A(

MIa

b

c

d

e

h

••••

a

ARR1A

1

zetphta

aafc

v

0h

Nuclear Engineering and Design 265 (2013) 765– 771

Contents lists available at ScienceDirect

Nuclear Engineering and Design

j ourna l h om epa ge: www.elsev ier .com/ locate /nucengdes

computer based living probabilistic safety assessmentLPSA) method for nuclear power plants

uhammad Zubaira,c,∗, Zhang Zhijianb, Gyunyoung Heoa,ftikhar Ahmedd, Muhammad Aamire

Department of Nuclear Engineering, Kyung Hee University, Yongin-si, Gyeonggi-do 446-701, Republic of KoreaCollege of Nuclear Science and Technology, Harbin Engineering University, PR ChinaDepartment of Basic Sciences, University of Engineering and Technology, Taxila, PakistanCollege of Mathematics and Statics, Chongqing University, 401331, PR ChinaKey Laboratory of Low-grade Energy Utilization Technologies and Systems, Chongqing University, Chongqing 400030, China

i g h l i g h t s

A computer based LPSA method named, online risk monitor system (ORMS) has been proposed.The essential features and functions of ORMS have been described.A case study of emergency diesel generator (EDG) of Daya Bay NPP had carried out.By using ORMS operational failure rate and demand failure probability of EDG has been calculated.

r t i c l e i n f o

rticle history:eceived 19 February 2013

a b s t r a c t

To update PSA (probabilistic safety assessment) model this paper presents a computer based living prob-abilistic safety assessment (LPSA) method named as online risk monitor system (ORMS). The essential

eceived in revised form0 September 2013ccepted 12 September 2013

features and functions of ORMS have been described in this research. A case study of emergency dieselgenerator (EDG) of Daya Bay nuclear power plant (NPP) has been done; operational failure rate anddemand failure probability of EDG has been calculated with the help of ORMS. The results of ORMSare well matched with data obtained from Daya Bay NPP. ORMS is capable of automatically update the

liabilianag

online risk models and reprocess of operator and m

. Introduction

Over the past years, many nuclear power plant (NPP) organi-ations have performed probabilistic safety assessments (PSAs) tonhance the safety level of NPP. These PSA studies is an effectiveool because it assist plant management to get more benefits forlant safety but any PSA used to support decision making mustave a defensible basis therefore it is very important that regula-ory body accept Living PSA. LPSA provides basis for risk informedpproach to decision making.

In the past (Balfanz et al., 1992) suggested a system named safetynalysis and information system (SAIS) to investigate event tree

nd fault tree construction. Poucet (1990) developed software toolor the analysis of reliability and safety (STARS) for hazard identifi-ation and for logic model construction. Even if these systems were

∗ Corresponding author at: Department of Basic Sciences and Humanities, Uni-ersity of Engineering and Technology Taxila, Pakistan. Tel.: +923348610154.

E-mail address: zubairheu@gmail.com (M. Zubair).

029-5493/$ – see front matter © 2013 Elsevier B.V. All rights reserved.ttp://dx.doi.org/10.1016/j.nucengdes.2013.09.017

ty parameters of equipment in time. ORMS can support in decision makinger in nuclear power plant.

© 2013 Elsevier B.V. All rights reserved.

computer based but most of the work needs to be done manually.On other hand ORMS presented in this study is capable to updatereliability data and failure rates in a quick manner by using Baye’stheorem.

In safety analysis, the prime objective is to identify thepotential sources of system failure. These sources belong to thecomponents, process materials, operating procedures, workingpersonnel, process instrumentation, etc. Apart from general engi-neering evaluation, several techniques have been developed forthe identification of potential sources of failures and provideuseful information for fault tree analysis (FTA) and event treeanalysis (ET). Some of the famous techniques include check-lists, preliminary hazard analysis (PHA), failure mode and effectanalysis (FMEA), hazard and operability study (HAZOP), masterlogic diagram (MLD), etc. Some of these procedures have beenimplemented using computers in a much easier, convenient and

interactive way and in some programs there is provision to per-form two or more types of analyses jointly (Kumamoto et al., 1996;Crowl et al., 2002; Venkatasubramanian et al., 1994; Sang et al.,2010).

