Single Point Vulnerability Analysis of CEDMCS in Advanced PWR using a Systems Engineering Approach

Single Point Vulnerability Analysis of CEDMCS in Advanced PWR using a Systems Engineering Approach

Awwal Mohammed Arigi and Yong-kwan Lee Nuclear Power Plant Engineering Department KEPCO International Nuclear Graduate School Ulsan, South Korea

Abstract Single Point Vulnerability (SPV) refers to any component whose failure will lead to power reduction or reactor trip in a nuclear power plant. The instrumentation and control (I&C) systems have been identified as a major cause of reactor trips. The Control Element Drive Mechanism Control System (CEDMCS) is the I&C system selected for this work. The Advanced Power Reactor 1400MWe (APR1400) can deploy either of two different designs of the CEDMCS. Identifying available SPV components in these systems is a key step to mitigating, bridging or eliminating such components. Systems Engineering is an interdisciplinary approach that can enable the realization of successful processes. This work follows the activity or process modelling technique in systems engineering to show a method of identifying the SPV components in two digital rod control systems. The entire process stages of needs analysis, requirement analysis, functional analysis, system design, and process verification is followed. The results show the potential SPVs in both systems and possible management strategies for the identified SPV components are suggested.

KeywordsSingle Point Vulnerability; CEDMCS; APR1400; Systems Engineering

1. INTRODUCTION

   Nuclear power plants (NPPs) are regarded as one of the safest and most reliable systems yet you can still find some possibilities of failure. No matter how negligible, the possibility of failure always exists and the Advanced Power Reactor 1400MWe (APR1400) is not an exception. Single Point Vulnerability (SPV) is a component whose failure would directly cause an automatic or manual reactor scram or turbine trip [1]. Although the impact of a scram is much greater than that of a power generation reduction, most power plants consider components that cause power reduction as SPVs. While some power plants do not consider the cause of any reduction in power as SPV, others consider components that cause a reduction in power of as low as 2% as SPV. The

   U.S. (United States) Nuclear Industry Scram Trend [2] as shown in Fig.1 indicates the total number of manual and automatic scrams per year in the United States of America. This shows that the unwanted reactor trips in Nuclear Power Plants (NPPs) is still prevalent.

   This research was supported by the 2016 research fund of the KEPCO International Nuclear Graduate School, Republic of Korea and the International Atomic Energy Agency (IAEA).

   Fig. 1. Trend in US Nuclear Industry Shutdowns.

   A proper identification and subsequent management of SPVs should be a priority because they cause plant trip and may also be a reason for reduction in power output. The plant trip will challenge the safety systems, while a reduction or loss of power will ultimately cause revenue loss for the utility.

   Systems Engineering (SE) is an interdisciplinary approach and a means to enable the realization of successful systems. It focuses on defining customer needs and required functionality early in the development cycle, documenting requirements, and then proceeding with design synthesis and system validation while considering the complete problem [3]. It serves as a guide in the application of scientific principles to practically ensure the efficient and economic operation of complex equipment and systems. The Control Element Drive Mechanism Control System (CEDMCS) also referred to as a Digital Rod Control System (DRCS) is an example of a complex system as can be seen in Fig. 2 with several interfacing systems.

   Fig. 2. DRCS interfacing systems [4].

   The CEDMCS /DRCS is one of the three major parts of the power control system (PCS) in the APR1400 NPP design. Other parts are the reactor regulating system (RRS) and the reactor power cutback System (RPCS). The DRCS controls the holding and motive power associated with the control element drive mechanism (CEDM). The DRCS uses either an automatic control element assembly (CEA) motion demand signal from the RRS or manual motion signals from the DRCS soft control. It converts these signals to direct current (DC) pulses that are transmitted to CEDM coils to cause CEA motion. When the CEA motion is demanded, the coils are energized in sequence to cause either insertion or withdrawal of the CEA or control rod. Nuclear reactivity and therefore the power of the NPP can be controlled by these insertion or withdrawal operations. When the under-voltage relays in the DRCS detect that power in the CEDM has been interrupted, the DRCS provides signals to the Turbine Control System (TCS), Steam Bypass Control System (SBCS), and the Feedwater Control System (FWCS). A reactor trip signal removes the motive power from the DRCS which in turn makes the CEAs to be dropped by gravity. Note that in Fig. 2, LPMS=Loose Parts Monitoring System, RSPT=Reed Switch Position Transmitter, QIAS=Qualified Indication and Alarm System and NAPS= Nuclear Application Systems.

