Probabilistic risk assessment modeling of digital instrumentation and control systems using two dynamic methodologies

The Markov/cell-to-cell mapping technique (CCMT) and the dynamic flowgraph methodology (DFM) are two system logic modeling methodologies that have been proposed to address the dynamic characteristics of digital instrumentation and control (I&C) systems and provide risk-analytical capabilities that supplement those provided by traditional probabilistic risk assessment (PRA) techniques for nuclear power plants. Both methodologies utilize a discrete state, multi-valued logic representation of the digital I&C system. For probabilistic quantification purposes, both techniques require the estimation of the probabilities of basic system failure modes, including digital I&C software failure modes, that appear in the prime implicants identified as contributors to a given system event of interest. As in any other system modeling process, the accuracy and predictive value of the models produced by the two techniques, depend not only on the intrinsic features of the modeling paradigm, but also and to a considerable extent on information and knowledge available to the analyst, concerning the system behavior and operation rules under normal and off-nominal conditions, and the associated controlled/monitored process dynamics. The application of the two methodologies is illustrated using a digital feedwater control system (DFWCS) similar to that of an operating pressurized water reactor. This application was carried out to demonstrate how the use of either technique, or both, can facilitate the updating of an existing nuclear power plant PRA model following an upgrade of the instrumentation and control system from analog to digital. Because of scope limitations, the focus of the demonstration of the methodologies was intentionally limited to aspects of digital I&C system behavior for which probabilistic data was on hand or could be generated within the existing project bounds of time and resources. The data used in the probabilistic quantification portion of the process were gathered partially from fault injection experiments with the DFWCS, separately conducted under conservative assumptions, partially from operating experience, and partially from generic data bases. The purpose of the quantification portion of the process was, purely to demonstrate the PRA-updating use and application of the methodologies, without making any particular claim regarding the specific validity and predictive value of the data utilized to illustrate the quantitative risk calculations produced from the qualitative information analytically generated by the models. A comparison of the results obtained from the Markov/CCMT and DFM regarding the event sequences leading to DFWCS failure modes show qualitative and quantitative consistency for the risk scenarios and sequences under consideration. The study also shows that: (a) the risk significance of the timing of system component failures may depend on factors that include the actual variability of initiating conditions of a dynamic transient, even within the nominal control range and (b) the range of dynamic outcomes may also be dependent on the choice of the assumed basic system-component failure modes included in the models, regardless of whether some of these would or would not be considered to have direct safety implications according to the traditional safety/non-safety equipment classifications. (C) 2010 Elsevier Ltd. All rights reserved.