고신뢰컴퓨팅워크샵 (WDCS2013) 2013.08.19 ~ 08.21 제주도 원자력발전소 I&C 시스템을위한안전성분석기법 2013.08.2008 유준범건국대학교 http://dslab.konkuk.ac.kr 1
Contents 안전성분석 안전성분석대상 : 원자력발전소 MMIS 안전성분석기법 사고모델 Chain-of-Event Model vs. STAMP 안전성분석기법 FTA, FMEA, HAZOP vs. STPA Case Study: KNICS APR-1400 ESF-CCS 맺음말 2
안전성분석 3
Hazard Analysis ( 위험요소분석 ) Hazard Analysis 위험요소 (Hazard) 에대한다양한분석 위험요소 (Hazard) 를찾는 (Identification) 위험요소가 사고 (Accident) 의 미치는영향 (Effect) 을분석하는 원인 (Cause) 을찾는 (Identification) 기법 (Techniques) 고장 (Failure) 의 영향을분석및예측하는 4
안전성분석 (Safety Analysis) Safety Analysis 안전성 (Safety) 에대한다양한분석 대상? : 안전성이중요한시스템 안전최우선시스템 (Safety-Critical System) 안전최우선시스템의안전성에대한다양한분석 5
안전성분석의例 동아일보 조종사실수 한국문화의특징 착륙사고의원인은? 외부의방해 ( 섬광등 ) 공항의구조적문제 기타 기체결함 관제탑실수 공항안전장비의유지보수 6
Safety Analysis Hazard Analysis Hazard Analysis 가 Safety Analysis 의많은부분을차지하지만, 전체는아니다! 7
일반적으로, Safety Analysis Hazard Analysis 정확하게는, Safety Analysis Hazard Analysis 8
안전성분석프로세스 분석결과대응서 분석대상확정및정보준비 개발팀 안전성분석요청 안전과관련된심도깊은분석 ( 사고가능성, 안전속성등 ) + 개발팀의추가대응 ( 심사숙고 ) 분석결과보고서 안전성분석수행 분석팀 9
안전성분석의특징 1 안전성분석전문가의경험과능력에전적으로의존한다. 2 안전성분석기법은전문가의체계적인분석을돕는도구이다. 3 분석대상과목적에따라적절한분석기법을선택해야한다. 10
11
안전성분석대상 : 원자력발전소 MMIS 12
원자력발전소구조 안전성분석대상 1 차계통 ( 방사선과직접관련된계통 ) 2 차계통 ( 방사선과관련없는계통 ) 13
MMIS (Man-Machine Interface System) 원자력발전소의감시, 운전, 제어및 1 차적안전을담당하는두뇌와신경망 MMIS = I&C + MMI + HFE Instrumentation & Control (I&C: 계측제어시스템 ) Man-Machine Machine Interface (MMI: 주제어실 ) Human Factors Engineering (HFE: 인간공학 ) MMIS 주제어실전경 14
KNICS I&C 15
원자력발전소안전계통 안전계통 과기부고시 2002-21 호및 ANSI/ANS 51.1 에의거하여다음에해당되는계통 안전등급 3 이상 전기등급 1E 품질등급 Q 전기등급 1E : 원자로비상정지, 원자로건물격리, 노심냉각및원자로건물과원자로열제거에필수적인전기기기및계통과외부환경으로의방사성물질의대량방출을방지하는데필수적인전기기기및계통품질등급 Q : 모든전기등급 1E는 Q 등급 소프트웨어 (KOPEC 기준 ) Safety Critical (Protection) 등급 Important to Safety 등급 소프트웨어 (IEEE Std. 1012 기준 ) SW Level 4 16
원자력발전소안전필수시스템 다음의세가지조건을동시에만족하는시스템 1. 1차계통 2. SW Level 4 (IEEE Std. 1012) 3. SC (Safety-Critical) level (1) RPS (2) ESF-CCS (3) CPCS 17
RPS (Reactor Protection System) 원자로보호계통 (RPS) 목적 : 원자로운전제한치초과방지 기능 : 원자로를신속하고확실하게정지 다수의 PLC(Programmable Logic Controller) 로구현 안전등급으로인증된기기사용 IEEE 603 의요건을만족하는설계구현 IEEE 7-4.3.2의요건을만족하는하드웨어및소프트웨어개발 PLCs in cabinets (RPS) Channel Layout of KNICS RPS 18
ESF-CCS (Engineering Safety Factors Component Control System) 공학적안전설비작동계통 (ESF-CCS) 목적 : 설계기준사고時, 사고결과를허용치이내로유지 기능 : 주요감시변수들이설정치에도달하면작동신호발생 SIAS, CIAS, MSIS, CSAS, AFAS, CREVAS, FHEVAS, CPIAS PLCs in cabinets (ESF-CCS) Ref [1] 19
CPCS (Core Protection Calculator System) 원자로보호계통의일부 CPC 에서핵비등이탈율, 국부출력밀도계산 저-핵비등이탈율, 고-국부출력밀도발생時, DNBR/LPD 계산없이, 원자로트립신호를발전소보호계통으로전송 (2/4논리사용 ) PLCs in cabinets (CPCS) - Westinghouse 20
MMIS SW 등급 분류 ITA ITS General ITS Safety Critical 안전성 분석 대상 21
22
안전성분석기법 23
사고모델 (Accident Models) Traditional model Chain-of-Event 모델 vs. New model STAMP 24
