Failure Mode and Effect Analysis for a Programmable Logic Controller-Based Control Unit for a Miniature Neutron Source Reactor Pneumatic Transfer System

The Pneumatic Transfer System (PTS) is an auxiliary system of Ghana Research Reactor-1 (GHARR-1) used to transfer the sample capsule in and out of the reactor irradiation sites. The PTS's controller unit design and construction was carried out because the original transfer system was not designed to operate in Cyclic Neutron Activation Analysis (CNAA). To address these situations, a Programmable Logic Controller (PLC) has been used to design and construct a control unit to facilitate a CNAA application for GHARR-1. The design has been simulated successfully using LOGO! Soft Comfort software, version 8. A Failure Mode and Effect Analysis (FMEA) was conducted on the PTS Control Unit (PTSCU) to evaluate and document, by item failure mode analysis, the potential impact of each functional or hardware failure of the control unit, personnel and system safety, system performance, maintainability, and maintenance requirements. Each potential failure is ranked by the severity of its effect so that appropriate corrective actions can be taken to eliminate or control the high-risk items. The result obtained upon the analysis shows that the likelihood of occurrence of failures, detection, and severity on the control unit is low per the risk priority number. The paper outlines the severity classification and description used in FMEA, the likelihood of detecting various failures of components, and failure causes and effect.


Introduction
Ghana Research Reactor-1 (GHARR-1) is a Miniature Neutron Source Reactor (MNSR) used mainly for Neutron Activation Analysis (NAA), education, and training [1,2]. The Pneumatic Transfer System (PTS) is an experimental facility of the reactor. It is meant for the transfer of sample capsules into the reactor for irradiation [3]. The new control unit is designed to replace the existing one to facilitate cyclic mode neutron activation analysis which the existing design did not consider. Another reason is that the components for the previous design could not be found on the local market, making it difficult to maintain the facility. The newly designed control unit uses a computer-based Programmable Logic Controller (PLC) with a LOGO! Soft Comfort version 8 software to program the PLC using the Function Block Diagram (FBD) programmable language or method [4]. A Failure Mode and Effect Analysis (FMEA) study is conducted on the PTS control unit to primarily identify known and potential failure modes, causes, and effects of each failure mode and prioritize the identified failure modes according to the Risk Priority Number (RPN). FMEA is a reliability and risk analysis procedure by which each potential failure mode in a system is analyzed to determine the results or effects, thereof, on the system and to classify each potential failure mode according to its level of severity. Each potential failure is categorized by the severity of its effect, in order that applicable corrective actions may be taken to eliminate or control the high-risk items. A qualitative overview of accident sequences could be derived from the FMEA tables looking at consequences' descriptions and preventive and corrective actions. Furthermore, the analysis generates a rich store of record data that satisfy the requirement to prove compliance to standard criteria and as a store of information for future reference by designers, engineers, and quality assurance analysts.
The design program could be simulated for its functionality before integration and implementation. FMEA provides valuable descriptive information about the system design and operation, by identifying in a concise manner the failure modes and compensation actions, as well as recommended actions, to mitigate against these failures. Severity considers the worst potential consequence of a failure, determined by the degree of injury, property damage, or system damage that could ultimately occur. The frequency of occurrence, severity, and detection of failure of a component is determined to ensure that any failure of a component will not damage the controller or affect the personnel or the PTS. Compensated actions are provided for any problem and corrective action to reliability and maintainability [4]. The analysis is used to assess high-risk components and provide corrective actions. The FMEA also defines special test considerations, quality inspection points, preventive maintenance actions, operational constraints, useful life, and other pertinent information and activities necessary to minimize failure risk [5]. Nuclear facility system designers must design SSCs to standards. To determine if a SSC's design complies with government and regulatory criteria, a manufacturer can analytically test a designed system [6]. One of such analytical tools is the FMEA. Compliance with these criteria provides reasonable assurance that nuclear facilities can be operated without undue risk to the health and safety of the public [7]. Nuclear-related thermal-hydraulic passive systems, protective systems, and computer-based safety digital instrumentation and control systems have been extensively analyzed with FMEA [8]. The International Atomic Energy Agency (IAEA) recommends that FMEA be performed for common cause failure (CCF) in SSCs [9].
It requires that a single failure not render the reactor system incapable of performing its required function which can increase the nuclear facility unavailability period. The purpose of this paper is to use the FMEA methodology to provide the reliability of the PTS Control Unit (PTSCU) designed to ensure system quality assurance and feedback to the designed activities.

Methodology
In this study, an FMEA based on the conceptual design of the PTS Control Unit (PTSCU) is presented. The methodology used consists firstly of the definition of a functional block diagram for the Control Unit (CU) device as well as a conceptual full-scale diagram for implementation. These diagrams show the main systems and subsystems associated with the implementation of the PTSCU. An FMEA has been developed for the major components of the CU in order to identify the most critical components of the system as well as to identify the various failure modes that might affect the effective operation of the CU based on procedures outlined in [4,5]. FMEA provides valuable descriptive information about the system design and operation, by identifying in a concise manner the failure modes and compensation actions, as well as recommended actions, to mitigate against these failures. The failure effect of a component on the CU operation and other systems was the main consideration for the analysis performed. In classifying the severity of system failure modes, a numerical code is used which ranks from 1 to 10. A higher number indicates the criticality of the component that must be evaluated for each component failure mode. This index is classified into the following main severity levels: none (1), low (2 and 3), medium (4 and 5), high (6 and 7), critical (8 and 9), and catastrophic (10). A description of these indices and their effects is presented in Table 1 [5].
The likelihood of occurrence of various failure modes is presented and described in Table 2. The information presented on the likelihood of occurrence in the FMEA is mainly based on experience gained from the various components associated with the CU and manufacturer's recommendations.
In Table 3, the likelihood of detecting various failures is presented. The information presented in this section of the FMEA was also based on the experience in using such components in the CU device and manufacturer's information. Figure 1 shows the block diagram of the conceptual full-scale integration of the CU in the existing PTS. The orange color is the controller unit which consists of electrical and electronic components. The green color is the fluid flow side (the pressurized air). The gray color is where neutrons collide with nuclei causing one of the following reactions: inelastic scattering, elastic scattering, radiative capture, or fission. The blue color represents the gamma spectrometry system for analysis. The controller unit in Figure 2 consists of three main components: a high-current dual regulated voltage power supply, PLC device, and 8-way relay bank. The power supply designed and constructed has a dual voltage of +24 VDC and +12 VDC and could be regulated from their internal reference voltage minimum of 1.25 to a safe maximum voltage of 30 VDC at a safe operating current of 5 Amps. Figure 3 shows the flow chart for cyclic mode analysis with the conventional mode option with the CU incorporated. The phototransistors (PT1 and PT2) on top of the reactor and the detector serve as sensors. They detect the presence of a sample and switch from logic low level to high level, giving out a positive pulse signal to the PLC to act. The block diagram number representation is as follows: 1-dual regulated power supply, 2-PLC, 3-8-way relay bank, 4-solenoid valves, 5-air-compressor, 6-reactor, 7-HPGe detector, and 8-analytical unit. PT = phototransistor. CC = compressor control. Figure 2 shows the designed CU to replace the existing control unit. Figures 1 and 2 show the block diagram of a conceptual full-scale integration of the CU with the existing PTS.

Table 1: Severity
Effect | System functionality | Rating
Catastrophic | Totally incapacitates the system and fails to satisfy the design intent | 10
Critical | Significantly reduces the effectiveness of the system such that it would have little or no benefit and fails to satisfy the design intent | 9, 8
High | Significantly reduces the effectiveness of the system such that it would fail to satisfy the design intent. However, the system would still operate and significant benefit would be gained from its operation | 7, 6
Medium | Reduces the level of redundancy that is built into the system. The effectiveness of the system would not be significantly reduced, and the design intent would still be satisfied | 5, 4
Low | Reduces the effectiveness of the system such that it is outside normal operating limits. However, the design intent would still be satisfied | 3, 2
None | No effect | 1

Table 2: Likelihood of occurrence
Remote | Very unlikely to occur | 1-5 | 3, 2
None | Will not occur | 0 | 1

Table 3: Likelihood of detection
 | Uncertain that failure will be detected | 10
Low | Low chance that failure will be detected | 9, 8
Moderate | Moderate chance that failure will be detected | 7, 6
High | High chance that failure will be detected | 5, 4
Very high | Very high chance that failure will be detected | 3, 2
Certain | Certain that failure will be detected | 1

The description of various blocks and their functions, as well as likely effects of the CU on other systems, can be found in related documents [10]. The inputs used in completing the analysis include mainly data of various components from the designed CU document [10]. Definitions important for understanding various items in Table 4 are presented in Appendix A.

Results and Discussion
The results from the FMEA conducted on the PTS control unit designed and constructed for cyclic neutron activation analysis were found to be reliable and fit for the intended task as shown in Table 5. The compensation actions analysis has brought up the idea of incorporating additional components to enhance the compensation actions, such as an electrical circuit breaker and suppressing diodes to augment the functions of the fuse. Failure mode analysis is a systematic approach to quantify the failure modes, failure rate, and root causes of known failures. Usually, the FMA is based on historical information. The LOGO! version PLCs have outputs that are short-circuit proof and overload proof [11]. The LM 317 voltage regulator used in the power supply also has overcurrent and overtemperature protection that shuts down the device against overload or damage from operating in excessive heat [12]. These are some of the safety measures to enhance the compensation actions of the system. Details of the FMEA performed for the CU are presented in Table 5. The inputs used in completing the analysis include mainly manufacturing data for various components [12] and experience acquired in using the components.

Conclusions
This study has presented an FMEA conducted for the conceptual CU design to be possibly integrated with the existing PTS. The risk analysis produced in this report has provided recommended actions to be incorporated into the design. It is expected that when the recommended actions are implemented, the RPN will reduce to a significant level to facilitate successful implementation of the modification. The analysis of failure and effects of the control unit does not have any effect on the reactor safety. The PTS is an auxiliary system of GHARR-1 and not important to reactor safety, as per safety classification of the IAEA [13]. Instrumentation and control functions, systems, and components are classified into two categories: items important to reactor safety and items not important to reactor safety [13]. Functions, systems, and components important to reactor safety are those which contribute to safely shutting down the reactor and maintaining it in a safe shutdown condition in and after operational states and accident conditions.
In general, the implementation of the CU in an existing PTS is not expected to pose any significant risks in view of the outlined compensation actions and recommended actions. The study would serve as a valuable tool for subsequent analysis to be conducted in the future. The maintenance program developed for the PTSCU [14] is divided into two: routine maintenance, during which preventive and predictive maintenance would be carried out, and corrective maintenance [14] to ensure continuous operation when it is implemented.

Appendix A
1. Item no.: Unique line item for each identified component under review.
2. Component: Name or description of the item or system function being analyzed.
3. Function: A concise statement of the function performed by the hardware item shall be listed.
4. Failure mode: All predictable failure modes for each indenture level analyzed shall be identified and described. Additional information concerning the context of the failure mode may be included such as
i. The mode of operation
ii. The time constraints
iii. The environmental stresses
iv. The operational stresses
5. Failure cause: The most likely causes for each potential failure mode should be identified and described. Since a failure mode may have more than one cause, all probable independent causes should be identified and entered.
6. Failure effects (local): Local failure effects identify the impact of the failure mode on the operation and functionality of the system item/equipment under consideration. The purpose of defining the local effects is to provide a basis for evaluating compensating provisions and for recommending corrective actions. It is possible for the "local" effect to be the failure mode itself.
7. Failure effects (system): System-level failure effect describes the total impact of the failure mode on the operation, function, and status on the system level at which the item/equipment is operating.
For example, the local failure effect of a control solenoid valve failing open will have a system effect of transferring a sample capsule.
8. System failure mode detection: Description of how the failure mode is detected by the system or operator shall be determined. Means of detection may be carried out by methods such as annunciations, operator procedures such as visual inspection, or other preventive, predictive, and corrective maintenance activities.
9. Compensating action: A listing of the compensating actions which mitigate the effect of the failure mode on the system shall be documented. The actions can be either design related (e.g., design redundancy) or operator procedural actions. Any operator procedural actions used as a compensating action shall reference the governing operating manual or procedure utilized by the operator.
10. Risk analysis-severity (SEV): A qualitative measure of severity is assigned to each failure mode to represent the worst potential consequences from that failure on the system level.
11. Risk analysis-occurrence (OCC): A qualitative measure of occurrence is assigned to each failure mode to represent the probability of the failure mode and its particular effect over a defined time period.

12. Risk analysis-detection (DET): A qualitative measure of detection is assigned to each failure mode to represent the ability of the design to detect the failure mode before the resultant effect reaches a system-level failure.
13. Risk analysis-RPN: As per Section 3, the risk priority number is the product of the Severity (S), Occurrence (O), and Detection (D):
14. Recommended action: Review of the risk attributes requires caution and good judgment. A thorough review of the values of severity, occurrence, and detection is required before forming any opinions and deciding if undertaking corrective actions is required.
The following decision options are available:
i. Implement corrective actions in order to reduce the associated failure mode risk.
ii. Try to eliminate the failure mode.
iii. Minimize severity of the failure.
iv. Reduce the occurrence of the failure mode.
v. Improve the detection.
vi. Accept the failure mode risk without change to the design. Documenting the justification for accepting the associated risk is required.
15. Action taken: If implementation of corrective action(s) is required, then we document the corrective action changes made to the design which were required to reduce the associated failure mode risk. Any previous corrective actions to the design shall be retained if previous attempts to reduce failure mode risk were attempted.
16. Action result-severity (SEV): The new severity ranking value based on any corrective action taken for the failure mode.
17. Action result-occurrence (OCC): The new likelihood of occurrence ranking value based on any corrective action taken for the failure mode.
18. Action result-detection (DET): The new likelihood of detection ranking value based on any corrective action taken for the failure mode.
19. Action result-RPN: The new RPN value resulting from any corrective action taken for the failure mode.
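
The worksheet columns defined in items 10 to 19 can be exercised with a short script. The following is an added example, not part of the paper: it computes the initial and post-action RPN, maps severity to the bands given in the Methodology section, and ranks rows for corrective action. The component names come from the paper, but the ratings are constructed for illustration (they are not the Table 5 values), and the 1-10 range for occurrence is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Severity bands as stated in the Methodology section (ratings 1 to 10).
SEVERITY_BANDS = [(1, 1, "none"), (2, 3, "low"), (4, 5, "medium"),
                  (6, 7, "high"), (8, 9, "critical"), (10, 10, "catastrophic")]

def severity_level(sev: int) -> str:
    for lo, hi, name in SEVERITY_BANDS:
        if lo <= sev <= hi:
            return name
    raise ValueError(f"severity {sev} is outside the 1-10 scale")

def rpn(sev: int, occ: int, det: int) -> int:
    """Risk priority number: product of severity, occurrence and detection."""
    # Assumption: OCC uses the same 1-10 scale as SEV and DET.
    for label, value in (("SEV", sev), ("OCC", occ), ("DET", det)):
        if not 1 <= value <= 10:
            raise ValueError(f"{label}={value} is outside the 1-10 scale")
    return sev * occ * det

@dataclass
class WorksheetRow:
    item_no: int
    component: str
    failure_mode: str
    initial: Tuple[int, int, int]                        # items 10-12: SEV, OCC, DET
    after_action: Optional[Tuple[int, int, int]] = None  # items 16-18

    def initial_rpn(self) -> int:                        # item 13
        return rpn(*self.initial)

    def result_rpn(self) -> int:                         # item 19
        # With no corrective action recorded, the RPN is unchanged.
        return rpn(*(self.after_action or self.initial))

def prioritize(rows):
    """Highest initial RPN first; ties are broken by the higher severity."""
    return sorted(rows, key=lambda r: (r.initial_rpn(), r.initial[0]), reverse=True)

# Constructed sample rows: ratings are invented for illustration only.
ROWS = [
    WorksheetRow(1, "Fuse", "fails open", (4, 3, 2), (4, 2, 2)),
    WorksheetRow(2, "Solenoid valve", "fails open", (6, 2, 3), (6, 2, 1)),
    WorksheetRow(3, "Phototransistor PT1", "no pulse to PLC", (5, 2, 4)),
]

if __name__ == "__main__":
    for row in prioritize(ROWS):
        print(row.item_no, row.component, severity_level(row.initial[0]),
              row.initial_rpn(), "->", row.result_rpn())
```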

Data Availability
All data used are those obtained from our own research work and those obtained somewhere have approval from the source.

Conflicts of Interest
The authors declare no conflicts of interest.