IEEE Transactions on Nuclear Science, Vol. NS-28, No. 5, October 1981 A MICROPROCESSOR-BASED, ON-LINE DECISION AID FOR RESOLVING CONFLICTING NUCLEAR REACTOR INSTRUMENTATION* Harry P. Alesso Lawrence Livermore National Laboratory Livermore, California 94550 Submitted to IEEE, April 9, 1981. Abstract We describe one design for a microprocessor- based, on-line decision aid for identifying and resolving false, conflicting, or misleading instrument indications resulting from certain systems interactions for a pressurized water reactor. The system processes sensor signals from groups of instruments that track together under nominal transient and certain accident conditions, and alarms when they do not track together. We examine multiple-casualty systems interaction and formulate a trial grouping of variables that track together under specified conditions. A two-of- three type redundancy check of key variables provides alarm and indication of conflicting information when one signal suddenly tracks in opposition due to multiple casualty, instrument failure, and/or locally abnormal conditions. Since a vote count of two of three variables in conflict as inconclusive evidence, the system is not designed to provide tripping or corrective action, but improves the operator/instrument interface by providing additional and partially digested information. 1. Introduction Nuclear power plants have a complex array of instrumentation designed to provide the operator with accurate information about essential plant conditions. The well-trained operator uses these instruments to operate the reactor under normal conditions and to react properly to accidents, but he may be less prepared to react upon receiving false, conflicting, or misleading information. The vital importance of operator/instrument interfacing was clearly demonstrated during the accident at Three Mile Island-2 (TMI-2) on May 28, 1979. There, the operators received numerous false and conflicting bits of information from their instrumentation and, as a result of incorrectly resolving this information, took action which compounded the casualty. Operator training, appropriate instrumenting, and operator/instrument interfacing all proved to be inadequate.1 A breakdown of six major items contributed to the accident: * water level indication in the reactor, * electromatic relief valve (ERV) operat-ion, * auxiliary feedwater (AFW) flow indication, * containment isolation, * extended range instrumentation, * computer readout. But the severity of the accident was a direct result of incorrectly diagnosing reactor pressure vessel water level. *This work was supported by the United States Nuclear Regulatory Commission under a Memorandum of Understanding with the United States Department of Energy. Manuscript received by NPSS April 9, 1981. Within the first 15 min of the accident, the following major conflicting bits of information were present: * the ERV console valve position indicator read closed but the ERV tail pipe temperature remained high, * the AFW pump automatically turned on indicating flow to the steam generator but steam generator level was dropping rapidly, * pressurizer water level indicated increasing but main coolant pressure was dropping rapidly, * pressurizer water level was increasing but the high pressure backup injection system actuated, * pressurizer water level was increasing but reactor contairLment pressure was increasing. All but the second conflict explicitly related to reactor water level or pressure. Unfortunately, the operator was not completely aware of all of these conflicts and he resolved those conflicts he was aware of by assuming that pressurizer water level was correct and that conflicting information was false. Indeed, it was not until over two hours later that the real conditions of a small loss-of-coolant accident were identified. By that time, a substantial fraction of the core had been uncovered so that overheating of the zirconium clad and the evolution of hydrogen resulted. The false pressurizer water level indication was a result of loop seals forming at low points of the primary system piping and a differential pressure into the pressurizer from the stuck-open ERV. Proposed solutions to such problems include direct instrumenting of the core water level. However, an important lesson from TMI-2 is the need to become aware of and to correctly resolve conflicting information by an on-line decision aid as a first, simple step toward reactor accident diagnostics. Clearly, the cost of an on-line computer system to diagnose all plant variables and conditions and to decide on a proper course of action is presently prohibitive. However, there are alternative, intermediate steps that are reasonable in terms of cost and effort and that can be immediately implemented. This paper discusses such an intermediate step that will not diagnose plant accidents, but will partially digest the instrument information presented to the operator in an effort to provide him with an awareness and resolution of conflicting information. We describe the design architecture for a microprocessor based, on-line decision aid for resolvinq wihich instruments, if any, are supplying false, conflicting, or misleading information as a result of certain systems interactions for a Pressurized Water Reactor (PWR). Two of three instruments supplying conflicting information would sound an alarm and form a check to resolve the conflict. The system cou]ld potentially be extended to perform further diagnosis of the accident and recommend corrective actions. Microprocessors are becoming increasingly important in a variety of nuclear control U. S. Government work not protected by U. S. copyright. 3919

This document was prepared as an account of work sponsored by an agency ofthe United States Government. Neither the United States Government nor theUniversity of Califomis nor any of their employees, makes any warranty, ex-press or implied, or assumes any legal liability or responsibility for the ac-curacy, completeness, or usefulness of any information, apparatus, product, orprocess disclosed, or represents that its use would not infringe privately ownedrights. Reference herein to any speciric commercial products, process, or serviceby trade name, trademark, manufacturer, or otherwise, does not necessarilyconstitute or imply its endorment, recommendation, or favoring by the UnitedStaten Government or the University of California. The views and opinions ofauthors expressed herein do nt necessarily state or reflect those of the UnitedStates Govemment thernf, and shall not be used for advertising or product en-dorsement purposes.

Mr. H. P. Alesso graduated from the U.S. Naval Academy in 1970, receiving

his B.S. degree in Mathematics. He served as a nuclear engineer aboard

nuclear submarines for a period of three and one-half years. He graduated

from Massachusetts Institute of Technology in 1978 at which time he received

his M.S. degree in Nuclear Engineering and an advanced special degree of

Nuclear Engineer. Currently, he is employed in the Nuclear Systems Group at

Lawrence Livermore National Laboratory.