CHAIN-OF-EVENT MODEL & TRADITIONAL HAZARD ANALYSIS 25
Chain-of-Event 모델 연속적인이벤트 (chains of events) 로인과관계를구성한다. 이이벤트의체인을끊을수있다면, 사고를막을수있다. 사고 (Accident) 를방지하기위해서는특정원인이벤트를제거한다. 또는 이벤트체인의중간을끊는다. 26
Ref [2] 27
Chain-of-Event 모델의기본가정 사고는컴포넌트의고장으로인해발생한다. Therefore, safety is increased by reducing component failures (i.e., increasing reliability). If components don t fail, accidents will not occur. 사고는고장이벤트의연속적인체인으로인해발생한다. We can understand accidents and assess risk by looking only at the direct relationships between the events leading to the loss. 대부분의사고는운영자의실수에의해발생한다. Better training, rewarding good behavior and punishing bad behavior will eliminate accidents or reduce them significantly. 이벤트체인에기반한확률적위험분석 (Probabilistic risk analysis) 이안전성을분석 (communicate) 하고평가 (assess) 하기위한가장좋은방법이다. 대부분의사고는랜덤한이벤트들이동시에발생함에기인한다. Assigning 질책 is necessary to learn from and prevent accidents or incidents. 주된원인 (Root Cause) 을찾을수있다면, 미래의사고를예방할수있다. 28
Chain-of-Event 모델기반안전성분석기법들 매우오래됨 (30년이상 ) 대부분시스템을대상으로 다양한적용단계 다양한장단점및특징 Ref [3] 29
Fault Tree Analysis (FTA) 고장또는사고 결과 다양한논리게이트 원인들 사고의원인들 Ref [3] 30
Failure Mode and Effect Analysis (FMEA) 원인 Ref [3] 고장모드 사고의영향 결과들 효과 원인 31
HAZard and OPerability (HAZOP) Guide Word Ref [3] 사고의영향 고장위험 (Hazard) 결과들 효과 원인들 32
Hazard Analysis 의적용사례 (KNICS 사업 ) 33
Chain-of-Events 모델의한계점 Claimed by Prof. N. Leverson, MIT 원인관계 (Causality) 를너무간단하게생각한다. Chain-of-Event 모델은아래의사항들을다루지않는다. Component interaction accidents (vs. component failure accidents) Indirect or non-linear interactions and complexity Systemic factors in accidents Human errors System design errors (including software errors) Adaptation and migration toward states of increasing risk 34
STAMP & STPA 35
STAMP (System-Theoretic Accident Model and Processes) Systems theory 에기반하여, (not reliability theory) 사고를 dynamic control problem (vs. a failure problem) 관점에서접근한다. STAMP 는다음을포함한다. Entire socio-technical system (not just technical part) Component interaction accidents Software and system design errors Human errors 36
Safety As A Control Problem Safety is an emergent property that arises when system components interact with each other within a larger environment A set of constraints related to behavior of system components (physical, human, social) enforces that property Accidents occur when interactions violate those constraints (i.e., a lack of appropriate constraints on the interactions) Goal is to control the behavior of the components and systems as a whole to ensure that safety constraints are enforced in the operating system. 37
STAMP Treat safety as a dynamic control problem rather than a component failure problem Events are the result of inadequate control Result from lack of enforcement of safety constraints in system design and operations 38
