Integrated Defense-in Depth (DiD) Risk Analysis System for Safety Operation of Nuclear Power Plants


10th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, Warsaw, Poland, August 29-31, 2018
IFAC PapersOnLine 51-24 (2018) 1364–1367

Yuxin Zhang*, LU Hongxing*, Ming Yang*, Hidekazu Yoshikawa**

*South China University of Science and Technology, Guangzhou, China (e-mail: [email protected])
**Symbio Community Forum, Kyoto, 606-8202 Japan (Tel: +81-90-1141-5402, e-mail: [email protected])

Abstract: Risks in a complicated artificial system composed of engineering systems and a human organization are by nature ambiguous, diverse and multilayered. This paper proposes an idea of how to organize a new risk analysis system by applying IAEA's five-layer Defense-in Depth (DiD) safety concept. Concretely, a method of configuring an integrated DiD risk analysis system is proposed so that risks of various levels and modes in the behavior of the artificial system can be treated effectively. Application of the proposed idea will be conducted in future by an example practice of designing a distributed human interface system (HIS) for the support of safety operation of a nuclear power plant.

© 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Keywords: Defense-in depth; risk analysis; risk state estimation; risk monitor; reliability monitor

1. INTRODUCTION

For the operational safety of nuclear power plants (NPP), the International Atomic Energy Agency (IAEA) recommends the five-layer Defense-in Depth (DiD) safety concept to countries developing nuclear power around the world; see IAEA (1999). Taking notice of IAEA's DiD safety concept, the authors of this paper have been studying the development of what they call an integrated DiD risk analysis system for NPPs; see Yoshikawa, H. (2015), Ma, Z., et al. (2016), and Ma, Z., et al. (2017). Those studies have proceeded by a bottom-up approach depending on the level of DiD. For the 1st to 3rd layers, operational support systems have been developed to enhance the reliability and safety of nuclear power plant operation in normal, abnormal and accidental states. For the 4th layer, a formation method of accident management within the NPP site has been proposed to prevent an accident from developing into a serious core melt situation. For the 5th layer, a formation method of nuclear disaster management has also been proposed for the prompt evacuation of NPP personnel and of the citizens living in the vicinity of the NPP site when radioactive materials would be released from the accident-committed NPP.

In this paper, the authors turn their standpoint from their bottom-up studies to an overview of the whole problem of DiD risk, and define it as a risk analysis problem of an artificial system composed of an engineering system (machine) and the organization that manages safety together with the persons who operate the machine system (human). Concretely, for the safety of nuclear power plant operation, the subject of this study is a method of configuring an integrated DiD risk analysis system that can treat the complex nature of risks of various levels and modes in the behaviour of the artificial system effectively.

2. INTEGRATED DID RISK ANALYSIS SYSTEM

The requirement and the systematic configuration method of the integrated DiD risk analysis system are proposed in this chapter. The three core systems of the integrated DiD risk analysis system are first described in 2.1, while 2.2 lists the supporting toolkit to be used for designing the three core systems and then applying them to an actual artificial system.

2.1 Core systems of integrated risk analysis system

A unified methodology of the integrated DiD risk analysis system will be composed of three core systems: (A) DiD risk state estimation and scenario generator, (B) plant DiD risk monitor, and (C) reliability monitor.

The meaning of "DiD risk state" in A is that the risk state of a certain artificial system is divided into several levels of risk state, ranked by severity and urgency. Each level of the thus divided risk state has its own barrier of defense, so that the expansion of the risk state can be explicitly contained within each level. On the other hand, the meaning of reliability in C is the degree to which a certain system, subsystem or component, equipped to prevent the risk state from expanding to a more serious risk state, will surely fulfill its expected function when it is needed.

Copyright © 2018 IFAC
2405-8963 © 2018, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Peer review under responsibility of International Federation of Automatic Control. 10.1016/j.ifacol.2018.09.557


The function and method used in the core systems A, B, and C are summarized in Table 1.

Table 1. Functions and methods of three core systems for integrated DiD risk analysis system.

Core system: A. DiD risk state estimation and scenario generator
Function and method: This core system A will estimate in what DiD risk state the artificial system is situated at a certain time point, and then generate plausible scenarios along which the artificial system will develop further from the present situation under the environmental conditions set by both internal and external factors.

Core system: B. Plant DiD risk monitor
Function and method: This core system B will simulate the multiple branching scenarios of state transition of the artificial system, composed of engineering systems and human organizations, by using a proper state transition model which describes the behaviors of the individual elements and their mutual interactions.

Core system: C. Reliability monitor
Function and method: This core system C will estimate the reliability with which a system, subsystem or element will exhibit its expected function to suppress the occurrence of the various risk states.

Firstly, for A in the case of a nuclear power plant, the transition scenarios between different risk states will be derived from the results of many cases of accident simulation by an accident analysis code. For example, Ma, Z., Yoshikawa, H., Nakagawa, T., Yang, M. (2017) derived the plausible scenarios of SBLOCA (small-break loss-of-coolant accident) in AP1000 from several cases of accident simulation using the RELAP5 code; see Fletcher, C.D., Schultz, R.R. (1995).

Secondly, for B, such transition scenarios between different DiD risk states can be simulated by the plant DiD risk monitor software developed by the authors; see Ma, Z., et al. (2016).

Thirdly, for C, the reliability of the safety systems that must be initiated at the necessary timing to avoid a worse risk situation will be estimated by FTA/ETA and GO-FLOW; see Matsuoka, T. (1996). These reliability data of the various safety systems give the branching probabilities of the risk state transitions in the accident scenarios described by the plant DiD risk monitor software.

2.2 Supporting toolkit for integrated DiD risk analysis system

As has been partly explained in 2.1, many different kinds of supporting toolkit will be used for designing the three core systems and applying them to artificial systems. Table 2 lists the kinds of toolkit that would be effectively utilized for that purpose, with their objective and use.


Table 2. Objective and use of supporting toolkit for integrated DiD risk analysis system.

Kind of toolkit: FMEA (failure mode and effect analysis)
Objective and use: Describe the modes and the generating mechanism of failure in the artificial system, the propagating influence of the failure, and the countermeasures, by using a formatted table.

Kind of toolkit: MFM (Multilevel Flow Model)
Objective and use: Graphical method representing the functional relationship between function and structure and the hierarchical goals of control, by attending to the flow of mass, energy and information in the process system.

Kind of toolkit: 3D CAD with attributes of model parts
Objective and use: 3D computer-aided design model of the physical object, composed of multiple parts with an attributes database of material, geometry, physical properties, defect mode, etc.

Kind of toolkit: KB for proactive trouble prevention
Objective and use: Knowledge base for proactive prevention of failure of the artificial system, covering failure mode, detection method, prevention method and repair method.

Kind of toolkit: FTA/ETA (fault tree analysis/event tree analysis)
Objective and use: Basic methods used in probabilistic risk assessment, based on binary logic functions for failure occurrence and event progression of the artificial system.

Kind of toolkit: GO-FLOW (dynamic system reliability analysis method)
Objective and use: A methodology for analyzing system dynamic reliability, in which the logical configuration of the artificial system is represented by a combination of basic operators.

Kind of toolkit: Colored Petri Net
Objective and use: State and event changes of the artificial system are represented by a graphical state transition model in which the temporal change of state is traced by the movement of colored markers driven by the occurrence of events.

Kind of toolkit: Various transient/accident simulation codes for NPPs
Objective and use: Computer codes for transient and accident analysis of nuclear power plants by numerical simulation of the mathematical models of the physical and chemical phenomena in the nuclear reactor.
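The chain described in 2.1 and in the FTA/ETA entry of Table 2, in which reliability data from core system C become the branching probabilities of the risk state transitions that core systems A and B work with, and the resulting DiD risk states are ranked by severity and urgency, can be shown concretely with a small worked example. The following Python is an added illustration written for this page; it is not code from the paper nor from the authors' plant DiD risk monitor software. The fault tree, the barrier list, the layer assignments and every probability and grace time are constructed for illustration and are not plant data. It assumes independent basic events in the fault tree and a linear event tree in which the first barrier to succeed arrests the progression; real PSA work adds minimal cut sets, common-cause and dependent failures, and time-dependent methods such as GO-FLOW.

```python
"""Added example (not from the paper): a minimal FTA/ETA chain that turns
component reliability data (core system C) into branching probabilities for
DiD risk-state transitions (core systems A/B), then ranks the resulting risk
states by severity and urgency.  Every number below is constructed for
illustration; none is plant data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


# ---------------- Fault tree (FTA) ----------------
# A tree node is either a basic-event name (str) or a gate tuple
# ("AND" | "OR", [child, child, ...]).  Basic events are assumed independent.
def fault_tree_prob(node, basic: Dict[str, float]) -> float:
    """Probability that the top event occurs (e.g. a safety system fails on demand)."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [fault_tree_prob(child, basic) for child in children]
    if gate == "AND":                      # all children must fail
        result = 1.0
        for p in probs:
            result *= p
        return result
    if gate == "OR":                       # any single child failing is enough
        survive = 1.0
        for p in probs:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate type {gate!r}")


# Constructed failure-on-demand probabilities for one hypothetical injection system.
BASIC_EVENTS = {"pump_A": 1e-2, "pump_B": 1e-2, "actuation_signal": 5e-4, "valve_stuck": 2e-3}
# The system fails if both redundant pumps fail, OR the shared actuation
# signal fails, OR the single discharge valve sticks closed.
INJECTION_FAILS = ("OR", [("AND", ["pump_A", "pump_B"]), "actuation_signal", "valve_stuck"])


# ---------------- Event tree (ETA) over DiD barriers ----------------
@dataclass(frozen=True)
class Barrier:
    name: str
    layer: int              # DiD layer (1..5) the barrier belongs to
    fail_on_demand: float   # branching probability supplied by the reliability monitor


@dataclass(frozen=True)
class RiskState:
    name: str
    severity: int           # DiD layer at which progression was arrested (higher = worse)
    grace_hours: float      # urgency: time available before the next action is due
    freq_per_year: float
    path: Tuple[str, ...]   # success/failure branch taken at each barrier


def event_tree(initiator: str, init_freq: float, barriers: List[Barrier],
               grace_hours: Dict[int, float]) -> List[RiskState]:
    """Linear event tree: barriers are demanded in order and the first one that
    succeeds arrests the progression; if all fail, the worst state is reached."""
    states: List[RiskState] = []
    reach_freq = init_freq          # frequency of reaching the current barrier
    path: List[str] = [initiator]
    for b in barriers:
        states.append(RiskState(
            name=f"arrested by {b.name}",
            severity=b.layer,
            grace_hours=grace_hours[b.layer],
            freq_per_year=reach_freq * (1.0 - b.fail_on_demand),
            path=tuple(path + [f"{b.name}: success"]),
        ))
        path.append(f"{b.name}: failure")
        reach_freq *= b.fail_on_demand
    worst = barriers[-1].layer + 1
    states.append(RiskState("all barriers failed", worst, grace_hours[worst],
                            reach_freq, tuple(path)))
    return states


def rank_by_severity_and_urgency(states: List[RiskState]) -> List[RiskState]:
    """Most severe first; among equal severity, the shortest grace time first."""
    return sorted(states, key=lambda s: (-s.severity, s.grace_hours))


def build_example() -> List[RiskState]:
    """Constructed SBLOCA-like scenario: barriers at layers 2-4, layer 5 = all failed."""
    injection_fail = fault_tree_prob(INJECTION_FAILS, BASIC_EVENTS)
    barriers = [
        Barrier("operator control of abnormal operation", 2, 5e-2),
        Barrier("safety injection", 3, injection_fail),
        Barrier("severe accident management", 4, 1e-1),
    ]
    grace = {2: 24.0, 3: 2.0, 4: 0.5, 5: 0.0}   # constructed grace times (hours)
    return event_tree("small-break LOCA", 1e-3, barriers, grace)


if __name__ == "__main__":
    for s in rank_by_severity_and_urgency(build_example()):
        print(f"layer {s.severity}  {s.freq_per_year:.3e}/yr  "
              f"grace {s.grace_hours:>5.1f} h  {s.name}")
```

Two checks are worth keeping in any real configuration of this chain: the end-state frequencies must sum to the initiator frequency (the event tree is exhaustive), and the fault tree should be inspected for single elements that dominate the top event. In the constructed numbers above, the redundant pump pair contributes 1e-4 while the single stuck valve contributes 2e-3, so the redundancy buys little until that element is addressed; that is the kind of finding the reliability monitor is meant to surface.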

3. CONFIGURATION OF INTEGRATED DID RISK ANALYSIS SYSTEM

The integrated DiD risk analysis system presented in chapter 2 will be utilized, together with the many supporting toolkits for each layer of DiD, to generate an appropriate software system for either (i) offline analysis for the design and evaluation of a specific application, or (ii) online real-time processing in a human interface system (HIS) for monitoring, diagnosis and procedure presentation. As an example of case (ii), the authors had proposed that the integrated DiD risk analysis system can be applied to configure an effective distributed HIS of a nuclear power plant serving as the 1st to 3rd layers of DiD; see Yoshikawa, H. (2015). In this chapter, the results of a preliminary study are presented on the several points to be considered, described below, in order to apply the proposed integrated DiD risk analysis system to a distributed HIS for effective operator support in the safety operation of a nuclear power plant.


3.1 How the three core systems should be designed for the 1st to 3rd layers?

The first issue is on what points the risk analysis should be focused so that the three core systems become effective tools as the 1st to 3rd layers of DiD. The resulting points of risk analysis are shown in Table 3 for realizing three core systems which are effective as the 1st to 3rd layers of DiD.

Table 3. The points of risk analysis aimed at realizing three core systems as the effective 1st to 3rd layers of DiD.

Layer 1 DiD (Prevention of abnormal operation and failure)
- DiD risk state estimation and scenario generator: Estimation of the various probable anomalies and failures in normal plant operation modes such as steady-state power operation, startup/shutdown, and testing both in steady-state operation and in the plant shutdown state.
- Plant DiD risk monitor: Prediction of the various risk states and their degree of occurrence in the above-stated operation modes, and of the plausible scenarios of risk state progression.
- Reliability monitor: Estimation of the reliability of the systems, subsystems and elements of the artificial system that generate the risks stated in the above row.

Layer 2 DiD (Control of abnormal operation and detection of failure)
- DiD risk state estimation and scenario generator: Estimation of the various risk states when some abnormality occurs in the artificial system in the operation modes stated for Layer 1.
- Plant DiD risk monitor: Same as for Layer 1.
- Reliability monitor: Same as for Layer 1.

Layer 3 DiD (Control of accidents within the design basis)
- DiD risk state estimation and scenario generator: Estimation of the various risk states when the artificial system, in the abnormal operation mode stated for Layer 2, commits a certain design basis accident.
- Plant DiD risk monitor: Same as for Layer 2.
- Reliability monitor: Same as for Layer 2.

3.2 What should be considered for distributed HIS as the 1st to the 3rd layers?

The second issue is what should be considered in the design of the distributed HIS so that it becomes an effective 1st to 3rd layer. For the 1st layer, it should support cooperative work between the operators in the main control room and the maintenance workers at local places in the plant, during on-power testing and during shutdown maintenance and testing. For both the 2nd and 3rd layers, it should support cooperative work between the operators in the main control room and the safety engineers at the technical support center. The support information presented to the workers should be easy to understand at a glance, and should be delivered by online real-time processing and communication.

3.3 How accident simulation should be utilized for designing effective operator support?

The authors conducted a preliminary study on how to utilize accident simulation of a nuclear power plant for the design of an operator support HIS. They ran several cases of SBLOCA simulation in AP1000 using the light water reactor safety analysis program RELAP5/MOD4, developed by Idaho National Laboratory (INL) in the U.S.A., and used the calculated results for designing the plant DiD risk monitor and the graphic display for operator support; see Ma, Z., et al. (2017). This experience will be the starting point toward the future direction. For the design of layers 2 and 3, it will be inevitable to conduct a very large number of accident simulation runs for different types of accident, varying many parameters of plant conditions, with a best-estimate accident analysis code such as RELAP5/MOD4, in order to derive the design data for proper operator support: detection of an anomaly or accident, correct diagnosis, and the proper procedure to avoid serious consequences of accident progression. A new approach will be necessary to rationalize the abundant computational work of accident simulation and integrated risk analysis in order to derive the many kinds of knowledge base needed for effective operator support functions.

4. CONCLUSIONS

In this paper, a new risk analysis system was proposed by applying IAEA's five-layer Defense-in Depth (DiD) safety concept to the complicated artificial system composed of engineering systems and a human organization, taking into account the ambiguous, diverse and multilayered nature of its risks. Concretely, a method of configuring an integrated DiD risk analysis system was first proposed in order to deal effectively with the complex nature of risks of various levels and modes in the behaviour of the artificial system. Then, the proposed method was applied in a preliminary study of how to design a distributed human interface system (HIS) for the support of safety operation of a nuclear power plant, so that it becomes an effective barrier at the 1st to 3rd layers of DiD.


As the next step of this study, the authors will proceed to an example practice of designing a distributed HIS for a real nuclear power plant, AP1000, with extensive simulation experiments using the light water reactor safety analysis code RELAP5/MOD3.

REFERENCES

Fletcher, C.D., Schultz, R.R. (1995). RELAP5/MOD4 Code Manual Volume V: User's Guideline, NUREG/CR-5535, INEL-95/0174.
IAEA. (1999). INSAG-12 Basic safety principles for nuclear power plants, IAEA, Vienna.
Ma, Z., Yoshikawa, H., Nawaz, A., Yang, M. (2016). Developmental study of advanced human system interface design method for digital I&C+HMIT: a preliminary study for passive safety PWR AP1000, International Journal of Nuclear Safety and Simulation, 7(2), 177-186.
Ma, Z., Yoshikawa, H., Nakagawa, T., Yang, M. (2017). Knowledge-based software design for Defense-in-Depth Risk monitor system and application for AP1000, Journal of Nuclear Science and Technology, 54(5), 552-568.
Matsuoka, T. (1996). System Reliability Analysis Method GO-FLOW for probabilistic safety assessment, CRC Sogo Kenkyusho, Tokyo. (In Japanese)
Nakagawa, T., Terashita, N., Yoshikawa, H. (2017). Methodological basis of plant DiD risk monitor development and its prospective application for NPPs, International Journal of Nuclear Safety and Simulation, 8(2), 91-100.
Yoshikawa, H. (2015). Designing of comprehensive risk analysis system for multiple layers of defense-in depth concept, International Journal of Nuclear Safety and Simulation, 6(2), 116-125.
