Abstract
This report presents probabilistic risk assessment (PRA) modelling studies of digital I&C that complement the OECD/NEA WGRISK DIGMAP project. A further goal is to prepare for the PRA modelling work in WGRISK's recently started DIGMORE project. First, the risk contribution of detected failures causing spurious off-signals is studied by extending the PRA model of a fictitious reactor protection system (RPS) developed in the DIGMAP project. Second, a fault tree model is developed for a fictitious priority unit, which is also connected to the DIGMAP model.
Detected hardware failures causing spurious off-signals for safety functions are added to the DIGMAP model; they were not included in the original study, although they had been found important in the earlier DIGREL study. In this case, the detected hardware failures matter only through spurious off-signals that cause an initiating event; they have little importance for safety function failures. The risk contribution of detected failures in digital I&C is sensitive to the detection coverage parameters and to the fail-safe behaviour, and the diversity (or lack of diversity) between subsystems also affects it.
A fault tree model is developed for a priority unit based on early design ideas from the DIGMORE project. The priority unit receives its input signals from an RPS, a back-up I&C system and an operating I&C system. The most important contributors to the analysed safety function failure are specific failures in the priority units themselves, but spurious off-signals caused by detected hardware and software failures in the RPS are also important; other contributors are almost negligible. Detected RPS failures dominate over undetected ones in this case because a detected failure alone can fail the safety function through its spurious off-signal, whereas an undetected RPS failure only "passes control" to the back-up I&C. This ranking, however, depends on the definition of the voting logic and on the priorities assigned to the signals.
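To make the argument about detected versus undetected RPS failures concrete, the following is an added illustrative model written for this page; it is not the report's fault tree or VTT code, and the abstract does not describe the real model in this detail. It assumes a toy priority unit with three inputs (RPS, back-up I&C, operating I&C), six hypothetical basic events, assumed per-demand point probabilities, and two candidate priority orderings. It enumerates minimal cut sets up to order 2 and shows that when an explicit RPS off-signal has the highest priority, a detected RPS failure (spurious off-signal) is a single-point cut set while an undetected RPS failure only defeats the function together with a back-up I&C failure; reversing the priority removes the single-point RPS cut sets entirely.

```python
"""Toy priority-unit fault model (illustrative, not the VTT report's model).

Basic events, signal semantics, probabilities and the two priority
orderings are all assumptions made for this example.
"""
from itertools import combinations

ON, OFF, NONE = "on", "off", "none"   # signal a subsystem presents to the priority unit

# Assumed basic events: (source subsystem, signal it presents on a real demand).
# A detected RPS failure drives the output to a fail-safe OFF (a spurious
# off-signal); an undetected one leaves the output silent (NONE).
BASIC_EVENTS = {
    "rps_detected_hw":     ("rps", OFF),
    "rps_detected_sw":     ("rps", OFF),
    "rps_undetected":      ("rps", NONE),
    "backup_fails":        ("backup", NONE),
    "operating_fails":     ("operating", NONE),
    "priority_unit_stuck": ("pu", OFF),       # failure inside the priority unit itself
}

# Assumed per-demand point probabilities, used only to rank the cut sets.
PROBS = {
    "rps_detected_hw": 1e-3, "rps_detected_sw": 1e-4, "rps_undetected": 1e-3,
    "backup_fails": 1e-2, "operating_fails": 1e-1, "priority_unit_stuck": 1e-5,
}

# Signals on a demand with everything healthy: RPS and back-up both ask for
# actuation, the operating I&C stays silent.
NOMINAL = {"rps": ON, "backup": ON, "operating": NONE}

# Two candidate priority definitions (first matching pair decides the output).
# 1) An explicit RPS off-signal overrides every actuation request.
PRIORITY_RPS_OFF_DOMINANT = [("rps", OFF), ("rps", ON), ("backup", ON), ("operating", ON)]
# 2) Any actuation request wins; the RPS off-signal only counts when nobody asks.
PRIORITY_ACTUATE_DOMINANT = [("rps", ON), ("backup", ON), ("operating", ON), ("rps", OFF)]


def apply_events(events):
    """Overlay a set of basic events on the nominal signals."""
    signals = dict(NOMINAL)
    pu_ok = True
    for ev in events:
        src, val = BASIC_EVENTS[ev]
        if src == "pu":
            pu_ok = False
        elif signals[src] != OFF:     # an explicit OFF is never undone by a later NONE
            signals[src] = val
    return signals, pu_ok


def priority_unit(signals, pu_ok, priority):
    """True if the safety function is actuated under the given priority order."""
    if not pu_ok:
        return False
    for src, val in priority:
        if signals[src] == val:
            return val == ON
    return False                      # nobody asserted anything: no actuation


def minimal_cut_sets(priority, max_order=2):
    """Enumerate minimal combinations of basic events that defeat actuation."""
    cuts = []
    for order in range(1, max_order + 1):
        for combo in combinations(BASIC_EVENTS, order):
            if any(c <= set(combo) for c in cuts):
                continue              # contains a smaller cut set: not minimal
            signals, pu_ok = apply_events(combo)
            if not priority_unit(signals, pu_ok, priority):
                cuts.append(frozenset(combo))
    return cuts


def rare_event_probability(cut_sets, probs=PROBS):
    """Rare-event approximation: sum of the cut-set probabilities."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for ev in cs:
            p *= probs[ev]
        total += p
    return total


def single_point_rps_failures(priority):
    """Order-1 cut sets that consist of a single RPS basic event."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(priority)
                  if len(cs) == 1 and BASIC_EVENTS[next(iter(cs))][0] == "rps")


if __name__ == "__main__":
    for name, prio in [("RPS off-signal dominant", PRIORITY_RPS_OFF_DOMINANT),
                       ("actuation dominant", PRIORITY_ACTUATE_DOMINANT)]:
        cs = minimal_cut_sets(prio)
        print(f"{name}: P(top) ~ {rare_event_probability(cs):.2e}")
        for c in sorted(cs, key=lambda c: -rare_event_probability([c])):
            print(f"  {rare_event_probability([c]):.1e}  {sorted(c)}")
```

Under the off-signal-dominant ordering the two detected RPS events and the priority-unit failure are the only single-point cut sets and carry almost all of the (assumed) top-event probability; `rps_undetected` appears only paired with `backup_fails`, which is the "passes control to the back-up I&C" behaviour in the abstract. Under the actuation-dominant ordering the detected RPS events also need the back-up to fail, and the estimated top-event probability drops by more than an order of magnitude with the same basic-event data, which is the sensitivity to the priority definition that the abstract warns about.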
| Original language | English |
|---|---|
| Publisher | VTT Technical Research Centre of Finland |
| Number of pages | 25 |
| Publication status | Published - 14 Dec 2022 |
| MoE publication type | D4 Published development or research report or study |
Publication series

| Series | VTT Research Report |
|---|---|
| Number | VTT-R-00940-22 |
Keywords
- probabilistic risk assessment
- digital I&C
- priority unit
- spurious signal