766 M. Zubair et al. / Nuclear Engineering a

Nomenclature

n number of failuresk number of demands

shape parameter˛post posterior value of shape parameter˛prior prior value of shape parameter

scale parameterˇpost posterior value of scale parameterˇprior prior value of scale parametert timeAOT allowed outage timeEFS experience feedback systemd downtime associated with an AOTf downtime frequency or the average yearly fre-

quency of occurrences of the AOTR1 the increased risk level, e.g., increased CDF, when

the component is known to be down or unavailableR0 the reduced risk level, e.g., reduced CDF, when the

component is not down, i.e., down unavailability iszero

�R the increase in the conditional risk level, e.g.,increase in CDF, given the component is down

r single-event AOT riskRy yearly AOT risk� failure rateT1 allowed configuration time as the first type of oper-

ational event happenT2 allowed configuration time as the second type of

dsrtasrmaLam

•

operational event happen

A risk monitor is a plant specific real time analysis tool used toetermine the instantaneous risk based on the actual status of theystems and components. At any given time, the safety monitoreflects the current plant configuration in terms of the known sta-us of the various systems and/or components, e.g. whether therere any components out of service for maintenance or tests. Theafety monitor model is based on the LPSA (IAEA, 1999). The firstisk monitors were put into operation in 1988. The number of riskonitors worldwide has increased to over 150. The risk monitors

re used for quantitative analysis like core damage frequency (CDF),arge early release frequency (LERF) and qualitative analysis suchs safety function, safety system. There are different types of riskeasures like;

Baseline risk which is the numerical value of the risk (CDF, LERF,etc.) calculated by the PSA with all components available to carryout their safety function.

Fig. 1. Average, baseline and point in time risk.

nd Design 265 (2013) 765– 771

• The average risk which is normally calculated by the Living PSAfor full power operation. Average risk is calculated when averagemaintenance unavailability Introduced and it is always greaterthan the baseline risk.

• The point-in-time risk is the level of risk is related to a specificplant. The point-in-time risk will change as the plant config-uration and environmental factors change as shown in Fig. 1(NEA/CSNI/R, 1996).

In this research a methodology for LPSA has been developed.On the basics of this methodology ORMS has been presented inthis article which is capable to calculate changes in configurationand reliability of components in NPP. ORMS is based on full power,internal event Level 1 PSA and update risk models regularly andautomatically.

2. Methodology and structure of online risk monitorsystem (ORMS)

In PSAs, modification of systems with a high level of redundancyis modeled at a system level. This is done by adding basic events tothe system fault trees or Bayesian Network to model all the redun-dant trains and these basic events have fixed probabilities whichhave been determined using a �-factor approach. As an exampleof this for a three train system, the system is modeled as a singlebasic event which represents failure of 3 out of 3 redundant trains.However, when a train of the system is removed for maintenanceor test, the level of redundancy is reduced to a two train system andthe basic event needs to be reduced to failure of 2 out of 2 trains.This reduction in redundancy is recognized in the part of the PSAmodel which represents random failures.

Secondly, the reliability data update module (RDUM), which isa module of ORMS, work in such a way that it uses Bayes’ Theoremand combination of different distributions (beta and gamma) for thecalculation and updating of parameters. As failures occur then oper-ator just need to recognize these failures and provides these valuesto RDUM, as a result parameter values automatically updated. Hereautomatically means that there is no need for operator or expertto recalculate these values instead ORMS has capability to updatethese values.