   However, one of the major functions of the DRCS is to provide control signals and interlock signals (switch contacts designed to prevent a control system from taking two incompatible actions at once) to the CEDM. These control signals are initiated by the RRS. The DRCS also provides interfacing signals to the Information Processing System (IPS). These control limits and interlocks prevents abnormal power and temperature conditions that may be caused by excessive control rod withdrawal due to control system malfunction or wrong action from the operator.

   Systems engineering is used in this work because it is focused on the system as a whole. These include the identification of customer needs, system operational environment, interfacing systems, logistics support requirements, capabilities of operating personnel, and such other factors as must be correctly reflected in system requirements documents and accommodated in the system design. Dealing with risks is one of the essential tasks of systems engineering, requiring a broad knowledge of the total system and its critical elements. In particular, systems engineering is central to the decision of how to achieve the best balance of risks [5]. These risks are evident in the existing SPVs of the CEDMCS.

2. SYSTEMS ENGINEERING APPROACH DEVELOPMENT

   The top-level perspective of the entire process design is depicted in Fig.3. It starts with an adequate articulation of the process needs with a needs analysis through to the design and verification stages. The rounded rectangular boxes represent the major stages of the process while the rectangle shaped boxes connected to them are the identified activities at each stage of the process. Arrows indicate the sequence of the process. There is a feedback arrow when a change request is demanded at the verification stage.

   1.0 Needs Analysis

   Fig. 4 illustrates the yearly frequency of reported reactor trip events in Korean NPPs between 2000 and 2016 [6]. The various causes of reactor trips considered were External effects, I&C components, Electrical components, Mechanical components, and Human factors. Sixty-six (25.2%) out of a total of 262 events resulted from instrumentation and control (I&C) systems. This shows that I&C systems are the highest source of reactor trips.

   Fig. 3. SPV analysis process stages (where SRAM refers to sudden shutdown of reactor by rapid insertion of control rods)

   Fig. 4. Yearly reactor trip events in korean NPPs by cause

   The data in Fig.4 suggests that over the course of 16

   years, the trend in I&C induced reactor trips has barely abated (i.e. year 2000, 33%, year 2005, 19%, year 2010, 37% up to year 2016, 25.2%). When I&C systems fail, they can cause unplanned reactor trips, turbine trips or a violation of technical specifications and by so doing cause unavailability and reduction in plant reliability. The CRDMCS is one of the most important I&C systems in the NPP as it is directly related to the power control system. Almost any failure in the CEDMCS could have similar consequences as previously stated for I&C systems failure. Failures will likely emanate from component parts of a system. Hence the need to properly identify any SPVs in the CEDMCS so that further actions can be taken to mitigate the failure of such components.

   The APR1400 is an advanced pressurized water reactor (PWR) type. There are two rod control systems that will each be deployed to this (APR1400) power plant type and therefore they are both analyzed in this paper. They are referred to as System A and System B in this work.

   2.0 Requirement Analysis

   It is necessary to translate the identified needs into clear requirements. Based on E. Halls [7] description of the problem and solutions domain, table 1. shows the problem and solution spaces for this work. For the sake of unambiguity, the requirements analysis is approached as the requirements for identification of SPVs. According to reference [1], the SPV program must have a clear direction for identifying what is an SPV. In this work, SPV identification will be qualitative. Only those components that cause reactor trip to be initiated would be considered and only the parts within the CEDMCS would be considered. The following are examples of sources that could be used in the review include: system or component function description; system or component loop, logic, or circuit drawings; Final Safety Analysis Reports and Technical Specifications [1].

   TABLE I. PROBLEM AND SOLUTION SPACES

   Requirements Layer	Domain	View	Role
   Stakeholder Requirements	Problem Domain	Stakeholders View	Determine causes of Reactor Trip in APR1400
   System Requirements	Solution Domain	Analyst View	Determine SPVs within the CEDMCS
   Architectural Design	Solution Domain	Designers view	-Develop FMEA of Systems A&B -Derive SPV analysis of Systems A&B

   1. Functional Analysis

      The process functions in this work is shown in Fig. 5, where attention is paid to the particular deliverables of the process designed. The first step is the thorough examination of existing design (system A) and the new design (system B). This is done to understand the workings of the systems. This first step is accomplished with the aid of digital rod control system (DRCS) descriptions, operating manuals, and the Standard Safety Assessment Report (SSAR) of the APR1400. The system B is examined with the aid of System descriptions and publication papers. In the second step a Failure Mode Effect and Analyses (FMEA) was developed for both systems A and B. This is based on the understanding of the unique designs of both systems. In the third step, a qualitative SPV analysis of both systems is derived while considering previous FMEA evaluations of the systems.

