear Safety, 25 (4) (1984) 512-24. 4. Majumdar, D. (ed.), AI application in the nuclear industry. DOE/ID-10191, US Department of Energy, Idaho Fall, October, 1988. 5. Petrick, W., Ng, K., Stuart, C., Shen, D., Cain, D., Sun, B. & Christensen, C., Emergency procedures tracking system for nuclear power plants. In A I and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar, D. Majumdar & J. L. Sackett. Plenum Press, New York, 1988, pp. 689-96. 6. On-line success path monitoring: aid to restoring and maintaining plant safety. EPRI NP-3954, Electric Power Research Institute, August, 1984. 7. Guadio Jr., P. J. & Jamison, D. S., Computerized diagnostic aid--success path monitor. EPRI NP-5088, Project 2402-2, Electric Power Research Institute, 1987. 8. Baker, S. C., Marshall, E. C., Reiersen, C. S., Owre, F. & Guadio Jr., P. J., The experimental evaluation of the success path monitoring system. In Proceedings of the 1988 IEEE 4th Conference on Human Factors and Power Plants, ed. IEEE, E. W. Hagen, New York, 1988. 9. Mampaey, L. et al., OPA: operator advisor, an emergency response guidance and monitoring system. In AI and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar et al. Plenum Press, New York, 1988, pp. 185-8. 10. Touchton, R. A., Gunter, A. D. & Subramanyan, N., Automated reasoning with dynamic event trees: a real-time, knowledge-based decision aide. Reliability Engineering and System Safety, 22 (1988) 333-53. 11. Dixon, B. W. & Ferns, K. G., Using risk based tools in emergency response. In A I and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar, D. Majumdar & J. L. Sackett. Plenum Press, New York, 1988, pp. 799-806. 12. Kori-3,4 Emergency Operating Procedures, Korea Electric Power Corp., 1990. 13. Kim, T. W., Han, S. H. & Yoo, K. J., Optimal success path generation system based on integrated reliability rules. Nuclear Technology, 86 (1) (1989). 14. ALWR requirement document, App.A, PRA key assumptions and ground rules. EPRI, 1990. 15. Bell, B. J. & Swain, A. D., A procedure for conducting a HRA for NPPs. NUREG/CR-2554, 1983.
Development of an emergency operation supporting system for nuclear power plants Joon-Eon Yang, Kwang-Sub Jeong and Chang K. Park Korea Atomic Energy Research Institute, PO Box 7, Daeduk-Danji, Taejeon, South Korea, 305-353 (Received 19 March 1993; accepted 5 July 1993) In order to support the emergency operation of nuclear power plants (NPPs), Korea Atomic Energy Research Institute (KAERI) has been developing a computerized operation supporting system called KOSSN (KAERI Operation Supporting System for NPP). Artificial intelligence (AI) and probabilistic safety assessment (PSA) techniques have been used in developing KOSSN. KOSSN consists of three parts: In the first part the operator action items for the emergency operation of an NPP are listed. In the second part the success paths of the safety systems which can be used for the operator to restore the challenged safety functions and rank them according to the respective operability are generated. In the last part, according to the present plant status, an appropriate event tree is suggested in order to show possible future courses of accident progression. For efficient man-machine interface, a color graphic display is used. KOSSN is built on a workstation using the IF-Prolog language and the Xll graphic tool.
