Reliability Engineering 16 (1986) 265-276
A Safety Prediction Technique for Nuclear Power Plants
C. D. Henry III and D. C. Brauer
Reliability Technology Associates, 700 Ravinia Place, Orland Park, Illinois 60462, USA
(Received: 27 February 1986)
This paper presents a Safety Prediction Technique (SPT) for nuclear power plants. SPT is used to develop models which calculate criticality as the product of the failure/error probability for a component/action, which can be estimated from failure/error data, and the sensitivity of the component/action, which is the conditional probability that the plant will be unsafe given that a failure/error has occurred. These models are described in terms of both functional block diagrams and a computer data format, following procedures and codes developed in the paper.
Safety Prediction Technique (SPT) provides a new computerized methodology by which the effect of component failure or procedural, software, or human error on nuclear power plant safety can be measured. It provides a viable alternative to the traditional performance of a costly and cumbersome probability risk assessment (PRA).
The authors have tailored an analysis technique, originally developed by ARINC Research Corporation, which they have applied extensively in developing safety models for many US Air Force aircraft under the aegis of Mr H. Cheesman of Kelly Air Force Base, USA.[1] It was through this experience that the application of SPT to nuclear power plants was realized and consequently developed.
Reliability Engineering 0143-8174/86/$03.50 Elsevier Applied Science Publishers Ltd, England, 1986. Printed in Great Britain
The overall objectives of SPT are:
(1) to predict unsafe situations so that corrective actions can be taken before accidents occur;
(2) to quantify the impact of equipment malfunction or procedural, software, or human error on safety and thereby establish priorities for proposed modifications; and
(3) to provide a means of evaluating proposed changes for their impact on safety prior to implementation and to provide a method of tracking implemented changes.
Implementation of the new technique ultimately provides a quantification called 'criticality', which is proportional to the probability that a given component or procedural/human action will cause the plant to operate in a hazardous mode. A hazardous mode is characterized by the fact that there has been a failure/error and the plant, its operating crew, and the public are exposed to danger. Whether the event results in an accident, an incident, or merely the exposure to danger is dependent upon the skill and reaction of the operating crew as well as external influences.
2 SPT METHOD APPROACH
Criticality of a component or a procedural/human action is defined as follows:
$\text{Criticality} = P(A \cap \text{fail})$
where 'fail' designates the event that a particular failure/error has occurred and 'A' designates the event that the plant is operating in a hazardous mode. $P(A \cap \text{fail})$ expressed verbally is the probability that the events 'A' and 'fail' will occur simultaneously.
From elementary probability theory it can be shown that
$P(A \cap \text{fail}) = P(A \mid \text{fail}) \, P(\text{fail})$ (1)
This equation means that the probability that a particular component/action will cause the plant to operate in an unsafe mode is the product of two probabilities, first the conditional probability that the plant will be unsafe given that a failure/error has occurred, and secondly the probability that the failure/error will occur.
Equation (1) is used for criticality calculations in SPT. $P(\text{fail})$ can be estimated from failure/error data. The value of $P(A \mid \text{fail})$, the sensitivity, is calculated for each component/action from data input to SPT safety assessment models. To match failure/error data to sensitivity, a five- or seven-digit code, where the digits can be numbers or letters, is assigned to each component or action and is used to identify the component/action in both the failure data and the safety assessment model.
The sensitivity of a component/action then is a measure of the importance of that component/action to plant safety. It is the likelihood that the plant will enter a hazardous mode if the component fails or an error occurs in the action. Sensitivity values are always between 0 and 1, inclusive. A value of 0 means that failure of the component or error in the action never has an effect on safety or has a negligible effect. A value of 1 means that failure of the component or error in the action always has an effect on safety (or nearly always). A typical sensitivity value is neither 0 nor 1 but some value between. Factors which must be considered in the assessment of sensitivity values include the design of the particular component, the relationship of the component/action to other components/actions in the plant, and the effect of certain operating conditions. In actual practice these factors are treated individually by the engineers who are developing SPT models. The combined effect of the individual factors is calculated in the SPT computer program.
3 SPT IMPLEMENTATION
SPT is implemented through the application of a 9-step process as outlined below.
Step 1: Identify major nuclear power plant functions.
Step 2: Construct functional diagram per function.
Step 3: Assign alpha codes to functions, subfunctions, etc. down to the component/action level.
Step 4: Identify operational phases.
Step 5: Assess functional sensitivity by phase.
Step 6: Assign provisory factors.
Step 7: Determine link dependencies by phase.
Step 8: Enter/edit data.
Step 9: Computer processing.
Each of these steps is an integral part of the SPT engineering process. Application of this process and the resultant SPT model ensure that nuclear power plants remain in good condition and, consequently, are able to fully support safety requirements.
3.1 Step 1: identify major nuclear power plant functions
The SPT model is initiated by identifying the functions performed by the plant and how these functions are interrelated. A systematic accounting procedure requires tabulating each identified plant function, the equipment/human actions necessary for its performance, and all outputs required from other systems. The major functions related to plant safety are listed in Table 1. The alpha designator in the first column is an identification code for computer use.
3.2 Step 2: construct functional diagram per function
Functional block diagrams are constructed for each of the major functions. In functional diagrams, functions of equal level are arranged in rows such that proceeding from the major function down the page (across rows) leads to progressively lower levels until the end of the path is reached. In contrast to other analysis techniques, the functional diagram is a 'success tree' which describes the intra-relationships of the components/actions within a subfunction as well as the relation between a component/action and a subfunction. A sample functional diagram is shown in Fig. 1. Some of the terms on the legend are defined later in this paper.
TABLE 1 Major Nuclear Power Plant Functions

Alpha designator  Function
A                 Containment
B                 Power production
C                 Control
D                 Instrumentation and display
E                 Environmental control
F                 Fire protection
S                 Balance of plant support
U                 Utilities
X                 Auxiliaries
3.3 Step 3: assign alpha codes to functions, subfunctions, etc. down to the component/action level
To identify function relationships in the computer program, an alpha code is assigned to each function, subfunction, etc., down to the component/action level. There are only three restrictions placed on these assignments:
(1) all characters in a code must be a letter of the alphabet;
(2) the maximum number of characters in one code is seven;
(3) codes assigned to major functions must be in accordance with the alpha designators in Table 1.
To facilitate accounting procedures, subordinate function codes begin with the parent function code. However, the computer will accept any arrangement of alphanumeric characters. A character is generally not added to the code at each lower level. When a function is required by more than one higher level function (or when a component/action is required by more than one function and for the same purpose), the same alpha code is used in each application. When a component/action is required for more than one purpose, different alpha codes are assigned.
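The following is an added example, not the authors' program, showing how the three Step 3 restrictions and the parent-prefix convention can be checked mechanically before codes are entered into a model. The Table 1 designators are taken from the paper; the sample code list, the function names and the error messages are constructed for this example, and the parent lookup (longest assigned proper prefix) is this example's reading of the convention that a subordinate code begins with its parent's code without necessarily adding a character at every level.

```python
"""Validator for SPT alpha codes (Step 3). Example code added to this page,
not the paper's own program. Sample codes below are constructed."""
from typing import Dict, List, Optional, Set

# Table 1 alpha designators for the major functions (from the paper).
MAJOR_FUNCTIONS = {
    "A": "Containment", "B": "Power production", "C": "Control",
    "D": "Instrumentation and display", "E": "Environmental control",
    "F": "Fire protection", "S": "Balance of plant support",
    "U": "Utilities", "X": "Auxiliaries",
}
MAX_CODE_LENGTH = 7  # restriction (2)


def code_errors(code: str) -> List[str]:
    """Return the restriction violations for a single code (empty if valid)."""
    errors = []
    # Restriction (1): letters only (ASCII, so digits and symbols are rejected).
    if not (code.isascii() and code.isalpha()):
        errors.append("restriction 1: every character must be a letter")
    # Restriction (2): at most seven characters (and at least one).
    if not 1 <= len(code) <= MAX_CODE_LENGTH:
        errors.append("restriction 2: one to seven characters")
    # Restriction (3): the leading character names a Table 1 major function,
    # because subordinate codes begin with the major function's code.
    if code[:1].upper() not in MAJOR_FUNCTIONS:
        errors.append("restriction 3: leading character must be a Table 1 designator")
    return errors


def parent_of(code: str, assigned: Set[str]) -> Optional[str]:
    """Longest proper prefix of `code` that is itself an assigned code.
    A character is not necessarily added at every level, so the parent
    may be more than one character shorter (assumption of this example)."""
    for n in range(len(code) - 1, 0, -1):
        if code[:n] in assigned:
            return code[:n]
    return None


def check_model(codes: List[str]) -> Dict[str, List[str]]:
    """Validate a whole code set; maps each offending code to its errors."""
    problems: Dict[str, List[str]] = {}
    assigned = set(codes)
    for code in codes:
        errs = code_errors(code)
        # Only well-formed subordinate codes are checked for a parent.
        if not errs and len(code) > 1 and parent_of(code, assigned) is None:
            errs.append("no parent code assigned (subordinate codes begin with the parent code)")
        if errs:
            problems[code] = errs
    return problems


if __name__ == "__main__":
    # Constructed sample: a power-production branch plus four faulty codes.
    sample = ["B", "BC", "BCA", "B1A", "ABCDEFGH", "Q", "CDE"]
    for code, errs in check_model(sample).items():
        print(code, "->", "; ".join(errs))
```

Run as a script the validator reports "B1A" (digit), "ABCDEFGH" (eight characters), "Q" (not a Table 1 designator) and "CDE" (neither "CD" nor "C" has been assigned, so it has no parent); the codes "B", "BC" and "BCA" pass.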
3.4 Step 4: identify operational phases
The function of some components/actions, as well as the importance of the failure of a function, is not constant throughout plant operation. Unlike other analysis techniques, SPT deals with the problems of changing roles by dividing plant operation into nine distinct phases, as listed in Table 2. These phases allow plant component criticality variances to be recognized and analyzed as to their impact on plant safety.
TABLE 2 Phases of Nuclear Power Plant Operation

1. Start up
2. Approach to criticality
3. Power ascension to turbine synchronization
4. Power ascension to steady state power
5. Steady state power
6. Power reduction to turbine disconnect
7. Power reduction to reactor shutdown
8. Post-criticality cooling
9. Shutdown
3.5 Step 5: assess functional sensitivity by phase
The sensitivity of a function is defined as the probability that loss of the function will cause the plant to enter a hazardous mode. The actual numerical values assigned are proportional rather than absolute and increments no smaller than 0.1 are assigned. Increments smaller than 0.1, when required, are assigned by defining a quasi-function one level below the function of interest. The value assigned to the quasi-function is such that the product of the two sensitivities is equal to the desired sensitivity. Any number of quasi-functions, each at a successively lower level, can be used. This method of attenuation allows for assignment of sensitivities at the highest degree of accuracy which can be assessed. In some cases, the sensitivity is made at the major function level; in other instances, it is made at the next lower level. The levels at which sensitivities are assigned are designated by ellipses on functional diagrams.
3.6 Step 6: assign provisory factors
The significance of certain functions is dependent on external influences, for which cases 'provisory factors' have to be identified. For such functions, the procedure used is to always assign the worst case sensitivity or link dependency which would then be modified by the provisory factor. In general, provisory factors represent the probability of the existence of external conditions influencing the sensitivity of the function. Table 3 is a list of standard provisory factor codes and descriptions used in SPT. Values suitable to the particular plant under study must be assigned.
Provisory factors make SPT a powerful and unique tool. Other analysis techniques, fault tree analysis for example, require that a new model be developed to evaluate the impact of each external influence. SPT, using provisory factors, requires only that a single model be developed to evaluate the impact of all external influences. This increases analysis efficiency and cost-effectiveness.
3.7 Step 7: determine link dependencies by phase
Link dependency is the probability that the loss of a function will cause loss of the next higher level function which is dependent upon it. The assignment of link dependency requires only a knowledge of the system operation because it is concerned only with function levels below those assigned a function sensitivity. The evaluation of the impact on plant safety of the loss of a given component or of an error in a human action is made by the computer, which multiplies each successive link dependency times the 'sensitivity' of the top-level function to arrive at a sensitivity for each component/action and each subfunction. The link dependency between two functions A and B, where B is dependent on A, is defined as the probability that the loss of function A will result in the loss of function B. Like sensitivities, link dependency values are assigned in increments of 0.1. The method of attenuation can be applied to link dependencies, as in assigning sensitivity values. However, the quasi-function is usually placed one level above the function rather than below the function as in sensitivity attenuation. Link dependency values are operation-phase dependent in that a function's importance to a successor function may depend on the phase of operation.

TABLE 3 Provisory Factors

Code  Description
A     Icing conditions
B     Backup system inoperative
C     Cold weather
D     Power blackout
E     Earthquake
F     Overpower transient
G     Tornado/hurricane/high wind
H     Hot weather
I     Loss of function for which indicator is provided
J     Function present only part
K     Normal system failed
L     Loss of cooling
S     Unscheduled scram
T     Unscheduled turbine trip
X     Fire
2     1 of 3 units required
3     2 of 3 units required
4     1 of 4 units required
5     2 of 4 units required
6     3 of 4 units required
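The following is an added example, not the paper's program, showing the computation the text attributes to the computer in Steps 5 to 7 and equation (1): link dependencies are multiplied up the functional diagram until a function carrying an assigned sensitivity is reached, a provisory factor scales a worst-case value by the probability of its external condition, a quasi-function attenuates its parent's sensitivity, and criticality is sensitivity times $P(\text{fail})$. The tree, phase numbers, sensitivities, link dependencies, the provisory probability for Table 3 code B and the failure probabilities are all constructed sample data; the combination rules are this example's reading of the paper's description.

```python
"""Sensitivity and criticality over an SPT functional diagram (Steps 5-7,
equation (1)). Example code added to this page, not the paper's program.
All numbers below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STEADY_STATE, SHUTDOWN = 5, 9  # phase numbers from Table 2


@dataclass
class Node:
    code: str                          # alpha code (Step 3)
    parent: Optional[str] = None       # None for a major function
    sensitivity: Dict[int, float] = field(default_factory=dict)  # Step 5, by phase
    link: Dict[int, float] = field(default_factory=dict)         # Step 7, by phase
    provisory: Optional[str] = None    # Step 6: Table 3 code conditioning the value
    quasi: bool = False                # attenuation quasi-function (Step 5)


def check_increment(value: float, where: str) -> float:
    """Assigned sensitivities and link dependencies use increments of 0.1."""
    if not 0.0 <= value <= 1.0 or abs(value * 10 - round(value * 10)) > 1e-9:
        raise ValueError(f"{where}: {value} is not a multiple of 0.1 in [0, 1]")
    return value


class SptModel:
    def __init__(self, nodes: List[Node], provisory_probabilities: Dict[str, float]):
        self.nodes = {n.code: n for n in nodes}
        self.provisory = provisory_probabilities  # Table 3 code -> P(condition exists)

    def _conditioned(self, value: float, code: Optional[str]) -> float:
        """Worst-case value scaled by the probability of the external condition."""
        return value * self.provisory[code] if code else value

    def sensitivity(self, code: str, phase: int) -> float:
        """P(A | fail) for a node: walk up the diagram multiplying link
        dependencies until a function with an assigned sensitivity is met."""
        node = self.nodes[code]
        if phase in node.sensitivity:
            s = check_increment(node.sensitivity[phase], f"{code} sensitivity phase {phase}")
            s = self._conditioned(s, node.provisory)
            # A quasi-function's value multiplies its parent's sensitivity so that
            # the product equals the desired (sub-0.1) sensitivity.
            return s * self.sensitivity(node.parent, phase) if node.quasi else s
        if node.parent is None:
            raise ValueError(f"no sensitivity assigned above {code} for phase {phase}")
        link = check_increment(node.link[phase], f"{code} link phase {phase}")
        return self._conditioned(link, node.provisory) * self.sensitivity(node.parent, phase)

    def criticality(self, code: str, phase: int, p_fail: float) -> float:
        """Equation (1): P(A and fail) = P(A | fail) * P(fail)."""
        return self.sensitivity(code, phase) * p_fail

    def criticality_table(self, failure_data: Dict[str, float], phase: int) -> List[Tuple[str, float]]:
        """Criticality of every coded item with failure data, highest first
        (objective (2): establish priorities)."""
        rows = [(code, self.criticality(code, phase, p)) for code, p in failure_data.items()]
        return sorted(rows, key=lambda r: r[1], reverse=True)


def build_sample_model() -> SptModel:
    """Constructed diagram: major function B, a quasi-function BQ giving a
    0.05 sensitivity in shutdown, subfunction BC and two components."""
    nodes = [
        Node("B", sensitivity={STEADY_STATE: 0.9, SHUTDOWN: 0.1}),
        Node("BQ", parent="B", quasi=True, sensitivity={STEADY_STATE: 1.0, SHUTDOWN: 0.5}),
        Node("BC", parent="BQ", link={STEADY_STATE: 0.8, SHUTDOWN: 1.0}),
        # BCA only matters when the backup system is inoperative (Table 3 code B).
        Node("BCA", parent="BC", link={STEADY_STATE: 0.5, SHUTDOWN: 0.5}, provisory="B"),
        Node("BCB", parent="BC", link={STEADY_STATE: 1.0, SHUTDOWN: 0.2}),
    ]
    return SptModel(nodes, provisory_probabilities={"B": 0.2})  # constructed P(backup inoperative)


if __name__ == "__main__":
    model = build_sample_model()
    failure_data = {"BCA": 0.01, "BCB": 0.05}  # constructed P(fail) per code
    for code, crit in model.criticality_table(failure_data, STEADY_STATE):
        print(f"{code}: sensitivity={model.sensitivity(code, STEADY_STATE):.4f} criticality={crit:.6f}")
```

With the sample data, BCA in steady state has sensitivity 0.5 × 0.2 (provisory) × 0.8 × 1.0 × 0.9 = 0.072, and in shutdown the quasi-function brings B's 0.1 down to 0.05 before the link dependencies apply. Values that are not multiples of 0.1 are rejected at assignment time, which is where the paper says attenuation through a quasi-function must be used instead.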
Redundancy in functional block diagrams can be either active or stand-by. However, from the point of view of nuclear power plant safety, situations involving true active redundancy are rare. Careful analysis of cases of apparent active redundancy will inevitably reveal that failure of one of the redundant units will degrade plant safety. When a case of true active redundancy does occur, it can be handled effectively by careful assignment of link dependency values, that is, by