#### Abstract

The objective of this study is to find out the impact of instrumentation and control (I&C) components on the availability of I&C systems in terms of sensitivity analysis using Bayesian network. The analysis has been performed on I&C architecture of reactor protection system. The analysis results would be applied to develop I&C architecture which will meet the desire reliability features and save cost. RPS architecture unavailability and availability were estimated to and for failure (0) and perfect (1) states, respectively. The impact of I&C components on overall system risk has been studied in terms of risk achievement worth (RAW) and risk reduction worth (RRW). It is found that circuit breaker failure (TCB), bi-stable processor (BP), sensor transmitter (TR), and pressure transmitter (PT) have high impact on risk. The study concludes and recommends that circuit breaker bi-stable processor should be given more consideration while designing I&C architecture.

#### 1. Introduction

The last two decades are the witnesses of rapid development of digital technology in the nuclear industry. Though instrumentation and control (I&C) architecture of nuclear power plants has been established to a certain level, yet it is design dependent and not standardized for all the industry. Holbert and Lin highlighted the need of improved methods for monitoring, control, and diagnostics due to economic constraints and applied fuzzy logic to enhance plant availability by assessing equipment condition [1]. I&C architecture of safety and protection systems in case of research reactors is also not standardized and research on the reliability is needed to demonstrate an optimized architecture for business as well as standardization. Moreover it is essential to find which architecture will perform better among digital, analog, or hybrid designs. Digital I&C still has to win confidence because advent of digital I&C systems in nuclear power plants has created new challenges for safety analysis and it is necessary to quantify the risk impact of digital systems specially related to software, processing unit (CPU), and common cause failures [2]. Therefore suitable architecture should be identified.

In spite of technical basis, research on I&C architecture of research reactor is also based on social demand. The steadily increasing demand of research reactors by educational and research institutes nationwide as well as international is basis for this research. At present, there are 232 operating research reactors worldwide which differ in design based on objective. There are many types of research reactors, such as pool, tank type, miniature, and so forth, with specific designs. However; the International Atomic Energy Agency (IAEA) performed studies on research reactors and categorized them into two: low power and medium (0.250–2.0 MW) and high power research reactors (2–10 MW) [3, 4]. A national endeavor for commercial standardized design is yet required.

In order to meet this demand, a research reactor project was initiated in Korea with the collaboration of educational and research institutes. The study performed under this project has the objective to develop I&C architecture for low power research reactors, optimized between availability and cost. The level of reliability, which would be sufficient for protection and safety systems in case of research reactors, should be found out under this project. Architecture meeting this level of reliability should fulfill all the regulatory requirements as well as operational demands with optimized cost of construction. The scope of study in this paper is to analyze reliability features like unavailability and component sensitivity, which does not cover the full objective of the project; rather it is a footstep to achieve the main goal. The study presented in this paper will be the basis that will lead towards the optimization between reliability features and cost. This research will help the designers to consider the sensitivity of component while constructing I&C architecture to attain the desired availability.

In this paper, we formulated reactor protection system (RPS) I&C architecture and performed reliability and importance analysis of I&C components and modules of this architecture. Sensitivity study is important to get the insight of risk contribution from each component in a complex system. Kamyab et al. made an endeavor to find the sensitivity of software and software induced common cause failures to digital reactor protection system using fault tree technique [5]. Due to digitization of I&C systems, Yaguang and Russell also proposed a systematic reliability estimation method for digital I&C systems which uses fault tree to find system unreliability, Boolean algebra to get minimal cut sets, and flow networks for software reliability [6]. Contrary to this, we used Bayesian network to model system architecture. We did not generate cut sets because they are usually thousands in numbers depending upon the system complexity and analysis also becomes difficult. Instead of generating cut sets and taking their summation for certain basic event to find importance, it is easy to find importance by taking a node granted failure or success without truncation error. Bobbio et al. showed that fault tree can be directly mapped into a BN and inferred that BNs are more suitable to represent complex dependencies among components and to include uncertainty in modeling [7]. Here reliability block diagram (RBD) was mapped to Bayesian network (BN) model by keeping all functions and logics of operation intact. The generic failure data was used for the reliability study. The risk importance analysis of I&C modules and components like bi-stable processor (BP), coincidence processor (CP), transmitter (TR) is performed based on BN model. The details of technique, description of modeling, and analysis results are presented in succeeding headings with the conclusion.