1 INTRODUCTION
additional information which is required to respond to the emergency situation appropriately. This additional information includes the success paths of the safety systems and the event tree from plant-specific probabilistic safety assessment (PSA). KOSSN has been developed in order to support the decisionmaking of the senior reactor operator (SRO) during an emergency. The system can be installed in the technical supporting center (TSC) so that the information from KOSSN can be transferred to the SRO as an alternative. The success paths are generated by KOSSN using deep knowledge such as the structure description and present status of those systems. The success paths are ranked according to the operability which is defined as the system reliability. The PSA techniques such as the event tree are also used to enhance the capability of KOSSN. The event tree is a logic model in a PSA to show courses of accident progression due to an initiating event. A number of systems which have similar objectives to those of KOSSN have been developed in last few years. The characteristics of those systems are compared with those of KOSSN in Table 1. 4-11 As shown in Table 1, there are two major differences between KOSSN and other systems. One is that KOSSN provides more detailed information and guidance. The other is the use of PSA techniques such
The basis for the emergency operation of nuclear power plants (NPPs) is the emergency operating procedures (EOPs). After the TMI-2 accident, the function-based approach was introduced and this has increased both the breadth and depth of EOPs. As a result, the operator must be aware of the plant status on several levels concurrently to recover from a transient effectively. A human being, however, can consider the changes of plant status only in serial fashion, and therefore may be unable to properly understand the overview of the plant condition. 1,2 Hence, a number of computerized operation supporting systems (COSS) based on EOPs have been developed. Use of the COSS techniques enables the operator to find the appropriate response actions without time stress due to information overload under emergency situations. 3 The Korea Atomic Energy Research Institute ( K A E R I ) has been developing an operation supporting system, KOSSN ( K A E R I Operation Supporting System for NPP) by combining EOPs with the COSS techniques. KOSSN provides the operator with not only a list of action items based on EOPs but also
Reliability Engineering and System Safety 0951-8320/94/$07.00 © 1994 Elsevier Science Limited, England. 281
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
282
Table 1. Characteristics of KOSSN compared with other operation supporting systems Name
Developer
Basis
COMPA 4 EOPTS 5 SPMS~-8
OECD" EPRI h EPRI
EOP, normal operating procedures EOP CSF, success path
OPA" PREDICTOR "~ FORESTER j i KOSSN
Tech. Appl. ~ EG&G KAERI
EOP PSA PSA EOP, PSA, success path
Functions On-line procedure On-line tracking and explanation Monitor the status of CSF and deploy the appropriate success path Task schedule Estimate the likelihood of core-melt Identify particular failure mode On-line procedure, success path and future status
Organization for Economic Corporation and Development. h Electric Power Research Institute. c Technology Application Inc. guide, (2) success path generation, and (3) corresponding event tree suggestion. Each part has its own knowledge base and inference engine. The main part of Fig. 1 controls the information exchanges among the above three parts and provides the man-machine interface to the user. Detailed descriptions for each part are given in the following subsections. It is assumed that the information available in the main control room is also available in KOSSN but in different formats. Note that signal validation is essential for a system of this kind. Up to now, a number of signal validation techniques have been proposed such as petri net. This is, however, another subject to be addressed separately. In this paper, therefore, it is assumed that all signals required during the inference process are inputted by on-line and they are validated.
as the operability and the event tree. The success path with its operability value makes it possible for the operator to select the most reliable recovery action under the present status of a NPP. On the other hand, the event tree makes the operator aware of the courses of accident progression. Such a systematic and detailed guidance enables the operator to respond to the emergency in an NPP more effectively. The overall features of KOSSN will be explained in detail in Section 2. In Section 3, KOSSN is applied to the 'steam generator tube rupture (SGTR)' scenario. Finally, in Section 4, conclusions and future works are given.
2 SYSTEM DESCRIPTION The overall structure of KOSSN is shown in Fig. 1. KOSSN consists of three parts: (1) operator's action
and Future Plant Status
Operators
I Ng. 1. Overall structure of KOSSN.
An emergency operation supporting system for NPPs
2.1 Operator's action guide In KOSSN, the operator action items are derived from EOPs. Two parts of EOPs, i.e. the optimal response procedures (ORPs) and the functional restoration procedures (FRPs), are stored as the knowledge base in the form of the 'IF-THEN-ELSE' rule. The appropriate response actions are derived according to the present plant status. In KOSSN, the EOPs of Kori Units 3,4 are used. Kori Units, 3,4 are Westinghouse-designed three-loop pressurized water reactors (PWRs). The EOP structure is reorganized in KOSSN. During the reorganization process, we have paid attention to the requirement exactly the same guidance should be provided by EOP and KOSSN since we assumed that the contents of the EOP were not changed. By reorganizing the EOP, the operator actions included in EOPs are standardized and classified. These rules for deriving operator action items have a hierarchy of three levels. Level 1 is associated with the general response strategy and is the ultimate purpose of action. Level 2 is related to the operation mode of a specific system or component; in other words, it specifies which system should be turned on or off. Finally, level 3 is associated with the detailed operator's actions. For instance, 'if subcriticality is red state then borate the reactor coolant system (RCS)' is a level 1 rule for a critical safety function (CSF) item, 'subcriticality'. An example of a level 2 rule is: 'if present Level 1 action item is to borate RCS then operate chemical and volume control system (CVCS) for RCS boration'. A level 3 rule is: 'if present level 2 action item is to operate CVCS for RCS boration then start the charging pump'. For the inferred level 2 action item, the success paths are generated, that is, the suggested system in level 2 action is transferred to the 'success path generation part' in order to generate the success path of that system. The rules for level 3 actions are derived during this step.
