Reliability Modeling of Digital Control Systems Using the
Markov/Cell-to-Cell Mapping Technique
The Ohio State University – Nuclear Engineering Program
Diego Mandelli – Master Thesis Defense
Overview
• Introduction
• Objectives
• System description
• Markov/Cell-to-Cell Mapping Technique (CCMT)
  – Failure Modes and Effect Analysis (FMEA)
  – Finite State Machine modeling
  – Markov modeling
  – Cell-To-Cell Mapping Technique
• Example Initiating Event (EIE)
• Conclusions
Introduction
• Instrumentation and control systems (I&C) are widely used in nuclear power plants for:
  monitoring, control, protection
• Since the 1940s analog systems have accomplished these tasks satisfactorily; however, they suffer from:
  inaccurate design specifications, susceptibility to certain environmental conditions, and effects of aging such as mechanical failures and environmental degradation.
Introduction
• Digital systems are essentially free of the drift that afflicts analog systems (they maintain their calibration better) and offer:
  self testing, signal validation, process system diagnostics, fault tolerance, higher data handling and storage capabilities
• Nuclear power plants are replacing/upgrading obsolete I&Cs: transition from analog to digital technology
Introduction
The replacement with a new component affects the safety and the reliability of the overall system.
Considerations:
1. Probabilistic Risk Assessment (PRA) is a commonly used tool to examine the safety and reliability of specific systems
2. Conventional PRA tools are based on Fault Trees and Event Trees (FT and ET)
The starting point…. Are ET/FT able to model I&C?
What if we have the following:
• The presence of phenomena which dictate the system’s response (e.g. depending on thresholds of process variable values)
• The effect of process dynamics on the hardware component failure behavior
• Interactions between the controller’s components
• Multiple failure modes which affect the system response differently
In these cases the answer is NO.
The starting point….
What do we need?
A type of PRA able to perform also the simulation of both the controller and the process: a “Dynamic PRA”
What are the goals?
• Show how it is possible to model digital I&C systems for PRA purposes using dynamic methodologies
• Show how the information coming from these methodologies can be fitted into actual PRA
Objectives
What did we choose to model digital I&Cs? The Markov/Cell-to-Cell Mapping Technique
What will be the output?
1. Cdf of the Top Events
2. Event sequences or Dynamic Event Trees (DET)
What are the requirements?
• dependence of the control action on system history,
• dependence of system failure modes on exact timing of failures,
• functional as well as intermittent failures,
• error detection capability,
• possible system recovery from failure modes
Event Trees and Dynamic Event Trees
Simple Event Tree (figure): initiating event Large LOCA → Reactor Trip (Success / Failure) → ECCS (Success / Failure) → Core damage (Yes / No)
Dynamic Event Tree (figure): starting from the Initiating Event at t = 0, each branching at t = Δt, 2·Δt, … distinguishes Success, Failure State 1 and Failure State 2; every path through the tree is an Event Sequence.
Type I and II Interactions
The classical “Controller + Process” system (figure): Sensors 1 … n feed Controllers 1 and 2, which drive Actuators 1, 2 and 3 acting on the Process. Type I Interactions are those between the Process and the Controller; Type II Interactions are those within the Controller.
The Markov/CCMT methodology
Stochastic description of the system evolution:
• Type I: dynamic interactions between physical process variables (e.g., temperature, pressure, etc.) and the I&C systems that monitor and manage the process
• Type II: dynamic interactions within the I&C system itself due to the presence of software/firmware (e.g., multi-tasking and multiplexing)
An overview of the Markov/CCMT
System Modeling:
• System Description
• Type I Interactions Analysis: Control Laws (Simulink Model)
• Type II Interactions Analysis: FMEA, Finite State Machine Description
System Analysis:
• Markov/CCMT Approach: Markov modeling + CCMT
System description
Digital Feedwater Control System (DFWCS)
• Main Feedwater System components: Main Feedwater Valve (MFV), Bypass Flow Valve (BFV), Feedwater Pump (FP)
• The purpose is to maintain the water level inside each of the steam generators (SGs) optimally within ± 2 inches
• The controller is regarded as failed if the water level in a SG is:
  above 2.5 ft (+30 inches) → High Failure
  below 2 ft (-24 inches) → Low Failure
System description
Digital Feedwater Control System (DFWCS) components (figure):
• 5 pairs of sensors
• 2 computers (MC, BC)
• MFV controller
• BFV controller
• FP controller
• PDI controller
System description
Operating modes:
1. Low power automatic mode (Power < 15%): BFV controls the flow (MFV closed), FP at minimum speed
2. High power automatic mode (15% < Power < 100%): MFV controls the flow (BFV closed), FP
3. Automatic transfer from Low to High power mode
4. Automatic transfer from High to Low power mode
Control laws
The control logic and the control laws have been derived from the C++ code of the DFWCS of an existing plant.
Control laws
Control laws determine the feedwater flow demand which is translated into position (MFV) and speed (FP) through look-up tables.
Control logic
The position and the speed of the actuated devices may depend on the status of the MC and BC.
(Figure: selection logic for the FP, MFV, BFV and PDI outputs depending on the status of the MC and BC.)
Control Laws
Simulink model
The control logic and the control laws have been implemented in a Simulink model in order to tune and to verify the control laws.
Simulink model: an example scenario
The scenario is a power transient from 70% to 72.5%, modeled through a sequence of finite ramps of 0.5% each.
The purposes were the following:
1. Obtain a stable response of the controller
2. Obtain a reasonable response of the actuated devices
Simulink model: an example scenario
Results (figures): overall response of the controller and MFV response.
Failure Modes and Effect Analysis
FMEA and Finite State Machine
Failure Modes and Effect Analysis (FMEA): tool to analyze the possible failure modes and their consequences on the dynamics of the system:
1. Failure type
2. Detection of the failure
3. Effect of the failure on the controller
4. Effect on the process
Finite State Machine: a model of behavior composed of a finite number of states, transitions between these states, and actions:
1. Transition conditions
2. Transitions
3. Actions
Computer FMEA
• Input from sensors: loss of one or both inputs; sensor out of range or impossible rate of change
• Output to the controllers: loss of output
• Communications
• Loss of power
• Internal failures: roundoff/truncation/sampling rate errors; unable to meet needed response requirements; watchdog timer fails to activate; watchdog timer activates when the computer has not failed; arbitrary value output
→ Define the intra-computer and computer-computer interactions
Intra-Computer interactions
A. Operating: the computer is operating correctly.
B. Loss of one input: the computer is operating correctly but data are not received from one of the two sensors (for each measured quantity).
C. Loss of both inputs: the computer is operating correctly but data are not received from both sensors (for each measured quantity).
D. Computer down: the computer itself recognizes the loss of input(s), or input(s) being out of range, and takes itself down. The other computer takes control of the process automatically (if it is operating correctly).
E. Arbitrary output: the computer does not realize that input(s) are out of range or that there is an error in processing data. Random data are generated.
(State diagram: A – Computer operating, B – Loss of one input, C – Loss of both inputs, D – Computer down, E – Arbitrary Output.)
Inter-Computer interactions
Two types of failure have been identified:
1. Recoverable (e.g., loss of input)
2. Not recoverable (e.g., watchdog timer fails to activate)
Because of this, it is more convenient to talk about primary and secondary computer:
• Primary computer: the computer sending output to the controllers
• Secondary computer: the computer in stand-by
Inter-Computer interactions
(Figure: three copies of the per-computer state diagram A–E, one for each Macro State.)
3 Macro States (MS):
1. Operating with 2 computers
2. Operating with 1 computer, possible recovery
3. Operating with 1 computer, no recovery
Controller FMEA
• Input from computer (loss of input): included in the computer-computer interactions
• Internal failures: high output; low output; arbitrary value output
• Loss of power
• Communications: errors in the communications
  – computer erroneously reported failed
  – computer erroneously reported not failed
  – MFV, BFV, FP controllers do not agree from which computer to accept input
• Output to the actuated device: loss of output
→ Define the computer-controller-actuated device interactions
Computer-Controller-Actuated device interaction
(State diagram of the controller/actuated device: 0 vdc output, Output High, Output Low, Arbitrary Output, Freeze, Device Stuck.)
The Markov/CCMT Approach
Recall: stochastic description of the system evolution. But so far the system modeling step has given a deterministic description of the system. The Markov/CCMT approach converts the information contained in the system modeling step from a deterministic to a stochastic viewpoint.
Cell-to-Cell Mapping Technique
CCMT
CCMT is a technique used to represent the dynamics of the system:
• The state space (controlled variable state space, CVSS) is an n-dimensional space (one dimension for each internal variable)
• The CVSS is divided into cells Vj (this makes it possible to capture uncertainties and errors in the monitoring phase of the process)
• Setpoints must fall on the boundary of Vj and not within Vj
• Note: there is a coupling between the discretization of the CVSS and the time step (Δt) of the simulation
• Top Events (Fail High or Fail Low) are modeled as sink cells
CCMT
CCMT takes into account:
• the dynamic behavior of the system
• the control logic of the control system
• the hardware/firmware/software states
The algorithm (figure): at t = k·Δt the system is in cell j’; at t = (k+1)·Δt it has moved to cell j (or j”); the transition is described by g(j|j’,n’,t).
The goal is to determine the probability at time t to transit from cell j’ to j given the component state combination n’.
Markov modeling
Markov modeling
Goal: determine a probabilistic model which can describe the evolution of all the components of the controller. Markov transition diagrams have been chosen.
What do I need?
• a set of mutually exclusive and exhaustive states
• the probabilities of transitions between states
The Markov transition diagrams have been derived from the Finite State Machine description.
For each component, a Markov transition diagram has been determined (figure).
Markov modeling
The goal is to determine:
h(n|n’,j’→j) or h(n|n’,j’→j,k)
i.e. the probability that the component state combination changes from n’ to n during a transition from cell j’ to cell j.
Note:
• failure rates may depend on process variables like temperature, pressure, …
• failure rates may depend on time
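The per-computer states A to E of the intra-computer slide, with their recoverable and non-recoverable transitions, are the kind of Finite State Machine that becomes one of these Markov transition diagrams. The Python below is an added example and not the thesis' code: it builds a generator matrix from transition rates that are entirely constructed, converts it into the one-step matrix h by a matrix exponential, and then groups the 5 × 5 (MC, BC) state combinations into the three Macro States of the inter-computer slide, which is also the kind of state merging the final "Consideration" slide proposes for reducing N. The grouping rule, the assumption that the two computers fail independently, and the extra "both computers lost" bucket are this example's own choices.

```python
"""Markov transition diagram for one DFWCS computer and the 3 Macro States.

Constructed example, not the thesis' data or code: the five states A..E are
the page's intra-computer states, but every transition rate is invented, and
the grouping of (MC, BC) combinations into Macro States is an assumption."""

A, B, C, D, E = range(5)   # Operating, Loss of one input, Loss of both inputs,
                           # Computer down, Arbitrary output
NAMES = ["A Operating", "B Loss of one input", "C Loss of both inputs",
         "D Computer down", "E Arbitrary output"]

# Constructed transition rates (per hour). B and C are recoverable (sensor
# data come back), D can be restarted, E is not recoverable.
RATES = {
    (A, B): 2.0e-3, (B, C): 2.0e-3, (B, A): 5.0e-2, (C, A): 5.0e-2,
    (C, D): 5.0e-1,   # computer recognises loss of both inputs, takes itself down
    (A, D): 5.0e-4,   # internal failure caught by the watchdog timer
    (A, E): 1.0e-4,   # internal failure not detected: arbitrary output
    (D, A): 2.0e-2,   # restart of a down computer
}

def generator():
    """Continuous-time generator Q: off-diagonal rates, each row summing to zero."""
    q = [[0.0] * 5 for _ in range(5)]
    for (i, j), r in RATES.items():
        q[i][j] += r
        q[i][i] -= r
    return q

def matmul(x, y):
    n = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def expm(q, dt, terms=30):
    """One-step transition matrix h = exp(Q dt): scaling and squaring plus a
    truncated Taylor series, so no numerical library is needed."""
    n = len(q)
    s = 0
    while max(abs(q[i][j]) * dt / 2 ** s for i in range(n) for j in range(n)) > 0.5:
        s += 1
    a = [[q[i][j] * dt / 2 ** s for j in range(n)] for i in range(n)]
    h = [[float(i == j) for j in range(n)] for i in range(n)]
    term = [row[:] for row in h]
    for k in range(1, terms):
        term = [[v / k for v in row] for row in matmul(term, a)]
        h = [[h[i][j] + term[i][j] for j in range(n)] for i in range(n)]
    for _ in range(s):
        h = matmul(h, h)
    return h

def single_computer_distribution(dt, steps):
    """State probabilities of one computer after `steps` Markov steps of dt hours,
    starting in A (Operating)."""
    h = expm(generator(), dt)
    p = [1.0, 0.0, 0.0, 0.0, 0.0]
    for _ in range(steps):
        p = [sum(p[i] * h[i][j] for i in range(5)) for j in range(5)]
    return p

def macro_states(dt, steps):
    """Merge the 25 (MC, BC) combinations into Macro States (assumed grouping:
    a computer in A, B or C is still available; D is recoverable, E is not;
    the two computers are assumed independent)."""
    p = single_computer_distribution(dt, steps)
    available = {A, B, C}
    ms = {"MS1 two computers": 0.0, "MS2 one computer, recovery possible": 0.0,
          "MS3 one computer, no recovery": 0.0, "both computers lost": 0.0}
    for m in range(5):
        for b in range(5):
            pr = p[m] * p[b]
            n_avail = (m in available) + (b in available)
            if n_avail == 2:
                ms["MS1 two computers"] += pr
            elif n_avail == 0:
                ms["both computers lost"] += pr
            elif D in (m, b):
                ms["MS2 one computer, recovery possible"] += pr
            else:
                ms["MS3 one computer, no recovery"] += pr
    return ms

if __name__ == "__main__":
    for name, prob in zip(NAMES, single_computer_distribution(4.0, 6)):
        print(f"{name:24s} {prob:.4e}")
    for name, prob in macro_states(4.0, 6).items():
        print(f"{name:36s} {prob:.4e}")
```

Because the generator rows sum to zero, every row of h sums to one, which is the "mutually exclusive and exhaustive" requirement stated on the slide; the absorbing row for E is exactly the identity row, so the non-recoverable failure never leaves that state.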
System Analysis
System Analysis
• Markov modeling gives h(n|n’,j’→j)
• CCMT gives g(j|j’,n’,t)
Since these two transition probabilities are independent:
q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t)
System Analysis
Graphically (figure): on the (N, J) plane, the CCMT term g(j|j’,n’,t) moves the system along the cell axis J from j’ to j, the Markov term h(n|n’,j’→j) moves it along the component-state axis N from n’ to n, and their product q(n, j|n’, j’,t) is the combined transition.
Markov/CCMT and Dynamic Event Trees
(Figure: a dynamic event tree over (N, J) pairs; from the initial state (1, j0) each time step branches into combinations such as (2, j2) and (1, j3), and each path through the tree is an event sequence.)
An Example Initiating Event
Most of the analysis performed for Level 2 PRA assumes that the reactor is shut down in all the initiating events.
Assumptions:
1. Turbine trips
2. Reactor is shut down
3. Power P(t) is generated from the decay heat
4. Reactor power and steam flow rate decay from 6.6% of initial power and the analysis starts 10 seconds after reactor shutdown
5. Feedwater flow and level are initially at nominal value
6. Off-site power is available
7. Main computer is failed
The Example Initiating Event: considerations
• DFWCS is working in Low Power mode
• MFV is not used
• FP set at minimum speed
• Only the BFV is able to change the feedwater flow
• 5 internal variables: the CVSS is 4-D
The Example Initiating Event
Only one controller is considered: the BFV controller.
Hypotheses:
• Only loss of both inputs can occur (loss of only one input is not considered)
• Loss of communications between the sensors and the BC, and between the BC and the BFV controller, cannot be recovered
• Only a BFV controller failure can generate arbitrary output; if the BC generates arbitrary output due to an internal failure, it is recognized by the BC
• The BFV controller cannot fail in Output High mode
• The FP cannot fail
The Example Initiating Event
(State diagram of the BFV controller/device: Controller/Device Communicating, Arbitrary Output, 0 vdc Output, Freeze, Device Stuck.)
The Example Initiating Event
An ad-hoc program has been built in Java:
1. The simulator:
   1. solves the set of 4 differential equations using Runge-Kutta
   2. implements the control laws
2. Generates event sequences
3. Determines the probability of Low Failure and High Failure at each time step
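The Java program itself is not on the page. The Python below is an added example, not the thesis' code, that walks through the same three steps on a toy model and so also makes the System Analysis formula q(n, j|n’, j’,t) = h(n|n’,j’→j) · g(j|j’,n’,t) and the dynamic event tree slide concrete: an RK4 simulator for a single controlled variable (the SG level deviation), the CCMT matrix g sampled from trajectories started inside each cell, the Markov matrix h for a three-state BFV controller, their product propagated step by step to give the Cdf of the Top Events, and an enumeration of event sequences. The dynamics, failure rates, 6-inch cell width and 4-hour time step are constructed; the only values taken from the page are the Low Failure (-24 in) and High Failure (+30 in) limits and the rule that the setpoint lies on a cell boundary.

```python
"""Toy Markov/CCMT propagation: one controlled variable (SG level deviation x,
inches) and one component (the BFV controller).  Constructed example, not the
thesis' data or Java program: dynamics, rates, cells and time step are invented."""
import math

OPERATING, FREEZE, ZERO_VDC = 0, 1, 2                   # component states (from the FMEA)
N_N = 3
LAMBDA = {FREEZE: 1.0e-3, ZERO_VDC: 5.0e-4}            # failure rates per hour (constructed)
# CVSS: 6-inch cells between the Low (-24 in) and High (+30 in) failure limits, so the
# setpoint x = 0 falls on a cell boundary; the two Top Events are absorbing sink cells.
LOW_LIMIT, HIGH_LIMIT, CELL_WIDTH = -24.0, 30.0, 6.0
N_CELLS = int((HIGH_LIMIT - LOW_LIMIT) / CELL_WIDTH)   # 9 regular cells
SINK_LOW, SINK_HIGH, N_J = N_CELLS, N_CELLS + 1, N_CELLS + 2
START_CELL = int((0.0 - LOW_LIMIT) // CELL_WIDTH)      # cell [0, 6): nominal level
SAMPLES = 10                                           # trajectories started per cell

def cell_of(x):
    """Cell index of a level deviation (sink cells beyond the failure limits)."""
    if x < LOW_LIMIT or x > HIGH_LIMIT:
        return SINK_LOW if x < LOW_LIMIT else SINK_HIGH
    return min(int((x - LOW_LIMIT) // CELL_WIDTH), N_CELLS - 1)

def level_rate(x, n):
    """Constructed dx/dt (inches per hour): restoring control, frozen valve (level
    creeps up), or 0 vdc output (valve closes, level falls)."""
    return -0.5 * x if n == OPERATING else (1.5 if n == FREEZE else -2.0)

def integrate(x, n, dt, h=0.1):
    """Advance x over dt with fixed-step RK4 while the component stays in state n."""
    for _ in range(int(round(dt / h))):
        k1 = level_rate(x, n)
        k2 = level_rate(x + 0.5 * h * k1, n)
        k3 = level_rate(x + 0.5 * h * k2, n)
        k4 = level_rate(x + h * k3, n)
        x += h * (k1 + 2 * k2 + 2 * k3 + k4) / 6.0
    return x

def build_g(dt):
    """CCMT: g[n'][j'][j] = probability of moving from cell j' to cell j within one
    step of length dt, estimated from SAMPLES trajectories spread over cell j'."""
    g = [[[0.0] * N_J for _ in range(N_J)] for _ in range(N_N)]
    for n in range(N_N):
        for j in range(N_CELLS):
            for s in range(SAMPLES):
                x0 = LOW_LIMIT + j * CELL_WIDTH + (s + 0.5) * CELL_WIDTH / SAMPLES
                g[n][j][cell_of(integrate(x0, n, dt))] += 1.0 / SAMPLES
        g[n][SINK_LOW][SINK_LOW] = g[n][SINK_HIGH][SINK_HIGH] = 1.0
    return g

def build_h(dt):
    """Markov: h[n'][n] for competing exponential failures; failed states absorb."""
    total = sum(LAMBDA.values())
    fail = 1.0 - math.exp(-total * dt)
    h = [[0.0] * N_N for _ in range(N_N)]
    h[OPERATING][OPERATING] = 1.0 - fail
    for n, lam in LAMBDA.items():
        h[OPERATING][n], h[n][n] = fail * lam / total, 1.0
    return h

def propagate(n_steps, dt):
    """Joint distribution p[n][j] after each step, combining the two models as
    q(n, j | n', j', t) = h(n | n') * g(j | j', n', t)."""
    g, h = build_g(dt), build_h(dt)
    p = [[0.0] * N_J for _ in range(N_N)]
    p[OPERATING][START_CELL] = 1.0
    history = []
    for _ in range(n_steps):
        new = [[0.0] * N_J for _ in range(N_N)]
        for n0 in range(N_N):
            for j0 in range(N_J):
                for j in range(N_J):
                    move = p[n0][j0] * g[n0][j0][j]    # process step under old state n'
                    for n in range(N_N):
                        new[n][j] += move * h[n0][n]   # then the component transition
        p = new
        history.append(p)
    return history

def top_event_cdf(n_steps, dt):
    """Cdf of the Top Events (Low Failure, High Failure) after each time step."""
    return [(sum(p[n][SINK_LOW] for n in range(N_N)), sum(p[n][SINK_HIGH] for n in range(N_N)))
            for p in propagate(n_steps, dt)]

def event_sequences(n_steps, dt, min_prob=1e-4):
    """Dynamic-event-tree style enumeration of (n, j) sequences whose probability
    stays above min_prob; a sequence stops once it reaches a sink cell."""
    g, h = build_g(dt), build_h(dt)
    out = []
    def walk(n, j, prob, path):
        if j in (SINK_LOW, SINK_HIGH) or len(path) > n_steps:
            out.append((tuple(path), prob))
            return
        for n2 in range(N_N):
            for j2 in range(N_J):
                q = h[n][n2] * g[n][j][j2]
                if q * prob >= min_prob:
                    walk(n2, j2, prob * q, path + [(n2, j2)])
    walk(OPERATING, START_CELL, 1.0, [(OPERATING, START_CELL)])
    return out

if __name__ == "__main__":
    for k, (low, high) in enumerate(top_event_cdf(6, 4.0), start=1):
        print(f"t = {4 * k:2d} h  Cdf Low Failure = {low:.3e}  Cdf High Failure = {high:.3e}")
    print(len(event_sequences(6, 4.0)), "event sequences above threshold")
```

Two details mirror the slides: the sink cells are absorbing, so the Cdf of each Top Event can only grow from one time step to the next, and the number of event sequences returned by event_sequences grows with both the number of time steps and the number of component states, which is the trade-off the Δt study and the final "Consideration" slide discuss.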
The Example Initiating Event: Results
An example of event sequence (figure):
The Example Initiating Event: Results
The importance of the failure timing: the Freeze state.
The Example Initiating Event: Results
What is the effect of changing the Markov time step (Δt) on the Cdf of the Top Events (High Failure and Low Failure)?
3 different Markov time steps have been chosen:
• 4 hours
• 8 hours
• 12 hours
Consideration
The power behavior affects the behavior of the Cdf of the Top Events.
The number of event sequences strictly depends on:
1. The number of time steps
2. The number of component state combinations N
Given a mission time (e.g., 24 hours) it is possible to decrease the number of time steps by increasing the Markov time step (Δt). N can be reduced by:
• Reducing the number of components by merging two or more components together
• Reducing the number of states of a component by merging two or more states together (e.g., merge all states that have the same impact on the dynamics of the system)
Conclusions
• The Markov/CCMT methodology has been presented.
• The modeling of digital control systems (DFWCS) through Markov/CCMT has been shown:
  – Type I interactions have been modeled using CCMT
  – Type II interactions have been modeled using Markov transition diagrams
• The outputs of the analysis are:
  – Generation of event sequences
  – Evaluation of the Cdf of the Top Events