Reliability Engineering and System Safety 25 (1989) 257-278
Optimal Safety Goal Allocation for Nuclear Power Plants
X. P. Yang, W. E. Kastenberg & D. Okrent
Department of Mechanical, Aerospace, and Nuclear Engineering, University of California, Los Angeles, California 90024-1597, USA
(Received 26 July 1988; accepted 3 November 1988)
ABSTRACT
This paper is on the development of a methodology for safety goal allocation given cost functions and Probabilistic Risk Assessment (PRA) models. The safety goal allocation problem is formulated as a constrained nonlinear optimization problem. Based on the decomposition principle, the safety goal allocation problem is first reduced to a lower order optimization problem. Then, a set of optimization algorithms is used to solve the decomposed optimization problem. In order to introduce expert opinion, weighting factors are incorporated in the objective function. Computer software was developed to perform the optimization and sensitivity analysis. The proposed method is demonstrated by using an industrially developed PRA model.
As is well known, quantitative safety goals, in terms of limits on the frequency of core melt, acute fatalities and latent fatalities, are generally established at a fairly high level. However, designers, regulators and operators of nuclear power plants have to make decisions concerning system, subsystem and component reliabilities in such a way that their combination will lead to the desired high-level goals. Safety goal allocation is a determination of the reliability (or availability) characteristics of reactor systems, subsystems, major components and plant procedures that are consistent with a set of top-level performance goals such as those mentioned above. It has been shown1-6 that risk allocation can be formulated as an
257 Reliability Engineering and System Safety 0951-8320/89/$03.50 1989 Elsevier Science Publishers Ltd, England. Printed in Great Britain
optimization problem, minimizing the total plant cost subject to the overall plant safety goal constraints. If there were no cost (or other) constraints on the achievability of the various system reliability levels, we might choose the solution that results in the lowest possible consequences. In the limit, this may imply zero consequences achieved through perfect system reliabilities. Obviously, this is unachievable, because a particular level of system reliability is achieved through the expenditure of resources and, more importantly, there are technological constraints on the achievable levels of system reliability.
Reliability constitutes one of the major design factors for the effective operation of commercial nuclear power plants. Of primary importance in the planning and design of such multicomponent systems is the problem of using available resources in the most effective way so as to maximize the overall system reliability/availability, or to minimize the consumption of resources subject to a set of reliability/availability constraints or quantitative safety goals. The solution of this problem is becoming more important because there is a trend away from the philosophy of overdesign in today's competitive economic environment.
Cave and Kastenberg7 described quantitative screening criteria for the decay heat removal (DHR) function in light water reactors. Apostolakis8 proposed a structured approach to goal allocation utilizing the concept of the Master Logic Diagram (MLD). Cho et al.5 developed a methodology for goal allocation, in which the technique of multi-objective optimization was used to identify non-inferior designs. Past research work shows that safety goal allocation is complicated by the following difficulties:
1. No unique algorithm can be used for all cases of optimal risk allocation, because the safety systems involved are very large and complicated.
2. There are insufficient data that can be used to determine the reliability cost function precisely.
3. There are uncertainties both in the PRA risk model (model uncertainties) and the individual component failure rates (parameter uncertainties).
4. In practical cases, redundancy, standby, maintenance, common cause failure, human error, etc., should be considered.
Although reliability allocation for nuclear systems is relatively new, considerable effort has been devoted to theoretical reliability allocation techniques.9,10 In order to solve the optimization problem, almost all of the Operations Research techniques have been used so far. However, none of the optimization techniques can handle all of the different optimization problems. Some methods provide exact solutions and others approximate solutions. Exact methods are usually time consuming and sometimes
become computationally divergent for a large system or when there are more than two or three constraints. The variational method, the least squares formulation, and the discrete maximum principle, although versatile, offer only an approximate solution. Geometric programming also provides an approximate solution after many simplifying assumptions. In most of the approximate methods, the basic assumption remains the same: the decision variables are treated as continuous, and the final integer solution is obtained by rounding off the real solution to the nearest integers. Usually this procedure is satisfactory and fortunately provides a true optimum solution, because the objective function is usually well-behaved. In practice, therefore, approximate methods are preferred in order to obtain an economical solution. Dynamic programming, integer programming, branch and bound, and the direct search techniques fall under the category of exact methods, but they are generally time consuming or require excessive computer memory. These techniques are good for a small system and can be used effectively with only one or two constraints. For a large scale complex system, it is very difficult to implement optimal safety goal allocation with them.
This paper presents the development of a methodology for safety goal allocation of large scale systems given the cost functions and the PRA models. We assume that the costs of the nuclear power plant are a function of the frequencies of the plant damage states. The safety goal allocation problem is formulated as a constrained nonlinear optimization problem. The plant cost function is used as the objective function. The constraints are a set of inequalities which represent the relationship between the global safety goal and the frequencies of the plant damage states. Based on the decomposition principle, the safety goal allocation problem is first decentralized into a lower order optimization problem. Then, a set of standard optimization algorithms is provided to solve the decomposed optimization problem. As a useful way of introducing expert opinion into the optimal decision process, weighting factors are incorporated in the objective function. In order to implement the safety goal allocation, a computer program is coded to accomplish the optimization and sensitivity analysis. The proposed method has been demonstrated by using the SAFR PRA model.6
2 METHODOLOGY FOR SAFETY GOAL ALLOCATION
2.1 Formulation of the safety goal allocation
Most reliability allocation problems are formulated as either minimizing resources subject to the reliability goals or maximizing the system reliability/availability subject to the resources available to the designers. In this paper, the safety goal allocation problem is formulated as a constrained nonlinear optimization problem. The objective (cost) function includes (but is not limited to) reliability improvement cost and plant availability cost. Safety goals are used as the constraints of the optimization problem. Therefore, we have the following optimization problem:
$$\min_{X} F(X) = \sum_{i=1}^{n} W_i F_i(X_i)$$
subject to
$$A(X) = RMV(X) \le B, \qquad X \in S \ \text{(technological constraints)} \qquad (1)$$
where $X^T = [X_1, X_2, \ldots, X_n]$; $X_i$ is the frequency of the ith initiating event or the frequency of the ith plant damage state.
$F(X)$ is the objective function. $W_i$ is the ith weighting factor. $F_i(X_i)$ is the ith cost function. $RMV^T(X) = [RMV_1(X), RMV_2(X), \ldots, RMV_m(X)]$; $RMV_i$ is the ith risk measure function in the PRA model. $A^T(X) = [A_1(X), A_2(X), \ldots, A_m(X)]$; $A_i$ is the ith constraint function. $B^T = [B_1, B_2, \ldots, B_m]$; $B_i$ is the ith safety goal.
The optimal safety goal allocation problem can be stated as follows: determine the frequencies of the initiating events or the frequencies of the plant damage states such that they satisfy the safety goal constraints in some optimum way, while minimizing the cost.
Let $G_i(X) = RMV_i(X) - B_i$. Eqn (1) becomes
$$\min_{X} F(X) = \sum_{i=1}^{n} W_i F_i(X_i)$$
$$G_i(X) \le 0, \quad i = 1, 2, \ldots, m; \qquad X \in S \qquad (2)$$
The Lagrangian function associated with this problem is
$$L(X, U) = F(X) + \sum_{i=1}^{m} U_i G_i(X) = F(X) + U^T G(X), \qquad U_i \ge 0 \qquad (3)$$
where $U^T = [U_1, U_2, \ldots, U_m]$ contains the Lagrangian multipliers and $G^T = [G_1, G_2, \ldots, G_m]$ is the constraint vector.
In order to get the optimal solution $X^*$ of the optimization problem, we introduce the following theorems:11
Theorem 1: Let $U^* \ge 0$ and $X^* \in S$. Then $(X^*, U^*)$ is a saddle pointa for $L$ if and only if
(a) $X^*$ minimizes $L(X, U^*)$ over $S$; (b) $G_i(X^*) \le 0$, $i = 1, 2, \ldots, m$; (c) $U_i^* G_i(X^*) = 0$, $i = 1, 2, \ldots, m$.
Theorem 2: If $(X^*, U^*)$ is a saddle point for $L$, then $X^*$ is the optimal solution of the optimization problem.
2.2 Decomposition of large scale safety goal allocation
When the dimension of the decision vector $X$ and the number of constraints $G_i(X)$ are very large, it is very difficult to obtain the optimal solution $X^*$ by using conventional optimization algorithms, which are usually time and memory consuming and even computationally divergent. Decomposition is a proper way to deal with a large scale optimization problem once certain conditions are satisfied. The principle of the decomposition method is first to decentralize the formulated master problem into a number of independent subproblems, which have a much smaller dimension; then, the optimization process involves iteration between the subproblems, whose objective functions contain variable parameters (Lagrangian multipliers), and the master problem. The subproblems receive a set of parameters (Lagrangian multipliers) from the master problem, which combines these with previous solutions in an optimal way and computes new Lagrangian multipliers. These are again sent to the subproblems, and the iteration proceeds until an optimality test is passed.
Although the decomposition principle has been applied in several other fields,11 it is necessary to point out that not every master problem can be decomposed into a set of independent subproblems; whether it can depends on the structure of the objective function and the constraint equations. The process of minimizing the Lagrangian $L(X, U)$ over $X \in S$ for fixed $U$ leads to a set of independent subproblems whenever $L$ is additively separable in $X$ for fixed $U$ and $S$ can be written as a Cartesian product. In our formulated
a The definition of saddle point is as follows: a point $(X^*, U^*)$ with $U^* \ge 0$ and $X^* \in S$ is said to be a saddle point for $L$ if it satisfies
(a) $L(X^*, U^*) \le L(X, U^*)$ for all $X \in S$; (b) $L(X^*, U) \le L(X^*, U^*)$ for all $U \ge 0$.
safety goal allocation problem, the cost function $F(X)$ is additively separable, and the matrix formalism $G(X)$ is also additively separable. Therefore, $L$ is additively separable. In addition, because $X \in [0, 1]$ (constraints for probability or frequency), $S$ can be written as a Cartesian product. Hence, in the previous problem, let $X$ be partitioned as
$$X = (Y_1, Y_2, \ldots, Y_p)$$
The weighting factor $W_i$ determines how much weight is attached to the ith component of the cost function. By adjusting $W_i$, we can weight the relative importance of the ith component in the cost function. When $W_1 = W_2 = \ldots = W_n$, no expert opinion is used. If $W_i \ne W_j$ (for any $i \ne j$), events $i$ and $j$ have a different degree of importance, which affects the safety goal allocation results.
Because $F_i(X_i) \propto 1/X_i$, increasing $W_i$ in the cost function $F(X) = \sum_i W_i F_i(X_i)$ leads to a larger $X_i^*$, the solution of the optimal risk allocation problem. On the other hand, when we decrease $W_i$, the decision variable $X_i^*$ will decrease also. As a simple example, we explain this statement as follows. Let $n = 2$. Then, eqn (9) becomes:
$$F(X) = W_1 F(X_1) + W_2 F(X_2) = W_1\left[F(X_1) + \frac{W_2}{W_1} F(X_2)\right] = W_2\left[\frac{W_1}{W_2} F(X_1) + F(X_2)\right]$$
It is obvious that minimizing $F(X)$ is equivalent to minimizing $F(X_1) + (W_2/W_1) F(X_2)$ or $(W_1/W_2) F(X_1) + F(X_2)$. If we choose $W_1 \gg W_2$, the ratio $W_2/W_1$ is very small. Therefore, $(W_2/W_1) F(X_2)$ is small for any $F(X_2) \ne \infty$. Then, minimizing $F(X)$ depends mainly on the minimization of $F(X_1)$. This leads to a requirement of a smaller $F(X_1)$, which means a larger $X_1$ because $F(X_1) \propto 1/X_1$. On the other hand, if we choose $W_1$
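The master/subproblem iteration of Section 2.2 and the weighting-factor effect just described, as an added illustration that is not the paper's own program: for the constructed case $F_i(X_i) = c_i/X_i$ with a single linear risk-measure constraint $\sum_i a_i X_i \le B$ and technological bounds on each $X_i$, every subproblem has a closed form for a fixed multiplier $U$, and the master problem only has to search $U$ until the saddle-point conditions of Theorem 1 hold. The values $c_i$, $a_i$, $B$ and the bounds are assumed sample data.

```python
import math

# Added illustration (not the paper's code): dual decomposition of the weighted
# allocation problem of eqns (2)-(3) for the constructed case F_i(X_i) = c_i / X_i
# and one linear risk-measure constraint G(X) = sum_i a_i X_i - B <= 0 with
# technological bounds lo <= X_i <= hi. W_i are the weighting factors; c_i, a_i,
# B, lo and hi are assumed sample values.

def subproblem(w, ci, ai, U, lo, hi):
    """For a fixed multiplier U the ith independent subproblem is
    min over [lo, hi] of  w*ci/x + U*ai*x; its stationary point is
    sqrt(w*ci/(U*ai)), clipped to the technological bounds."""
    if U <= 0.0:
        return hi                      # no penalty: cheapest is the largest frequency
    return min(hi, max(lo, math.sqrt(w * ci / (U * ai))))

def allocate(W, c, a, B, lo=1e-6, hi=1.0):
    """Master problem: search the multiplier U >= 0 until the saddle-point
    conditions of Theorem 1 hold; returns (X*, U*)."""
    n = len(W)
    solve = lambda U: [subproblem(W[i], c[i], a[i], U, lo, hi) for i in range(n)]
    slack = lambda U: sum(a[i] * x for i, x in enumerate(solve(U))) - B  # G(X(U))
    if slack(0.0) <= 0.0:              # goal already met: constraint inactive, U* = 0
        return solve(0.0), 0.0
    U_lo, U_hi = 0.0, 1.0
    while slack(U_hi) > 0.0:           # G(X(U)) decreases in U; bracket its root
        U_hi *= 2.0
    for _ in range(200):               # bisection = master/subproblem iteration
        mid = 0.5 * (U_lo + U_hi)
        U_lo, U_hi = (mid, U_hi) if slack(mid) > 0.0 else (U_lo, mid)
    return solve(U_hi), U_hi           # U_hi side is always feasible

def total_cost(X, W, c):
    return sum(W[i] * c[i] / X[i] for i in range(len(X)))

def kkt_satisfied(X, W, c, a, B, U, tol=1e-9):
    """Theorem 1 (b) and (c): feasibility and complementary slackness."""
    G = sum(a[i] * X[i] for i in range(len(X))) - B
    return G <= tol and U >= 0.0 and abs(U * G) <= tol

if __name__ == "__main__":
    c, a, B = [1.0, 1.0], [1.0, 1.0], 1.0e-3      # constructed sample data
    for W in ([1.0, 1.0], [4.0, 1.0]):             # equal weights, then W1 >> W2
        X, U = allocate(W, c, a, B)
        print(W, [f"{x:.3e}" for x in X], f"U*={U:.3e}", kkt_satisfied(X, W, c, a, B, U))
```

With the constraint active the allocation has the closed form $X_i^* = B\sqrt{W_i c_i/a_i}/\sum_j \sqrt{W_j c_j a_j}$, so raising $W_1$ from 1 to 4 moves $X_1^*$ from $B/2$ to $2B/3$, exactly the effect argued above.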
associated with achieving a particular level of reliability for safety related systems. Cost functions (cost-reliability data) are essential for the solution of the safety goal allocation problem. A general mathematical formulation for such a function, which is valid for all kinds of components, may not be feasible. The concept of 'life cycle cost' (LCC) has successfully evolved in the 'design to cost' philosophy of a highly reliable system. It is the sum of acquisition cost (AC) and logistics support cost (LSC).12 Thus
$$LCC = AC + LSC$$
where $LCC = LCC(X_i)$, $AC = AC(X_i)$, $LSC = LSC(X_i)$.
In the hitherto published literature, what is referred to as cost is really the acquisition cost only, and hence the logistics support cost has been neglected altogether. We can make this approximation when dealing with nuclear safety goal allocation because, in the high reliability region, LSC is very small compared with AC. Therefore, in this study we consider only the acquisition cost. The basic requirements of any model for AC are as follows:12
(1) Acquisition cost of a low reliability system is very low.
(2) Acquisition cost of a high reliability system is very high.
(3) Acquisition cost is a monotonic increasing function of reliability.
(4) The derivative of acquisition cost with respect to reliability is a monotonic increasing function of reliability.
These properties express intuitively appealing characteristics of the cost function, supported by experience, which, in addition, result in some analytical convenience. The cost functions for systems existing in the real world do not necessarily satisfy these properties. Some of the reliability cost functions used in the reliab...