2.2 Success path generation part In KOSSN, the success paths are generated by applying the general generation algorithm to the structure description of a particular system instead of using the predetermined success paths. The structure descriptions of systems are stored as the knowledge base and are based on the piping and instrumentation diagrams (P&IDs). Most P&IDs consist of two parts: the components that perform their intended function and the connection elements, e.g. pipes. The frame technique is used to represent them and the component and connection elements are assigned to the slots for each of them. An example of knowledge representation form for the structure description is
283
shown below. This example is based on the syntax of Prolog language. component_dB (Name, Type, Capacity, next_Node, State). In the above example, 'Name' represents the specific name of the component, such as component tag number. 'Type' is the type of the component, e.g. check valve, motor-driven pump, etc. 'Capacity' represents the capacity of the component with which KOSSN can consider a partial failure of component during its generation of the success path. 'Next_Node' represents the connection element related to the component, and 'State' is the present state of component. It is assumed that all components have two states: initial and demand states. The initial state represents the present state of the component, e.g. open/close/fail for valves, running/standby/fail for pumps. The demand state is the state of a component in which the particular component can perform its intended function, namely, valve-open, pumprunning, etc. Whenever initial and demand states are different, a level 3 operator action item can be introduced by the level 3 rules. For instance, if a valve is in closed state at present and the demand state of that valve is valve-open, then a level 3 operator action item such as 'open the valve-XXXX' is suggested. The search for success paths is performed by using the structure description of a system, and a set of initial and demand states for each component of the system. For the given starting component, its initial and demand states are compared. If these two states are equal, the same logic is applied to the next connected components. In the case that two states of a component are different, the level 3 action item is derived as mentioned above. This scheme is successively applied from the starting component to the terminal one to obtain one success path. The required capacity of the success path is determined previously from the technical specifications and/or other mechanistic calculations. The capacity of the generated success path is compared with the required capacity. When the capacity of a component is not enough to satisfy the required capacity of the success path due to the partial failure of that component, additional path(s) to compensate for the insufficiency of the capacity are searched for. The combination of these paths is regarded as one success path. Backtracking, the inherent feature of Prolog, is used during the search for success paths. The algorithm for success path generation is based on the first principle, i.e. using deep knowledge like structure description. Therefore, this algorithm can be applied to any system as long as the structure descriptions of those systems are given correctly.
284
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
Each generated success path is ranked according to either its respective reliability or the number of manual operator's actions required to complete the path. The reliability of components in each success path is obtained from the reliability database. The operator can choose either the most reliable success path or one which requires the least number of human actions according to their understanding of the present NPP status. The results of previous PSA show that human error probability is usually higher than the failure probabilities of equipment. In such cases, the success path with the least number of human actions coincides with the most reliable one.13 The values used to calculate operability are obtained from the general PSA database. 14"15 The operability is used to rank the success paths. The selected success path is displayed on a color screen with different colors and the required operator action items are also listed. The operability can be regarded as the heuristic measure for the effectiveness of the generated success paths, i.e. the system availability depends on the selected success path.
