IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making System Analysis Workshop Information IAEA Workshop City, Country XX - XX Month, Year Lecturer Lesson IV 3_2.3 Lecturer Lesson IV 3_2.3

IAEA Training Course on Safety Assessment 2 Principal Objective of System Analysis Task in a PSA of NPP –To develop system models for safety functions intervening in the accident sequence headers. –Fault Tree Analysis is the technique most broadly used for system modelling. –Event Trees and Fault Trees of frontal systems (normally those directly performing safety functions) are linked together. Frontal systems usually depend on support systems, such as power supply or cooling water, to perform their function.

IAEA Training Course on Safety Assessment 3 Systems Usually Modelled in a PSA PWR BWR Front line systems Support systems High pressure safety injection (and/or charging pumps) Low pressure safety injection (and/or RHR) Accumulators Primary and Secondary pressure control Isolation of steam generators. Containment spray AC,DC power supplies, including Diesel Generators. Component cooling water, Service water, Ventilation, Reactor protection system, etc. Safety injection or spray to the vessel: HPCS, LPCI, LPCS, RHR Containment Spray Core isolation cooling (RCIC) Emergency boration (SBLC) Steam isolation Safety/relief valves, ADSL Reactor scram systems

IAEA Training Course on Safety Assessment 4 Fault Trees –A fault tree is a Boolean reliability model, since all the elements in the fault tree, from the elementary or basic events to the top event (e.g. representing the system failure) have 2 only possible states: the event occurs (e.g. the component fails) or does not occur (the component fulfils its mission perfectly). A Boolean variable is assigned to each element of the fault tree –A fault tree is a graphical representation of the logical relationship existing between an undesired event or a failure of a system (top event) and the possible causes leading to it. These causes are recursively analysed until the undesired event is related to combinations of elementary events in the system, such as component failure or a human failures

IAEA Training Course on Safety Assessment 5 Boolean Algebra – George Boole, British Mathematician ( ) The negative logic used in fault trees, they correspond respectively to: failure, event happens / success, event doesn’t happen – Boolean variables: They can take only 2 different values. Several sets of value names can be used: TRUE/ FALSE 1 / 0 Yes/ No

IAEA Training Course on Safety Assessment 6 Boolean Operators and Laws “OR”Disjunction: (  ), frequently, the arithmetic addition symbol is used instead: + “AND” Conjunction: (  ); frequently, the arithmetic multiplication symbols are used instead: x, ·, * “NOT”Negation: Several symbols added to the Boolean variable are used, such as: “/”, “ ’ ”: /A, A’ Boolean laws or properties: Commutative, Associative, Distributive, Idempotent, Absorption, Morgan’s laws,...

IAEA Training Course on Safety Assessment 7 MATHEMATICAL NOT.USUAL NOTATION LAW NAME X  Y = Y  XX  Y = Y  X COMMUTATIVE LAW X  Y = Y  XX+Y = Y+X X  (Y  Z)=(X  Y)  ZX  (Y  Z)=(X  Y)  Z ASSOCIATIVE LAW X  (Y  Z)=(X  Y)  ZX+(Y+Z)=(X+Y)+Z X  (Y  Z)=(X  Y)  (X  Z)X  (Y+Z)=X  Y + X  Z DISTRIBUTIVE LAW X  X = XX  X = X IDEMPOTENT LAW X  (X  Y) = XX+(X  Y) = X ABSORPTION LAW X  X'= 0X  X'= 0 COMPLEMENTATION LAW X  X' = 1X+X' = 1(X')' = X (X  Y)' = X'  Y' (X  Y)' = X'+Y' MORGAN’S LAWS (X  Y)' = X'  Y'(X+Y)' = X'  Y' 0  X = 00  X = 0 1  X = X1  X = X 1  X = 11+X = 1 0  X = 00+X = 0 Boolean Laws

IAEA Training Course on Safety Assessment 8 Structure Function of the System –The structure function relates the state of the system to the state of the components or basic events. –It is a Boolean function (time dependent) containing therefore Boolean variables and Boolean operators: S ( t ) =  ( X ( t )) –The gates of a fault tree represent Boolean operators. The structure function is defined by the fault tree logic. –The fault tree itself is a model of the system and contains valuable information. However, the structure function is the basis for the estimation of system failure probability

IAEA Training Course on Safety Assessment 9 OR gate “O” S=A+B+C+… represents disjunction Fault Tree Symbols AND gate “Y” S=A·B·C·… represents conjunction Basic Event Event to be developed in other fault tree TW

IAEA Training Course on Safety Assessment 10 Simple Case Example 1 System structure function:  S = A  B Reliability block diagram Plant drawing A B S Failure to deliver flow to point S Valve A fails to open Valve B fails to open Fault tree A B S A B (AND gate)

IAEA Training Course on Safety Assessment 11 Simple Case Example 2 System structure function:  S = A  B Reliability block diagram Plant drawing A B S Failure to cut flow to point S + Valve A fails to close Valve B fails to close Fault tree A B S A B (OR gate) 

IAEA Training Course on Safety Assessment 12 –Acquisition of deep knowledge of system design and operation –Obtaining modelling requirements, success criteria and boundary conditions –Definition of system boundaries and interfaces –Constructing simplified diagrams. Support simplification assumptions. –Document the study and define needs for other models and reliability data in: Phases of System Analysis AVVM Dependency matrix Instrumentation matrix Maintenance matrix Test matrix –Document modelling assumptions –DEVELOP FAULT TREE MODEL. Check model validity.

IAEA Training Course on Safety Assessment 13 Fault Tree Example Failure of steam suply from Steam generator C to the auxiliary feed water turbine driven pump 36K05-36P01 “Loss of flow in piping segment D2”

IAEA Training Course on Safety Assessment 14 Fault Tree solution Minimal cut sets EQ1 = EQ2 · EQ3 EQ2 = SB1 + SB2 EQ3 = SB1 + SB3 EQ1 = (SB1+SB2)·(SB1+SB3) (original structure function) EQ1 = SB1·SB1 + SB1·SB3 + SB2·SB1 + SB2·SB3 EQ1 = SB1 + SB1·SB3 + SB2·SB1 + SB2·SB3 EQ1 = SB1 + SB2·SB3 (Disjunctive normal form, suitable for quantification) EQ2 SB1SB2 EQ3 SB1SB3 EQ1

IAEA Training Course on Safety Assessment 15 Accident Sequence Equations A-05 = A · /F · /I · D1 D1 = GD11 · GD12 GD11 = GD111 · GD GD12 = GD121 + GD122 · GDxxx= Basic1 +Basic Dependent Boolean variable

IAEA Training Course on Safety Assessment 16 Final Objective: Core damage equation >> Core damage frequency and dominant risk contributors Initiating event Basic events Different codes for: Human errors Hardware failures Component outages They are independent Boolean variales

IAEA Training Course on Safety Assessment 17 Summary –The event tree headers representing failures of safety systems must be developed by fault tree analysis until the failure of the header can be represented in terms of independent basic events. –In the System Analysis Task of a PSA the Fault Trees of all the intervening systems for accident mitigation are obtained and linked together –The Boolean models associated to the fault tree structure are developed to obtain the Minimal Cut sets. These cut sets represent minimal combinations of basic events that are enough to cause a system failure. For a system failure to occur is necessary that at least all the basic events of one minimal cut set have occurred. These minimal cut sets are the basis for obtaining the system failure probability, and later on the core damage frequency.