#### 2. Analysis Technique: Bayesian Network

Bayesian network has a lot of applications in the reliability area. Langseth and Portinale compiled the application of BN in reliability areas and concluded that Bayesian networks (BNs) have become a popular tool for modeling many kinds of statistical problems. They also highlighted the increasing use of BNs by reliability analysis community in reliability applications due to its prominent features and modeling framework [8]. In this research Bayesian network has been selected for the analysis because it has the ability to handle complex models with ease and has well established probabilistic theory. Since the last decade, BN models have been increasingly applied to dependability analyses to find solutions of reliability, availability, and maintainability in aviation and other industries [9]. In one of the previous researches, Boudali and Dugan developed the Bayesian models by transformation of dynamic fault tree (DFT) for probabilistic analysis and showed that BN based reliability formalism is a powerful potential solution to system components behaviors and interactions [10]. But mapping of conventional and dynamic fault trees to BN models requires the development of fault trees.

On the other hand, transformation of RBD or directed acyclic graph (DAG) to BN was also considered in reliability area. Jinhua et al., in this regard, claimed that they proposed a method for reliability modeling and assessment of a multistate system with common cause failure by using graphic DAG representation and uncertainty reasoning of Bayesian network (BN) [11]. In the late nineties, Torres-Toledano and Succar presented work showing the modeling of BN based on reliability block diagrams [12]. But the prerequest of this technique is the identification of path sets of system and this becomes very laborious in case of complex systems like RPS with four channels. In case of complex system, it can produce misleading results because of incorrect identification or insufficient path sets. However, Kim proposed a method by the use of which RBD can be extended to reliability block diagram with general gates (RBDGG) and can easily be mapped to BN models with general “AND,” “OR”, and “K out of N (KooN)” gates [13]. If the system has a limited failure data on failure modes, it is notable to use BN for availability analysis. It is easier to construct a BN model than develop a fault tree and BN also yields exact results based on conditional probabilities. Daemi et al. also did a similar study and presented a method to construct the BN for composite power systems. They recommended that BN can be used to perform different probabilistic assessments such as ranking the criticality and importance of system components from reliability perspective [14]. The use of fault tree instead of BN is good when one is interested to know the detail of failure modes in terms of cut sets but here we are interested in importance of components not in their failure modes, so it is beneficial to use BN, which will reduce the effort and give the reliable numbers for analysis.

We used RBDGG to BN modeling technique by keeping all the logic and function preserved for each node of BN model. This model was used to find the reliability features and sensitivity of each component to overall risk of system and the results of this study would be applied to architecture redesign to achieve aforementioned goals of the project. It is important to note that this type of analysis is performed for the first time, in which component sensitivity is quantified. This impact will be considered during the design phase of I&C architecture.

Application of Bayesian network and theory to I&C systems is explained in the coming paragraph as well as in Section 3. If and are two random occasions with the fact that , then conditional probability of that has happened, can be defined by Bayesian Theorem. We have where is termed as a prior probability. If has states of happening, that is, , then total probability theorem takes the following form: For illustration, an example of reactor protection actuation failure , which is dependent on failure of two channels and , is depicted in Figure 1. The channels are affected by the common cause failure . Arcs among nodes represent the dependence among the nodes. is the input node while has no outgoing arcs and output node. Joint probability distribution for case in Figure 1, using the chain rule of joint probability, can be given as follows: Since the events are dependent on each other within the Bayesian network, the derivation of posterior probability from prior probability is a viable method for reliability assessment of complex system. By the use of BN, it is possible to perform importance and sensitivity analysis of components and modules through a backward analysis.

#### 3. System Architecture and Bayesian Theory

Instrumentation and control (I&C) systems are centralized systems which have interface with almost all systems at the plant. The salient I&C systems are reactor protection system (RPS), engineering safety features actuation system (ESFAS), reactor protection system interlocks, control rod control system, and ex. Core and in Core instrumentation system. In this paper, RPS will be discussed onward. Reactor protection system (RPS) compares the operating parameters with set points and initiates the scram to protect the core by inserting shutdown control rods. It also works in case of external hazard. RPS consists of sensors, analog/digital protection logic, actuation circuit, and circuit breakers. The constituents of RPS components and their interfaces with other systems are described in Figure 2. Sensors are connected to analog/digital circuitry consisting of 2 to 4 redundant monitoring channels for process and in-core and ex-core parameters. They generate either a pulse or easily comparable current/voltage based number. The signals are compared with set points in bi-stable processor (BP) and then it sends signal to coincidence processor (CP) after assessment.

