Download pdf - Optimal safety goal allocation for nuclear power plants

Reliability Engineering and System Safety 25 (1989) 257-278

Optimal Safety Goal Allocation for Nuclear Power Plants

X. P. Yang , W. E. Kas t enbe rg & D. O k r e n t

Department of Mechanical, Aerospace, and Nuclear Engineering, University of California, Los Angeles, California 90024-1597, USA

(Received 26 July 1988; accepted 3 November 1988)

A BS TRA C T

This paper is on the development of a methodology for safety goal allocation given cost functions and Probabilistic Risk Assessment (PRA) models. The safety goal allocation problem is formulated as a constrained nonlinear optimization problem. Based on the decomposition principle, the safety goal allocation problem is first reduced to a lower order optimization problem. Then, a set of optimization algorithms is used to solve the decomposed optimization problem. In order to introduce expert opinion, weighting factors are incorporated in the objective function. Computer software was developed to perform the optimization and sensitivity analysis. The proposed method is demonstrated by using an industrially developed PRA model.

1 I N T R O D U C T I O N

As is well known, quantitative safety goals, in terms of limits on the frequency of core melt, acute fatalities and latent fatalities, are generally established at a fairly high level. However, designers, regulators and operators of nuclear power plants have to make decisions concerning system, subsystem and component reliabilities in such a way that their combination will lead to the desired high-level goals. Safety goal allocation is a determination of the reliability (or availability) characteristics of reactor systems, subsystems, major component and plant procedures that are consistent with a set of top-level performance goals such as those mentioned above. It has been shown 1 -6 that risk allocation can be formulated as an

257 Reliability Engineering and System Safety 0951-8320/89/$03.50 © 1989 Elsevier Science Publishers Ltd, England. Printed in Great Britain

258 X. P. Yang, W. E. Kastenberg, D. Okrent

optimization problem, minimizing the total plant cost subject to the overall plant safety goal constraints. If there were no cost (or other) constraints on the achievability of the various system reliability levels, we might choose the solution that results in the lowest possible consequences. In the limit, this may imply zero consequences achieved through perfect system reliabilities. Obviously, this is unachievable because a particular level of system reliability is achieved through the expenditure of resources and more importantly there are technological constraints on the achievable levels of system reliability.

Reliability constitutes one of the major design factors for the effective operation of commercial nuclear power plants. Of primary importance in the planning and design of such multicomponent systems is the problem of using available resources in the most effective way so as to maximize the overall system reliability/availability, or so to minimize the consumption of resources subject to a set of reliability/availability constraints or quantitative safety goals. The solution of this problem is becoming more important because there is a trend away from the philosophy of overdesign in today's competitive economic environment.

Cave and Kastenberg 7 described quantitative screening criteria for the decay heat removal (DHR) function in light water reactors. Apostolakis 8 proposed a structured approach to goal allocation utilizing the concept of the Master Logic Diagram (MLD). Cho et al. s developed a methodology for goal allocation, in which the technique of multi-objective optimization was used to identify non-inferior designs. Past research work shows that safety goal allocation is complicated by the following difficulties:

1. No unique algorithm can be used for all cases of optimal risk allocation due to the very large and complicated safety systems.

2. There are insufficient data that can be used to determine the reliability cost function precisely.

3. There are uncertainties both in the PRA risk model (model uncertainties) and the individual component failure rates (parameter uncertainties).

4. In practical cases, redundancy, standby, maintenance, common cause failure, human error, etc., should be considered.

Although reliability allocation for nuclear systems is relatively new, considerable effort has been devoted to theoretical reliability allocation techniques.9.1o In order to solve the optimization problem, almost all of the Operations Research techniques have been used so far. However, none of the optimization techniques can handle all of the different optimization problems. Some methods provide exact solutions and others approximate solutions. Exact methods are usually time consuming and sometimes

Optimal safety goal allocation for nuclear power plants 259

become computationally divergent for a large system or when there are more than two or three constraints. The variational method, the least square formulation, and the discrete maximum principle, although versatile, offer only an approximate solution. Geometrical programming also provides an approximate solution after many simplifying assumptions. In most of the approximate methods, the basic assumption remains the same; the decision variables are treated as being continuous and the final integer solution is obtained by rounding off the real solution to the nearest integers. Usually this procedure is satisfactory and fortunately provides a true optimum solution. This occurs because the objective function is usually well-behaved. In practice, therefore, approximate methods are preferred in order to obtain an economical solution. Dynamic programming, integer programming, branch and bound, and the direct search techniques fall under the category of exact methods, but they are generally time consuming or require excessive computer memory. These techniques are good for a small system and can be used effectively with only one or two constraints. For a large scale complex system, it is very difficult to implement optimal safety goal allocation.

This paper presents the development of a methodology for safety goal allocation of large scale systems given the cost functions and the PRA models. We assume that the costs of the nuclear power plant are a function of the frequencies of the plant damage states. The safety goal allocation problem is formulated as a constrained nonlinear optimization problem. The plant cost function is used as the objective function. The constraints are a set of inequality equations which represent the relationship between the global safety goal and the frequencies of the plant damage states. Based on the decomposition principle, the safety goal allocation problem is first decentralized into a lower order optimization problem. Then, a set of standard optimization algorithms is provided to solve the decomposed optimization problem. As a useful way of introducing expert opinion in the optimal decision process, weighting factors are incorporated in the objective function. In order to implement the safety goal allocation, a computer program is coded to accomplish the optimization and sensitivity analysis. The proposed method has been demonstrated by using the SAFR PRA model. 6

2 METHODOLOGY FOR SAFETY GOAL ALLOCATION

2.1 Formulization of the safety goal allocation

Most reliability allocation problems are formulated as either minimizing resources subject to the reliability goals or maximizing the system reliability/


availability subject to the resources available to the designers. In this paper, the safety goal allocation problem is formulated as a constrained nonlinear optimization problem. The objective (cost) function includes (but is not limited to) reliability improvement cost and plant availability cost. Safety goals are used as the constraints of the optimization problem. Therefore, we have the following optimization problem:

n

min F(X)= V W~F~(X~) x L..a

i=1 subject to

A(X) = RMV(X) < B X c S (technological constraints) (1)

where X r = IX x, .]~z2, . . . , Xn]. Xi is the frequency of the ith initiating event or the frequency of the ith

plant damage state.