2.3 Event tree suggestion part In a PSA, the event trees are used to identify the accident sequences which lead to core melt/core damage. Each system event tree represents a distinct set of accident sequences, each of which consists of an initiating event and a combination of various system successes and failures that lead to an identifiable plant state. In other words, the event tree shows the logical prediction of an accident sequence. There was an attempt to use the event tree in a COSS. ~° In Ref. 10 the event tree was used for the calculation of the estimated likelihood of core melt. In KOSSN, on the other hand, the event tree is used to provide the possible future courses of accident progression to the operator. For KOSSN, only the front line systems which can mitigate an accident or transient, are addressed on the event tree. The event trees are constructed according to the status of CSFs and related supporting systems, hence, the sequence of the operational guidance provided by KOSSN can be regarded as one of the sequenes in the event tree. In KOSSN, the event tree can be used in two different circumstances. If a transient is already identified, i.e. the operation guidance provided by KOSSN is based on the knowledge derived from the ORPs, the corresponding event tree is used to show the possible future courses of accident progression to the operator. When the transient is not identified yet, that is, the operation guidance provided by KOSSN is based on the knowledge derived from the FRPs, a group of event trees which show similar characteristics to the transient are suggested as the candidates. These
groups of event trees are suggested by comparing the headings of the event trees with the operational guidance provided by KOSSN. As the transient progresses, the event trees contained in the candidate group are re-examined and the event trees which show discrepancy are removed from the candidates. In this way the suggested event trees are gradually reduced to a few event trees. This feature also helps the operator to identify the transient.
3 IMPLEMENTATION TEST KOSSN is applied to a SGTR transient. When the transient begins, the corresponding response guidelines derived from E-0 of the ORPs are provided to the operator. The operator action item with the success path of a system is displayed in Fig. 2. In this case, the level 1 action guide is to 'verify automatic action as initiated by protection and safeguard systems', the level 2 action item is to 'check if safety injection (SI) is actuated'. The success paths of SI, hence, are generated. Among the generated success paths, the most operable success path is displayed on the simplified P&ID as shown in Fig. 2. The derived level 3 action items to accomplish above level 2 action items are 'open L V l l 5 D ' and 'open BH-HV20'. The intended function by an initially selected level 2 action item may not be achieved for various reasons. When a selected item cannot perform its function, an alternative level 2 action item, then, will be automatically suggested. For instance, if it is confirmed that SI does not perform its function by the operator, then 'Establish secondary heat removal' will be suggested as an alternative level 2 action item and a new set of success paths to complete this action item will be generated for the corresponding safety systems. Note that KOSSN is currently off-line and the plant response to a level 3 action item should be determined outside KOSSN. While the operator performs the suggested action items, another CSF may be challenged. Usually, the newly challenged CSF has a higher priority. If this happens, the present CSF status and the CSF status tree of the challenged CSF item are displayed on the screen as shown in Fig. 3. In such case, a new set of action items is derived from FRPs. In Fig. 3, the level 1 action item is to 'attempt restoration of feed flow to SGs', and the level 2 action item is to 'check if secondary heat sink is required'. The required conditions to achieve above level 2 action item is that RCS pressure should be higher than any intact SG pressure. In this example, it is assumed that the transient is identified as a SGTR by the diagnosis procedures of E-0, hence, the SGTR event tree is selected and displayed to the operator. An example of an event tree display is shown in Fig. 4. The display shows the
An emergency operation supporting system for NPPs
285
ACTION GUIDE
CSF's STATUS
Level 1 Actions
SUBORITICAL]TY
CORECOOLING
IHTEGRITY
CONTAINMENT INVENTORY
HEAT-SINK ,,.
Perfof'll E-O : Remctor Trip or $afet~ Inject
Verifg
ion
s Initiated tion
Rutomati c Rcti on R
and
b9 t h e P r o t e c
Safeguard System
s
Level 2 Actions Check i f
SI
is
Rctuated
Level 3 Actions BH-HV2B
USER INPUT Change State Stop Stop
Fig. 2. Example display of operational guidelines with success path.
ACTION GUI DE
CSF's STATUS SUBCRITICALITY
CORECOOLING
INTEGRITY
CONTAINMENT INVENTORY
HEAT-SINK
Perform FR-H.I : Response to Loss of Second ar H Heat Sink
Level 1 Actions R t t e m p t R e s t o r a t i on of
Fe
ed FI ow t o SGs
irota~ v~
Level 2 Actions
"..-'..'.'""'"'"C.
Check i f
$eeondarLj Heat S
i nl< i s Requi r e d at I~t
~
...............@ Level 3 Actions RCS PRESS > Any I n t a c t SG PRESS ? %
,,~,
.""<9
USER
I NPUT
No Return to EOP Oemo ET
Fig. 3. Example display of CSF status tree.