The basic methodology of ORMS consists of five modules knownas;

• Reliability data update module (RDUM)• Running time update• Redundant system unavailability update• Engineered safety function (ESF) unavailability update• General system update

These five modules are shown in Fig. 2. The first two modulesRDUM and running time update receive information from D–I&C(digital instrumentation and control) system, analyzed data quanti-tatively and supply feed back to reliability data base. The remainingthree modules receive information from monitoring unit & systemdesign change unit and analyzed data qualitatively. The qualita-tive and quantitative output of these three modules in combinationwith reliability data base module is provided to Living PSA model,respectively. After getting information the online risk model makesa quick calculation of following factors;

• Core damage frequency• Importance factor• Allowed configuration time• Qualitative risk information

M. Zubair et al. / Nuclear Engineering and Design 265 (2013) 765– 771 767

Reliability DataBase

Living PSA Model

Online-Risk modelcalculation

Over-Risk limit

Shut Down

Redundant Sys.unavailabilityupdate

ESF Unav. update

General sys update

RDUM

D-I&C

Running TimeUpdate

Record -Unit

Record-Unit

OSSRCMYes

No

Monitoring unit

Monitoring unit

Sys. Designchange

cture of ORMS.

titFTa

gtccpn

3

3

aut

(

RDUM

Bayes’ Theorem

Gamma and PoissonDistribution

Use of combinedistribution

Beta and BinomialDistribution

Calculation andUpdating of parameters

Fig. 2. Stru

In view of calculation, the online risk model makes it possibleo shut down plant if risk exceed over a limit and continue updat-ng process if risk levels liaise within limits. The online assessingo I&C system and getting the configuration information of NPP.ig. 3 describes the automatically updating of online risk models.he reliability parameters of the equipment and other informationre calculated at this stage.

To prevent failures reliability centered maintenance (RCM)athered and compares all updated data for analysis. RCM is condi-ion based, with maintenance intervals based on actual equipmentriticality and performance data (IAEA, 2007). The purpose ofomparison in RCM is to identify needed changes in the existingrogram and thereby optimize the facility’s preventive mainte-ance program.

. Specification of modules in ORMS

.1. RDUM and running time update

The RDUM work in such a way that it uses Bayes’ Theoremnd combination of different distributions for the calculation andpdating of parameters, Fig. 4 describe this concept clearly. Twoypes of distributions have been used.

1) Beta distribution with binomial likelihood function for thecalculation of demand failure probability. Eqs. (1) and (2)explain the key results of these distributions and the calculation

Fig. 3. ORMS online features.

Fig. 4. Function of RDUM.

process or steps can be seen as described by Zubair and Zhijian(2011).

˛post = k + ˛prior (1)

ˇpost = n − k + ˇprior (2)

(2) Gamma distribution with Poisson likelihood function to updaterunning time, Eqs. (3) and (4) explain final results.

˛post = x + ˛prior (3)

ˇpost = t + ˇprior (4)

The updating of parameters can be achieved according to PSAmodel requirement. The failure rates of components changes withthe passage of time. So to represent these changes and unavailabil-ity of components become a question mark for safety engineersto update models as a result RDUM start its operation till comple-tion of updating. If there are no changes in plant configuration thenRDUM make one calculation per hour, but if configurations changesthen RDUM starts immediately and makes calculation once everytwo minutes in one hour.

Table 1 represents allowed configuration time as operationalevent happens, where T1 denotes allowed configuration time as thefirst type of operational event happen and T2 represents Allowedconfiguration time as the second type of operational event happen.

768 M. Zubair et al. / Nuclear Engineering a

Table 1Allowed configuration time as operational event happen.

T2/T1 T2 ≤ 8 h 8 h ≤ T2 ≤ 24 h T2 ≥ 24 h

T1 ≤ 8 h 1 h 1 h 1 h8 h ≤ T1 ≤ 24 h 1 h 8 h 8 hT1 ≥ 24 h 1 h 8 h 24 h

Determine theCondition ofSevere accident

Plant InternalInformation

Availability ofInstruments

Monitoring

Fault ProtectionDevice (Valve or

Pump)

SignalGeneration

Transmitter

Decision

3

arusstbsdtm

(

i

TT

System

Fig. 5. Logical configuration of monitoring system.