      Fig. 5. SPV analysis process functions.

   2. System A

      This is the existing Control Rod Control System. The major parts of System A are the Power Cabinets (PC), Logic Cabinet (LC), and Remote I/O cabinets (see Fig.6). The control cabinet consists of input modules, power supplies, communication devices and others. It generates the CEDM coil commands to step the rods during startup, shutdown, and power maneuvering operations. It also coordinates all operations within the DRCS including communication with the Nuclear Application System (NAPS) of Information Processing System (IPS) and providing alarm outputs for detectable failures in some DRCS parts.

      The power cabinet consists of 13 selecting cabinets and 6 moving cabinets. The selecting cabinets delivers power to the Upper Gripper (UG) and Lower Gripper (LG) coils while the moving cabinets delivers power to the Upper Lift (UL) and Lower lift (LL) coils (see Fig. 7).

      The major components of the power cabinet are; power conversion circuit, multiplexing, power regulator, alternative DC hold power, and DC power supplies.

      Fig. 6. DRCS configuration of (existing) system A [4].

      Fig. 7. System A power cabinet configuration [4].

   3. System B

   The new DRCS shown in Fig. 8 consists of two major parts; Control cabinet and Power cabinet. There is only one control cabinet, and a minimum of 3 power cabinets. The number of power cabinets in the APR1400 plant would be eight. The assumption is that at least 93 CEAs are needed in the APR1400 design with 3 CEA groups per Power cabinet (12 CEAs).

   The control cabinet receives command signals form the RRS, MCR or other interfacing systems and sends the signals to the appropriate power cabinet. The Main control unit (MCU) and the Local operator Module (LOM) are the major parts of the Control cabinet. The MCU functions to develop the signals received from external interface systems like the RRS, PPS, Reactor operator or etcetera. The power cabinet has the major parts as; the power control unit (PCU) and the power converter module (PCM). The Power cabinet has 3 sets of hardware to control each CEDM group except for the PCM Lift Coil (LC) which is only one per cabinet as shown in Fig. 9.

   Fig. 8. DRCS configuration of (new) system B [8].

   Fig. 9. System B power cabinet configuration [8]

   4.0 Process Design Synthesis

   This stage involves the system or process developers analysis. For this work, this is the process outputs of FMEA and SPV analysis. For failure mode and effect analysis, the system or component function description; system or component logic and power circuit drawings; SSAR and Technical specifications; Industry experience on equipment- related scrams; and Vendor recommendations are utilized. A summary of the FMEA result for both systems are shown in the tables II and III.

   A qualitative SPV analysis is done at this stage based on the results of the FMEA while paying particular attention to components without redundancy and their operational functions. Only the components strictly within the CEDMCS are considered. Results are shown on tables IV and V. The number (No.) of SPVs for each component type are also indicated.

   TABLE II. FMEA FOR SYSTEM A.

   Component Name	Failure Mode	Failure Effect
   PC- PCC (Power conversion circuit)	Spurious actuation	Lift or Gripper latches of one group close. Control rods drop
   PC – Digital Out	Malfunction	Causes turbine trip signal which stops the generator
   PC- Current Regulation Card	Fail to operate	No drive signals generated for PCC. Reactor trips due to RPS signal (LO- DNBR/HI-LPD)
   PC – Digital Signal buffer Card	Malfunction	No drive signals generated for PCC. Reactor trips due to RPS signal.
   PC – Gate firing driver Card	Malfunction	Reactor trips due to control rods drop.
   PC -Multiplexing Error Detector	Failto operate	Related CEA groups are inoperable
   PC – Backplane Card	Malfunction	No control signal transmission to PCC. Reactor trips due to control rod drop.
   PC – Power supply Card	Fail to operate	Reactor shutdown due to RPS signal
   PC – Power Regulator	Malfunction	Reactor shutdown due to RPS signal
   PC – Phase control	Malfunction	Coils are energized out of sequence. Reactor trips due to control rods drop.
   PC -Fuse	Fuse cut	Causes Reactor shutdown due to RPS signal
   PC -Circuit Breaker	Breaker open	Causes Reactor shutdown due to RPS signal
   LC -communication card	Failure to transmit or receive data	No manual control of CEAs. The RPS initiates reactor trip
   LC -sequence logic of bank & group	Malfunction	Causes Reactor shutdown due to RPS signal
   LC -sequence order generator	Malfunction	Causes Reactor shutdown due to RPS signal
   LC -data store& diagnostic	Malfunction	No drive signals failure detection.
   LC – I/O manager	Malfunction	No drive signals. Rector shutdown due to RPS signal
   Master Cycler	Malfunction	Related CEA groups are inoperable
   Slave Cycler	Malfunction	Related CEA groups are inoperable

   (WHERE DNBR=DEPARTURE FROM NUCLEATE BOILING, LPD=LOCAL POWER DENSITY)

   TABLE III. FMEA FOR SYSTEM B.