Joon-Eon Yang, Kwang-Sub Jeong, Chang K. Park
286
CSF's SUBCRITICALITY INTEGRITY
CORECOOLING
HEAT-SINK
CONTAINMENT
INVEHTORY
COSMOS RESPONSES
STATUS
!I
Isolation ol F a u l t e d S O
Perform E-3
: Steam
Generator
Tube Rupture
ET D E S C R I P T I O N S
KORI-3,4 SGTR ET Olsplay SGTR
RPS
HP$1
2rid
Feed
I$OL
Cool
RelOvii
81¢ed
Fault $G
Oepr$
ACCUN L P S I
Cold
RHR
fi'#ST
Event
CTNT
~tqu~nce$ &
IR
"
S-2
O.K.
Assumption : SGTR Occurre0 I i l. 2. 3. 4.
O p e r a t i o n ol R P 3 O p e r a t i o n o l HPSI Secondary Heat Removal Um~d a n d Bleed
S-30.K
j
.
m
I
[
S-4
CN
S-S
OK.
S-S
CN
S-7
O.k.
S-8
CN
S-9
cN
S-lO
CN
S-ll
O.K.
S-120.K.
r -t
[
F
S-13
CM
S-14
CN
S-IS
CN
S-16
CN
$-17
CN
USER
INPUT
Return Return Return
C o p y r i g h t (c) 1989-1992
K.S. Jeong,
R e a c t o r Safety Asse.~sment D e p L ,
KAERI.
m
Fig. 4. Example display of event tree.
present status of the plant. That is, after the SGTR is initiated, the reactor is tripped successfully and the high-pressure injection system fails. The secondary heat removal succeeds, hence, the feed and bleed operation is not necessary. Currently, the operator is trying to isolate the faulted steam generator according to the operational guidance provided by KOSSN. According to the success or failure of isolation procedures, the plant state should follow one of those sequences between sequence 11 and sequence 16 of Fig. 4. From this event tree display, the operator can recognize that the required future actions are cool down and depressurization of RCS, the actuation of the low-pressure safety injection (LPSI) or the residual heat removal system (RHRS). The operator, hence, can concentrate his efforts on the operation of these systems. When the transient cannot be identified at the initial stage, the challenged CSFs and the corresponding safety systems to restore that CSFs are recorded and compared with the predefined headings of various event trees. A group of the event trees which show similar characteristics are suggested to the operator, that is, even though the accident progress is not matched exactly with the headings of the event trees and/or the order of headings, the event trees which show the most similar characteristics are suggested to the operator. For instance, when the first four safety systems used to restore the transient are 'the reactor protection system', 'HPSF, 'the secondary heat
removal' and 'feed and bleed operation', the event trees of the small LOCA (loss of coolant accident) and SGTR can be suggested as the candidates for this transient. If the next used safety system is 'the isolation of faulted SG', then the event tree of SGTR is suggested as the final one.
