Fuzzy-Logic-Based Safety Verification Framework for Nuclear Power Plants
Risk Analysis, Vol. 33, No. 6, 2013
DOI: 10.1111/j.1539-6924.2012.01899.x

Achint Rastogi and Hossam A. Gabbar

Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology (UOIT), 2000 Simcoe Street North, Oshawa L1H7K4 ON, Canada.
Address correspondence to Hossam A. Gabbar, Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology, UOIT, 2000 Simcoe St. N., Oshawa L1H7K4 ON, Canada.
0272-4332/13/0100-1128$22.00/1 © 2012 Society for Risk Analysis

This article presents a practical implementation of a safety verification framework for nuclear power plants (NPPs) based on fuzzy logic where hazard scenarios are identified in view of safety and control limits in different plant process values. Risk is estimated quantitatively and compared with safety limits in real time so that safety verification can be achieved. Fuzzy logic is used to define safety rules that map hazard condition with required safety protection in view of risk estimate. Case studies are analyzed from NPP to realize the proposed real-time safety verification framework. An automated system is developed to demonstrate the safety limit for different hazard scenarios.

KEY WORDS: Fuzzy logic; NPP safety; nuclear power plant safety; safety verification

1. INTRODUCTION

Safety is an important task in nuclear power plants and plays a significant role throughout the plant life cycle.(1) Governmental safety regulations and international standards support overall process safety.(2) Lack of plant safety might lead to hazardous events with high risks to human life, plant, and environment. It is important to describe a practical integrated framework for plant safety based on independent protection layers and defense-in-depth concepts. Safety control is one important layer within overall safety protection layers. Safety control systems are designed and evaluated in view of safety requirement specifications and corresponding safety rules and constraints are mapped to protection layers or barriers. The proposed risk-based safety verification framework can be applied to nuclear power plants, smart grids, oil and gas production plants, or other manufacturing plants.

Industrial facilities are required to provide a safe atmosphere by proper implementation of safety verification techniques, proper safety instrumented systems (SIS), and frameworks for safety design of energy and production plants, as per IEC61508.(3–6) Verification is the evaluation of an implementation to determine that applicable safety-critical requirements for any plant and its operations are met. The verification process ensures that the design solution meets or exceeds all validated safety requirements.(7,8) A verified system shows measurable evidence that it complies with the overall system safety needs by incorporating an efficient safety verification framework.(8)

2. PROPOSED FRAMEWORK

The proposed risk-based safety verification framework is shown in Fig. 1. Fig. 2 shows the proposed activity model using IDEF0. It should be noted that the main purpose of this framework is not to replace existing technologies but to integrate them so that they may become more effective when it comes to accident prevention.

Fig. 1. Flowchart of safety verification framework.

This is a five-step framework and helps in verifying the safety of a process in a nuclear power plant. It starts with control limits estimation based on upper control limits (UCLs) and lower control limits (LCLs). Data points that may cause a hazard (usually the data points that lie outside these limits) are identified. Once these limits are identified, the next step is hazards identification. All possible hazards that could be caused by a single event are identified.
After hazard identification, the next step is risk estimation and evaluation. The risk associated with a particular event is calculated. For this, a particular event is selected, and it is further broken down into all the possible fault propagation scenarios that it could take to cause the hazard. The risk associated with each individual fault propagation scenario is calculated and then combined to estimate the total risk associated (TRA) with the event. The next step is safety verification. Once the TRA is estimated, it is compared with the value of the target risk for that event. If the TRA is more than the target risk, the process is unsafe and vice versa. The last step of the framework, i.e., risk reduction, only comes into play if the TRA with a particular event is more than the target risk and the process is unsafe to operate. At this stage, the risk must be reduced to such an extent that it no longer exceeds the maximum allowable risk. This is facilitated by step five of the framework, risk reduction. Each part of the framework is discussed in more detail in the following sections.

Fig. 2. The proposed risk-based safety verification framework for nuclear power plants.

