DEVELOPMENT OF A METHOD FOR THE ASSESSMENT OF MODERN I&C SYSTEM ARCHITECTURES WITH REGARD TO
2. ANALYSIS 1. Model systems
For the development and validation of the method for the sensitivity analysis, a number of model systems with increasing complexity are used. All model systems are essentially composed of three different types of units:
acquisition units (AUs), processing units (PUs), and voting units (VUs) (Fig. 1 - Fig. 2).
The AUs receive analogue input signals from the transducers (e.g. pressure measurements - “P”), which are monitoring the relevant process parameters for the I&C function. The AUs digitize and subsequently transmit these values via the communication network to the processing units (PUs) as data telegrams. The transmitted signal is marked with a flag. If a signal is detected as faulty, the flag is set to “1” (self-signaling failure (“SF”)).
If the flag is set to “0”, it can be either a true signal (“OK”) or a non-self-signaling failure (“NSF”).
Inside the PUs the valid signals (flag “0”) coming from the AUs are sorted in ascending order and the second maximum is selected from them. If some input signals have self-signaling failures (flag “1”), the second maximum is chosen only from the remaining valid signals (flag “0”). If all but one signal coming from the AUs are flagged with “1”, the remaining input signal is used directly as “second” maximum. The second maximum is then compared with a limit value and, if necessary, a binary control signal is generated and forwarded to the VUs.
Again, the detected failures of the PUs or of the communication network between the PUs and the voting units (VUs) are marked with a flag “1” and are therefore recognized as invalid signals.
C. MUELLER et al.
49 In the VUs, the binary signals from the PUs are evaluated by means of an n-out-of-m voting and, if necessary, a control signal for a component (e.g. motor – “M”) is formed. If only one or two valid inputs are available, the VUs internally switch to a 1-out-of-2 voting so that a single valid signal is sufficient to form a trigger signal. The output signals of the VUs to the analog logic (AL) do not contain error detection information, but self-signaling failures are reported and can be repaired if necessary.
The AL again performs an n-out-of-m voting (as there may be several VUs in an individual model system) and then passes the control signal to the component.
In addition, the following assumptions are made:
— The communication between units is carried out via networks. It is assumed that all hardware failures in the communication networks are always detected and they are therefore always self-signaling. For this reason, the failure rates of the communication paths (for example, between AUs and PUs) are taken into account directly in the failure rates of the corresponding signal-sending components (for example, self-signaling failures of AUs).
— Non self-signaling failed AUs output the minimum possible value.
— Non self-signaling failed PUs output a logical “0”.
— Failed VUs output a logical “0”.
— The software of the AUs, PUs, and VUs is not modeled explicitly so far and the considered failure rates were determined initially only by the possible hardware failures [4].
— Measuring devices, power supplies and interfaces of the I&C system are not explicitly taken into account in the models.
The simplest model system (A222, Fig. 1) consists of two VUs, two PUs and two AUs. The next more complex model systems are A333 (three VUs, three PUs and three AUs, Fig. 3) and A133 (one VU, three PUs and three AUs, Fig. 1). The model system A133B133 (Fig. 4) is composed of two systems, one of the type A133 and one of the type B133. In this case, a distinction is made between diverse sub-systems (A≠B) and non-diverse sub-systems (A=B).
FIG. 1. Model system A222.
C. MUELLER et al.
50
FIG. 2. Model system A333.
FIG. 3. Model system A133.
C. MUELLER et al.
51 FIG. 4. Model system A133B133. The sub-systems can be either diverse (A≠B) or not (A=B).
The system A2MC(1)33 (Fig. 5) consists of two VUs (each with a single master-checker sub-unit), three PUs and three AUs and the system A2MC(2)44 (Fig. 6) consists of two VUs (each with two master-checker sub-units), four PUs and four AUs.
FIG. 5. Model system A2MC(1)33.
C. MUELLER et al.
52
FIG. 6. Model system A2MC(2)44.
