IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making. System Analysis. Lecturer. Workshop Information IAEA Workshop

IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making

System Analysis System Analysis

Workshop Information Workshop Information

Lecturer Lesson IV 3_2.3

Lecturer Lesson IV 3_2.3

Principal Objective of System Analysis Principal Objective of System Analysis

Task in a PSA of NPP Task in a PSA of NPP

– To develop system models for safety functions intervening in the accident sequence headers.

– Fault Tree Analysis is the technique most broadly used for system modelling.

– Event Trees and Fault Trees of frontal systems (normally those directly performing safety functions) are linked together.

Frontal systems usually depend on support systems, such as power supply or cooling water, to perform their function.

Systems Usually Modelled in a PSA Systems Usually Modelled in a PSA

PWR Front line systems BWR

Support systems

• High pressure safety injection (and/or charging pumps)

• Low pressure safety injection (and/or RHR)

• Accumulators

• Primary and Secondary pressure control

• Isolation of steam generators.

• Containment spray

• Safety injection or spray to the vessel:

HPCS, LPCI, LPCS, RHR

• Containment Spray

• Core isolation cooling (RCIC)

• Emergency boration (SBLC)

• Steam isolation

• Safety/relief valves, ADSL

• Reactor scram systems

AC,DC power supplies, including Diesel Generators.

Component cooling water, Service water, Ventilation,

Fault Trees Fault Trees

– A fault tree is a Boolean reliability model, since all the elements in the fault tree, from the elementary or basic events to the top event (e.g. representing the system failure) have 2 only possible states: the event occurs (e.g. the component fails) or does not occur (the component fulfils its mission perfectly).

A Boolean variable is assigned to each element of the fault tree – A fault tree is a graphical representation of the logical

relationship existing between an undesired event or a failure of a system (top event) and the possible causes leading to it. These causes are recursively analysed until the undesired event is related to combinations of elementary events in the system, such as component failure or a human failures

Boolean Algebra Boolean Algebra

–

The negative logic used in fault trees, they correspond respectively to:

failure, event happens / success, event doesn’t happen

–

They can take only 2 different values. Several sets of value names can be used:

TRUE / FALSE

1 / 0

Yes / No

Boolean Operators and Laws Boolean Operators and Laws

“OR” Disjunction: (∨), frequently, the arithmetic addition symbol is used instead: +

“AND” Conjunction: (∧); frequently, the arithmetic multiplication symbols are used instead: x, ·, *

“NOT” Negation: Several symbols added to the Boolean variable are used, such as: “/”, “ ’ ”: /A, A’

Boolean laws or properties: Commutative, Associative, Distributive, Idempotent, Absorption, Morgan’s laws, ...

MATHEMATICAL NOT. USUAL NOTATION LAW NAME

X∧Y = Y∧X X•Y = Y•X COMMUTATIVE LAW

X∨Y = Y∨X X+Y = Y+X

X∧(Y∧Z)=(X∧Y)∧Z X•(Y•Z)=(X•Y)•Z ASSOCIATIVE LAW

X∨(Y∨Z)=(X∨Y)∨Z X+(Y+Z)=(X+Y)+Z

X∧(Y∨Z)=(X∧Y)∨(X∧Z) X•(Y+Z)=X•Y + X•Z DISTRIBUTIVE LAW

X∧X = X X•X = X IDEMPOTENT LAW

X∨(X∧Y) = X X+(X•Y) = X ABSORPTION LAW

X∧X'= 0 X•X'= 0 COMPLEMENTATION LAW

X∨X' = 1 X+X' = 1

(X')' = X (X')' = X

(X∧Y)' = X'∨Y' (X•Y)' = X'+Y' MORGAN’S LAWS

(X∨Y)' = X'∧Y' (X+Y)' = X'•Y'

0∧X = 0 0•X = 0

1∧X = X 1•X = X

1∨X = 1 1+X = 1

0∨X = 0 0+X = 0

Boolean Laws

Boolean Laws

Structure Function of the System Structure Function of the System

– The structure function relates the state of the system to the state of the components or basic events.