Safety Control Structure 의예 Ref [4] 39
An Accident Occurs When A. when models do not match actual processes or / and B. Control actions have problems such as 1. Required control commands are not given 2. Incorrect (unsafe) ones are given 3. Correct commands given at wrong time (too early, too late) 4. Control action stops too soon or applied too long 40
STPA (System Theoretic Process Analysis) STAMP accident model 에기반한 safety analysis 기법 1. Identify a hazard 2. Construct a control structure for the hazard 4. Identify causes of unsafe control actions 3. Identify unsafe control actions 41
Main Step 1 : Identify Unsafe Control Actions 1. A required control action is not provided or not followed 2. An incorrect or unsafe control action is provided Control Action 1. Not given or not followed 2. Given incorrectly 3. Wrong timing or order 4. Stopped too soon 3. A potentially safe control action is provided too early or too late, that is, at the wrong time or in the wrong sequence 4. A correct control action is stopped too soon 42
Main Step 2 : Identify Causes of Unsafe Control Actions A. 각 Controller 에대한 Model of Process 를만든다. 43
Main Step 2 : Identify Causes of Unsafe Control Actions B. 각 unsafe control action 이 hazard 의원인이될수있는지잘살펴본다. Ref [4] 44
Main Step 2 : Identify Causes of Unsafe Control Actions C. Consider how the designed controls could degrade over time and build in protection, including a. Management of change procedure b. Performance audit c. Accident and incident analysis 45
46
CASE STUDY: KNICS APR-1400 ESF-CCS 47
ESF-CCS (Engineered Safety Features - Component Control System) PPS 와 RMS 로부터개시되는 8 개의기능으로구성 - SIAS, CIAS, MSIS, CSAS, AFAS, CREVAS, FHEVAS, CPIAS) ESF-CCS PPS : Plant Protection System RMS : Radiation Monitoring System Ref [1] 48
Control Structure (High-Level) Operator 압력조절 MCR/RSR Manual Trip? (to PPS) 수동 ESF 개시신호 IPS ESF 신호 ESF-CCS ESF 개시신호 PPS/RMS Information ESF- Actuation Field System SIAS state Sensors Coolant Reactor Temperature, pressure 49
Control Structure (Low-Level) Operator MCR/RSR IPS CREVAS 의동작 ESF-CCS Manual ESF Initiation GC OR Trip State Signals Diverse Manual LC CIM COM ESF initiation Set(on) / Reset(off) PPS/RMS Reactor info. ESF Actuation Filed System SIAS, CSAS의동작 Release coolant / Block coolant ( 냉각수공급 (C B ): a boric acid solution) ESF state Reactor Sensors (temperature, pressure, etc.) Reactor s state 50
Control Structure (Final Version) Operator Manual Control Reactor, ESF status CREVAS Operation Manual lcontrol lsignals MCR/RSR IPS MCR: Main Control Room RSR: Remote Shutdown Room IPS: Information Processing System PPS: Plant Protection System RMS: Radiation Management System Set (on)/ Reset(off) ESF-CCS ESF Actuation ti Filed ESF initiationiti System PPS/RMS SIAS valves CSAS valves CREVAS valves ESF state Reactor info. SIAS, CSAS Operation Reactor Sensors (temperature, pressure, etc.) 원자로 격납용기 Reactor s state 51