For the analysis of the model systems a mission time of one year was chosen and the failure rates for the respective components (AUs, PUs, VUs, Table 1) within all models were determined from the model described in [4] using RiskSpectrum PSA [5]. It was assumed that self-signaling failures are repaired within eight hours and that non-self-signaling failures are detected in weekly rotating inservice inspections of the redundancies (the AL being respectively assigned to the redundancy 1 in all model systems) and then repaired within eight hours, too.
In addition, it was assumed that 2.5 % of the non self-signaling failures of a component type (e.g. AUs) and further 2.5 % of non self-signaling failures of all components of a sub-system (a diversity, e.g. “A”) are CCFs (which are detected by the inservice inspections in any redundancy).
TABLE 1. FAILURE RATES (FR) OF COMPONENTS
Failure Rate Remarks
FR AL NSF 1E-10 h-1
FR AU SF 2,09832E-05 h-1 including communication with PUs
FR AU NSF 8,26472E-08 h-1
FR PU SF 1,57295E-05 h-1 including communication with VUs
FR PU NSF 8,26472E-08 h-1
FR VU SF 6,97175E-06 h-1
FR VU NSF 8,26472E-08 h-1
FR AU CCF 2,17493E-9 h-1 CCF of all AUs
FR PU CCF 2,17493E-9 h-1 CCF of all PUs
FR VU CCF 2,17493E-9 h-1 CCF of all VUs
FR ALL CCF 2,17493E-9 h-1 CCF of all components of A
For the VUs of the two model systems A2MC(1)33 and A2MC(2)44, different failure rates apply due to their modified internal structure (see Fig. 5 and Fig. 6). These failure rates were determined in an adapted version of the model described in [4]. In particular, the master-checker-configuration causes all single failures of the VUs to be self-signaling (SF), but all other failure rates remain the same (Table 2).
C. MUELLER et al.
53 TABLE 2. FAILURE RATES (FR) OF COMPONENTS (VU-SUB-UNITS WITH MASTER-CHECKER-CONFIGURATION)
Failure Rate Remarks
FR AL NSF 1E-10 h-1
FR AU SF 2,09832E-05 h-1 including communication with PUs
FR AU NSF 8,26472E-08 h-1
FR PU SF 1,57295E-05 h-1 including communication with VUs
FR PU NSF 8,26472E-08 h-1
FR VU SF 1,0288E-05 h-1 no NSF due to Master-Checker
FR AU CCF 2,17493E-09 h-1 CCF of all AUs
FR PU CCF 2,17493E-09 h-1 CCF of all PUs
FR VU CCF 2,17493E-09 h-1 CCF of all VUs
FR ALL CCF 2,17493E-09 h-1 CCF of all components of A
2.2. FMEA
First of all, an FMEA was carried out for all model systems. Since each signal from each unit of a level (e.g. all AUs) is transmitted to each unit of the subsequent level (e.g. to all PUs, see Fig. 1 – Fig. 6) within all model systems, the results of the FMEA can be presented in separate tables for each level. Tables 3-6 show this representatively for the model system A133.
TABLE 3. OUTPUT SIGNALS OF AL OF THE MODEL SYSTEM A133 AL (1oo1)
Output, Quality 1, OK
0, NSF
The analog logic (AL) is not part of the digital I&C system, therefore failures can only be non-self-signaling (Table 3). The output of the AL also depends on the input signals coming from the voting unit VU1.A, e.g. a non-self-signaling failure (NSF) of the VU1.A leads to a NSF of the output of the AL (Table 4).
TABLE 4. OUTPUT SIGNALS OF VU1.A OF THE MODEL SYSTEM A133
VU1.A AL (1oo1)
Output, Quality Flag Output, Quality
1, OK 0 1, OK
0, SF 1 0, SF*)
0, NSF 0 0, NSF
*) the transferred signal to the AL does not contain error detection information, but self-signaling failures of VU1.A are reported and can be repaired.
This scheme can be transferred analogously to the other components. For example, line 1 of Table 5 can be read as following: If the output signals of the three PUs (PUx.A, x = 1, 2, 3) are correct and valid (“1, OK”), the VU1.A has three valid inputs (“1; 1; 1”, flag “0”). Therefore the 2-out-of-3 voting (“2oo3”) leads to a correct output of the VU1.A (“1, OK”) if the VU has not failed itself.
