PSAM 2013 Topical Conference in Tokyo
GS-III: PSA Applications and Software Reliability (#1079)
Software Failure Mode and Effects Analysis of Concept Phase for Radiation Monitoring System Digital Replacement
Hui-Wen Huang, Tsu-Mu Kao, Wen-wei Kuo, Mao-sheng Tseng, and Yuan-chang Yu
Institute of Nuclear Energy Research (INER), Taiwan
Hyatt Regency Tokyo, Japan, April 16, 2013
Outline
1. Introduction
2. Functional Description
3. FMEA of Computational Module
4. Conclusion
Institute of Nuclear Energy Research Page 2
Introduction
Due to obsolescence and the spare-parts shortage, the safety-related radiation monitoring system (RMS) of Maanshan Nuclear Power Plant (MSNPP) in Taiwan is undergoing digital replacement. Software Failure Mode and Effects Analysis (FMEA) is adopted as the Hazard Analysis (HA) of Software Verification and Validation (SV&V) under the following regulation and standards:
- Branch Technical Position (BTP) 7-14, "Guide on Software Review for Digital Computer-based Instrumentation and Control System"
- Regulatory Guide 1.168 Revision 1, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- IEEE Std 1012-1998, "IEEE Standard for Software Verification and Validation"
Introduction
The life cycle of digital RMS development includes:
- Concept phase: plant level description
- Requirement phase: system level software functional description
- Design phase: logic diagram, flow chart, or pseudo code; detailed design
- Implementation phase: software module development/test; software integration development/test
- Software/hardware integration phase: control card; component level test
- Validation phase: control cabinet; system level test - Factory Acceptance Test (FAT)
- Installation phase: installed in NPP site; plant level test - Site Acceptance Test (SAT)
[Figure: Software development life cycle phases combined from BTP 7-14 and IEEE Std 1012]
Introduction
18 RMS stations in MSNPP are safety related. Their radiation exposure rate or radiation concentration output signals are sent to safety-related interfaces as the initiation basis for the Engineered Safety Feature Actuation System (ESFAS). Three types of detectors are included:
- Geiger-Muller (GM) Counter
- Ion Chamber (IC)
- Scintillation Counter (SC)
Functional Description
[Figure: Functional Diagram of Radiation Monitoring System Digital Replacement]
Functional Description
Internal functions:
(1) Conversion: obtaining the counting rate by
  (a) performing pulse shaping and pulse counting, if the detector is a GM tube;
  (b) performing current/frequency conversion, if the detector is an Ion Chamber;
  (c) performing analog/digital conversion and pulse counting, if the detector is a Scintillation Counter.
(2) Digital Signal Transfer: calculating exposure rate or radioactive concentration
  Exposure rate (mr/hr) = CPM x CF
  Radioactive concentration (µci/cc) = CPM x CF
  where CPM denotes counts per minute and CF denotes the conversion factor.
(3) Parameter Storage: storing parameters, such as CF or setpoint.
(4) Comparison with Setpoint: if the exposure rate or radioactive concentration is greater than the setpoint, an alarm Boolean variable is set to TRUE.
Functional Description
Interfaces:
(1) with Detectors: receiving signals from detectors.
  (a) If the detector is a GM tube, the signal type is pulse.
  (b) If the detector is an Ion Chamber, the signal type is current.
  (c) If the detector is a Scintillation Counter, the signal type is pulse.
(2) with Initiation Module: the exposure rate or radioactive concentration is sent to the Initiation Module. Under offline status, maintenance personnel can modify the parameters in the Computation Module via the Initiation Module.
(3) with Communication Module: the following variables are sent to the Communication Module over one-way communication:
  (a) exposure rate or radioactive concentration;
  (b) the alarm Boolean variable.
(4) with Local Alarm: if the alarm Boolean variable is TRUE, the local alarm is initiated.
(5) with Local Digital Meter: the exposure rate or radioactive concentration is sent to a Local Digital Meter continuously.
Functional List of Computation Module, Communication Module, and Initiation Module

Computation Module (Safety Related, in the digital replacement scope)
  Internal Functions: Conversion; Digital Signal Transfer; Parameter Storage; Comparison with Setpoints
  Interfaces: with Detectors; with Initiation Module; with Communication Module; with Local Alarm; with Local Digital Meter

Communication Module (Non-safety Related, in the digital replacement scope)
  Internal Functions: Historical Records; Instant Record
  Interfaces: with Computation Module; with Control Console

Initiation Module (Safety Related, not in the digital replacement scope)
  Internal Functions: Comparison with Setpoints
  Interfaces: with Computation Module; with SSILS
FMEA of Computational Module
Two independent RMS stations with different types of detectors (e.g., GM tube vs. Scintillation Counter) are designed as diverse backups for each other. Each train includes its own detector, Computation Module, and Initiation Module. The two stations are linked together with an OR gate, and the signal from the OR gate is sent to SSILS for actuating ESF. This design mitigates an independent/single failure of one of the redundant trains.
[Figure: System level redundant design]
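The following C program is an added example, not code from the presentation or from INER's replacement system. It models the Computation Module's internal functions from the Functional Description (conversion of the detector signal to CPM, multiplication by CF, comparison with the setpoint) and the system-level OR gate between two diverse stations described above. Type and function names, the parameter values, the detector readings, the treatment of the Ion Chamber front end as delivering a frequency, and the zero-window guard are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Detector types named in the functional description. */
typedef enum { DET_GM, DET_IC, DET_SC } detector_type_t;

/* Parameter Storage: per-station parameters (values used below are constructed). */
typedef struct {
    detector_type_t type;
    double cf;        /* conversion factor CF: CPM -> mr/hr or uci/cc */
    double setpoint;  /* alarm setpoint, in the same units as the output value */
} station_params_t;

/* Raw detector reading for one measurement window.
 * GM and SC front ends deliver shaped pulses that are counted over the window;
 * the IC front end delivers a frequency from current/frequency conversion.
 * Representing the IC converter output as a frequency in Hz is an assumption. */
typedef struct {
    uint32_t pulse_count;  /* GM / SC: pulses counted in the window */
    double   window_s;     /* GM / SC: counting window length in seconds */
    double   freq_hz;      /* IC: output of the current/frequency converter */
} detector_reading_t;

/* Result of one computation cycle of the Computation Module. */
typedef struct {
    double cpm;    /* counting rate */
    double value;  /* exposure rate or radioactive concentration */
    bool   alarm;  /* alarm Boolean variable */
} station_output_t;

/* Conversion: pulse count over a window -> counts per minute.
 * A zero or negative window would divide by zero, so it yields 0 CPM (assumption). */
double counts_to_cpm(uint32_t pulse_count, double window_s)
{
    if (window_s <= 0.0)
        return 0.0;
    return (double)pulse_count * 60.0 / window_s;
}

/* Conversion for the Ion Chamber: converter frequency -> counts per minute. */
double hz_to_cpm(double freq_hz)
{
    return freq_hz < 0.0 ? 0.0 : freq_hz * 60.0;
}

/* Digital Signal Transfer: exposure rate or concentration = CPM x CF. */
double cpm_to_value(double cpm, double cf)
{
    return cpm * cf;
}

/* Comparison with Setpoint: the alarm Boolean turns TRUE when value > setpoint. */
bool compare_with_setpoint(double value, double setpoint)
{
    return value > setpoint;
}

/* One computation cycle: conversion -> digital signal transfer -> comparison. */
station_output_t compute_station(const station_params_t *p, const detector_reading_t *r)
{
    station_output_t out;
    out.cpm = (p->type == DET_IC) ? hz_to_cpm(r->freq_hz)
                                  : counts_to_cpm(r->pulse_count, r->window_s);
    out.value = cpm_to_value(out.cpm, p->cf);
    out.alarm = compare_with_setpoint(out.value, p->setpoint);
    return out;
}

/* System-level redundancy: the alarm outputs of two diverse stations are linked
 * by an OR gate before the signal goes to SSILS for ESF actuation, so a single
 * train that fails to alarm does not by itself block initiation. */
bool esf_initiation(bool alarm_a, bool alarm_b)
{
    return alarm_a || alarm_b;
}

int main(void)
{
    /* Constructed parameters and readings for two diverse stations. */
    station_params_t   gm      = { DET_GM, 0.5,  500.0 };
    station_params_t   ic      = { DET_IC, 0.25, 100.0 };
    detector_reading_t gm_read = { 1200, 60.0, 0.0 };  /* 1200 pulses in 60 s */
    detector_reading_t ic_read = { 0,    0.0,  5.0 };  /* 5 Hz from the C/F converter */

    station_output_t a = compute_station(&gm, &gm_read);
    station_output_t b = compute_station(&ic, &ic_read);

    printf("station A: %.1f CPM -> %.1f (alarm=%d)\n", a.cpm, a.value, a.alarm);
    printf("station B: %.1f CPM -> %.1f (alarm=%d)\n", b.cpm, b.value, b.alarm);
    printf("ESF initiation via OR gate: %d\n", esf_initiation(a.alarm, b.alarm));
    return 0;
}
```

With the constructed inputs, station A computes 1200 CPM x 0.5 = 600, above its setpoint of 500, so its alarm is TRUE; station B computes 300 CPM x 0.25 = 75, below its setpoint of 100, so its alarm stays FALSE. The OR gate still produces an ESF initiation signal, which is the single-failure behaviour the redundant design is meant to provide. Note that the OR gate covers a train that fails to alarm; a shared CF drift that affects both trains is the kind of common mode failure the surveillance tests, not the redundancy, are there to catch.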
FMEA of Computational Module
The items in the FMEA are: Function, Failure Mode, Failure Mechanism, Failure Effect, Method of Failure Detection, and Resolution. The FMEA addresses failures of the internal functions and communication failures of the interfaces.
Two kinds of surveillance tests are in the maintenance procedure. The daily surveillance test makes sure that the DMS function is normal; the operator performs it in the main control room. Because the detectors degrade gradually, the three-monthly surveillance test calibrates the CF value. The maintenance personnel reach each local DMS to perform the daily surveillance test.
Communication failure with the Local Alarm is an undetected failure: there is no automatic detection to identify it. The three-monthly surveillance test can identify the communication failure manually.
[Table: FMEA of Computation Module in Concept Phase (four slides; table contents not recoverable from the extracted text)]
Conclusions
This work performed the Software FMEA of the Concept Phase for the safety-related radiation monitoring system digital replacement. The software functions of the safety-related Computation Module have been identified, and all the failure modes of these functions have been analyzed. Independent/single failures of safety-related functions were addressed by the system level redundant design. Common mode failures of safety-related functions were addressed by the periodic surveillance tests. The Communication Module and Control Console are non-safety related components; however, their functions are important means for detecting failures of the safety-related Computation Module.