F(X) is the objective function. W~ is the ith weighting factor. F~(X~) is the ith cost function. RMVr(X) = [RMV,(X), RMV2(X) . . . . . RMB.,(X)] RMVi is the ith risk measure function in the PRA model. AT(X) = [AI(X), As(X) . . . . . Am(X)] A~ is the ith constraint function. B T = [ B I , B2 . . . . . Bm]

B i is the ith safety goal.

The optimal safety goal allocation problem can be stated as follows: determine the frequencies of the initiating events or the frequencies of the plant damage states such that they satisfy the safety goal constraints in some optimum way, while minimizing the cost.

Let Gi(X) = RMVi(X) - Bi

Eqn (1) becomes

subject to

minx F(X)= ~2 W~F~(X~)

i=l

G~(X) _< 0 i = 1, 2 . . . . . m X c S (2)

The Lagrangian function associated with this problem is n l

L(X, U) = F(X) + y , U,G,(X) = F(X) + UrG(X) U, > 0 (3)

i = l


where U r = [UI, U2 . . . . , U,,] contains the Lagrangian multipliers and G r = I-G1, G2,..., G,,] is the constraint vector.

In order to get the optimal solution X* of the optimization problem, we introduce the following theorems: 11

Theorem 1: Let U* > 0 and X* = S, then (X*, U*) is a saddle point a for L if and only if

(a) X* minimizes L(X, U*) over S (b) Gi(X*) < 0, i = 1, 2, . . . , m (c) U*GI(X* ) = 0 i = 1, 2, . . . , m.

Theorem 2: If (X*, U*) is a saddle point for L, then X* is the optimal solution of the optimization problem.

2.2 Decomposition of large scale safety goal allocation

When the dimension of the decision vector X and the number of constraints (GI(X)) are very large, it is very difficult to obtain optimal solution X* by using conventional optimization algorithms, which are usually time and memory consuming and even computionally divergent. Decomposition is a proper way to deal with a large scale optimization problem with some condition satisfied. The principle of the decomposition method is first to decentralize the formulated master problem into a number of independent subproblems, which have a much smaller dimension; then, the optimization process involves iteration between the subproblems whose objective functions contain variable parameters (Lagrangian multipliers), and the master problem. The subproblems receive a set of parameters (Lagrangian multipliers) from the master problem, which combines these with previous solutions in an optimal way and computes new Lagrangian multipliers. These are again sent to the subproblems, and the iteration proceeds until an optimality test is passed.

Although the decomposition principle has been applied to several other fields, 11 it is necessary to point out that not every master problem can be decomposed into a set of independent subproblems, depending on the structure of the objective function and the constraint equations. The process of minimizing the Lagrangian L(X, U) over X c S for fixed U can lead to a set of independent subproblems whenever L is additively separable in X for fixed U and when S can be written as a Cartesian product. In our formulated

a The definition of saddle point is as follows: A point (X*, U*) with U* > 0 and X* c S is said to be a saddle point for L if it satisfies

(a) L(X*, U*) < L(X, U*) for all X c S (b) L(X*, U*) < L(X*, U) for all U >_ 0


safety goal allocation problem, the cost function F(X) is additively separable, and the matrix formalism G(X) is also additively separable. Therefore, L is additively separable. In addition, because X c [0, 1] (constraints for probability or frequency), S can be written as a cartesian product. Hence, in the previous problem, let X be partitioned as

X = (Y1, Y2 . . . . . Yp)=Y p<_n (4)

F, S, and the vector, of the constraint function G can be written as P

F(X) = F(Y) = ) ' F~(Yi) (S)

i = 1

P

G(X) = G(Y) = ) , Gi( Y,) (6) i = l

S = S I × S 2 × ' " × S p Y i c S i i = 1 , 2 . . . . . p

where × denotes the Cartesian product and each G i (i = 1, 2,...,p) is an m vector function. This is the important special case where the objective F and constraint function Gj (j = 1, 2,..., m) are additively separable, and when the constraints determining S consist of subsets of constraints involving the subvectors Y~ separately.

Then P P P

L(Y, U) ~- ~ Fi( Yi) + UT ~ Gi( Yi) : ~ [FI( Yi) + UTGi( Yi) ] (7)

i = l i = l i = l

Therefore, the Lagrangian is additively separable in the Y~ and P

min L(Y, U) = ) ',min [F~(Y~) + UTGi(Yi) ] (8) /,,..,.,,d i = 1

Hence, the master problem L(X, U) is decomposed into a set of independent subproblems Li(Yi, U) = Fi(Yi)+ UTGi(Yi) (i = 1, 2 . . . . . p), which have a much smaller dimension.

