Development of a Hardware-in-the-loop Simulation Platform for Safety Critical Control System Evaluation
During the lifetime of a nuclear power plant (NPP), safety electronic control system components become obsolete [7]. It is difficult to find replacement components qualified for nuclear applications [50]. Due to strict regulations, replacement components undergo extensive verification and operational analysis [70]. Therefore, the need for a platform to evaluate replacement safety control systems in a non-intrusive manner is evident. Verifying the operation or functionality of potential replacement electronic control systems is often performed through simulation [71]. To enable simulation, a physical interface between potential control systems and computer-based simulators is developed. System connectivity is established using Ethernet and standard industrial electrical signals. The interface includes a National Instruments (NI) virtual instrument (VI) and data acquisition system (DAQ) hardware. The interface supports simulator-controlled transmission and receipt of variables, enabling the transmission of simulated process variables to and from an external control system. This is known as hardware-in-the-loop (HIL) simulation [49]. Next, HIL interface performance is verified and the following are identified: a measure of availability, the effect of varied configurations, and limitations. Further, an HIL simulation platform is created by connecting an NPP simulator and a programmable logic controller (PLC) to the interface, namely a Canadian Deuterium Uranium (CANDU) reactor training simulator and an Invensys Tricon version nine (v9) safety PLC respectively. The PLC is programmed to operate as shutdown system no. 1 (SDS1) of a CANDU reactor. Platform availability is verified and the response of the PLC as SDS1 is monitored during reactor shutdown. Proper execution of the steam generator level low (SGLL) logic on the PLC and variable transmission are observed.
Thus, a platform and procedure for the evaluation of replacements for obsolete electronic control system components are demonstrated.
An Approach to Using Non Safety-Assured Programmable Components in Modest Integrity Systems
Programmable components (like personal computers or smart devices) can offer considerable benefits in terms of usability and functionality in a safety-related system. However, there is a problem in justifying the use of programmable components if the components have not been safety-justified to an appropriate integrity level (e.g. to SIL 1 of IEC 61508). This paper outlines an approach (called LowSIL) developed in the UK CINIF nuclear industry research programme to justify the use of non safety-assured programmable components in modest integrity systems. This is a seven-step approach that can be applied to new systems from an early design stage, or retrospectively to existing systems. The stages comprise: system characterisation, component suitability assessment, failure analysis, failure mitigation, identification of additional defences, identification of safety evidence requirements, and collation and evaluation of evidence. In the case of personal computers, there is supporting guidance on usage constraints, claim limits on reliability, and advice on "locking down" the component to maximise reliability. The approach is demonstrated for an example system. The approach has been applied successfully to a range of safety-related systems used in the nuclear industry.
Risk analysis and reliability of the GERDA Experiment extraction and ventilation plant at Gran Sasso mountain underground laboratory of Italian National Institute for Nuclear Physics
The aim of this study is the risk analysis of argon release from the GERDA experiment in the Gran Sasso underground National Laboratories (LNGS) of the Italian National Institute for Nuclear Physics (INFN).
The GERDA apparatus, located in Hall A of the LNGS, is a facility with germanium detectors located in a wide tank filled with about 70 m3 of cold liquefied argon. This cryo-tank sits in another water-filled tank (700 m3) at atmospheric pressure.
In such cryogenic processes, the main cause of an accidental scenario is a loss of cryo-tank insulation.
A preliminary HazOp analysis has been carried out on the whole system. The risk assessment identified two possible top events: explosion due to a Rapid Phase Transition (RPT) and argon runaway evaporation.
Risk analysis highlighted a higher probability of occurrence for the latter top event. To avoid emission in Hall A, HazOp, Fault Tree and Event Tree analyses of the cryogenic gas extraction and ventilation plant have been made. Failures of the ventilation system are the main cause of this event. To improve system reliability, some corrective actions were proposed: the use of a UPS and the upgrade of damper opening devices. Furthermore, the Human Reliability Analysis identified some operating and management improvements: action procedure optimisation, alert warnings and staff training.
The proposed model integrates the existing analysis techniques by applying their results to an atypical work environment, and offers useful suggestions for improving system reliability.