C. MUELLER et al.
54
TABLE 5. OUTPUT SIGNALS OF PUX.A OF THE MODEL SYSTEM A133
PU1.A PU2.A PU3.A VU1.A
„~“ - any signal (self-signaling failed signals (SF) are not used any further)
Finally, Table 6 shows how the combinations of the output signals of the AUs affect the output signals of the PUs. Again, the first line is used to illustrate how this table can be read: If the output signals of all three AUs are correct and higher than the observed limit inside the PUs (“> limit, OK”) there are three valid (flag “0”) inputs into the PUs (“> limit; > limit; > limit”). So the 2nd maximum is above the limit and the PUs output correctly a logical “1” (“1, OK”).
TABLE 6. OUTPUT SIGNALS OF AUX.A OF THE MODEL SYSTEM A133
AU1.A AU2.A AU3.A PUx.A (x = 1, 2, 3)
C. MUELLER et al.
55
AU1.A AU2.A AU3.A PUx.A (x = 1, 2, 3)
Output, Quality
Flag Output, Quality
Flag Output, Quality
Flag Inputs 2nd Max (Flag 0)
2nd Max Output, Quality
~, SF 1 > limit, OK 0 ~, SF 1 > limit Max 1, OK
> limit, OK 0 ~, SF 1 ~, SF 1 > limit Max 1, OK
~, SF 1 < limit, NSF 0 > limit, OK 0 < limit; > limit 2nd Max 0, NSF
~, SF 1 > limit, OK 0 < limit, NSF 0 > limit; < limit 2nd Max 0, NSF
< limit, NSF 0 ~, SF 1 > limit, OK 0 < limit; > limit 2nd Max 0, NSF
> limit, OK 0 ~, SF 1 < limit, NSF 0 > limit; < limit 2nd Max 0, NSF
< limit, NSF 0 > limit, OK 0 ~, SF 1 < limit; > limit 2nd Max 0, NSF
> limit, OK 0 < limit, NSF 0 ~, SF 1 > limit; < limit 2nd Max 0, NSF
< limit, NSF 0 < limit, NSF 0 > limit, OK 0 < limit; < limit; > limit 2nd Max 0, NSF
< limit, NSF 0 > limit, OK 0 < limit, NSF 0 < limit; > limit; < limit 2nd Max 0, NSF
> limit, OK 0 < limit, NSF 0 < limit, NSF 0 > limit; < limit; < limit 2nd Max 0, NSF
< limit, NSF 0 < limit, NSF 0 ~, SF 1 < limit; < limit 2nd Max 0, NSF
< limit, NSF 0 ~, SF 1 < limit, NSF 0 < limit; < limit 2nd Max 0, NSF
~, SF 1 < limit, NSF 0 < limit, NSF 0 < limit; < limit 2nd Max 0, NSF
< limit, NSF 0 < limit, NSF 0 < limit, NSF 0 < limit; < limit; < limit 2nd Max 0, NSF
~, SF 1 ~, SF 1 < limit, NSF 0 < limit Max 0, NSF
~, SF 1 < limit, NSF 0 ~, SF 1 < limit Max 0, NSF
< limit, NSF 0 ~, SF 1 ~, SF 1 < limit Max 0, NSF
~, SF 1 ~, SF 1 ~, SF 1 ~ ~ 0, SF
2.3. FTA
The results of the FMEAs can be directly translated into fault trees. The figures 7 to 12 show the entire fault trees created with RiskSpectrum PSA for the model system A133 based on the FMEA results in the tables 3 to 6.
FIG. 7. Top-event in the fault tree for the model system A133: motor does not start on demand.
FIG. 8. Failures of VU1.A output signals in the fault tree for the model system A133.
C. MUELLER et al.
56
FIG. 9. Failures of PUs output signals in the fault tree for the model system A133.
FIG. 10. Failures of AUs output signals in the fault tree for the model system A133.