   Component Name	Failure Mode	Failure Effect
   PCM-MGC (movable gripper control)	Spurious actuation	MG latches of one group close. Control rods drop
   	Fail to operate	MG latches of one group are inoperable
   PCM-SGC (stationary gripper control)	Spurious actuation	SG latches of one group close. Control rods drop.
   	Fail to operate	SG latches of one group are inoperable
   PCM-LD (Lift disconnect ) switch	Fail to ON/OFF	Related group or individual rods are inoperable. Eventual RPS signal is initiated.
   PCM-Lift Coil circuit	Spurious actuation	Improper voltage to CEDM coils. Related CEA groups are inoperable
   	Fail to operate	Related CEA groups are inoperable
   Power Control Unit (PCU)	Fail to operate	No drive signals generated for PCM. Reactor trips due to control rods drop.
   Backplane board	Malfunction	No control signal transmission to PCM. Reactor trips due to control rod drop.
   LOM communication card	Malfunction	No manual control of CEAs. The RPS initiates reactor trip
   MCU-speed pulser	Malfunction	The RPS initiates reactor trip
   MCU-sequence logic of bank & group	Malfunction	The RPS initiates reactor trip
   MCU- sequence order generator	Malfunction	The RPS initiates reactor trip
   MCU-data and diagnostic.	Malfunction	The RPS initiates reactor trip
   MCU- I/O manager	Malfunction	No sequence logic signals generated. The reactor condition remains same. Eventual Reactor trip

   TABLE IV. SPV COMPONENTS FOR SYSTEM A.

   Device Name	No.	Failure Mode	Failure Effect
   Digital Out (Under-Voltage Relay)	26	Malfunction	Causes turbine trip signal which stops the generator
   Current Regulation Control card	13	Malfunction	No drive signals generated for PCC. Reactor trips due to control rods drop.
   DRCS Digital Signal buffer Card	13	Malfunction	Reactor shutdown due to RPS signal
   Gate firing driver Card	13	Malfunction	Reactor trips due to control rods drop
   Backplane Card	13	Malfunction	Reactor shutdown due to RPS signal
   Power supply Card	13	Fails to operate	Reactor shutdown due to RPS signal
   Power Cabinet Fuse	13	Fuse cut	Reactor shutdown due to RPS signal
   Power Cabinet Circuit Breaker	13	Breaker open	Reactor shutdown due to RPS signal
   Total Number of SPVs	117

   TABLE V. SPV COMPONENTS FOR SYSTEM B.

   The PCM (Power Conversion Module) is a prospective SPV part of the CEDMCS in system B, as they have no redundancy. All its major sections including the Lift Coils Module, Stationary Gripper Coil Module, Movable Gripper Coil Modules, and the Lift Disconnect Switches may individually cause reactor scrams. When the Lift Coil PCM fails to operate, three CEDM groups will be non-functional, and thus cause the LO-DNBR or HI-LPD setpoints to be exceeded. This will make the Reactor Protection System Trigger an automatic reactor trip.

   1. Process Verification

      Verification encompasses the tasks, actions, and activities performed to evaluate the progress and effectiveness of the evolving system solutions (people, products, and process) and to measure compliance with requirements [3]. The primary purpose of verification is to determine that this process and products are compliant with the earlier assigned requirements. When it is found that the process is defective or fails to meet its initial requirements, a change request may be issued. However we have applied the process to effectively determine the SPV components in the CEDMCS as shown in tables IV and V.

   2. Management of SPV

   The preventive maintenance basis database developed by the Electric Power research Institute (EPRI) can be an effective tool in the successful management of SPVs. This is because the database is being continuously updated to provide component failure modes, mitigation of such failure modes, and sometimes may also include the effectiveness of those mitigation strategies.

   The best method for eliminating these SPV components shown in this work would be by changing trip logic or adding parallel circuits. However, considering the recent deployment of these CEDMCS systems, management (mitigation) of these

   components will be appropriate for now. A strong mitigation strategy includes actions for prevention, detection, and correction but a mitigation strategy can be effective only for modes of failures that can be prevented or have degradation modes that can be detected [1].