2.3 Use of weighting factors

In order to incorporate expert opinion into the safety goal allocation process, we introduce weighting factors into the cost function as follows:

n

F(X) = y , W~F~(X~) (9)

i = 1


The weighting factor W~ determines how much weight is attached to the ith component of the cost function. By adjusting W~, we can weight the relative importance of the ith component in the cost function. When Wi = W2 = . . . . I4,',, no expert opinion is used. If W i 4: Wj (for any i 4:j), event i and j have a different degree of importance, which affects the safety goal allocation results.

Because F/(XI) oc 1/Xi, increasing ~ in the cost function F(X) = ~i WiFi(Xi) leads to larger X* which is the solution of the optimal risk allocation problem. On the other hand, when we decrease W~, the decision variable X* will decrease also. As a simple example, we explain this statement as follows: Let n = 2. Then, eqn (9) becomes:

F(X)= W1F(X1) + W:F(Xz)= W, F(X,) +.-;-;-, F(X2)

w: Wl F(Xl) = [W 2 + F(X2) 1

(lo)

It is obvious that minimizing F(X) is equal to minimizing F(X1)+ (W2/W1)F(X2) o r (W1/W2)F(X1) + F(X2). If we choose W 1 >> W 2, the ratio W2/W 1 is very small. Therefore, (W2/WOF(X2) is small for any F(X2) 4: ~ . Then, minimizing F(X) is mainly dependent on the minimization of F(XO. This leads to a requirement of a smaller F(XO, which means a larger X~ because F(X1)w. 1/XI. On the other hand, if we choose Wt << W 2, we could have a larger F(X~), i.e. a smaller X~. Generally speaking, it is not easy to choose weighting factors W~ ( i= 1, 2 , . . . , n). Different experts could have different criteria for choosing W~ ( i= 1,2,. . . ,n). One possible way is to specify W~ by emphasizing the importance of any dominant events. If the contribution of Xi (frequency of accident event i) to risks is large, we should design a small X~ which corresponds to a small W~ according to our previous arguments. On the contrary, if Xi has a small contribution to risk, we could have a larger X~ to reduce the design cost, which means a larger Wu Therefore, we can make the following assumption:

W~ oc 1/(contribution of X~ to the risk) (11)

2.4 Objective function

In order to apply the methodology described previously to the nuclear safety goal allocation problem, we have to use appropriate cost functions and PRA models. Since most PRA models are used to evaluate severe accident risk for a given plant, they do not take into consideration the cost which is related to the reliability of the plant. The type of cost we are interested in is that

2 6 4 X. P. Yang, W. E. Kastenberg, D. Okrent

associated with achieving a particular level of reliability for safety related systems. Cost functions (cost-reliability data) are essential for the solution of the safety goal allocation problem. A general mathematical formulation for such a function, which is valid for all kinds of components, may not be feasible. The concept of'life cycle cost' (LCC) has successfully evolved in the 'design to cost' philosophy of a highly reliable system. It is the sum of acquisition cost (AC) and logistics support cost (LSC).12 Thus

LCC --- AC + LSC where

LCC = LCC(X,-)AC = AC(X~)LSC = LSC(X~)

In the hitherto published literature, what is referred to as cost is really the acquisition cost only, and hence the logistics support cost has been neglected altogether. We can make this approximation when dealing with nuclear safety goal allocation because in the high reliability region, LSC is very small compared with AC. Therefore, in this study we just consider the acquisition cost. The basic requirements of any model for AC are as follows: ~2

(1) Acquisition cost of a low reliability system is very low. (2) Acquisition cost of a high reliability system is very high. (3) Acquisition cost is a monotonic increasing function of reliability. (4) Derivatives of acquisition cost with respect to reliability is a

monotonic increasing function of reliability.

These properties express intuitively appealing characteristics of the cost function, supported by experience, which, in addition, result in some analytical convenience. The cost functions for systems existing in the real world do not necessarily satisfy these properties. Some of the reliability cost functions used in the reliability literature are listed as follows (expressed in terms of the unreliability or unavailability of a subsystem, X/, and denoted by F~(Xi)): 12

Function (1)

where

when

we have

~ ]odXO F~(Xi) = ai tan~(1 - X~) + b~

gi(Xi) = 1 -b (1 - - Xi) c'

C i : O, gi(Xi) --- 1,

7c Fi(Xi) = ai tan~(1 - X/) + b i

O ~ c i ~ 1

a i, b i > O

ai, b i > 0

(12)


Function (2)

Function (3)

Fi(Xi) = al exp (b~/Xi)

f l - - Xi '~ c' F , ( x , ) = + b,

when Xi is very small, and let ci = 1, we have

1 g i ( x i ) = a i - - + b i x,

Function (4)

ai, b i > 0

ai, bi, ci > 0

t13)

(14)

= + bi ai, bi > 0 (15)

It can be shown that the cost functions (1) to (4) satisfy the basic requirements for AC mentioned before. The parameters ai and bi can be determined from the actual cost data of the components.

It is reasonable to assume that the system cost function is additive in terms of the cost of the individual subsystems. Therefore, once reliability cost functions are known for individual components or subsystems, we can get the total cost of the whole system as follows:

n

F(X) = ) ' F~(Xi) W~ (16)

i = 1

where ~ are weighting factors. In this paper, we choose Function (3) with c~ = 1 for analytical convenience.

2.5 Application of the proposed method to SAFR

Most nuclear plant risk analyses utilize fault trees, event trees, initiating events, system failure probabilities, containment failure probabilities, radioactive release categories, individual doses and population doses to quantify the PRA model. To illustrate the methodology developed in this paper, the SAFR PRA model I 3 is used. SAFR is the name of a liquid metal fast breeder reactor designed by Rockwell International. The model is described as follows:

RMV = (IEV), (PM), (CM), (SM) (17)

Here RMV is 1 x 5 risk measure vector, where RMV(1) is the prompt fatality risk within one mile of exclusion

radius (fatalities/person/year).