C. MUELLER et al.
57 FIG.11. Failures of AUs output signals in the fault tree for the model system A133 (continued).
FIG.12. AU3.A is “OK” if it has no self-signaling failure and no non-self-signaling failure (“NOR”).
2.4. Pseudo semi-Markov process
At present, the analyses are extended using semi-Markov processes. Semi-Markov processes describe the model systems by means of (time-dependent) transition graphs, which elements represent the overall state of the system and are connected with transition arrows with certain transitional probabilities. The work on this is ongoing.
2.5. Preliminary Results
Table 7 lists the probabilities of failures on demand for all model systems obtained by fault tree analyses.
Since, for example, software failures have not yet been explicitly taken into account so far, the values given are not regarded as absolute probabilities. However, since the same characteristics were used for all model systems, the results are well comparable.
The model systems A222 and A133 have a comparatively low reliability. In case of A222, this is obviously a consequence of the relatively low degree of redundancy and in case of A133, this results from the use of only one single VU.
At a certain degree of redundancy, more redundant components do not lead to significantly higher reliability. Thus the failure probabilities of the more complex model systems A2MC(1)33 and A2MC(2)44 (with very high degrees of redundancy) lie in the same range as the failure probabilities of the model systems A333 and A133B133 (A=B). All are in the order of 3E-06.
A significant increase in reliability can only be achieved by the use of diverse sub-systems. For example, the failure probability of the model system A133B133 (A≠B) is about two orders of magnitude less than the failure probability for the model system A133B133 (A=B).
C. MUELLER et al.
58
TABLE 7. TOP-EVENT (FAILURE ON DEMAND) PROBABILITIES FOR THE MODEL SYSTEMS Model System Probability
A222 1,151E-04
A333 3,206E-06
A133 1,429E-04
A133B133 (A=B) 3,040E-06 A133B133 (A≠B) 5,483E-08
A2MC(1)33 3,154E-06
A2MC(2)44 3,020E-06
3. CONCLUSIONS
At present a method for the sensitivity analysis of failure effects on digital I&C systems is being developed at GRS. Therefore, a combination of failure mode and effect analyses (FMEA) and fault tree analyses (FTA) has already been applied to a series of model systems.
Although the project has not yet been finalized, the influence of diversity can already be compared with the effect of a mere increase in redundancy. Especially due to the influence of common cause failures (CCF) on the reliability of I&C systems, a significant increase of the reliability can only be achieved by adding diversity from a certain degree of redundancy.
The next step will be to combine the FTA with semi-Markov processes and the application of the complete methodology on all model systems. Through the variation of different I&C architectures and parameters, the influence of these architectures and parameters on the reliability of the I&C systems will be determined.
In conclusion, it can be noted that the developed methodology for the sensitivity analysis presented in this paper can support the verification and validation of digital I&C systems regarding potential safety deficiencies in design and operation even at an early stage.
ACKNOWLEDGEMENTS
The authors want to acknowledge the support provided by the German Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety for funding the GRS development of the methodological approach to the sensitivity analysis of failure effects in modern digital I&C systems in the frame of the R&D project 3615R01343.
REFERENCES
[1] INTERNATIONAL ELECTRONICAL COMMISSION, Analysis Techniques for System Reliability - Procedure for Failure Mode and Effects Analysis (FMEA), IEC 60812:2006, Switzerland (2006).
[2] NUCLEAR REGULATORY COMMISSION, Fault Tree Handbook, NUREG-0492, Washington, DC (1981).
[3] ROEWEKAMP, M., et al., Development and Test Application of Methods and Tools for Probabilistic Safety Analyses, Gesellschaft fuer Anlagen- und Reaktorsicherheit (GRS) gGmbH, GRS-A-3558, Cologne (2010).
[4] PILJUGIN, E., et al., Anpassung und Erprobung von Methoden zur probabilistischen Bewertung digitaler Leittechnik, Gesellschaft fuer Anlagen- und Reaktorsicherheit (GRS) gGmbH, GRS-A-3258, Cologne (2004).
[5] LLOYD’S REGISTER CONSULTING – ENERGY AB, RiskSpectrum PSA, Sweden, www.riskspectrum.com
I. GARCIA
59