.2. Redundant, ESF and general system unavailability update

The function of these three modules is to make qualitativenalysis of data and provide this information to LPSA model. Theedundant and ESF modules receive information from monitoringnit, while general system module updated as changes occur inystem design. The logical configuration of monitoring system ishown in Fig. 5. In ORMS system updated module is necessary sohat it reflects the current design and operation of the plant which isased on the most up to date analysis (thermal-hydraulic analysis,evere accident analysis, etc.) of how the plant behaves in fault con-itions, uses data derived from plant operating experience wherehis is available and takes account of improvements made in PSA

odeling techniques.There are three main steps in Fig. 5.

(i) Signal generation process which includes human operator’sjudgment and proper action (push button), normal operationof command generation equipment.

(ii) Success of command transmission through electrical wire orpressure sensing line.

iii) Normal response of the actuating device to a given command.The Fault tree analysis is made to find the unreliability (failure

probability) in the control command generation process.

The system unavailability increase risk level. If R1 is thencreased risk level in core damage frequency (CDF) with the

able 2en year’s data of EDG.

Time (years) Operation time (h) Failure time

Operationalfailure

Demandfailure

1997 187.5 0 1

1998 99 1 1

1999 48.22 0 3

2000 44.65 1 2

2001 62.95 2 0

2002 57 0 2

2003 66.3 1 2

2004 50.2 1 0

2005 63 1 1

2006 59.7 0 0

nd Design 265 (2013) 765– 771

component assumed down or the component unavailability equalto 1 (NURGE/CR-6141, 1994). R0 is the reduced CDF with the com-ponent assumed up, i.e. the component unavailability equal to zero(means component available). In terms of R1 and R0 the increase �Rin risk level associated with the allowed outage time (AOT) then;

�R = R1 − R0

Using the above expression, the single-event AOT risk and theyearly AOT risk can be expressedas, r = single-event AOT risk

= (R1 − R0) × dAndRy = yearly AOT risk contribution= f.r= f. (R1 − R0) × dR1 can be calculated by setting the component down event to a

true state in the PSA. Similarly, R0 can be calculated by setting thecomponent down event to a false state in the PSA.

The AOTs for components and system trains are the times givenin the plant technical specifications for typical/bounding plant con-figurations and are mandatory requirements that need to be metby the plant operators. These requirements have traditionally beenbased on deterministic criteria but now are often based in part onrisk information obtained from the Living PSA. The single-eventAOT risk and the yearly AOT risk contribution, as well as the basiccontributing factors, can be calculated from the PSA using standardPSA codes.

4. Case study of emergency diesel generator (EDG)

The data for EDG considered here has been collected fromJanuary 1997 to December 2006 as shown in Table 2. The failurerates in Table 1 have been calculated by using classical method.

The equipment failure data is sample from EFS (experiencefeedback system). Each nuclear power generating units of dieselgenerator system consists of two identical entities separate andindependent series A (LHP) and series B (LHQ) component, eachdiesel generator sets and related auxiliary equipment installed in aSeparated factories. In case of electricity loss, EDG supplies 6.6 kevpower to both A and B series. Each diesel generator set includes thefollowing equipment:

(i) Two diesel engines and its immediate installation of equipment.(ii) A generator and the excitation and protection equipment.

4.1. EDG failure rate calculations with ORMS

The ORMS enables a user to calculate and update data within afew minutes. The login screen and main page is shown in Fig. 6.

When logged on as an Operator, the user is allowed to view thecurrent risk, assess the safety of some hypothetical configurations,

Failure rate (�) Start time

Operational failure rate(per hour)

Demand failureprobability (per day)

0.00E+00 5.33E−03 761.01E−02 1.01E−02 550.00E+00 6.22E−02 522.23E−02 4.47E−02 483.17E−02 0.00E+00 590.00E+00 3.50E−02 571.50E−02 3.01E−02 623.98E−02 0.00E+00 531.58E−02 1.58E−02 600.00E+00 0.00E+00 51

M. Zubair et al. / Nuclear Engineering and Design 265 (2013) 765– 771 769

vtcit

Table 3Failure rates obtained from ORMS.