4 DISCUSSION A N D FUTURE WORK
A computerized operation supporting system, KOSSN, is developed to support the operator's response to any abnormal state in an NPP. The combination of EOPs with the concept of success path and the event tree allows a more effective and systematic response to the emergency situation of a NPP. It is, therefore, expected that the use of KOSSN enhances the capability of operators in coping with an emergency situation in an NPP. KOSSN enables the operator to find appropriate responsive actions based on the understanding of overall plant status. It provides operational guidance based on the current EOPs. Operational guidance details, such as success paths, are derived from P&IDs and the reliability data. The general success path generation algorithm allows the flexibility of modification. When the structure of a system is changed, only a modification of the database is required. In addition, event trees are used in KOSSN in order to show the course of accident progression to the
A n emergency operation supporting system for NPPs operator. For the identified transient, the corresponding event tree is suggested. The operator, hence, can understand the overall response strategy more clearly. For the transient which cannot be identified at an initial stage, a group of event trees which show similar trends are suggested as the candidates. As the transient progresses, the event trees contained in the candidate group are re-examined and the event trees which show discrepancy are removed. Therefore, it is expected that the operator's burden in diagnosing the transient will be lessened. The use of the event tree can also give additional information which is not included in EOPs such as the operation of passive systems. KOSSN is being built on a HP9000/835 workstation, using an IF-Prolog language and X l l graphic tools. At the present stage, the number of rules stored in the knowledge base of KOSSN is about 200. The total size of knowledge and database is about 70 kbytes. It takes a few seconds for success path generation and display, which seems to be short enough to give timely response guides. The verification of rules is required as a future work. The validation is also necessary, for instance, by using a full scope simulator. The structure and representation technique of the database are being continuously updated and the contents of the database will be extended for use in real plants. As a supplementary future work, the design of an effective man-machine interface such as the color graphic display based on human factors engineering is desirable. KOSSN is currently written in English. A Korean interface module will be developed. Another problem to be solved is the familiarization of the system with the operator, i.e. the real user of the system. It requires a number of factors, such as control room design, the incorporation of the system during operator training, etc. The most important way to solve this problem, however, is to involve the operator in the development stage of the system. At present, several demonstrations of KOSSN have been given to different groups of reactor operators, SROs and plant managers. Their comments are being incorporated in KOSSN. We think that it will be helpful to incorporate the operator during the improvement stage of KOSSN in order to solve the problems mentioned above.
287
REFERENCES
1. Corcoran, W. R., Porter, N. J., Church, J. F., Cross, M. T. & Guinn, W. M., The critical safety functions and plant operation. Nuclear Technology, 55 (3) (1981) 690-712. 2. Dekens, J. P., Bastien, R. & Prokopovich, S. R., The emergency response guidelines for the Westinghouse pressurized water reactor. IAEA-TECDOC-334, Proceedings of Seminar on Diagnosis and Response to Abnormal Occurrences at NPP, IAEA, Vienna, 1985. 3. Long, A. B., Computerized operator decision aids. Nuclear Safety, 25 (4) (1984) 512-24. 4. Majumdar, D. (ed.), AI application in the nuclear industry. DOE/ID-10191, US Department of Energy, Idaho Fall, October, 1988. 5. Petrick, W., Ng, K., Stuart, C., Shen, D., Cain, D., Sun, B. & Christensen, C., Emergency procedures tracking system for nuclear power plants. In A I and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar, D. Majumdar & J. L. Sackett. Plenum Press, New York, 1988, pp. 689-96. 6. On-line success path monitoring: aid to restoring and maintaining plant safety. EPRI NP-3954, Electric Power Research Institute, August, 1984. 7. Guadio Jr., P. J. & Jamison, D. S., Computerized diagnostic aid--success path monitor. EPRI NP-5088, Project 2402-2, Electric Power Research Institute, 1987. 8. Baker, S. C., Marshall, E. C., Reiersen, C. S., Owre, F. & Guadio Jr., P. J., The experimental evaluation of the success path monitoring system. In Proceedings of the 1988 IEEE 4th Conference on Human Factors and Power Plants, ed. IEEE, E. W. Hagen, New York, 1988. 9. Mampaey, L. et al., OPA: operator advisor, an emergency response guidance and monitoring system. In AI and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar et al. Plenum Press, New York, 1988, pp. 185-8. 10. Touchton, R. A., Gunter, A. D. & Subramanyan, N., Automated reasoning with dynamic event trees: a real-time, knowledge-based decision aide. Reliability Engineering and System Safety, 22 (1988) 333-53. 11. Dixon, B. W. & Ferns, K. G., Using risk based tools in emergency response. In A I and Other Innovative Computer Applications in the Nuclear Industry, ed. M. C. Majumdar, D. Majumdar & J. L. Sackett. Plenum Press, New York, 1988, pp. 799-806. 12. Kori-3,4 Emergency Operating Procedures, Korea Electric Power Corp., 1990. 13. Kim, T. W., Han, S. H. & Yoo, K. J., Optimal success path generation system based on integrated reliability rules. Nuclear Technology, 86 (1) (1989). 14. ALWR requirement document, App.A, PRA key assumptions and ground rules. EPRI, 1990. 15. Bell, B. J. & Swain, A. D., A procedure for conducting a HRA for NPPs. NUREG/CR-2554, 1983.