RMV(2) is the latent fatality risk within 50 miles of exclusion radius (fatalities/person/year).

RMV(3) is the total prompt deaths per year. RMV(4) is the total latent deaths per year. RMV(5) is the total person-rein per year.

IEV is 1 × 4 initiating event vector (frequency). IEV(1) is the frequency of the loss of flow (LOF). IEV(2) is the frequency of the transient overpower (TOP). IEV(3) is the frequency of the protected loss of heat sink (PLOHS). IEV(4) is the frequency of the unprotected loss of heat sink (ULOHS).

The estimated values of IEV for SAFR are

I E V = [9"9 x 10 9, 2"2 x 10- 1°, 3"6 x 10-s, 9'0 × 10-s] (18)

PM is a 4 × 15 plant transition matrix, which describes the transition from initiating event to core damage. It is convenient to define a damage state vector as:

PDV = (IEV), (PM)

Where PDV is a 1 × 15 plant damage vector. Fifteen plant damage states are considered in the SAFR PRA.

PDV(1) = PDV(2) = PDV(3) = PDV(4) = PDV(5) =

PDV(6) =

PDV(7) = PDV(8) = PDV(9) =

PDV(10) =

PDF(11) =

PDV(12) =

PDV(13) =

PDV(14) =

(19)

no damage (ND) or in-vessel damage (IVD) early head leakage, no subsequent vessel damage (EVL) early vessel melt-through (EVMT) early head failure, no subsequent damage (EHF) early head failure, subsequent thermal breach of vessel (EHF. T) early lower vessel failure, subsequent thermal breach of vessel (EVF. T) late head failure, no subsequent damage (LHF) late head failure, no subsequent damage (LHF(U)) late head failure, no subsequent damage (LHF(U)*) late head failure, subsequent thermal breach of vessel (LHF. T) late head failure, subsequent thermal breach of vessel (LHF. T(U)) late head failure, subsequent thermal breach of vessel (LHF. T(U)*) late head failure, subsequent energetics and melt-through (LHP. ET) late head failure, subsequent energetics and melt-through (LHP. ET(U))


PDV(15) = late head failure, subsequent energetics and melt-through (LHP. ET(U)*)

Each element of PM(I,J) represents the conditional probability that a specific initiating event will result in a specific plant damage state that is:

P(I, J) = P[PDV(J)/IEV(I)] (20)

The estimated value of PM(I,J) for SAFR is given in Ref. 13. CM is a 15 x 20 containment transition matrix. Each element of CM(I, J)

represents the conditional probability that a specific plant damage state will result in a specific release category. Twenty release categories are considered in the SAFR PRA model.

If we assume RCV is the release category vector, we have

RCV = (PDV) • (CM) (21)

CM(I, J) = P[RCV(J)/PDV(I)] (22)

The estimated value of CM(I, J) for SAFR is given in Ref. 13. SM is a 20 x 5 site transition matrix. Each element of SM(I, J) represents

the conditional probability that a specific release category will result in a specific kind of risk. Thus

where

SM(I, J )= P[RMV(J)/RCV(I)] (23)

RMV = (RCV) • (SM) (24)

RMV is the I x 5 risk measure vector. The estimated value of SM(I, J) for SAFR is given in Ref. 13.

Besides acute fatalities, latent fatalities, total prompt deaths per year, total latent deaths per year, and total person-rem per year, another important risk measure is the core melt frequency, which is related to the frequency of the plant damage state as follows:

15

FcM --- ) ' PDV(i) (25) / = 2

The general safety goal allocation problem for SAFR can be formulated a s

n

min F(X) = ~ W~Fi(Xi) (26) X G.a

/ = 1


subject to

RMV = RMV(X) = ( IEV) , (PM) , (CM) , (SM) ___ RMVG

15

FCM = FcM(X ) = ) ' PDV(i) _< FCM G

i=2

In the equations above, RMVG is a 1 × 5 vector which represents the safety goals for SAFR LMFBR reactor, and FcM~ is the safety goal for core melt frequency. X is the decision vector. The optimal safety goal allocation is to choose the decision vector in such a way that it minimizes the cost function F with the constraints being satisfied.

The decision variables could be

(a) the frequency of the initiating event (IEV) (b) the frequency of the plant damage state (PDV or PM) (c) containment failure probabilities (CM) (d) site parameters (SM).

Depending on the degree of allocation and on the purpose of the analysis, not every item listed above has to be included in the decision vector. For example, matrix PM, CM, and SM can be assumed as the nominal value for SAFR while the frequencies of the initiating event become the decision variable, or we could use PDV as the decision vector, with CM and SM fixed. As a more complicated choice of decision variables, we could also select parts of several vectors (IEV, PDV, CM, or SM) as the decision variables.

3 C O M P U T E R P R O G R A M FOR OPTIMAL SAFETY GOAL ALLOCATION

The optimal safety goal allocation problem is to choose the frequencies of the initiating events or the frequencies of the plant damage states such that they satisfy the safety goal constraints in some opt imum way, minimizing the cost of the whole system. The techniques which can be used to obtain the solution for the optimal safety goal allocation strongly depend on the properties of the objective function and the constraints. It is assumed that the objective function is continuous and is defined everywhere in the range between Xto~,er and Xuppe r. The bounds on the frequency X are referred to as side constraints and limit the region for the opt imum search. If any side constraint is not needed, its value should be set to 0 and 1 for X~ . . . . and Xuppe r, respectively.