SIAS 에대한 STPA 52
Hazards Identification Accident 노심손상사고 Safety Constraints t 4 가지사고時, SIS 가반드시동작해야한다. Hazards SIS 가동작해야하는상황에서 SIS 가동작하지않는다. Functional Requirements 원자로냉각재상실사고 (LOCA) 時,SIS 작동이차측열제거원 ( 급수 ) 상실 (2ry Heat Sink Loss) 時,SIS 작동증기관또는급수관파열時,SIS 작동제어봉집합체인출사고 (Rod Ejection Accident) 時,SIS 작동 SIS : Safety Injection System 53
Control Structure Manual Control Signal ESF state ESF-CCS SIAS Initiation PPS SIAS On/ Off ESF Actuation Field System ESF state Sensors (temperature, pressure, etc.) Reactor info. Release coolant / Block coolant Reactor Reactor s state PPS 에서취득되는안전주입작동변수에의한안전주입작동개시신호발생및안전주입작동신호발생 54
STPA Step 1: Identify Unsafe Control Actions Control Action A control action required for safety is not provided or is not followed An unsafe control action is provided that leads to a hazard A potentially safe control action is provided too late, too early, or out of sequence LOCA 관련 A safe control action is stopped too soon LOCA 시 SIAS On 이 ESF 로전송되지않음 (a1) LOCA 가발생시 SIASOff 가전송됨 (b1) LOCA 발생전 / 후에 SIAS On 이전송됨 SIAS On (From ESF-CCS to ESF-AFS) 이차측열제거원상실시 SIAS On이 ESF로전송되지않음 (a2) 증기관또는급수관파열시 SIAS On 이 ESF 로전송되지않음 (a3) 제어봉집합체인출시 SIAS On 이 ESF로전송되지않음 (a4) 이차측열제거원이상실시 SIAS Off가전송됨 (b2) 증기관또는급수관이파열시 SIAS Off 가전송됨 (b3) 제어봉집합체인출시 SIAS Off 가전송됨 (b4) 이차측열제거원상실전 / 후에 SI On이전송됨 증기관또는급수관파열전 / 후에 SIAS On 이전송됨 제어봉집합체인출사고전 / 후에 SIAS On이전송됨 냉각수가충분히공급되지않았는데 SIAS On 이멈춤 Manual SIAS 발생시 SIAS On 이 ESF 로전송되지않음 (a5) Manual SIAS 발생시 SIAS Off 가전송됨 (b5) Manual SIAS 발생전 / 후에 SIAS On 이전송됨 LOCA발생하지않았을때SIAS On 가전송됨 SIAS Off (From ESF-CCS - to ESF-AFS) 이차측열제거원이상실되지않았을때 SIAS On 가전송됨 증기관또는급수관이파열되지않았을때 SIAS On 가전송됨 제어봉집합체가인출되지않았을때 SIAS On 가전송됨 Manual SIAS 발생되지않았는데, SIAS On이전송됨 Reactor의온도가충분히내려가지않은상황에서 SIAS Off 가전 - 송됨 55
Safety Constraints, Created Unsafe Control Action Safety Constraints 냉각재상실시 SIAS On 이 ESF 로전송되지않아노심이손상됨 냉각재상실시에는반드시 SIAS On 이전송되어야함 이차측열제거원상실시 SIAS On이 ESF로전송되지않음 이차측열제거원상실시에는반드시 SIAS On이전송되어야함 증기관또는급수관파열시 SIAS On이 ESF로전송되지않음 증기관또는급수관파열시에는반드시 SIAS On이전송되어야함 제어봉집합체인출시 SIAS On이 ESF로전송되지않음 제어봉집합체인출시에는반드시 SIAS On이전송되어야함 Manual SIAS 발생시 SIAS On이 ESF로전송되지않음 Manual SIAS 발생시 SIAS On이반드시 ESF로전송되어야함 LOCA발생시 SIAS Off 신호가전송됨 LOCA시 SIAS Off가전송되면안됨 이차측열제거원상실시 SIAS Off가전송됨 이차측열제거원상실시 SIAS Off가전송되면안됨 증기관또는급수관파열시 SIAS Off 가전송됨 증기관또는급수관파열시 SIAS Off 가전송되면안됨 제어봉집합체인출시 SIAS Off가전송됨 제어봉집합체인출시 SIAS Off가전송되면안됨 Manual SIAS 발생시 SIAS Off가전송됨 Manual SIAS 발생시 SIAS Off가전송되면안됨 LOCA 발생전 / 후에 SI On 이됨 LOCA 발생즉시 SI On 이되어야함 이차측열제거원상실시발생전 / 후에 SI On이전송됨 이차측열제거원발생즉시 SI On이되어야함 증기관또는급수관파열시발생전 / 후에 SIAS On이전송됨 증기관또는급수관파열발생즉시 SI On이되어야함 제어봉집합체인출시발생전 / 후에 SIAS On이전송됨 제어봉집합체인출발생즉시 SI On이되어야함 Manual SIAS 발생전 / 후에 SIAS On이전송됨 Manual SIAS 발생즉시 SIAS On이전송되어야함 냉각재가충분히제공되지않은시점에서 SIAS Off가전송됨 냉각재가충분히제공될때까지 SIAS Off가전송되어서는안됨 56
