A NEURO-FUZZY SYSTEM TO SUPPORT THE ATTENTION AND DIRECTION OF NUCLEAR POWER PLANT OPERATORS

ABEPRO DOI: 10.14488/BJOPM.2015.v12.n1.a1

Accident diagnosis in nuclear power plants (NPPs) is a very hard task for plant operators because of the number of variables they have to deal with simultaneously when facing accident situations. The prior identification of possible accident situations is essential for safe operation in NPPs. Artificial intelligence techniques and tools are suitable for identifying accident situations in complex systems because system faults and anomalies lead to different pattern evolution in the correlated process variables. Such patterns can be identified by Artificial Neural Networks (ANNs). The system developed in this work aims to support operators' attention and direction during accidents in NPPs using a Neuro-Fuzzy approach for event identification forecasting. ANNs are used to perform this task. After the NN has identified the event type, a fuzzy-logic system analyzes the results and gives a reliability level for that identification. The results show that the system is capable of helping operators direct their attention and narrow their information search field in the noisy background of the operation during accident situations in nuclear power plants.


INTRODUCTION
Human work in high-risk organizations is still based on tasks that prescribe the correct (and safer) way to do the work (La Porte and Thomas, 1995; De Terssac and Leplat, 1990; De Terssac, 1992; Hirshhorn, 1993). These tasks are written in procedures that have to be followed to avoid human errors. The main goal of this type of safety management approach is to control (reduce) the variability and autonomy of human agents through accurate procedures, strong oversight or supervision, and a division of labor with clearly defined roles and responsibilities. According to this view, following procedures as a script is the basis for reliable and safe operation in several nuclear power plants around the world (Bourrier, 1999; Carvalho et al., 2005). Under such a safety paradigm, human error (the problem to be avoided) is defined as any performance deviation from the action sequence specified in the procedure (Dekker, 2006). In order to perform the sequence of actions exactly as it is written in the procedures, operators need correct and unambiguous information about the plant's situation. Based on this view, an ambiguous response from instrumentation systems, for example "There is 80% chance to have a Loss of Coolant Accident (LOCA)", may undermine and hinder operators' work, because it provides uncertain information. In this context, operator support systems for accident diagnosis should provide an answer only when they have 100% certainty about the situation; for events about which the system has no certainty the response must be: "I do not know".
However, field studies in nuclear power plants (Vicente, 1999, 2001; Carvalho et al., 2005, 2006, 2007; Bourrier, 1999), in other organizations dealing with high-risk technology (Vaughan, 1997; Gomes et al., 2009), and in the control and operation of complex systems (Amalberti, 2002a; 2006b) have shown that written instructions and procedures can almost never be strictly followed, because of variations in situations and processes, and also because workers are constantly struggling to become more efficient and productive when dealing with time pressure, lack of resources and other work constraints (Woods and Hollnagel, 2006). In these situations, operators constantly deal with uncertain or ambiguous information.
The difficulty of diagnosing events in nuclear power plants, due to the need to deal with hundreds of variables simultaneously in case of accidents, has motivated the development of many diagnostic systems based on artificial intelligence (AI) to support operators' work. Several researchers have used artificial neural networks (ANN), fuzzy logic (FL) and genetic algorithms (GA) to solve problems related to monitoring a nuclear power plant, especially the problem of event identification (Bartlett and Uhrig, 1992; Alvarenga, 1997; Pereira et al., 1998; Mol et al., 2006).
One of the first systems for accident identification in NPPs was developed by Bartlett and Uhrig (1992). They used ANNs for accident identification in seven accident scenarios. The authors used a multilayer perceptron network in which the ANN identified the type of accident according to a binary encoding of three bits. However, unknown events were not considered. Alvarenga (1997) used artificial neural networks, fuzzy logic and genetic algorithms for the diagnosis of postulated accidents of the ANGRA II nuclear power plant, using a set of 17 plant variables. This work also did not consider unknown events.
More recently, the system developed by Mol et al. (2006) explored the good performance of multi-ANNs with the backpropagation training algorithm for event identification, even when noise was added to the input data. The system also presented a procedure for validating the diagnosis in order to obtain an output "I do not know" for unknown events (the events outside the scope of the ANNs' training).
This work proposes the development of an operator support system for accident diagnosis in nuclear power plants, using artificial neural networks working together with fuzzy logic to indicate the possibility of event occurrence, with the associated degrees of reliability. Using the proposed system, an operator can direct his/her attention and anticipate actions to deal with the situation. The developed system recognizes that operators deal with situations where there is a great level of uncertainty and make decisions without a complete set of information about the state of the systems (Carvalho et al., 2008). The support system aims to help with one of the main objectives of the operation team: to update and validate the individual and collective situation awareness that allows a resilient and safe operation (Vidal et al., 2009). The support system uses a set of ANNs to identify the events, and a fuzzy logic structure to provide information on how reliable each of the identifications made by the ANNs is. The system aims to direct the operators' attention by indicating the type of accident that may be about to happen, besides providing the correct probability of that, allowing the operators to plan their actions in the near future and to seek the information and support necessary to deal with the accident before the indications coming from the conventional alarm system occur.

A NEW PARADIGM FOR FAILURE MANAGEMENT IN COMPLEX SYSTEMS
As stated above, the current work system in nuclear power plants and in most high-risk organizations is based on the assumption that there is always a correct way to do the job. However, in many situations, this approach limits the action possibilities of operators to deal with the system complexity due to the fact that:
1. System designers cannot provide a complete set of actions that are needed in the entire range of plant operational situations because of constraints imposed by the system/environmental variability.
2. Point one makes clear that the operators of nuclear plants may have difficulty determining whether the procedures that they are supposed to follow are not the best choice to deal with a new situation (Carvalho et al., 2007).
3. In unknown or unfamiliar situations, in which operators do not have the support of written procedures and completely correct (unambiguous) information, such as FAIL or NOT FAIL, RIGHT or WRONG, there is a risk of facing situations in which they have no support at all and have to improvise, searching for ad hoc re-configurations in the plant systems (Carvalho et al., 2006a; 2007b).
These factors justify the use of support systems that provide partial information about situations that may be evolving in the plant, to support the cognitive strategies used by humans. The difficulties in actual fault management systems based on information provided by the alarm systems currently used in nuclear power plants have already been identified: meaningless alarms, unclear or underspecified alarm messages, alarm inflation, and alarms indicating the state of the system rather than abnormalities are only a small part of the difficulties that NPP operators have. The temporal dynamics is also relevant. Because of the close correlation between the variables of NPP processes, the period in which many alarms are triggered is the beginning of the accident, when operators have to identify what is happening in the plant. It is precisely during this period of high workload that technological artifacts should provide the necessary assistance to operators in evaluating the situation. However, in most nuclear power plants currently available, it is in this period that most of the meaningless alarms occur, coming from systems that are not important for solving the problem. Therefore, the alarm system and an inadequate diagnostic system distract operators and disrupt their activities, making diagnosis more difficult and hindering the activities of information search and prioritization. These factors constitute the so-called alarm system problem (Woods, 1994a; 1995b).
To help accident diagnosis in this complex operational situation, the system developed in this work assumes the role of an agent trying to anticipate problems in order to direct the attention of the human observer to the potentially more interesting events that are occurring, for example in a situation with a huge amount of data, limited time to make decisions, and multiple action selection possibilities. The direction of attention is the essential point for an operator who is planning his/her future actions, as early as possible, depending on the type of event occurring in the plant, thus reaching a more suitable condition of awareness (Vidal et al., 2009).
The control of attention allows a forecast of action plans in a cognitive system. It occurs when attention-driven signals provide important information for action selection, or when the attention-driven signals show information that can be ignored, or may be delayed, safely, in accordance with the situation. In general, an attention-driven signal says: "there is something I believe you will find interesting or important, so you should check it out." The goal is to allow the operator to decide when the interrupt signal determines an authorization for a change (or not) in the attention focus. The concepts presented above were used to develop the system described in this work, which helps nuclear power plant operators in the diagnosis of accidents. It is composed of event identification modules, based on ANNs, and a fuzzy system, which informs how reliable the event identification made by the ANNs is.

Event Identification using ANNs
For the event identification, we use the multi-type ANN jump model. The system explores the excellent performance of multilayer ANNs with a backpropagation training algorithm (Haykin, 1999). Another important characteristic of the proposed system is that it is independent of the time variable, which increases its robustness. Figure 1 shows the jump network with one input layer, two intermediate layers and one output layer. For jump-type multilayer ANNs, a neuron, in any layer of the network, is connected to all other neurons of the other layers, which means there is no feedback. The signal that flows through the network is propagated "forward" from left to right, going through all the layers. Figure 2 shows a part of the jump network, where two types of signals are identified: the "stimulus" or input signals, coming from the first network layer and spreading forward (neuron by neuron) through the network, emerging at the output of the network as the output signal; and the "error signal", indicating the error that originates from one neuron and is propagated back (neuron by neuron) through the network.
The "backpropagation" method results in the synapses update rule (Haykin, 1999) ($\Delta w_{ji}(n)$) given by the equations: Where $k$ represents any neuron of the layers subsequent to the layer of neuron $j$, $\delta(n)$ is the local gradient, $y_i$ is the output of neuron $i$, F(.) is the activation function, $a_j(n)$ is the activation of neuron $j$ and $w_{ki}$ is the synapse between neurons $k$ and $i$.

Method for event identification
To identify what type of event is occurring in the plant, we use a modular structure consisting of several jump-type ANNs. Each structure forms a module, called an Independent Identification Module (IIM). Each IIM is composed of four Basic Neural Modules (BNM). A BNM consists of one ANN. Each BNM is responsible for identifying one specific event among all the others. To make the event identification, each BNM has process variables as input signals and only two outputs, one that indicates the event for which the module is responsible (the event it is trained to identify, named class A) and the other that indicates all other events (class B). Therefore, it was necessary to train the ANN of each BNM with two pattern sets, one set representing class A and another set representing class B. The BNM output is 1 for class A events and 0 for class B events. Figure 3 shows the selection process of the BNMs. Figure 4 presents the Independent Identification Module composed of four BNMs. During the system operation, for a given event X, the BNM responsible for the identification of event X presents output A equal to 1 (indicating that event X is occurring) and output B equal to zero.
The other BNMs have output A equal to 0 and output B equal to 1 (indicating that the event in progress is not their responsibility). Under these circumstances, each IIM is capable of identifying up to four different events. The final structure used to perform the event identification is composed of a set of IIMs. The number of modules is chosen according to the number of events we want to identify. Figure 5 shows the final structure for event identification of the system.

Events Identification in noisy and dynamic situations
In order to increase the network robustness to deal with the noisy background of the operation in real situations, we need to train the ANNs with a larger set of patterns. This is done by adding noise patterns to the ideal event/accident patterns. During the training phase we force the neural networks to recognize these new patterns as belonging to their original classes (no-noise situations). The outputs of the ANNs in response to input patterns that represent the same event with noise should float around the discrete value expected without noise. In order to measure how the noise influences the identification, we compare the continuous values presented at the output of the network (with noise) to the discrete values that represent each event (without noise). This procedure determines the event deviation ($D_{ev}$), which is defined by the difference between the expected value and the output value of the ANN.
Where: $ev$ indicates the event, $y_{ev}$ is the discrete expected value, and $\hat{y}_{ev}$ is the value obtained at the ANN output. This deviation will be used later on to get the reliability degree of each module's identification output.
To deal with the dynamic characteristic of the nuclear power plant variables, we have to use a mobile temporal window at the ANN input. The mobile temporal window is needed because jump-type ANNs do not have recurrence in their internal structure (where there is a direct dependence upon time) and are not able to work directly with dynamic systems. The time dependence was incorporated into the external architecture of the network by means of the time-sequential presentation of the recent history of the state variables used in the event identification (mobile temporal window), as presented in Fig. 6. To define the number of window elements, it is necessary to consider that the window must be large enough to identify the dynamic behavior of the system, without affecting the identification of fast events.
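The two input-side steps described above, as an added example that is not the authors' code: a mobile temporal window that turns the recent history of the process variables into one flat ANN input, and the construction of a noise-augmented training set. The variable-major input ordering, the Gaussian noise model and all names are assumptions; the sizes (12 variables, 5 window members, 428 clean patterns, five noisy copies at each of three noise levels) follow the counts reported in the results section.

```python
import random
from collections import deque

N_VARS = 12   # process variables sampled at each time step
WINDOW = 5    # window members per variable -> 12 * 5 = 60 ANN inputs


class MobileWindow:
    """Keeps the last WINDOW samples and flattens them into one ANN input."""

    def __init__(self, n_vars=N_VARS, size=WINDOW):
        self.n_vars = n_vars
        self.buf = deque(maxlen=size)   # oldest sample is dropped automatically

    def push(self, sample):
        """Add one time step; return the input vector, or None during warm-up."""
        if len(sample) != self.n_vars:
            raise ValueError(f"expected {self.n_vars} variables, got {len(sample)}")
        self.buf.append(tuple(sample))
        if len(self.buf) < self.buf.maxlen:
            return None                 # not enough history to fill the window
        # Assumed ordering: all window members of variable 0, then variable 1, ...
        return [s[v] for v in range(self.n_vars) for s in self.buf]


def add_white_noise(pattern, level, rng):
    """Assumed noise model: zero-mean Gaussian with sigma = level * |value|."""
    return [x + rng.gauss(0.0, level * abs(x)) for x in pattern]


def augment(clean, levels=(0.01, 0.05, 0.10), copies=5, seed=0):
    """Return the clean (pattern, label) pairs plus noisy copies.

    Every noisy copy keeps the label of its clean original, which is what
    forces the network to treat it as a member of the original class.
    """
    rng = random.Random(seed)
    out = list(clean)
    for level in levels:
        for pattern, label in clean:
            for _ in range(copies):
                out.append((add_white_noise(pattern, level, rng), label))
    return out


if __name__ == "__main__":
    # Constructed stream: variable v at time t has the value t + 100 * v.
    window = MobileWindow()
    for t in range(6):
        x = window.push([t + 100 * v for v in range(N_VARS)])
        print(t, None if x is None else (len(x), x[:5]))
    # Constructed clean set of 428 identical patterns, only to check the sizes.
    training = augment([([1.0] * 60, "LOCA")] * 428)
    print(len(training))
```
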

Fuzzy System to Calculate the Event Confidence Degree
The basic elements of a fuzzy system are: 1) fuzzification, which converts the input variables (crisp or exact measures) into fuzzy sets to represent uncertainty; 2) the rule base, which guides the knowledge system through the rules governing the relations between variables; 3) inference, the mechanism that decides which output should be taken by the process; 4) aggregation, the techniques used to obtain an output fuzzy set from a set of rules and inference; 5) defuzzification, which converts the decision taken by the inference engine into a crisp (numerical) value, transforming qualitative information into quantitative information. The fuzzy system adopted to provide the reliability level of the event identification is presented in Figure 7. It uses the input $D_{ev}$ as defined by equation (3) to calculate the confidence degree. Each BNM has its own fuzzy module. To determine the reliability level of a BNM identification, the fuzzy module compares the output of the BNM ($D_{ev}$) with the respective outputs of the other BNMs of the same IIM.

In order to make the comparison between the outputs of the BNMs, the input linguistic variable Module_Event was defined for testing the relevance degree of the current event in the BNM, together with the linguistic variables Event_1, Event_2 and Event_3 for testing the relevance of the same event in the other BNMs of the same IIM. As output variable, the linguistic variable Confidence_Degree was defined. To illustrate the variable definition process, the variables Module_Event and Confidence_Degree were defined as follows:

Module_Event: this variable checks the current event relevance in five fuzzy sets: very_module_event (VME), module_event (ME), medium_module_event (MME), weak_module_event (WME) and no_module_event (NME). It uses as input the deviation of the event module, $D_{ev}$ (equation 3). Figure 8 shows the fuzzy sets for the linguistic variable Module_Event. The other event variables are defined in the same way.

Reliability degree: this variable determines the reliability degree of the current event in five fuzzy sets: not reliable (NC), little reliable (lC), medium reliable (MC), reliable (C) and very reliable (VC). Figure 9 shows the fuzzy sets for the linguistic variable reliability degree. The fuzzy logic rules for determining the identification reliability degree are empirical, based on logic. Table 1 illustrates the formation of these rules.
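The fuzzy stage described in this section, carried through the five elements (fuzzification, rules, inference, aggregation, defuzzification) for the four BNMs of one IIM, as an added example that is not the authors' implementation. The contents of Figure 8 and Table 1 are not on this page, so the triangular set shapes, the rule table, the reduction of Event_1 to Event_3 to their strongest member, the centroid method and the 0.5 cut-off are all assumptions, as are the function names and the sample outputs.

```python
# Added example: fuzzy confidence degree for the four BNMs of one IIM.
# Set index 0..4 stands for NME, WME, MME, ME, VME on the input side and for
# NC, lC, MC, C, VC on the output side. Shapes and rules are assumptions.
CENTERS = (0.0, 0.25, 0.5, 0.75, 1.0)   # assumed set centres on [0, 1]
HALF_WIDTH = 0.25                       # assumed triangle half-width


def tri(x, center):
    """Triangular membership of x in the set centred at `center`."""
    return max(0.0, 1.0 - abs(x - center) / HALF_WIDTH)


def fuzzify(x):
    """Memberships of a crisp value, clamped to [0, 1], in the five sets."""
    x = min(1.0, max(0.0, x))
    return [tri(x, c) for c in CENTERS]


def deviation(expected, output):
    """Event deviation D_ev: discrete expected value minus ANN output."""
    return expected - output


def confidence_degree(own_dev, other_devs):
    """Crisp confidence of one BNM from its D_ev and the other BNMs' D_ev."""
    own = fuzzify(1.0 - abs(own_dev))                        # Module_Event
    rival = fuzzify(max(1.0 - abs(d) for d in other_devs))   # strongest Event_n
    # Inference with the assumed rule table:
    #   IF own is set i AND rival is set j THEN confidence is set max(0, i - j)
    clip = [0.0] * 5
    for i, a in enumerate(own):
        for j, b in enumerate(rival):
            k = max(0, i - j)
            clip[k] = max(clip[k], min(a, b))
    # Aggregation (max of the clipped output sets) and centroid defuzzification
    num = den = 0.0
    for step in range(101):
        x = step / 100
        mu = max(min(clip[k], tri(x, CENTERS[k])) for k in range(5))
        num += x * mu
        den += mu
    return num / den


def diagnose(class_a_outputs):
    """Map {event: BNM class-A output} to {event: confidence degree}."""
    devs = {ev: deviation(1.0, out) for ev, out in class_a_outputs.items()}
    return {
        ev: confidence_degree(d, [o for e, o in devs.items() if e != ev])
        for ev, d in devs.items()
    }


def identify(class_a_outputs, threshold=0.5):
    """Name the event with the highest confidence, or admit ignorance."""
    conf = diagnose(class_a_outputs)
    best = max(conf, key=conf.get)
    return best if conf[best] > threshold else "I do not know"


# Constructed class-A outputs of the four BNMs (not data from the paper).
TRAINED_EVENT = {"NORMAL": 0.02, "LOCA": 0.97, "SGTR": 0.05, "MFW": 0.01}
UNTRAINED_EVENT = {"NORMAL": 0.10, "LOCA": 0.05, "SGTR": 0.07, "MFW": 0.02}

if __name__ == "__main__":
    for name, sample in (("trained", TRAINED_EVENT), ("untrained", UNTRAINED_EVENT)):
        print(name, identify(sample), diagnose(sample))
```

Under these assumed rules, two BNMs claiming the same input with equally small deviations both receive a low confidence degree, which is the behaviour the comparison between modules is meant to produce.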

RESULTS
The system was tested in the PWR simulator of the Human System Interface Laboratory of the Nuclear Engineering Institute (Carvalho et al., 2007). The NNs were trained on four plant conditions: the NORMAL plant condition and the accidents LOCA (loss of coolant accident), SGTR (Steam Generator Tube Rupture) and MFW (main feedwater malfunction). Another accident type, the turbine trip (TRIPTUR), an automatic shutdown of the turbine, was not used in the NN training and remains as the unknown accident. The parameters that contribute most to the characterization of each accident were considered in order to determine which input variables must be chosen to proceed with the analysis. They are: flow and temperature in the hot leg (the output of the reactor vessel), cold leg temperature (the input of the reactor vessel), level in the steam generator, wide range indication of the level in the steam generator, narrow range indication of the pressure in the steam generator, feed water flow rate of steam in the pressurizer, narrow range temperature margin of the coolant, and pressure of the pressurizer.
The ANNs were trained for identification of the LOCA, MFW and SGTR accidents with the power plant operating at 100% power. The TRIPTUR accident was not trained. During the NN training, we used four hundred twenty-eight patterns without noise, and 2140 patterns with 1, 5 and 10% of white noise (a total of 6848 patterns). To set the size and parameters of the ANNs and the number of elements of the mobile window, several tests were performed, because there are no general and well-defined criteria for the choice of these parameters. After these tests, the ANNs that provided the best results had the following configuration:
• an input layer consisting of sixty neurons with linear activation functions (twelve mobile windows with five members each);
• one intermediate layer with one hundred three neurons with the logistic activation function;
• one output layer with 2 neurons with the logistic activation function.
After the training phase, the operation phase takes place. At this stage, five hundred thirty-five more patterns were developed that represent the accidents (LOCA, MFW, SGTR) and the NORMAL condition. Moreover, another five hundred thirty-five patterns were generated for the TRIPTUR accident. For each accident the maximum value ($D_{ev}$) was calculated and sent to the fuzzy system to give the reliability degree of each identification.
The system was tested with several levels of noise (1%, 15% and 20%) to simulate the real conditions of operation in an NPP. To evaluate the time response of the system, tests of the transition from NORMAL conditions to accident conditions were performed. Tables 4, 5, 6 and 7 present the results of the transition from the NORMAL condition to LOCA, MFW, SGTR and TRIPTUR, respectively.

DISCUSSION
The system output (Table 2) shows the correct event identification, even in situations of high uncertainty at the input (simulated by the 15% noise level added to the input). In all analyzed situations, each of the proposed accidents was identified correctly after 15s (more than 50% of certainty). Based on this information, an operator may quickly direct (fifteen seconds after the start of the event) his/her attention to the most likely event, even in a noisy background, reducing his/her information search field. Accordingly, the operator would have more time to test and validate his/her action options, resulting in a faster and more effective way to fight against the events. Table 3 shows that the independent identification module (IIM) was able to identify the TRIPTUR accident as an unknown accident (this accident was not trained), indicating that the system presents a suitable response level for an event that did not belong to the training scope of the neural modules.
The results presented in Tables 4, 5 and 6 show that the accident identification module was able to successfully handle the transition from the NORMAL condition to the accident condition. The system identifies the LOCA accident in 2s and the other accidents in 6s. This quick accident identification allows the operators to direct their attention to the most probable situations. Furthermore, it can improve the operators' dynamic failure management during accidents, taking into account that in such moments (the beginning of accidents) dozens of alarms occur simultaneously, competing for the operators' attention. An early and reliable indication of what is about to happen in the plant, provided by the diagnostic system, will help the operators decide which procedure will lead to better results in a shorter time, thus directing their course of action during these important moments of the plant operation.
Table 7 shows the transition from the NORMAL condition to the TRIPTUR accident, which was not part of the training scope of the neural modules. In the first few seconds, the system tries to classify this event as one of the accidents in the training set of the identification module. After 6s, the system shows that this possibility is close to zero. Even in a situation of unknown event, the system indicates signs of possible abnormalities in the plant (4.5% LOCA, 6.9% SGTR, different from the 0% indication expected in the normal condition). These weak indications of abnormality would be enough to alert operators that something unusual (and different from the accidents that the system can identify) is already taking place.
An important feature of the system is that it does not depend on a signal indicating the beginning of the accident, such as the REACTOR TRIP (automatic reactor shutdown) event, as observed in most event identification systems. Making the accident identification process independent of initiator signals improves the response time of the system and has been achieved due to the robustness of the system in relation to noise. It allows the system to make a distinction between a noisy condition of normality and a condition outside the normal operation range. This is due to the use of the mobile time window, which makes the system able to identify events considering the dynamic characteristics of the environment.

CONCLUSIONS
This work proposes an operator support system which aims to direct the attention of the operators during the diagnosis of accidents in nuclear power plants using techniques and concepts of Artificial Intelligence, particularly Artificial Neural Networks and Fuzzy Logic. The objective is to help the operator during the assessment of accidents, indicating in advance and in a reliable way what type of accident may be occurring in the plant, and allowing the operators to direct their attention by narrowing the information search field in the noisy background of the operation during accident situations in nuclear power plants. By focusing their attention on the most likely event, the proposed system aims to contribute to reducing the cognitive overload of the operators during accident diagnosis, as well as to increasing their availability for the execution of appropriate corrective actions to bring the plant to a safe operating condition.
The method uses artificial neural networks to identify the accident that is occurring in the plant, based on the correlation among selected process variables, and uses fuzzy logic to identify the degree of reliability of the identification.
By observing the results presented in the training phase, it was found that the jump-type ANN with backpropagation training is able to quickly diagnose the accidents that have been postulated for a PWR nuclear reactor, even with the addition of noise that simulates the noisy background of real operating conditions at the facility.
The developed system was evaluated in the LABIHS-IEN simulator to test the proposed method for event identification. It was able to provide reliable results, allowing a quick and accurate identification of accidents, and can be easily implemented in a real nuclear power plant through the addition of more accident identification modules, always following the same implementation method.

Figure 3 - BNM with two possible outputs: class A and class B.

Figure 4 - Four basic neural modules with A and B outputs.

Figure 5 - A set of Independent Identification Modules (IIM); each IIM is formed by four BNMs.

Figure 6 - Block diagram of the dynamic identification system with mobile temporal windows.

Figure 7 - System to provide the confidence level of the event identification. Each BNM is specialized in one type of event.

Figure 8 - Fuzzy sets for the linguistic variable Module Event.

Table 1. Some examples of rule formation.

Table 2. Results for NORMAL condition and accidents LOCA, MFW and SGTR.

Table 3 presents the result for the TRIPTUR accident, which is not trained by the ANNs.

Table 4. Transition from NORMAL to LOCA for t=1s, 2s and 3s.

Table 5. Transition from NORMAL to MFW in time 2s, 4s and 6s.

Table 6. Transition from NORMAL to SGTR in time 2s, 4s and 6s.