The solution of the optimal safety goal allocation problem is separated into four basic levels:

1. Convert the actual safety goal allocation problem into a standard decomposed optimization problem.

2. Choose an appropriate optimization strategy, for example, Sequen- tial Unconstrained Minimization of Sequential Linear Programming.

3. Choose an appropriate optimizer from the provided optimizer sets, for example, the method of feasible directions for constrained minimization or variable metric methods for unconstrained optimization.

4. Choose appropriate one dimensional search algorithms from the provided algorithm sets, for example, golden section method or polynomial interpolation method.

In order to obtain the optimal safety goal allocation, the problem is converted into a decomposed optimization problem. For the fifteen plant damage state problem, the master optimization problem is decomposed into five independent subproblems with each having 3 decision variables. By choosing the different strategies, optimizers, and one dimensional search algorithms, the user of the computer program is provided considerable flexibility in creating an optimization program which works well for the decomposed independent optimal risk allocation subproblems.

The computer program control flow chart is shown in Fig. 1. It is easier to convert the matrix formalism ofa PRA model into a standard optimization problem than to deal with the non-matrix PRA formalism. If only fault trees and event trees are available for the plant, we have to convert fault trees and event trees into a matrix formalism. The lower and upper bounds for the decision variables are requested. The objective function (cost function) can only be assumed by generally applicable formulation because we do not have actual data to specify the constants in the formula.

The choice of the specific strategy, optimizer, and one dimensional search must be consistent with the type of the optimal safety goal allocation problem. For example, a variable metric optimizer would not be used to solve constrained problems unless a strategy is used to create the equivalent unconstrained minimization problem via some form of penalty function. It is also necessary to point out that not all combinations of strategy, optimizer and one dimensional search are meaningful. For example, a constrained one dimensional search is not meaningful when minimizing an unconstrained function. In order to improve the probability that the best combination of algorithms is found for the particular class of optimal safety goal allocation problem being solved, it is necessary to try many different options.

270 ,¥. P. Yany~, IV. E. Kastenberg, D. Okrent

O

e"-

8 ¢-

0

~=

o E o'~ 10 (~,

. A c

N aJ

- 0 ~ ' ~

I convert the master problem into decomposed subproblems

Input technical constraints lower and upper bounds

Input objective functions

~ Choose strategy, optimizer, and one dimensional searcher

I STRATEGY 1. go directly to appropriate algorithm 2. convert the constrained into uncons. 3. go directly to constrained algorithm

OPTIMIZER 1. constrained optimization algorithm 2. unconstrained optimization algorithm

I

ONE DIMENSIONAL SEARCH I

I 1. unconstrained search problem 2. constrained search problem

n o ~ ~

works ? ~ U y e s

I Print the optimal safety goal allocations I

Fig. 1. The control flow chart of the computer program.

(t} ° _ ¢9

c-

t - O

O3


4 RESULTS A N D CONCLUSIONS

In order to show the efficiency of the proposed method for safety goal allocation problem, the PRA model for SAFR is used to carry out the allocation optimization. Although this PRA model does not include external events, it represents a standard matrix formalism and contains most of the aspects that would be of interest in a demonstration of the proposed method. The proposed method can be applied directly to more detailed PRA models without difficulty. The nominal risk measure frequencies, which are provided by the SAFR PRA model, are used as the safety goal constraints for this demonstration. The values are given in Table 1. These are not the real safety goals for LMFBRs; we use them for the purpose of demonstrating the proposed method.

In the first allocation model, we use the frequency of the initiating events as the decision variables. A sensitivity analysis for the cost function is demonstrated by following four cases:

case 1 F ( X ) = 0 . 1 0 ( ~ I + 1 1 1"~ E+Z+Z) 0.10 0 .01 0.10 0-10

case 2 F(X) = ~ T + ~ - 2 + --~- 4 x ,

0"10 5"00 1"00 1"00 case 3 F ( X ) = - - + - - + - - 4

XI X2 X3 X4 TABLE 1

Safety Goals used for the Optimal Risk Allocation

Risk measurements Metal core Oxide core

Planned Unplanned Planned Unplanned evacuation evacuation evacuation evacuation

1 Acute risk within 1 mile

(fatality/person/year) 2 Latent risk within 50 miles

(fatality/person/year) 3 Total Acute

(fatality/year) 4 Total Latent

(fatality/year) 5 Total Dose

(man-rem/year)

6 Core Melt (per year)

2"5 × 10 - 1 3 8"2 × 10 - t ° 6"5 × 10 12 1"3 × 10 - 9

7 '8× 10 -12 8 '6× 10 -12 1"2× 10 11 1"4× 10 11

7"2 × 10 1o 1'2 × 10 - 6 1"9 × 10 -8 1"9 × 10 - 6

1"1 × 10 4 1'1 x 10 4 1 '6x 10 4 1"6× 10 4

1"7 1"7 2"6 2"6

4"5 x 10 -8 6"2 × 10 -8

272 Y. P. Yanl¢, W. E. Kastenherg, D. Okrent

T A B L E 2 Optimal Frequency Allocation of Initiating Events

Cases Frequency ~1 Frequency ~/ Frequency ~/ Frequency ~/ LOF TOP PLOHS ULOHS

( x lO s) { × 10 '~} ( x 1071 { x 107 )

optimal nominal optimal nominal optimal nominal optimal nominal

1 0"700 0"99 0"220 0"22 0"131 0'36 0"298 0"90 2 0"914 0-99 0"083 0-22 0'106 0'36 0"341 0"90 3 0"746 0-99 0"220 0"22 0-190 036 0"257 0-90 4 0"752 0-99 0'215 0"22 0-104 0'36 0'344 0-90

LOF: Loss of flow: TOP: Transient overpower: PLOHS: Protected loss of heat sink; ULOHS: Unprotected loss of heat sink.