STPA Step 2: Identify Causal Factors Manual SIAS ESF state SIAS On SIAS Off Inappropriate, ineffective or missing control action Controller & process model (ESF-CCS) a. Causal Factors Process Model ESF state - 냉각수공급상태 Reactor state - 냉각제, 이차측열제거원, 증기관 / 급수관, 제어봉집합체상태 SIAS Initiation Inadequate or missing signals feedback signals ( 기본적인 Control Structure) PPS Inadequate or missing feedback Reactor s state info feedback delays Actuator (ESF Actuation Filed System) Inadequate or missing feedback feedback delays Sensor(Sensors) Delayed operation Release coolant/ Block coolant ( 냉각수공급 (C B ): a boric acid solution) Reactor Inadequate or missing feedback feedback delay Sensing 57
(a1) LOCA 시 SIAS On 이 ESF로전송되지않음 Manual SIAS ESF state SIAS On SIAS On 이전송되었지만 Actuator 에서받을수없음 Controller & process model (ESF-CCS) a. 2/4 논리수행이정상적으로이루어 SIAS Initiation PPS 지지않음 b. 개별기기제어논리가정상적으로수행되지않음 c. Manual SIAS 와의 OR 연산오류 안전주입개시신호전송되지않음 안전주입작동변수취득실패 안전주입개시신호가전송되었지만 ESF-CCS에서받을수없음 Reactor s state info LOCA 감지신호를전송하지않음 ESF-AFS failure Control action에영향을주는 Feedback인가? 어쩌면 LOCA 가발생장소가 ESF-AFS 일수도.. Sensor failure 냉각수공급이지연됨 Release coolant/ Block coolant ( 냉각수공급 (C B ): a boric acid solution) Reactor LOCA 발생 LOCA 발생을감지하지못함 (LOCA 발생지가 Reactor가맞는지?) Sensing 58
a2 ~ a4 도유사한분석을수행 59
Causal Factors (a1-a4) 발생위치, 신호명칭 Causal Factors 1-a4) 봉집합체인출 ) 송되지않음 (a 수관파열, 제어봉 On 이 ESF 로전송기관또는급수 OCA 시 SIAS O 제거원상실, 증기 LO ( 이차측열제 Manual SIAS (To ESF-CCS) 들어온다고해서위험상황이발생하지않음 2/4논리수행이정상적으로이루어지지않음 ESF-CCS 개별기기제어논리가정상적으로수행되지않음 Manual SIAS와의 OR연산오류 SIAS On(ESF-CCS to ESF-AFS) SIAS On 신호가전송되지않음 ESF-AFS ESF-AFS (Valves open) 가정상동작하지않음 Release Coolant (ESF-AFS to Reactor) 냉각수공급이지연됨 Reactor - Sensing (Reactor to Sensor) LOCA가발생했지만전송되지않음 Sensor LOCA 발생을감지하지못함 LOCA 감지신호를전송하지않음 Reactor s state (Sensor to PPS) LOCA 감지신호전송이지연됨 PPS 안전주입작동변수취득을하지못함안전주입개시신호가전송되지않음 SIAS Initiation (PPS to ESF-CCS) 안전주입개시신호가전송되었지만 ESF-CCS에서받을수없음 60
61
맺음말 62
Hazard Analysis 위험요소 (Hazard) 에대한다양한분석 Safety Analysis 안전성에대한다양한분석 Safety Analysis Hazard Analysis 안전성분석전문가의경험과능력에전적으로의존한다. 안전성분석대상 (Target) 을잘알아야한다. Accident Model Chain-of-Event vs. STAMP Accident Model 에따라다른분석기법을사용한다. FTA, FMEA, HAZOP 등다수 vs. STPA 63
참고문헌 [1] 한국형표준원전계통실무 ( 교육자료 ), 한국원자력연구원원자력교육센터 (KNTC), http://www.kntc.re.kr/openlec/nuc/atomicpile/index.htm kr/openlec/nuc/atomicpile/index htm [2] SAFEWARE: System Safety and Computers, Nancy G. Leveson [3] Hazard Analysis Techniques for System Safety, Clifton A. Ericson [4] Engineering a Safer World: Systems Thinking Applied to Safety, Nancy G. Leveson 64
감사합니다!!! http://dslab.konkuk.ac.kr ac kr 65