2.1. Step 1: Control Limit Estimation

Estimating the control limits forms the first block of the framework. In general, defining the control or safety limits requires the following key points to be kept in mind whenever risk is assessed:

- Determining the requirements of the machine or process
- Determining both the use and operation and misuse and malfunction
- User training, expertise, and knowledge
- Possibility of people being exposed to machine hazards

There are two types of limits that need to be estimated for any process occurring in a nuclear power plant:

- Control limits
- Safety limits(9)

The control limits are the limits within which the process operates with maximum efficiency, both in terms of operations and economic costs. Whenever the process exceeds these limits, its operation becomes undesirable. The process may, however, be safe to operate, but is highly undesirable as it leads to inefficient operation and economic losses. The UCL and the LCL are the two control limits, and the zone between them is known as the zone of most efficient operation. This area is shown by the violet band in Fig. 3 (colors visible in online version). The safety limits, on the other hand, are the limits beyond which the operation of a given process becomes unsafe. If the process operates in a region beyond the safety limits, it may cause hazards, fatalities, and accidents. Whenever a process goes beyond the safety limits, shutdown is the only option left to ensure safety. Similar to the control limits, there are two safety limits, the upper safety limit and the lower safety limit, and the zone between them is called the zone of safe operation. The red bands depict the area of unsafe operation.

Fig. 3. Theoretical basis of a control chart showing the centerline, upper control limit (UCL), and the lower control limit (LCL) for any set of random data.

For the purpose of calculating the safety limits, we can make use of control charts. Control charts in statistical process control (SPC; also known as Shewhart charts or process-behavior charts) are tools used to determine whether or not a manufacturing or business process is in a state of statistical control. SPC is a powerful collection of problem-solving tools useful in understanding process variability, achieving process stability, and improving process performance through the reduction of avoidable variability.(10) SPC is not a new term and has been used in manufacturing industries for years. It has also been shown that use of SPC can enhance safety in a nuclear power plant.

SPC methods can be applied as an early warning system capable of identifying significant equipment problems well in advance of traditional control room alarm indicators. Such a system would provide operators with ample time to respond to possible emergency situations and thus improve plant safety and reliability.(11,12,5)

Control limits can be estimated effectively and efficiently by using any SPC charts.

No matter which control chart is chosen for a particular process, the basic idea remains the same. In general, the chart contains a centerline that represents the mean value for the in-control process. Two other horizontal lines, called the UCL and the LCL, are also shown on the chart. These control limits are chosen so that almost all of the data points will fall within these limits as long as the process remains in-control. The theoretical basis of a control chart is shown in Fig. 3.

EWMA stands for exponentially weighted moving average. EWMA is a statistic for monitoring the process that averages the data in a way that gives less and less weight to data as they are further removed in time, as shown in Fig. 4. The statistic calculated is shown in Equation (1):(13)

$$\mathrm{EWMA}_t = \lambda Y_t + (1 - \lambda)\,\mathrm{EWMA}_{t-1} \quad \text{for } t = 1, 2, 3, \ldots, n, \tag{1}$$

where:

- $\mathrm{EWMA}_0$ is the mean of historical data (target)
- $Y_t$ is the observation at time $t$
- $n$ is the number of observations to be monitored including $\mathrm{EWMA}_0$
- $0 < \lambda \le 1$ is a constant that determines the depth of memory of the $\mathrm{EWMA}_t$.

Fig. 4. EWMA curve for a statistically moving random data set.

In this project, we will be using the EWMA technique as it is best suited for processes where the data set is not constant and where the older data values are not as important as the recent ones.

2.2. Step 2: Hazard Identification

A hazard, in simple words, can be defined as a situation having a potential to cause harm.(14) In a little more detail, it could be best described as an unsafe physical condition which is always in one of the three modes: dormant (unable to cause harm), armed (able to cause harm), and active (causing injury, death, and/or damage by releasing unwanted energy).(15) It is very clear from this definition that hazards, in any form, are highly undesirable. Thus predicting and identifying hazards, so that they may be stopped before causing any harm, is the main objective of this block of the framework.

Once the control limits are estimated, the next step is to identify the potential hazards. There is no direct interconnection between the control limit estimation step and the hazard identification step, and any of the steps could be performed earlier. This report chooses the control limit estimation as the first step followed by the hazard identification step.