0"10 0"10 0"01 0"10 case 4 F(X) =--X~-+ - ~ - + ~ + X4

The optimal safety goal allocation results for a metal core with planned evacuation are given in Table 2. Comparing the results for case 1 with those for case 2 shows, numerically, that decreasing W~ in the objective function leads to a smaller frequency. This means that the cost for decreasing the frequency of the corresponding initiating events is relatively low.

Table 3 gives the optimal risk allocation results for different plant design alternatives. In the table, the nominal values are cited from the SAFR PRA model. Comparing the results obtained by algorithm 1 with those obtained by algorithm 2, we conclude that two different algorithms yield almost the same allocation results. In algorithm 1, the augmented Lagrangian multiplier method, Broydon-Fle tcher-Goldfarb-Shanno (BFGS) method, and polynomial interpolation are used as strategy, optimizer, and one- dimensional search respectively. In algorithm 2, the linear extended interior penalty function is used as the strategy.

In the second allocation model, we use the frequency of the fifteen plant damage states as the decision variables. The weighting factors W~ for different plant designs are given in Table 4. The corresponding optimal safety goal allocation results are shown in Tables 5 and 6. Table 5 gives the optimal frequency allocation for the metal core design with planned evacuation and unplanned evacuation. Table 6 shows the optimal frequency allocation for the oxide core design with planned evacuation and unplanned evacuation. In order to check whether there exist numerical errors in the

Optimal safety goal allocation for nuclear power plants

T A B L E 3 Opt imiza t ion Results for Different Plant Design

273

Cases Frequency of Frequent'), of Frequency of Frequency of LOF TOP PLOHS ULOHS

( x 10 8) ( x 10 9) ( x 10 7) ( ?,< 10 7)

optimal nominal optimal nominal optimal nominal optimal nominal

1 0.746 0"99 0"22 0"22 0" 134 0'36 0"312 0'90 I

2 0-744 0"99 0'22 0"22 0"131 0"36 0.300 0"90 1 0-196 0"99 0'22 0'22 0"105 0-36 0"336 0"90

II 2 0"175 0"99 0'22 0'22 0'112 0"36 0'330 0'90 1 0"749 0'99 0"22 0'22 0"140 0"36 0"226 0'90

III 2 0'743 0-99 0-22 0.22 0.139 0.36 0-227 0.90 1 0"137 0"99 0.22 0-22 0.116 0"36 0-230 0.90

IV 2 0-133 0-99 0.22 0.22 0.117 0"36 0.227 0.90

1: C o m b i n a t i o n of augmenta l Lagrange mult ipl ier method, BFGS, and polynomial interpolat ion. 2: C o m b i n a t i o n of l inear extended interior, BFGS, and polynomial interpolat ion. I: Metal core with p lanned evacuat ion; II: Metal core with unp lanned evacuat ion; I l l : Oxide core with p lanned evacuat ion; IV: Oxide core with unp lanned evacuat ion.

T A B L E 4 Weight ing Fac tors of the Cost Func t ion

Type of Metal core Metal core Oxide core Oxide core sign with with with with

planned unplanned planned unplanned evacuation evacuation evacuation evacuation

w, \

1 1"0 1"0 1-0 1"0 2 10 -6 10 -7 0-1 × 10 -3 10 -6

3 1"0 0"01 1-0 1"0 4 1-0 10 -7 0-1 x 10 -3 10 -5

5 1"0 10- 5 1"0 0'01 6 1"0 10 -5 1"0 0'1 × 10 - 3

7 1 "0 1-0 1 "0 1 '0 8 1"0 0-5 x 10 -2 1.0 0"1 9 10 8 10-6 10-6 5 × 10 7

10 1 "0 1 "0 1 "0 1 '0 11 1-0 1 "0 1 "0 1 '0 12 10 -5 10 -5 0'1 x 10 -3 5 x 10 - s 13 1"0 0.1 x 10 -1 0'1 x 10 -1 0'! x 10 -2 14 1-0 0.1 x 10 -3 0.1 x 10 -1 0-1 × 10 -2 15 10 -8 10 -11 10 _6 10 8

TABLE 5 O p t i m a l F r e q u e n c y A l l o c a t i o n for P l an t D a m a g e S ta tes [Meta l C o r c l i x 10")