– It is a Boolean function (time dependent) containing therefore Boolean variables and Boolean operators:

S ( t ) =

ϕ

– The gates of a fault tree represent Boolean operators. The structure function is defined by the fault tree logic.

– The fault tree itself is a model of the system and contains valuable information. However, the structure function is the basis for the estimation of system failure probability

OR gate “O”

S=A+B+C+…

represents disjunction

Fault Tree Symbols Fault Tree Symbols

AND gate “Y”

S=A·B·C·…

represents conjunction

Basic Event

Event to be developed in other fault tree

TW

Simple Case Example 1 Simple Case Example 1

System structure function:

S = A ∧∧^B

Reliability block diagram Plant drawing

A B

S

Failure to deliver flow to point S

Valve A fails

to open Valve B fails

to open

Fault tree A

B

S A B 0 0 0 0 1 0 0 0 1 1 1 1

(AND gate)

∧ ∧

Simple Case Example 2 Simple Case Example 2

System structure function:

S = A ∨∨ ^B Reliability block diagram

Plant drawing A B

S

Failure to cut flow to point S

+

Valve A fails

to close Valve B fails

to close

Fault tree

A B

S A B 0 0 0 1 1 0 1 0 1 1 1 1

(OR gate)

∨∨

– Acquisition of deep knowledge of system design and operation

– Obtaining modelling requirements, success criteria and boundary conditions

– Definition of system boundaries and interfaces

– Constructing simplified diagrams. Support simplification assumptions.

– Document the study and define needs for other models and reliability data in:

Phases of System Analysis Phases of System Analysis

A V VM

• Dependency matrix

• Instrumentation matrix

• Maintenance matrix

• Test matrix

– Document modelling assumptions

– DEVELOP FAULT TREE MODEL. Check model validity.

Fault Tree Example Fault Tree Example

70 71 88

Failure of steam suply from Steam generator C to the auxiliary feed water turbine driven

pump

36K05-36P01

“Loss of flow in piping segment D2”

Fault Tree solution Fault Tree solution

Minimal cut sets Minimal cut sets

EQ1 = EQ2 · EQ3 EQ2 = SB1 + SB2 EQ3 = SB1 + SB3

EQ1 = (SB1+SB2)·(SB1+SB3)

(original structure function)

EQ1 = SB1·SB1 + SB1·SB3 + SB2·SB1 + SB2·SB3

EQ1 = SB1 +

SB1·SB3 + SB2·SB1 + SB2·SB3

EQ1 = SB1 + SB2·SB3

(Disjunctive normal form, suitable for quantification) EQ2

SB1 SB2

EQ3

SB1 SB3 EQ1

Accident Sequence Equations Accident Sequence Equations

A-05 = A · /F · /I · D1

D1 = GD11 · GD12 GD11 = GD111 · GD112 + ...

GD12 = GD121 + GD122 · ...

...

...

GDxxx= Basic1 +Basic2 + ... + ...

Dependent Boolean variable

Final Objective: Core damage equation >> Core damage Final Objective: Core damage equation >> Core damage

frequency and dominant risk contributors frequency and dominant risk contributors

• Initiating event

• Basic events

Different codes for:

• Human errors

• Hardware failures

• Component outages

They are

independent Boolean variales

Summary Summary

– The event tree headers representing failures of safety systems must be developed by fault tree analysis until the failure of the header can be represented in terms of independent basic events.

– In the System Analysis Task of a PSA the Fault Trees of all the intervening systems for accident mitigation are obtained and linked together

– The Boolean models associated to the fault tree structure are developed to obtain the Minimal Cut sets. These cut sets represent minimal combinations of basic events that are enough to cause a system failure. For a system failure to occur is necessary that at least all the basic events of one minimal cut set have occurred.

These minimal cut sets are the basis for obtaining the system failure probability, and later on the core damage frequency.