Hazard identification is fundamental to the safe design and operation of any system, be it a process plant or any other facility.(16) Thus, the hazards identification block forms the second step of the framework. Hazard identification means checking for all the hazardous conditions and hazardous events associated with the machine. Hazard identification includes predicting hazards, which may be caused by a process. These hazards can be mechanical, electrical, thermal, chemical, radiological, or environmental in nature. There are a lot of hazard identification tools available in the literature of hazard analysis. Some of the most common techniques are: hazard and operability analysis; failure mode and effect analysis (FMEA); event tree analysis; fault tree analysis; and what-if analysis.

Although there are many more techniques, it usually requires a combination of two or more techniques to effectively predict and identify hazards.
An effective risk analysis requires basic knowledge about possible risks, characteristics of potential hazards, and comprehensive understanding of the associated cause-effect relationships, for nuclear facilities.(9)

2.3. Step 3: Risk Estimation and Evaluation

Once the hazards are estimated, the next important step is to evaluate the risk. Risk can be defined as a combination of a predicted frequency of an undesired initiating event and the predicted damage such an event might cause if the ensuing follow-up events were to occur.(17)

Again, there are many risk estimation methods available that could be used in nuclear industries. Some of them are shown in detail in Refs. (18) and (19). As per them, the risk estimation methods could be classified into three main categories: qualitative, quantitative, and hybrid. These are further subclassified into various methods depending upon the type and the evaluation process. We shall be using the proportional risk assessment technique (PRAT) as illustrated by Refs. (18) and (19). PRAT is a quantitative technique of risk evaluation that uses a proportional formula for calculating the quantized risk because of hazard. The risk is calculated considering the potential consequences of an accident, the exposure factor, and the probability factor.(18–22)

In general, risk associated with an event ($R_i$) could be understood as the product of the probability of that event ($f_i$) and the magnitude of consequences caused by the event ($D_i$):

$$R_i = f_i D_i. \tag{2}$$

Risk analysis consists of two distinct phases: a qualitative step of identifying, characterizing, and ranking hazards; and a quantitative step of risk evaluation that includes the estimation of likelihood (frequencies) and consequences of hazards occurrence.(13) Both the steps are equally important.

2.4. Step 4: Safety Verification

The main task performed in this step is to verify whether the process is safe or not.
At this step it is checked whether the actual risk associated with a process (calculated in the earlier step using PRAT) is above or below the allowable risk (or target risk/threshold risk [TR]). The process has to operate in accordance with the regulatory requirements listed in the Nuclear Safety and Control Act and those of the Canadian Nuclear Safety Commission. The process is verified as to whether it meets the various standards and guidelines set in the Act.

If the calculated actual risk is below the TR, the process is said to be safe and no further action is taken until any further developments. But, if the calculated actual risk is above the TR, the process is not safe. The plant cannot be operated in an unsafe manner. Hence risk reduction techniques are used so as to reduce the risk below the TR limit. These risk reduction techniques are described in the following section.

Safety verification is carried out using fuzzy logic. A fuzzy logic rule base is created and the corresponding membership functions are defined. The MATLAB fuzzy logic toolbox is used for building membership functions. We will make use of the fuzzy inference system for verifying the process safety. It is a method that interprets the values in the input vector and, based on user-defined rules, assigns values to the output vector.

2.5. Step 5: Risk Reduction

The risk reduction block forms the last and the final block of the proposed framework. Whenever the actual risk is more than the TR,¹ the process is unsafe.

It is required to reduce the risk to such an extent that it is no longer greater than the TR. For risk reduction, the following action may be taken:

- Reduce the probability and severity
- Eliminate or reduce exposure to hazard as far as practical
- Use safeguards and safety devices
- Determine that the performance and functional characteristics of the safety measures are suitable for the machine and its use

Risk reduction can be performed in a number of ways.
Passive safety, inherent safety,(23) principles of defense-in-depth, safety culture, SIS, operator training, emergency preparedness, consequence mitigation, etc. are a few ways of reducing risk. The general concept is to employ as many barriers as economically feasible between the initial events and the final hazardous consequences.

Risk reduction is not always needed. Only if the actual risk is greater than the TR do we need to reduce the risk so as to bring it below the maximum permissible value.

¹ Threshold risk is the maximum value of allowable risk within which the process could operate safely. It is calculated as a product of the frequency of hazard occurrence and the magnitude of consequence. The frequency of hazard occurrence is a value just below the maximum frequency permitted. Similarly, the magnitude of consequence is a value corresponding to the consequence incurred when the frequency of hazard occurrence is just below the maximum frequency permitted.