\ Type o1 Metal core with ,~etal core with \ design planned unplanned

Frequency \ (ff:tlcUalio#l Cl'a~'lt~llion

damage ~ \ optimal nominal states "~

optimal nominal

1 0"910 0"910 0 '910 0 9 1 0

2 0"148 x I0 3 0 '310 × 10 4 0 '310 × 10 5 0"310 x 10 4

3 0"041 x 10 i 0 " 0 2 3 x 10 1 0 ' 0 8 2 × 10 t 0"023 x 10-1

4 0"272 x 10 ~' 0"990 x 10 s 0"548 x 10 ~ 0"990 × 10 - s

5 0 "027× I0 2 0 " 0 3 6 x 1 0 2 0 " 1 9 8 x 1 0 2 0 " 0 3 6 x 10 2

6 0 ' 0 2 7 x 10 2 0 " 0 3 6 x I 0 2 0 " 1 9 8 x 10 2 0 " 0 3 6 x 10 2

7 0"401 x 1 0 1 0"043 0"074 0'043

8 0"108 x 10 i 0"011 0"053 x 10 i 0'011

9 0"463 x 10 s 0 '450 x 10 s 0"450 × 10- ~" 0"450 x 1 0 5

10 0 '307 0"310 0"210 0 '310

11 0"075 0"078 1"456 x 10- 1 0"078

12 0"008 x 10 2 0"032 x 1 0 2 0 '115 x 10 2 0"032 x 10 ``2

13 0 " 3 9 5 x I0 2 0 " 0 3 9 x 10 1 0 " 6 9 4 x 1 0 2 0"039× 10 1

14 0"528 x 10 -2 0"099 × 10 -2 0"071 x 10 -2 0"099 x 10 ̀ 2

15 1'006 x 10 6 4"100 x 10 7 0"261 x 10 5 0"410 x 10 "~'

TABLE 6 O p t i m a l F r e q u e n c y A l l o c a t i o n for P l an t D a m a g e S ta tes (oxide core) ( x l0 T)

Type Of Oxide core with Oxide core with \ design planned unplanned

O,r," ~ \

states

1 0"750 0"750 0"750 0"750

2 0 ' 2 5 0 x 10 3 0 " 4 3 0 x 10-3 0 " 2 1 0 x 10 3 0 " 4 3 0 x 10 3

3 0"297 x 10- i 0"026 1"357 x 10 2 0 '026

4 0"001 x 10 ~ 2 0"096 x 1 0 3 0 '042 x 10 3 0"096 x 10 3

5 1"044x 10-3 0"011 x 1 0 1 1"375x I0 3 0"011 x 10 1

6 1 -043x 10 -3 0 - 0 9 3 x I0 2 1 . 3 7 4 x 1 0 - 3 0 " 0 9 3 x I0 '-

7 0"456 x 10 i 0"043 1'341 x 10 i 0"043

8 4"094 x 1 0 2 0"027 4-294 x 10 2 0"027

9 0 ' 0 1 2 x 10 -~ 0 - 0 1 2 x 10 2 0 " 0 3 3 x 10 2 0 - 0 1 2 x 10 2

I0 3"026 x 10- 1 0-310 2"499 x 10 i 0-310

11 0"193 0 '200 1-646 x 10 1 0 '200

12 0'011 x 10 ~1 0 ' 0 8 5 x 10 2 0"233 x I0 2 0 " 0 8 5 x 10 2

13 0 " 0 2 4 x 10 1 0 " 0 3 9 x 10 1 4"291 x 10 3 0 ' 0 3 9 x I0 i

14 0 " 2 4 4 x 10 2 0 ' 0 2 4 x 10 1 0 ' 0 4 3 x 10 i 0 " 0 2 4 x 10

15 0 " 0 1 6 x 1 0 3 0"011 x 10 -3 O ' O 1 8 x l O s 0"011 x l O s


TABLE 7 Comparison of the Optimal Risk Allocation Results Obtained by Two

Different Optimization Algorithms

Core Frequencies of metal core damage damage with planned evacuation ( × 10 v) states

Algorithm I a Algorithm 2 b Nominal

1 0"910 0"910 0"910 2 0"015 x 10 -z 0"013 x 10 -z 0"031 × 10 - 3

3 0.041 × 10 -1 0-462 x 10 -1 0-023 x 10 -1 4 0'027 × 10 - 3 0"273 × 10 -4 0-001 × 10 -z 5 0'027 x 10 -2 0"271 X 10 - 3 0"036 x 10 -2 6 0"027 × 10 -2 0"271 X 10 - 3 0"036 × 10 -2 7 0"402 × 10-1 0-407 x 10-1 0"043 8 0'108× 10 1 0-118× 10 -1 0"011 9 0'046 × 10 4 0-047 × 10 - 4 0"045 × 10 - 4

10 0'307 0"306 0"310 ! 1 0'075 0'074 0"078 12 0'008 × 10 -2 0-007 × 10 -z 0"032 × 10 3 13 0"395 x 10 -2 0"419 x 10 -z 0"039 × 10 -1 14 0"528 × 10 -2 0"524 × 10 -2 0"099 x 10 --2 15 0"010 × 10 -4 0'016 × 10 -4 0'041 x 10 5

a Combination of augmental Lagrange multiplier method, BFGS, and polynomial interpolation. h Combination of linear extended interior, BFGS, and polynomial interpolation.

op t imiza t ion process, two different a lgor i thms are used to s tudy the same

op t imiza t ion problem. The results are shown in Table 7. By c o m p a r i n g the

first two columns, we can conc lude that the opt imal f requency a l locat ion

results ob ta ined by the two different a lgor i thms are a lmost the same. Here, it

is necessary to point ou t tha t the differences can be reduced fur ther by

adjust ing the convergence factors.

By chang ing the weight ing factors for some o f the d a m a g e states, we can

show their effect on the a l locat ion results. The weight ing factors for three

different cases are shown in Table 8. The co r r e spond ing opt imal a l locat ion is

shown in Table 9. By c o m p a r i n g the third row o f the first three columns, we

conc lude that the op t imal frequencies increase with the weight ing factors. Again, ou r analyt ical conc lus ion concern ing the effect o f the weight ing fac tor on the a l locat ion results is p roved numerical ly.