CP receives signals from BPs of other channels and confirms the voting logic before initiating the ESFAS and scram relays. The functioning of RPS at plant is depicted in Figure 3, in which it is shown that RPS receives operating parameters from core (in-core) to distribution grid and keeps eye on their variation.

Ex-core parameters are indirectly used for scram. These parameters are used to calculate departure from nucleate boiling (DNBR) and linear power density (LPD) in core protection calculator system (CPCS). These are basically fuel acceptable design limits. When these limits exceed the design criteria, RPS inserts reactor trip through reactor breaker system (RBS) and ESFAS actuates safety system valves and pumps using component control system (CCS). This process is described in Figure 3.

The design of reactor protection system varies from plant to plant. The concept of redundancy to fulfill single failure criteria and other design requirements is implemented in the architecture design. RPS consists of four channels in high power reactors with trip logic of 2/4 (2 out of 4) with dual intra channel redundancy. On contrary to this, three-channel architecture with dual intrachannel redundancy or four-channel configuration with single intrachannel redundancy may perform well for all kinds of research reactors. This proposed architecture will meet the requirement of physical separation and single failure criteria.

The RPS I&C system architecture was transformed to reliability block diagram (RBD) for modeling ease in Bayesian network, as shown in Figure 4. I&C system consists of four channels, which are represented here with , where varies from 1 to 4, representing the number of channels. The variation of index from 1 to 4 indirectly shows the channels , , , and , respectively (, , , and ).

Each channel consists of components and modules which have their names but for ease of analysis these are represented by . In this notation, and represent Transmitter and sensor (TR A) of channel A and circuit breaker (TCBD) of channel D, respectively.

Two failure states for each component are considered in this study, which are 0 and 1. State 0 represents the failure state and 1 represents the perfect operational state. The capital letters, in further analysis, will just represent the node and small letters would show the failure states of that node.

Before detail modeling of RPS, it is first converted into simple model consisting of four channels and a final trip failure, as shown in Figure 5. The failure of each channel (train) is based on the failure of each component of the channel as follows: The failure and perfect states of RPS I&C architecture are denoted by and are explained by the relation shown in (5). The numbers of combinations are , where 2 represents the number of states and shows the number of channels. In this case, combinations are 16 based on four channels.

The operational logic of RPS I&C systems is 3 out of 4 (3oo4). Based on this logic, 5 combinations out of 16 would belong to success state (1) while the rest are leading to failure state (0) as follows:

The conditional probabilities for each state of four channels can be described mathematically. The channel would surely be in failure state, if all or directly affecting components are in failure state (0) and channel would be in perfect state if all components are perfect as follows: Reactor trip states would be dependent on the availability of channels and can be described as follows: On contrary to this, if 3 out of 4 (3oo4) logic is satisfied by the four channels, then final failure state is decided with the failure probability () of reactor trip CRDM and perfect state would be as follows:

#### 4. Bayesian Network Model and Failure Data

The function of RPS I&C architecture is to initiate a scram signal, if the input parameters from digital and/or analogue sensor exceed the set point parameters. It compares and assesses the input from various channels and if the voting logic is satisfied, then it performs the trip. Since this system has input from 15 to 20 parameters from plant field, it can be described as a random process. That is why Bayesian network is selected for this analysis. BN is a suitable choice for characterizing the dependency and uncertainty of random process [15]. For this purpose, RBD of proposed I&C architecture was developed by preserving all the functions and logics of the system. RBD was converted into BN model using AgenaRisk Professional, as shown in Figure 6.

The model shows the propagation of failure from transmitter and sensor to final trip failure. The components and modules which constitute a channel are Sensor (TR), pressure/level transmitter (PT), analog input (AI), digital input (DI), bi-stable processor (BP), coincidence processor (CP), digital output (DO), shunt circuit (ST), under voltage circuitry (UV), and circuit breaker (TCB). The subscripts A, B, C, and D show the channel ID. Finally the reactor trip (Rx Trip), also shown as is the scram failure through CRDM. Two states, 0 and 1 representing failure and perfect, respectively, were assigned to each component in the model. Node probability table for each node representing a component is prepared based on the analysis shown in the relation between (7) and (8). The conditional probability table for a node with four inputs with a success logic of 3 out of 4 (3oo4) is shown in Table 1. The failure state, in Table 1, is represented by and perfect (success) state is denoted by . The failure probability is a demand base failure. Generic failure data of electronic as well as nuclear industry were surveyed for I&C component failures. The well-known generic failure data bases are IAEA reliability data source, component failure data for research reactors, and USNRC industry averaged failure data [16, 17].

