Reliability Engineering 16 (1986) 265-276
A Safety Prediction Technique for Nuclear Power Plants
C. D. Henry III and D. C. Brauer
Reliability Technology Associates, 700 Ravinia Place, Orland Park, Illinois 60462, USA
(Received: 27 February 1986)
This paper presents a Safety Prediction Technique (SPT) for nuclear power plants. SPT is used to develop models which calculate criticality as the product of the failure/error probability for a component/action, which can be estimated from failure/error data, and the sensitivity of the component/action, which is the conditional probability that the plant will be unsafe given that a failure/error has occurred. These models are described in terms of both functional block diagrams and a computer data format, following procedures and codes developed in the paper.
Safety Prediction Technique (SPT) provides a new computerized methodology by which the effect of component failure or procedural, software, or human error on nuclear power plant safety can be measured. It provides a viable alternative to the traditional performance of a costly and cumbersome probability risk assessment (PRA).
The authors have tailored an analysis technique, originally developed by ARINC Research Corporation, which they have applied extensively in developing safety models for many US Air Force aircraft under the aegis of Mr H. Cheesman of Kelly Air Force Base, USA.¹ It was through this experience that the application of SPT to nuclear power plants was realized and consequently developed.
Reliability Engineering 0143-8174/86/$03.50 Elsevier Applied Science Publishers Ltd, England, 1986. Printed in Great Britain
The overall objectives of SPT are:
(1) to predict unsafe situations so that corrective actions can be taken before accidents occur;
(2) to quantify the impact of equipment malfunction or procedural, software, or human error on safety and thereby establish priorities for proposed modifications; and
(3) to provide a means of evaluating proposed changes for their impact on safety prior to implementation and to provide a method of tracking implemented changes.
Implementation of the new technique ultimately provides a quantification called 'criticality', which is proportional to the probability that a given component or procedural/human action will cause the plant to operate in a hazardous mode. A hazardous mode is characterized by the fact that there has been a failure/error and the plant, its operating crew, and the public are exposed to danger. Whether the event results in an accident, an incident, or merely the exposure to danger is dependent upon the skill and reaction of the operating crew as well as external influences.
2 SPT METHOD APPROACH
Criticality of a component or a procedural/human action is defined as follows:
Criticality = $P(A \cap \mathrm{fail})$
where 'fail' designates the event that a particular failure/error has occurred and 'A' designates the event that the plant is operating in a hazardous mode. $P(A \cap \mathrm{fail})$, expressed verbally, is the probability that the events 'A' and 'fail' will occur simultaneously.
From elementary probability theory it can be shown that
$P(A \cap \mathrm{fail}) = P(A \mid \mathrm{fail})\, P(\mathrm{fail})$   (1)
This equation means that the probability that a particular component/action will cause the plant to operate in an unsafe mode is the product of two probabilities: first, the conditional probability that the plant will be unsafe given that a failure/error has occurred, and secondly the probability that the failure/error will occur.
Equation (1) is used for criticality calculations in SPT. $P(\mathrm{fail})$ can be estimated from failure/error data. The value of $P(A \mid \mathrm{fail})$, the sensitivity, is calculated for each component/action from data input to SPT safety assessment models. To match failure/error data to sensitivity, a five- or seven-digit code, where the digits can be numbers or letters, is assigned to each component or action and is used to identify the component/action in both the failure data and the safety assessment model.
The sensitivity of a component/action then is a measure of the importance of that component/action to plant safety. It is the likelihood that the plant will enter a hazardous mode if the component fails or an error occurs in the action. Sensitivity values are always between 0 and 1, inclusive. A value of 0 means that failure of the component or error in the action never has an effect on safety or has a negligible effect. A value of 1 means that failure of the component or error in the action always has an effect on safety (or nearly always). A typical sensitivity value is neither 0 nor 1 but some value between. Factors which must be considered in the assessment of sensitivity values include the design of the particular component, the relationship of the component/action to other components/actions in the plant, and the effect of certain operating conditions. In actual practice these factors are treated individually by the engineers who are developing SPT models. The combined effect of the individual factors is calculated in the SPT computer program.
3 SPT IMPLEMENTATION
SPT is implemented through the application of a 9-step process as outlined below.
Step 1: Identify major nuclear power plant functions.
Step 2: Construct functional diagram per function.
Step 3: Assign alpha codes to functions, subfunctions, etc. down to the component/action level.
Step 4: Identify operational phases.
Step 5: Assess functional sensitivity by phase.
Step 6: Assign provisory factors.
Step 7: Determine link dependencies by phase.
Step 8: Enter/edit data.
Step 9: Computer processing.
Each of these steps is an integral part of the SPT engineering process. Application of this process and the resultant SPT model ensure that nuclear power plants remain in good condition and, consequently, are able to fully support safety requirements.
3.1 Step 1: identify major nuclear power plant functions
The SPT model is initiated by identifying the functions performed by the plant and how these functions are interrelated. A systematic accounting procedure requires tabulating, for each identified plant function, the equipment/human actions necessary for its performance and all outputs required from other systems. The major functions related to plant safety are listed in Table 1. The alpha designator in the first column is an identification code for computer use.
3.2 Step 2: construct functional diagram per function
Functional block diagrams are constructed for each of the major functions. In functional diagrams, functions of equal level are arranged in rows such that proceeding from the major function down the page (across rows) leads to progressively lower levels until the end of the path is reached. In contrast to other analysis techniques, the functional diagram is a 'success tree' which describes the intra-relationships of the components/actions within a subfunction as well as the relation between a component/action and a subfunction. A sample functional diagram is shown in Fig. 1. Some of the terms on the legend are defined later in this paper.
TABLE 1 Major Nuclear Power Plant Functions
Alpha designator   Function
A                  Containment
B                  Power production
C                  Control
D                  Instrumentation and display
E                  Environmental control
F                  Fire protection
S                  Balance of plant support
U                  Utilities
X                  Auxiliaries
3.3 Step 3: assign alpha codes to functions, subfunctions, etc. down to the component/action level
To identify function relationships in the computer program, an alpha code is assigned to each function, subfunction, etc., down to the component/action level. There are only three restrictions placed on these assignments: (1) all characters in a code must be a letter of the alphabet; (2) the maximum number of characters in one code is seven; (3) codes assigned to major functions must be in accordance with the alpha designators in Table 1. To facilitate accounting procedures, subordinate function codes begin with the parent function code. However, the computer will accept any arrangement of alphanumeric characters. A character is generally not added to the code at each lower level. When a function is required by more than one higher level function (or when a component/action is required by more than one function and for the same purpose), the same alpha code is used in each application. When a component/action is required for more than one purpose, different alpha codes are assigned.
3.4 Step 4: identify operational phases
The function of some components/actions, as well as the importance of the failure of a function, is not constant throughout plant operation. Unlike other analysis techniques, SPT deals with the problems of changing roles by dividing plant operation into nine distinct phases, as listed in Table 2. These phases allow plant component criticality variances to be recognized and analyzed as to their impact on plant safety.
TABLE 2 Phases of Nuclear Power Plant Operation
1. Start up
2. Approach to criticality
3. Power ascension to turbine synchronization
4. Power ascension to steady state power
5. Steady state power
6. Power reduction to turbine disconnect
7. Power reduction to reactor shutdown
8. Post-criticality cooling
9. Shutdown
3.5 Step 5: assess functional sensitivity by phase
The sensitivity of a function is defined as the probability that loss of the function will cause the plant to enter a hazardous mode. The actual numerical values assigned are proportional rather than absolute, and increments no smaller than 0.1 are assigned. Increments smaller than 0.1, when required, are obtained by defining a quasi-function one level below the function of interest. The value assigned to the quasi-function is such that the product of the two sensitivities is equal to the desired sensitivity. Any number of quasi-functions, each at a successively lower level, can be used. This method of attenuation allows for assignment of sensitivities at the highest degree of accuracy which can be assessed. In some cases, the sensitivity assessment is made at the major function level; in other instances, it is made at the next lower level. The levels at which sensitivities are assigned are designated by ellipses on functional diagrams.
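The attenuation rule above (0.1 increments, quasi-functions one level below, product equal to the desired value) can be turned into a small search: given a target sensitivity, find the shortest chain of 0.1-increment values whose product reproduces it. The following is an added example, not code from the paper or from the SPT program; the tie-breaking rule (prefer the chain with the largest top-level value) and the cap on the number of quasi-function levels are assumptions. It also shows the edge case the paper does not spell out: a target whose digits do not factor into 0.1-increment values (0.013, say) cannot be reached by attenuation at all.

```python
import math
from itertools import product as cartesian

# The paper assigns sensitivities in increments no smaller than 0.1.
INCREMENTS = [i / 10 for i in range(1, 11)]   # 0.1, 0.2, ..., 1.0


def attenuate(target, max_levels=4, tol=1e-9):
    """Return the shortest chain of 0.1-increment values whose product equals `target`.

    chain[0] is the sensitivity assigned to the function of interest; each further
    element is the value assigned to a quasi-function one level below the previous
    one. Returns None if no chain of at most `max_levels` values reaches the target
    (assumed cap on quasi-function depth). Among chains of equal length the
    lexicographically largest is chosen (assumed tie-break: largest top-level value).
    """
    if not 0.0 < target <= 1.0:
        raise ValueError("sensitivity must lie in (0, 1]")
    for levels in range(1, max_levels + 1):
        best = None
        for chain in cartesian(INCREMENTS, repeat=levels):
            if abs(math.prod(chain) - target) < tol and (best is None or chain > best):
                best = chain
        if best is not None:
            return list(best)
    return None


def effective_sensitivity(chain):
    """What the SPT program computes from the assigned values: their product."""
    return math.prod(chain)


if __name__ == "__main__":
    for target in (0.3, 0.35, 0.07, 0.015, 0.013):
        chain = attenuate(target)
        if chain is None:
            print(f"{target}: not reachable with 0.1-increment values")
        else:
            print(f"{target}: assign {chain} -> product {effective_sensitivity(chain):.4f}")
```

A sensitivity that is already a 0.1 increment needs no quasi-function; 0.35 needs one level (0.7 at the function, 0.5 at the quasi-function); 0.015 needs two; 0.013 is unreachable because 13 has no factorization into integers from 1 to 10.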
3.6 Step 6: assign provisory factors
The significance of certain functions is dependent on external influences, for which cases 'provisory factors' have to be identified. For such functions, the procedure used is to always assign the worst case sensitivity or link dependency which would then be modified by the provisory factor. In general, provisory factors represent the probability of the existence of external conditions influencing the sensitivity of the function. Table 3 is a list of standard provisory factor codes and descriptions used in SPT. Values suitable to the particular plant under study must be assigned.
Provisory factors make SPT a powerful and unique tool. Other analysis techniques, fault tree analysis for example, require that a new model be developed to evaluate the impact of each external influence. SPT, using provisory factors, requires only that a single model be developed to evaluate the impact of all external influences. This increases analysis efficiency and cost-effectiveness.
3.7 Step 7: determine link dependencies by phase
Link dependency is the probability that the loss of a function will cause loss of the next higher level function which is dependent upon it. The assignment of link dependency requires only a knowledge of the system operation because it is concerned only with function levels below those assigned a function sensitivity. The evaluation of the impact on plant safety of the loss of a given component or of an error in a human action is made by the computer, which multiplies each successive link dependency by the 'sensitivity' of the top-level function to arrive at a sensitivity for each component/action and each subfunction. The link dependency between two functions A and B, where B is dependent on A, is defined as the probability that the loss of function A will result in the loss of function B. Like sensitivities, link dependency values are assigned in increments of 0.1. The method of attenuation can be applied to link dependencies, as in assigning sensitivity values. However, the quasi-function is usually placed one level above the function rather than below the function as in sensitivity attenuation. Link dependency values are operation-phase dependent in that a function's importance to a successor function may depend on the phase of operation.

TABLE 3 Provisory Factors
Code   Description
A      Icing conditions
B      Backup system inoperative
C      Cold weather
D      Power blackout
E      Earthquake
F      Overpower transient
G      Tornado/hurricane/high wind
H      Hot weather
I      Loss of function for which indicator is provided
J      Function present only part
K      Normal system failed
L      Loss of cooling
S      Unscheduled scram
T      Unscheduled turbine trip
X      Fire
2      1 of 3 units required
3      2 of 3 units required
4      1 of 4 units required
5      2 of 4 units required
6      3 of 4 units required
Redundancy in functional block diagrams can be either active or stand-by. However, from the point of view of nuclear power plant safety, situations involving true active redundancy are rare. Careful analysis of cases of apparent active redundancy will inevitably reveal that failure of one of the redundant units will degrade plant safety. When a case of true active redundancy does occur, it can be handled effectively by careful assignment of link dependency values, that is, by ignoring the rule that link dependencies are based on function only and do not reflect the unit's safety impact. Assignment of link dependency values to redundant subfunctions utilizes either provisory factor K or one of the numeric codes. When one of these codes is used, the alternate subfunction must be identified.
For stand-by redundancy, the link dependency value assigned to the primary unit (or subfunction) is the probability that the stand-by unit will fail to produce or will degrade the required function. The value assigned to the stand-by unit is the dependency of the higher-level function on receiving an output from either unit. The eventual evaluation of the path sensitivity made by the computer will include multiplying by the value of the provisory factor (either K or one of the numeric codes).
Switching in redundant functions can occur in any one of several forms and each case must be treated on its own merits. If the units have separate switches, the switches can be diagrammed as input functions of the respective units and appropriate link dependency values assigned. If the units have a common switch, there are two methods of diagramming available. One method is to make the switch a required input to the function one level below the redundant units. The other method is to make the switch an input to each of the redundant units. When this method is used, a divergent-convergent situation occurs. Any path which, when traced from a low level to a higher, divides into two paths such that these later merge into a single path again is called divergent-convergent.
To illustrate this, consider four functions A, B, C, D, arranged in a divergent-convergent path (see Fig. 2). There are two cases of importance to the dependency of A on B and C: first, the event that A does not occur, given that B does not occur but C does, denoted $\bar A \mid \bar B \cap C$; secondly, the event that A does not occur, given that C does not occur but B does, denoted $\bar A \mid B \cap \bar C$. The link dependency of A on B is $P(\bar A \mid \bar B \cap C)$ and that of A on C is $P(\bar A \mid B \cap \bar C)$. Similarly, the dependencies of B on D and C on D are $P(\bar B \mid \bar D)$ and $P(\bar C \mid \bar D)$, respectively.
Since B and C depend on D, and A depends on B and C, then A depends on D. The link dependency of A on D should be $P(\bar A \mid \bar D)$. However, when dependency is calculated for the individual paths and the path dependencies are combined, the results will not necessarily be equal to $P(\bar A \mid \bar D)$. This problem could be avoided by diagramming D on the level of B and C, thereby establishing a link A to D which is independent of both B and C. There are cases when it is more convenient to diagram the divergent-convergent path. In these cases, a pseudo-path A to D is drawn and labeled with an 'S' (sensitivity) for computer identification. The paths B to D and C to D are included and labeled with 'F' (function). The computer is programmed to follow paths labeled 'S' and ignore those labeled 'F'.

Fig. 2. Divergent-convergent path.
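The discrepancy described above can be made concrete with a constructed joint distribution over the four functions of Fig. 2. This is an added example, not from the paper: the conditional probabilities below are invented, and since the paper does not state how path dependencies are combined, the combination rule (the higher function is lost if at least one leg loses it) is an assumption. The exact value $P(\bar A \mid \bar D)$ computed from the joint distribution is what an 'S' pseudo-path from A to D should carry; the leg-by-leg product and combination give a different number.

```python
from itertools import product

# Constructed conditional model for Fig. 2 (True means the function is lost).
P_D_LOST = 0.1
P_B_LOST_GIVEN_D = {True: 0.9, False: 0.05}    # keyed by whether D is lost
P_C_LOST_GIVEN_D = {True: 0.8, False: 0.05}
P_A_LOST_GIVEN_BC = {                          # keyed by (B lost?, C lost?)
    (True, False): 0.5,    # P(A lost | B lost, C intact): the link dependency of A on B
    (False, True): 0.4,    # P(A lost | B intact, C lost): the link dependency of A on C
    (True, True): 0.95,    # both inputs lost: a case no single leg represents
    (False, False): 0.01,
}


def joint_distribution():
    """P(a, b, c, d) over all 16 outcomes, built from the conditional model above."""
    table = {}
    for d, b, c, a in product((True, False), repeat=4):
        p = P_D_LOST if d else 1.0 - P_D_LOST
        pb = P_B_LOST_GIVEN_D[d]
        p *= pb if b else 1.0 - pb
        pc = P_C_LOST_GIVEN_D[d]
        p *= pc if c else 1.0 - pc
        pa = P_A_LOST_GIVEN_BC[(b, c)]
        p *= pa if a else 1.0 - pa
        table[(a, b, c, d)] = p
    return table


def conditional(table, event, given):
    """P(event | given) for two predicates over an (a, b, c, d) outcome."""
    den = sum(p for k, p in table.items() if given(*k))
    num = sum(p for k, p in table.items() if given(*k) and event(*k))
    return num / den


def direct_dependency(table):
    """P(A lost | D lost): the value the 'S' pseudo-path A to D should carry."""
    return conditional(table, lambda a, b, c, d: a, lambda a, b, c, d: d)


def path_combined_dependency(table):
    """Dependency of A on D obtained leg by leg: (via B, via C, combined).

    Each leg multiplies its two link dependencies; the legs are then combined
    with the assumed rule 'A is lost if at least one leg loses it'."""
    dep_ab = conditional(table, lambda a, b, c, d: a, lambda a, b, c, d: b and not c)
    dep_ac = conditional(table, lambda a, b, c, d: a, lambda a, b, c, d: c and not b)
    dep_bd = conditional(table, lambda a, b, c, d: b, lambda a, b, c, d: d)
    dep_cd = conditional(table, lambda a, b, c, d: c, lambda a, b, c, d: d)
    via_b, via_c = dep_ab * dep_bd, dep_ac * dep_cd
    return via_b, via_c, 1.0 - (1.0 - via_b) * (1.0 - via_c)


if __name__ == "__main__":
    table = joint_distribution()
    print(f"direct  P(A lost | D lost) = {direct_dependency(table):.4f}")
    via_b, via_c, combined = path_combined_dependency(table)
    print(f"via B = {via_b:.4f}, via C = {via_c:.4f}, combined = {combined:.4f}")
```

With these numbers the direct value is 0.8062 while the combined legs give 0.626: the legs only see the cases where exactly one of B and C is lost, yet loss of D usually takes both out, and no combination rule recovers that from the two single-leg conditionals.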
3.8 Step 8: enter/edit data
Data is entered into the SPT computer model using an 80-character format. The format design is standardized with defined data boundaries to allow for each data entry and subsequent editorial work, as needed.
3.9 Step 9: computer processing
The SPT computer processing program conducts a model path identification/documentation analysis which traces all possible paths associated with each function and calculates the numerical sensitivities by nuclear power operation phase down to the component/action level. Then, a path combination analysis is made taking into account the dependence of more than one major function on a particular component/action level. Finally, failure information from the plant's operational data system and numerical factors for provisory conditions are input into the computer and component/action level criticalities are generated.
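The processing described in this step, together with the criticality product of Section 2, the provisory factors of Step 6, the stand-by redundancy and 'S'/'F' path labels of Step 7, and the ranking of Table 4, is illustrated by the following added example. It is not the SPT program and not the paper's code: the functional diagram (alpha codes, link dependencies, two of the nine phases), the provisory factor value for K and the failure probabilities are all constructed, and the path combination rule (the plant enters a hazardous mode if at least one path from the component leads there) is an assumption, since the paper does not state one.

```python
import math

PHASES = (5, 9)   # constructed subset of the paper's nine operational phases (Table 2)

# Functions at which sensitivity is assessed directly (the ellipse level), by phase.
SENSITIVITY = {
    "B": {5: 0.9, 9: 0.1},   # Power production
    "C": {5: 0.8, 9: 0.5},   # Control
}

# Provisory factor values assumed for this constructed plant (Table 3 code -> probability).
PROVISORY = {"K": 0.05}      # K: normal system failed, i.e. the stand-by unit is in use

# Success-tree links: (child code, parent code, link dependency by phase, label, provisory code).
# Link dependency is P(parent lost | child lost). 'S' links are followed by the path
# generator; 'F' links are documentation only and are ignored (Step 7).
LINKS = [
    ("BA",  "B",  {5: 1.0, 9: 0.5}, "S", None),  # coolant circulation -> power production
    ("BAA", "BA", {5: 0.2, 9: 0.2}, "S", None),  # primary pump: dep = P(stand-by fails to take over)
    ("BAB", "BA", {5: 1.0, 9: 1.0}, "S", "K"),   # stand-by pump: full dependency, scaled by factor K
    ("UAA", "BA", {5: 0.6, 9: 0.3}, "S", None),  # utility bus also feeds coolant circulation
    ("CA",  "C",  {5: 1.0, 9: 1.0}, "S", None),
    ("CB",  "C",  {5: 1.0, 9: 1.0}, "S", None),
    ("CAA", "CA", {5: 0.7, 9: 0.4}, "S", None),
    ("UAA", "CA", {5: 0.8, 9: 0.8}, "F", None),  # divergent-convergent legs, drawn but not followed
    ("UAA", "CB", {5: 0.8, 9: 0.8}, "F", None),
    ("UAA", "C",  {5: 0.9, 9: 0.6}, "S", None),  # pseudo-path carrying P(C lost | UAA lost) directly
]

# Failure/error probabilities per component/action code (constructed failure data).
P_FAIL = {"BAA": 0.02, "BAB": 0.03, "UAA": 0.005, "CAA": 0.01}


def path_sensitivities(code, phase):
    """Sensitivity of every 'S' path from `code` up to a function with an assigned
    sensitivity: the top-level sensitivity multiplied by each successive link
    dependency and by any provisory factor on the way."""
    if code in SENSITIVITY:
        return [SENSITIVITY[code][phase]]
    values = []
    for child, parent, dep, label, prov in LINKS:
        if child != code or label != "S":
            continue
        factor = dep[phase] * (PROVISORY[prov] if prov else 1.0)
        values.extend(factor * s for s in path_sensitivities(parent, phase))
    return values


def combine_paths(values):
    """Path combination analysis. Assumed rule: hazardous mode is entered if at
    least one path from the component leads there (an empty list gives 0)."""
    if len(values) == 1:
        return values[0]
    return 1.0 - math.prod(1.0 - v for v in values)


def sensitivity(code, phase):
    """P(hazardous mode | failure/error of `code`) in the given phase."""
    return combine_paths(path_sensitivities(code, phase))


def criticality_ranking(phase):
    """Rows (rank, code, sensitivity, criticality, % of total criticality), as in Table 4.
    Criticality = sensitivity * P(fail), equation (1)."""
    rows = []
    for code, p_fail in P_FAIL.items():
        s = sensitivity(code, phase)
        rows.append((code, s, s * p_fail))
    total = sum(crit for _, _, crit in rows)
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(rank, code, s, crit, 100.0 * crit / total)
            for rank, (code, s, crit) in enumerate(rows, start=1)]


if __name__ == "__main__":
    for phase in PHASES:
        print(f"Phase {phase}")
        for rank, code, s, crit, pct in criticality_ranking(phase):
            print(f"  {rank}  {code:5} sensitivity={s:.4f}  criticality={crit:.3e}  {pct:5.2f}%")
```

In phase 5 the utility bus UAA reaches two sensitivity-bearing functions (through BA and through the 'S' pseudo-path to C) and its two path sensitivities, 0.54 and 0.72, are combined; the stand-by pump BAB carries a full link dependency but is scaled by provisory factor K, so its sensitivity is only 0.045. Because criticality multiplies sensitivity by the failure probability, the component with the highest sensitivity (UAA) is not the one ranked first.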
4 SPT OUTPUT PRODUCTS
As stated previously, SPT provides criticality numerics for plant components. The SPT criticality numerics provide data for determining the following:²
(1) Which items should be given intensive study for elimination of the hazard that could cause the failure and for fail-safe design, failure rate reduction, or damage containment.
(2) Special requirements to be included in specifications for suppliers concerning design, performance, reliability, safety, or quality assurance.
(3) Acceptance standards to be established for components received at a plant from subcontractors and for parameters that should be tested most intensively.
(4) When special procedures, safeguards, protective equipment, monitoring devices, or warning systems should be provided.
(5) Optimal maintenance plans developed through the application of reliability-centered maintenance (RCM).
(6) Where accident prevention efforts and funds could be applied most effectively.
The computer compiles a critical items list which ranks those components that are most critical in meeting plant safety goals (see Table 4). This critical items list can be continually updated and published at regular intervals and used for criticality trend analyses, both listed and graphically displayed (if periodic failure/error data are used), so as to provide a basis for prioritizing plant safety improvement programs.
TABLE 4 Sample Safety Criticality Ranking
Criticality rank   Component/action code   Percentage of total criticality   Criticality
1                  14DA1                   19.16                             0.944 × 10⁻³
2                  13DC1                   15.33                             0.755 × 10⁻³
3                  14CD1                   9.05                              0.446 × 10⁻³
4                  13DB1                   6.49                              0.319 × 10⁻³
This paper has presented a Safety Prediction Technique (SPT) developed for nuclear power plants. With SPT, a quantification called criticality is determined; this is proportional to the probability that a given component or procedural/human action will cause the plant to operate in a hazardous mode. Criticality is calculated in SPT as the product of the failure/error probability for the component/action, which can be estimated from failure/error data, and the sensitivity of the component/action, which is the conditional probability that the plant will be unsafe given that a failure/error has occurred. Sensitivity is calculated from data input to SPT safety assessment models. These models are described in terms of both functional block diagrams and a computer data format, following the procedures and codes developed in this paper.
The model, in conjunction with the failure/error data, is then processed in a computer path generator program to yield safety criticality rankings for systems/components/actions and criticality trend analyses, both listed and graphically displayed.
1. Reliability Technology Associates. Flight Safety Prediction Technique applied to several aircraft, reports to U.S. Air Force, 1984-6; available from GIDEP.
2. Anderson, R. T. Reliability Engineering for Nuclear and Other High Technology Systems. London: Elsevier Applied Science Publishers, 1985.