IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
System Analysis
Workshop Information
IAEA Workshop
City, Country
XX - XX Month, Year
Lecturer
Lesson IV 3_2.3
IAEA Training Course on Safety Assessment 2
Principal Objective of the System Analysis Task in a PSA of an NPP
– To develop system models for safety functions intervening in the accident sequence headers.
– Fault Tree Analysis is the technique most broadly used for system modelling.
– Event Trees and Fault Trees of front-line systems (normally those directly performing safety functions) are linked together. Front-line systems usually depend on support systems, such as power supply or cooling water, to perform their function.
Systems Usually Modelled in a PSA

Front line systems, PWR:
• High pressure safety injection (and/or charging pumps)
• Low pressure safety injection (and/or RHR)
• Accumulators
• Primary and secondary pressure control
• Isolation of steam generators
• Containment spray

Front line systems, BWR:
• Safety injection or spray to the vessel: HPCS, LPCI, LPCS, RHR
• Containment spray
• Core isolation cooling (RCIC)
• Emergency boration (SBLC)
• Steam isolation
• Safety/relief valves, ADS
• Reactor scram systems

Support systems (PWR and BWR):
• AC and DC power supplies, including Diesel Generators
• Component cooling water, Service water
• Ventilation, Reactor protection system, etc.
Fault Trees
– A fault tree is a Boolean reliability model, since all the elements in the fault tree, from the elementary or basic events to the top event (e.g. representing the system failure), have only two possible states: the event occurs (e.g. the component fails) or does not occur (the component fulfils its mission perfectly). A Boolean variable is assigned to each element of the fault tree.
– A fault tree is a graphical representation of the logical relationship between an undesired event or a failure of a system (top event) and the possible causes leading to it. These causes are recursively analysed until the undesired event is related to combinations of elementary events in the system, such as component failures or human failures.
Boolean Algebra
– George Boole, British mathematician (1815-1864)
– Boolean variables:
They can take only two different values. Several sets of value names can be used: TRUE / FALSE, 1 / 0, Yes / No.
In the negative logic used in fault trees these correspond respectively to: failure, the event happens (TRUE, 1, Yes) / success, the event does not happen (FALSE, 0, No).
Boolean Operators and Laws
– "OR", disjunction: ∨; frequently the arithmetic addition symbol is used instead: +
– "AND", conjunction: ∧; frequently the arithmetic multiplication symbols are used instead: ×, ·, *
– "NOT", negation: several symbols added to the Boolean variable are used, such as "/" or " ' ": /A, A'
– Boolean laws or properties: commutative, associative, distributive, idempotent, absorption, De Morgan's laws, ...
Boolean Laws
(each law is given first in mathematical notation, then in the usual notation with · for AND and + for OR)
– Commutative law: X∧Y = Y∧X, X∨Y = Y∨X; X•Y = Y•X, X+Y = Y+X
– Associative law: X∧(Y∧Z) = (X∧Y)∧Z, X∨(Y∨Z) = (X∨Y)∨Z; X•(Y•Z) = (X•Y)•Z, X+(Y+Z) = (X+Y)+Z
– Distributive law: X∧(Y∨Z) = (X∧Y)∨(X∧Z); X•(Y+Z) = X•Y + X•Z
– Idempotent law: X∧X = X; X•X = X
– Absorption law: X∨(X∧Y) = X; X+(X•Y) = X
– Complementation law: X∧X' = 0, X∨X' = 1, (X')' = X; X•X' = 0, X+X' = 1, (X')' = X
– De Morgan's laws: (X∧Y)' = X'∨Y', (X∨Y)' = X'∧Y'; (X•Y)' = X'+Y', (X+Y)' = X'•Y'
– Constants: 0∧X = 0, 1∧X = X, 1∨X = 1, 0∨X = X; 0•X = 0, 1•X = X, 1+X = 1, 0+X = X
Structure Function of the System
– The structure function relates the state of the system to the state of the components or basic events.
– It is a (time-dependent) Boolean function and therefore contains Boolean variables and Boolean operators:
S(t) = ϕ(X(t))
– The gates of a fault tree represent Boolean operators. The structure function is defined by the fault tree logic.
– The fault tree itself is a model of the system and contains valuable information. However, the structure function is the basis for the estimation of the system failure probability.
Fault Tree Symbols
– OR gate (symbol "O"): S = A + B + C + …; represents disjunction
– AND gate (symbol "Y"): S = A·B·C·…; represents conjunction
– Basic event
– Event to be developed in another fault tree
Simple Case Example 1
System structure function: S = A ∧ B (AND gate)
Plant drawing and reliability block diagram: valves A and B delivering flow to point S; flow to S fails only if both valves fail to open.
Fault tree: top event "Failure to deliver flow to point S", AND gate with inputs "Valve A fails to open" and "Valve B fails to open".
Truth table:
S | A | B
0 | 0 | 0
0 | 1 | 0
0 | 0 | 1
1 | 1 | 1
Simple Case Example 2
System structure function: S = A ∨ B (OR gate)
Plant drawing and reliability block diagram: valves A and B cutting flow to point S; flow to S is not cut if either valve fails to close.
Fault tree: top event "Failure to cut flow to point S", OR gate with inputs "Valve A fails to close" and "Valve B fails to close".
Truth table:
S | A | B
0 | 0 | 0
1 | 1 | 0
1 | 0 | 1
1 | 1 | 1
Phases of System Analysis
– Acquisition of deep knowledge of system design and operation
– Obtaining modelling requirements, success criteria and boundary conditions
– Definition of system boundaries and interfaces
– Constructing simplified diagrams. Support simplification assumptions.
– Document the study and define needs for other models and reliability data in:
• Dependency matrix
• Instrumentation matrix
• Maintenance matrix
• Test matrix
– Document modelling assumptions
– DEVELOP FAULT TREE MODEL. Check model validity.
Fault Tree Example
(figure) Top event: "Failure of steam supply from steam generator C to the auxiliary feedwater turbine-driven pump 36K05-36P01"; figure label: "Loss of flow in piping segment D2"
Fault Tree Solution: Minimal Cut Sets

Fault tree (figure): EQ1 is an AND gate with inputs EQ2 and EQ3; EQ2 is an OR gate with inputs SB1 and SB2; EQ3 is an OR gate with inputs SB1 and SB3.
EQ1 = EQ2 · EQ3
EQ2 = SB1 + SB2
EQ3 = SB1 + SB3

EQ1 = (SB1 + SB2)·(SB1 + SB3)   (original structure function)
EQ1 = SB1·SB1 + SB1·SB3 + SB2·SB1 + SB2·SB3   (distributive law)
EQ1 = SB1 + SB1·SB3 + SB2·SB1 + SB2·SB3   (idempotent law: SB1·SB1 = SB1)
EQ1 = SB1 + SB2·SB3   (absorption law: SB1 + SB1·SB3 = SB1, SB1 + SB2·SB1 = SB1; disjunctive normal form, suitable for quantification)

Minimal cut sets: {SB1}, {SB2, SB3}
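As an added worked example (not part of the IAEA lecture), the following Python carries the derivation above through in code: the gates EQ1 = EQ2·EQ3, EQ2 = SB1 + SB2 and EQ3 = SB1 + SB3 are entered as a dictionary, the structure function is expanded into disjunctive normal form with the distributive law, the idempotent and absorption laws reduce it to the minimal cut sets, and the result is checked against the gate logic over every state of the basic events (the same truth-table check as in Examples 1 and 2). It then quantifies the top event exactly and with the first-order rare-event approximation, which is why the cut sets are the basis for the failure probability. The gate representation and function names are the example's own, and the basic event probabilities are constructed values for illustration, not data from the lecture.

```python
"""Fault tree -> minimal cut sets -> top-event probability.

Added worked example; the tree is the lecture's EQ1/EQ2/EQ3 example,
the probabilities are constructed illustration values (assumption).
"""
import math
from itertools import product

# Each gate: name -> (operator, children). Names not in the dict are basic events.
TREE = {
    "EQ1": ("AND", ["EQ2", "EQ3"]),   # EQ1 = EQ2 · EQ3
    "EQ2": ("OR", ["SB1", "SB2"]),    # EQ2 = SB1 + SB2
    "EQ3": ("OR", ["SB1", "SB3"]),    # EQ3 = SB1 + SB3
}

# Constructed probabilities of the (independent) basic events, illustration only.
PROBS = {"SB1": 1e-3, "SB2": 1e-2, "SB3": 2e-2}


def absorb(cut_sets):
    """Absorption law X + X·Y = X: drop every cut set that contains another one."""
    minimal = set()
    for cs in sorted(cut_sets, key=len):
        if not any(m <= cs for m in minimal):
            minimal.add(cs)
    return minimal


def minimal_cut_sets(tree, node):
    """Minimal cut sets of `node` as a set of frozensets of basic events.

    The set of cut sets is the disjunctive normal form of the structure
    function: each frozenset is a product (AND) of basic events, the set
    is the sum (OR) of those products.  Frozensets apply the idempotent
    law (SB1·SB1 = SB1) automatically.
    """
    if node not in tree:                     # basic event: one cut set {node}
        return {frozenset([node])}
    op, children = tree[node]
    child_dnfs = [minimal_cut_sets(tree, c) for c in children]
    if op == "OR":                           # sum of the children's DNFs
        dnf = set().union(*child_dnfs)
    elif op == "AND":                        # distributive law: product of the DNFs
        dnf = {frozenset()}
        for child in child_dnfs:
            dnf = {a | b for a in dnf for b in child}
    else:
        raise ValueError(f"unknown gate type {op!r}")
    return absorb(dnf)


def basic_events(tree, node):
    """All basic events below `node`."""
    if node not in tree:
        return {node}
    return set().union(*(basic_events(tree, c) for c in tree[node][1]))


def evaluate_tree(tree, node, state):
    """Structure function phi(X): True if `node` has failed in `state`,
    where state maps each basic event to True when it has occurred."""
    if node not in tree:
        return state[node]
    op, children = tree[node]
    values = [evaluate_tree(tree, c, state) for c in children]
    return all(values) if op == "AND" else any(values)


def evaluate_cut_sets(cut_sets, state):
    """System fails iff all basic events of at least one minimal cut set occurred."""
    return any(all(state[e] for e in cs) for cs in cut_sets)


def cut_sets_match_tree(tree, top):
    """Truth-table check: the DNF of minimal cut sets equals the gate logic
    in every one of the 2^n states of the basic events."""
    events = sorted(basic_events(tree, top))
    mcs = minimal_cut_sets(tree, top)
    return all(
        evaluate_tree(tree, top, dict(zip(events, bits)))
        == evaluate_cut_sets(mcs, dict(zip(events, bits)))
        for bits in product([False, True], repeat=len(events))
    )


def rare_event_probability(cut_sets, probs):
    """First-order (rare-event) approximation: sum over the minimal cut sets
    of the product of their basic event probabilities."""
    return sum(math.prod(probs[e] for e in cs) for cs in cut_sets)


def exact_probability(tree, top, probs):
    """Exact top-event probability by enumerating every state of the
    independent basic events (feasible only for small trees)."""
    events = sorted(basic_events(tree, top))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        if evaluate_tree(tree, top, dict(zip(events, bits))):
            total += math.prod(probs[e] if b else 1 - probs[e]
                               for e, b in zip(events, bits))
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(TREE, "EQ1")
    print("minimal cut sets:", sorted(sorted(cs) for cs in mcs))
    print("DNF equals tree logic:", cut_sets_match_tree(TREE, "EQ1"))
    print("rare-event approximation:", rare_event_probability(mcs, PROBS))
    print("exact probability:", exact_probability(TREE, "EQ1", PROBS))
```

With the constructed probabilities the rare-event approximation gives P(SB1) + P(SB2)·P(SB3) = 1.2e-3, slightly above the exact value 1 - (1 - P(SB1))(1 - P(SB2)P(SB3)); the approximation over-counts the states in which more than one cut set occurs, which is negligible when the basic event probabilities are small. The same routine handles Examples 1 and 2: a single AND gate yields the one cut set {A, B}, a single OR gate yields the two cut sets {A} and {B}.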
Accident Sequence Equations
A-05 = A · /F · /I · D1
D1 = GD11 · GD12
GD11 = GD111 · GD112 + ...
GD12 = GD121 + GD122 · ...
...
...
GDxxx = Basic1 + Basic2 + ... + ...
(The gate variables, D1, GD11, GD12, GDxxx, ..., are dependent Boolean variables.)
Final Objective: Core damage equation >> Core damage frequency and dominant risk contributors
Different codes for:
• Initiating event
• Basic events:
• Human errors
• Hardware failures
• Component outages
They are independent Boolean variables.
Summary
– The event tree headers representing failures of safety systems must be developed by fault tree analysis until the failure of the header can be represented in terms of independent basic events.
– In the System Analysis Task of a PSA the Fault Trees of all the systems intervening in accident mitigation are obtained and linked together.
– The Boolean models associated with the fault tree structure are developed to obtain the minimal cut sets. These cut sets represent minimal combinations of basic events that are enough to cause a system failure: for a system failure to occur it is necessary that all the basic events of at least one minimal cut set have occurred. These minimal cut sets are the basis for obtaining the system failure probability, and later on the core damage frequency.