Since BN analysis is performed with AgenaRisk Professional, Agena Ltd., which has capability to perform multi-state failure, time dependent analysis with continuous, integer or discrete intervals. Regarding the use of failure data in BN analysis, Marquez et al. concluded that BN framework has the ability to solve any configuration of static and dynamic gates with general time-to-failure distributions [18] and hybrid Bayesian networks (HBNs) can be used to find availability by taking credit of logistics delay times, scheduled maintenance time distributions, and time-to-failure distributions [19]. The researchers recommend that it is good to use failure distributions to get reliable results for time dependent analysis, dynamic features, or maintenance study using/finding time-to-failure.

Instead of failure distribution, mean failure demands/rates have been used in this BN model because this analysis is static and we had intention to find the risk contribution of components, which is less dependent on time. In order to make test and surveillance of systems of research reactor independent of time and make it demand failure, a time interval of 30 days is considered. The failure of the components reported in terms of failure rate is made demand failure using (9), assuming that failure rate remains constant over a time interval. The failure data for each component with its failure mode is given in Table 2. We have where, is demand failure probability and is a failure rate of component. is the average time span for the surveillance & test interval of the component.

#### 5. Importance Measures and Criteria

Risk importance measure is a sensitivity study which identifies impact of a single failure or combination of failures of components on the overall failure of the system. There are many kinds of importance measures which are selected based on the type of analysis and system. In this regard, Vasseur and Llory [20] recommended risk reduction worth (RRW) and risk achievement worth (RAW) parameters as a merit of PSA along with core damage frequency and large early release frequency. Ramirez-Marquez and Coit [21] also recommended that RRW, RAW, and FV are most valuable and commonly used importance measures for the system and system components which exhibit binary functioning behavior (i.e., either fully functional or fully failed).

In order to get the deep insight, importance analysis for measures RRW and RAW is performed using Bayesian network. Eventually, risk measures would give understanding to differentiate basic events and components into high risk significant and low risk significant components after comparing with American Society of Mechanical Engineers (ASME) criteria, given in Table 3. These importance measures give insight of component failure contribution and plant designer can utilize this information to modify and upgrade desire system architecture. The utilities may also get benefits to manage surveillance and maintenance schedule with optimization of cost [5].

#### 6. Risk Achievement Worth (RAW)

Risk achievement worth is a factor which indicates the amount by which the unavailability will increase, if the failure of component or basic event is granted. The failure probability of all components is given in the node probability table and the final unavailability of reactor trip is calculated. But for the determination of RAW, the failure probability for th component is set equal to 1 (granted failure) and system unavailability is calculated as follows: where (channel index) varies from 1 to 4 and (component index) varies from 1 to 10. The term is failure probability of in state 0 (system unavailability), when th component failure probability is set to 1 instead of . While is system unavailability based on the demand failures of all components , and it is estimated by inserting in conditional probability table of BN model.

RAW helps to identify the most crucial and critical components or failure modes, which are significant with respect to risk.

#### 7. Risk Reduction Worth (RRW)

Risk reduction worth is an indicator showing the extent by which risk will decrease, if the component or basic event never fails. The higher the RRW measure is, the more sensitive the component to risk would be. It is calculated by taking the ratio of system basic unavailability to the system unavailability with granted success of that component as follows: where (channel index) varies from 1 to 4 and (component index) varies from 1 to 10. The term is unavailability of in state 0, when th component failure probability is set to 0 . While is system unavailability estimated using the demand failures of all components in BN model.

RRW identifies the critical components or failure modes, which can be focused for modification and upgrade because system reliability would increase if these components become more reliable.

#### 8. Results and Discussion

Probabilistic availability analysis of RPS I&C architecture has been performed using Bayesian network. I&C architecture for RPS, consisting of 4 channels, has been proposed for research reactor and its Bayesian network model has been constructed for reliability analysis. BN result for reactor trip () states turned out to be 6.1276E-05 and 9.9994E-01 for failure (0) and perfect (1) states, respectively, as shown in Table 4. The unavailability of reactor trip is of an interest parameter and will be used for importance analysis; it will be denoted by .