   Device Name	No.	Failure Mode	Failure Effect
   PCM-MGC	24	Spurious actuation Fail to operate	MG latches of one group close/ inoperable. Control rods drop.
   PCM-SGC	24	Spurious actuation Fail to operate	SG latches of one group close/inoperable. Control rods drop.
   PCM-LD switch	24	Fail to ON/OFF	Related group or individual rods are inoperable. RPS signal initiated.
   PCM-Lift Coil circuit	8	Spurious actuation Fail to operate	Improper voltage to CEDM coils. Related CEA groups are inoperable.
   Total Number of SPVs	80

   Device Name	No.	Failure Mode	Failure Effect
   PCM-MGC	24	Spurious actuation Fail to operate	MG latches of one group close/ inoperable. Control rods drop.
   PCM-SGC	24	Spurious actuation Fail to operate	SG latches of one group close/inoperable. Control rods drop.
   PCM-LD switch	24	Fail to ON/OFF	Related group or individual rods are inoperable. RPS signal initiated.
   PCM-Lift Coil circuit	8	Spurious actuation Fail to operate	Improper voltage to CEDM coils. Related CEA groups are inoperable.
   Total Number of SPVs	80

   Mitigation strategies for the CEDMCS may include maintenance mitigation and supply chain mitigation. In maintenance mitigation, a preventive maintenance (PM) program should be established to address the identified failure modes. This program should be within the scope and frequency of already approved PM template of the NPP. CEDMCS is classified as a non-safety system and therefore the current procurement policies may not be stringent enough. Supply chain mitigation can be implemented for the identified SPVs by improving the quality of procurement process, post- manufacturing testing, and testing before and after installation.

3. CONCLUSION

This paper has shown the application of systems engineering process to achieve SPV analysis. By implementing an SE approach in the CEDMCS design, we could get a broad perspective of the process at the early stages. The process and activities to be performed were identified at the budding stage enabling, the schedule and investment to be optimized.

System A design has employed a fail-safe concept to its design with less redundancies while System B design provides redundancy and design change although this comes at a high price for the Utility. System B design has improved reliability but not necessarily eliminating the SPV items. The total number of SPVs is found to have reduced from 117 components in system A to 80 components in system B. Naturally, the cost of a new redundant system will be more. However, future work may examine the economic effect of the new system considering the operating experiences of power plants on the CEDMCS (i.e. SCRAM rates and power outage cost).

A limiting factor for this work is that none of the APR1400 NPPs have gone into commercial operation as at the time of writing this paper. Therefore SCRAM analysis for other operating NPPs in Korea have been used in the needs analysis stage of this work.

Further work on this subject may also attempt to produce a risk ranking of the potential SPVs. This will help utilities in determining the kind of maintenance strategy that should be applied to individual SPVs components.

REFERENCES

1. Single Point Vulnerability (SPV) Process Guide. EPRI, Palo Alto, CA: 2015.3002005419. pp.2.2 – 3.10.

2. Trend in US Nuclear Industry Shutdowns [Internet]. [Cited 2016 Aug 29] Available from: http://www.nei.org/Knowledge-Center/Nuclear- Statistics/US-Nuclear-Power-Plants/US-Nuclear-Industry-Scram- Trend.

3. INCOSE, Systems Engineering Handbook, version 3.2.2., INCOSE-

   TP 2003-002-03.2.2., October 2011. pp. 129-365

4. NPP Systems Textbook Control and Protection Systems, Rev.2, KHNP-HRDI, BNP-FU-COM-SYS-TB-DRCS. pp.9-16.

5. Alexander Kossiakoff, William N. Sweet, Samuel J. Seymour, and Steven M. Biemer, Systems Engineering Principles and Practice, 2nd Ed. Wiley & Sons, Inc. 2011. pp.7.

6. KINS-OPIS, Nuclear event evaluation database: recent nuclear events [Internet]. [Cited 2016 Aug 29] Available from: http://opis.kins.re.kr/opis

7. Elizabeth Hull, Ken Jackson, and Jeremy Dick, Requirements Engineering, Springer, 2011 pp.20-21.

8. Chae-Ho Nam, Jung-Han Nam, Sim-Kyun Yook, and Chang-Ho Cho, Design and Implementation of Advanced Digital CRCS for Pressurised Water Reactors, (European Nuclear Conference) ENC 11- 14 Dec, 2005.