Time (years) Failure time

Operational failurerate (per hour)

Demand failureprobability (per day)

1997 0.00E+00 4.02E−031998 1.03E−02 1.02E−021999 0.00E+00 5.70E−022000 1.00E−03 4.35E−022001 2.25E−02 0.00E+002002 0.00E+00 2.90E−022003 1.03E−02 3.00E−022004 3.21E−02 0.00E+002005 1.80E−02 1.43E−02

Fig. 6. Login screen and main page of ORMS.

iew plant’s current configuration data, failure data, etc. However

he Operator has no permission to make changes in current plantonfiguration, failure data, etc. Administrators have no limitationsn using the risk monitor. They are the only group that can changehe account type or password and compare current risk level with

Fig. 7. Working ste

2006 0.00E+00 0.00E+00

existing data. The demand failure probability and operational fail-ure rate has been calculated with ORMS by using beta and gammaprior distributions, respectively as shown in Table 3

After providing user name and password the main page of ORMSopen. Now at this stage if user wants to calculate operational failurerate than after assign the values of number of failures and number of

demands, RDUM-1 will provide required results and if it is neededto update running time than RDUM-2 execute updating process,these steps are shown in Fig. 7. In case of demand failure probability

ps of ORMS.

770 M. Zubair et al. / Nuclear Engineering a

0.00E +005.00E-031.00E-021.50E-022.00E-022.50E-023.00E-023.50E-024.00E-024.50E-02

1997

1998

1999

2000

2001

2002

2003

2004

2005

2006

Ope

ra�o

nalfailre

rate

(Per

Hour)

Time (y ears )

Data from Da ya Ba y NPPData from ORMS

Fig. 8. Comparison of operational failure rate.

0.00E+ 00

1.00E-02

2.00E-02

3.00E-02

4.00E-02

5.00E-02

6.00E-02

7.00E-02

1997 199 8 19 99 2000 200 1 2002 2003 20 04 2005 2006Deman

dfailu

reprob

ability

(Per

Day)

Time (ye ars )

Data from Da ya Bay Npp

Data from ORM S

Fig. 9. Comparison of demand failure probability.

Fig. 10. Comparison of data

nd Design 265 (2013) 765– 771

the beta prior value is fixed (0.5), but in case of operational failurerate beta prior is calculates with this formula;

Beta prior = alpha prior/mean data value

So in this case beta prior is not fixed and program calculates itsvalue by using above formula.

A comparison of failure rates of EDG specific data obtained fromDaya Bay NPP and data calculated with ORMS has been done asshown in Figs. 8 and 9. The results showed that the operationalfailure rate and demand failure probability decreases when datacalculated with ORMS.

ORMS also enables a user to compare generic data with specificdata of NPP. If generic data is coming from two or more sources(Mil Hand book-217, 1995; Wash-1400, 1975; IEEE-500, 1984;NUREG/CR-2300, 1983; T-Book: Reliability data of components inNordic NPP, 1992; The German ZEDB, 2000) than user can also ana-lyze these values by making graphical pattern and choose best forupdating components or equipments (Fig. 10).

5. Conclusion

To achieve safety standards the utilization of LPSA in decisionmaking process seems obvious. In this research a methodology forLPSA and ORMS has been developed, with the help of ORMS theoperator can update PSA model to LPSA model. By using ORMS oper-ational failure rate and demand failure probability of EDG in Daya

Bay NPP has been calculated. The results showed that the failurerates obtained from ORMS are low as compare to specific data atDaya Bay NPP. In future the use of ORMS will make it easy to updatePSA data, which provides better understanding with LPSA.

from different sources.

ring a

A

paar

R

B

C

I

I

I

K

MNN

N

core.