Based on the numerica l results summar ized above, we arrive at the

fol lowing conclus ions:

1. It is quant i ta t ive ly possible to car ry ou t safety goal a l locat ion for large scale nuclear systems.


T A B L E 8 Weight ing Fac to r s for Sensitivity Analysis

w•ases Case 1 Case 2 Case 3

1 1.0 1.0 1.0 2 0.1 x 10 -~ 0.I x 10 - s 0-1 × 10 5

3 0.5 1.0 5.0

4 1.0 1.0 1.0

5 1.0 1.0 1-0

6 1.0 1-0 1.0

7 1-0 1.0 1.0

8 1.0 1.0 1.0 9 0-1 x 10 6 0.1 × 10 -6 0.1 x 10-6

10 1.0 1-0 1.0

11 1.0 l-0 1.0

12 0"1 x 10 4 0"1 x 10 4 0"1 x 10 4

13 1.0 1.0 1.0

14 1.0 1.0 1.0

15 0"1 x 10 7 0"1 x 10 ~ 0"1 x 10 ~

T A B L E 9 Effect o f Weight ing Fac to r s on the Op t ima l Core D a m a g e F requency Al locat ion

Core Optimal frequency allocation for damage core damage state ( x 107) states

Case 1 Case 2 Case 3 Nominal

1 0"910 0"910 0"910 0'910

2 0"147 x 10 -3 0"148 X 10 - 3 0"373 x 10 -4 0"031 x 10 -3

3 0"265 x 10 2 0"041 x lO - I 0'175 x l O - ' 0"023 × 1 0 - '

4 0"274 x lO 4 0"272 x lO -4 0"270 x 10 -4 O'OOl x 10 3

5 0"271 × 10 3 0"270× 1 0 3 0"270x 10 3 0"036x 10-2

6 0"271 x 10 3 0-270 × 10 -3 0.269 x 10 3 0.036 × 10 2

7 0"409 x 10 - 1 0"402 x 10 - t 0"030 0"043

8 0"104 x 10 -1 0"108 x 10 - l 0"155 x 10 -1 0"011

9 0.045 x 10 -4 0.046 × 10 -4 0-046 x 10 -4 0"045 × 10 -4

10 0"308 0-307 0"295 0'310

11 0.076 0"075 0"063 0"078

12 0.081 × 10-3 0"008 x 10 -z 0"032 x 10 3 0"032 x 10 2

13 0"380x 10 -2 0"395x 10 -2 0"750x 10 z 0"390x 10 2

14 0 .540× 10 -z 0"528 × 10 -2 0.580 x 10 -2 0 ' 0 9 9 × 1 0 2

15 0-136× 10 5 0 . 1 0 0 x 10-5 0 .410x 10 -5 0'041 x I 0 - 5


2. The optimal safety goal allocation results, which are dependent on both the PRA model and the cost function, are different for different plant designs.

3. We can choose desired safety goal allocation variables flexibly. 4. The preferences of the decision maker can be incorporated into the

optimal safety goal allocation process through the use of the weighting factors in the objective function.

5. Increasing the weighting factors W~ in the cost function leads to higher frequencies of initiating event or plant damage states. On the other hand, when we decrease W~, the optimal allocated frequencies Xi will be decreased accordingly.

6. Consideration of the dominant events should be incorporated into the optimal safety goal allocation process.

REFERENCES

1. Knoll, A., Component cost and realiability importance for complex system optimization, Proceedings of the International ANS/ENS Topical Meeting on Probabilistic Risk Assessment, Vol. 11, Port Chester, NY, Sept. 1983.

2. Burdick, G. R., Rasmuson, D. M. & Weisman, J., Probabilistic approaches to advanced reactor design optimization. In Nuclear System Reliability Engineering and Risk Assessment, ed. Fussell & Burdick. SIAM, Philadelphia, PA, 1977.

3. Gokcek, O., Temme, M. I. & Derby, S. L., Risk allocation approach to reactor safety design and evaluation. Proceedings of the Topical Meeting on Probabilistic Analysis of Nuclear Reactor Safety, Vol. 2, Los Angeles, CA, May 1978.

4. Hurd, D. E., Risk analysis methods development April-June 1980. General Electric, GEFR- 14023-13, July 1980.

5. Cho, N. Z., Papazoglou, I. A. & Bari, R. A., Multiobjective programming approach to reliability allocation for nuclear power plants. Nucl. Sci. and Eng., 95 (1987), 165.

6. Yang, X. P., Kastenberg, W. E. & Okrent, D., Optimal safety goal allocation for liquid metal cooled fast reactors. UCLA-ENG-88-9, June 1988.

7. Cave, L. & Kastenberg, W. E., On the development and application of quantitative methods in nuclear reactors regulation. Nuclear Technology, 71 (Oct. 1985).

8. Apostolakis, G., Some issues related to goal allocation and performance criteria. 8th International Conference on Structural Mechanics in Reactor Technology, Brussel, Belgium, Aug. 19-23, 1985.

9. Tillman, F. A., Hwang, C. L. & Kuo, W., Optimization techniques for system reliability with redundancy--A review. IEEE Trans. Reliability, R-26(3) (Aug. 1977).

10. Tzafestas, S. G., Optimization of system reliability: A survey of problems and techniques. Int. J. Systems Science, 11(4) (1980), 455-86.


I 1. Lasdon, L. S., Optimization Theory.lor Large Systems, Macmillan, New York, 1970.

12. Govil, K. K., Optimum design of reliable systems for specified life cycle cost. Microelectron Reliability, 25(2) (1985), 239-41.

13. Rutherford, P. D., Probabilistic risk analysis of the SAFR plant. Rockwell International Report 149T1 000007, July 1985.