To perform importance analysis, the failure probability was set to 1 for each component and or was determined using BN model. The detailed results for each component in terms of are given in Table 5. RAW for th component using the results of Tables 4 and 5 can be determined by the relation given by the following equation: Similarly, the failure probability was set to 0 for each component and or was determined using BN model. These results are given in Table 6 and are used for calculation of RRW as follows RAW and RRW results in Tables 5 and 6 show that these measures vary with respect to component but some of the components have equal importance. The variation and comparison of RAW measure of each component with respect to ASME criteria can be observed in Figure 7. This figure shows that four components which are bi-stable processor (BP), sensor (TR), circuit breaker (TCB), and pressure transmitter (PT) are highly sensitive to risk whereas two components coincidence processor (CP) and digital output (DO) are comparatively less sensitive to overall failure, as they lie very near to the criteria.

The rest of RAW measures are below the red line, showing less importance. RAW of TCB gives indication that risk will increase by more than 120 times, if it fails, while the failure of BP, TR, and PT will lead the risk to increase by 60-fold, approximately.

On the other hand, Figure 8 shows the importance of components in terms of RRW. TCB, CRDM, TR, and BP came out to be very sensitive components according to RRW analysis. The criteria of RRW are logical and related with Fussell-Vesely (FV) importance, as given by (14) [22]. If RRW of component is less than or equal to 1.005, this component will either have no impact or very low effect. It shows that system has same unavailability whether the component has failure or granted success. We have The components which were identified less sensitive to risk by RAW measure are ruled out by RRW impact. For instance, CP and DO were highlighted as sensitive components by RAW factor at lower bound but these have no or less impact based on RRW analysis, because their RRW values are 1.

Conclusively, one of the following criteria can be applied for selection of components with respect to importance measures.(a)Components which are highlighted as sensitive by both parameters are really important and would be considered during design of architecture.(b)Alternatively, the highlighted components can be categorized as less sensitive, medium sensitive, and high sensitive components in the architecture and they can be focused accordingly based on need, reliability, and cost.

TCB, BP, and TR are the components, which are highlighted by both importance measures. These components must be targeted during the design of architecture to enhance reliability or redundancy and reduce risk. The availability of TCB should be increased to reduce risk by 120-fold.

#### 9. Summary and Conclusions

Bayesian networks were applied to perform the unavailability and sensitivity analysis of RPS I&C architecture.

It is the first time to perform such a study, in which it is attempted to find the component and module based sensitivity study that will give a direct impact of components in terms of RRW and RAW on the system unavailability. The results of this study would be applied to architecture redesign to achieve aforementioned goals of the project.

BN was preferred to be used for importance analysis over conventional methods and tools, because it can give more reliable results with less effort of modeling compared to fault tree analysis. Fault tree is used to get detail of failure modes, which happens in the format of cut sets. Truncation of cut sets introduces the approximation in the final results. Moreover importance analysis using cut sets becomes complicated because one basic event may belong to many cut sets and it is always probable to miss some of the cut sets. Contrary to FT, BN model can be used easily for sensitivity studies with certain failures and successes, as discussed in Section 5.

As per objectives of the study, circuit breaker failure (TCB), bi-stable processor (BP), sensor transmitter (TR), and pressure transmitter (PT) turned out to be highly sensitive components according to risk achievement worth. This importance index for these components shows that risk will increase by a factor of 122.18 if TCB fails completely and increment would be almost more than 60-fold if anyone of BP, TR, or PT fails. RRW also highlighted that some of the components such as TCB, BP, and TR are sensitive in the way that risk will decrease by 1.43 times if TCB never fails and reduction would happen by 1.03 or 1.04 times if BP or TR remain available all the time.

It is concluded that components which are highlighted sensitive by both parameters RAW, and RRW, are really important and should be considered during design of architecture. This insight would be used to design an optimized architecture for research reactors, which will give desire availability and save cost. The study would be extended for reactor control and monitoring I&C systems in the future.

#### Acknowledgment

This work was supported by Advanced Research Center for Nuclear Excellence (ARCNEX) program funded by the Ministry of Education, Science and Technology of the Republic of Korea (Grant no.: 2011-0031773).