M. Zubair et al. / Nuclear Enginee

cknowledgements

The authors would like to thank the reviewers for the com-rehensive and thoughtful comments and suggestions. The firstuthor is also grateful to Prof. Zhang Zhijian, Prof. Gyunyoung Heond National Research Foundation (NRF) for providing peacefulesearch environment.

eferences

alfanz, H.P., et al., 1992. Safety analysis and information system (SAIS) a living PSAcomputer system to support NPP safety management and operators. Reliab. Eng.Syst. Saf. 38, 181–191.

rowl, A., et al., 2002. Chemical Process Safety: Fundamentals with Applications,2nd ed. Prentice Hall Inc., Upper Saddle River, NJ, USA.

EEE Std 500, 1984. IEEE Guide to the Collection and Presentation of Electrical,Electronic, Sensing Component, and Mechanical Equipment Reliability Data forNuclear-Power Generation Stations.

AEA, 1999. Living Probabilistic Safety Assessment (LPSA). International AtomicEnergy Agency, TECDOC-1106.

AEA, 2007. Application of Reliability Centred Maintenance to Optimize Operationand Maintenance in Nuclear Power Plants. International Atomic Energy Agency,TECDOC-1590.

umamoto, H., et al., 1996. Probabilistic Risk Assessment and Management for Engi-neers and Scientists, 2nd ed. IEEE Press, USA.

il Hand book-217, 1995. Reliability Predictions of Electronic Equipment.UREG/CR 2300, 1983. Human Reliability Analysis, vol. I (Chapter 4).

URGE/CR-6141, 1994. Hand Book of Methods for Risk-Based Analysis of Technical

Specifications.EA/CSNI/R, 1996. Living PSA development and application in member countries.

Nuclear energy agency committee on the safety of nuclear installation.NEA/CSNI/R 2 (95), 1–31.

nd Design 265 (2013) 765– 771 771

Poucet, A., 1990. STARS: Knowledge based tools for safety and reliability analysis.Reliab. Eng. Syst. Saf. 30, 379–397.

Sang, H., et al., 2010. AIMS-PSA: A Software for Integrating Various Types of PSAs.Integrated Safety Assessment Division, Korea Atomic Energy Research Institute,Korea.

T-book, 1992. Reliability Data of Components in Nordic Nuclear Power Plants. ATVOffice, Vallingby, Sweden.

The Centralized Reliability and Events Database (ZEDB), 2000. Zuverlässigkeitsken-ngrößenfürKernkraftwerkskomponenten – Auswertung, VGB PowerTech e.V.,VGB-TW 80.

Venkatasubramanian, V., et al., 1994. A knowledge-based framework for automatingHAZOP analysis. AIChE J. 40, 496–505.

Wash-1400, 1975. Reactor safety study, An Assessment of Accident Risk inU.S. Commercial Nuclear Power Plants, Appendix-III, Failure Data (Table-III4-2).

Zubair, M., Zhijian, Z., 2011. Calculation and updating of reliability parametersinprobabilistic safety assessment. J. Fusion Energy 30, 13–15.

Muhammad Zubair is a Post Doc. Fellow & Assistant Professor in Kyung Hee Uni-versity South Korea. He is also working as Assistant Professor at University ofEngineering and Technology Taxila, Pakistan. He is Ph.D. approved supervisor bythe Higher Education Commission (HEC), Pakistan. He has been engaged in teach-ing as well as in research mainly focused on nuclear energy. His research interestincludes safety and reliability of nuclear power plants, probabilistic safety assess-ment, living probabilistic safety assessment, risk monitoring, digital I&C system. Hehas been working on projects related with monitoring methods for safety compo-nents. He is also conducting research on designing and simulation of nuclear reactor

He taught at Master and Undergraduate level the core subjects of nuclear engi-neering. He worked as Researcher, Lecturer and Assistant Professor in differentuniversities and institutes. He has many international journal and conference arti-cles to his credit.