3. FUZZY LOGIC VERIFICATION

3.1. Definition of Terms

In this article, a number of terms are used, which are described in this section. The below-mentioned terms enhance our understanding of application of the fuzzy logic applied to the nuclear power plants.

- Safe operating condition: A condition that is completely safe and has no threats or dangers to the life of the personnel or property.
- Unsafe operating condition: A condition that is not safe. Such a condition poses a major threat to life, property, and environment and is highly undesirable.
- Inherent safety systems (ISS): Inherent safety is a concept particularly used in the chemical and process industries. An inherently safe process has a low level of danger even if things go wrong. An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant.(24)
- SIS: These systems are also referred to as shutdown safety systems.
  Whenever an unsafe situation is detected in a nuclear power plant, these systems immediately shut down the power plant. Generally, a fault detection system is used and triggers the shutdown systems automatically. These systems are considered as the last layer of active safety within the power plant.
- Emergency response systems (ERS): Consequence mitigation systems or ERS are triggered when there is an emergency situation in the power plant. Such an emergency may have serious consequences if ignored. In project management terminology, the purpose of the mitigation plan is to describe how a particular risk will be handled: what, when, by whom, and how will it be done to avoid it or minimize consequences if it becomes a liability.(25)
- Initiating events (I): These are also known as primary events or first-degree events. These are caused by some internal or external disturbances in a system. It is important to note that not all of the initial events convert themselves into faults. There are several safety systems employed to check the propagation of these events, and it is the objective of every safety plan to effectively suppress any initial events before they finally transform themselves into hazards.
- Secondary events (S): These are also known as follow-up events. These are generally caused by the initiating events. Whenever any initiating event takes place, and is not controlled by the responsible safety system (it may be an active or passive safety system), it leads to some other events. Thus, those events that are caused by the initiating events are known as secondary events. These, if not stopped, may lead to tertiary events and finally result in the hazardous situation.
- Hazardous or emergency events (H): These events may be caused in two ways: escalation of initiating events finally resulting in a hazard or by some other external factor resulting in a hazard (like an airplane crash, terrorist attack, etc.).
  Although the former can be stopped as the fault propagation path has several safety measures employed to check them, the latter ones are more severe and hard to control.
- Hazard resistance rate: It is defined as the rate at which any safety system tries to suppress the particular hazards. It is also defined as the rate of resistance offered to the hazards by any safety system.
- Hazards isolation rate: It is defined as the rate at which any safety system tries to isolate the particular hazards. It is also defined as the rate of isolation offered to the hazards by any safety system.
- Hazard mitigation rate: It is defined as the rate at which any safety system tries to mitigate the particular hazards. It is also defined as the rate of mitigation offered to the hazards by any safety system.

3.2. Fuzzy-Logic-Based Safety Analysis

One very good thing about fuzzy logic is that it does not require crisp mathematical data. It can work well in the absence of numbers. The terms of the framework are linguistic objects or words rather than numbers, and are broadly categorized into safe, unsafe, and response. The general guidelines that will be used while defining the fuzzy rule matrix are shown in Table I.

Table I. General IF-IS-THEN Fuzzy Logic Scenario

| IF (Condition) | IS (State) | THEN (Response) |
|---|---|---|
| Safe − unsafe | Zero | Zero error occurs |
| Safe − unsafe | Positive | Positive error occurs |
| Safe − unsafe | Large positive | Large positive error occurs |
| Safe − unsafe | Negative | Negative error occurs |
| Safe − unsafe | Large negative | Large negative error occurs |

Similarly, the general guidelines that will be used while defining the fuzzy rule matrix for rate of change of error are shown in Table II. In the table, d(Safe − Unsafe)/dt represents the rate of change of a situation from a safe condition to an unsafe condition. For example, the first row of the table should be read as IF the rate of change of situation (from a safe condition to an unsafe condition) IS ZERO, THEN the rate of change of error is ZERO, and so on. It should be noted that the table represents the general IF-IS-THEN situations and not the specific conditions of the project. The terms used in the model framework are described later in a tabular form.

Table II. General IF-IS-THEN Fuzzy Logic Scenario for Rate (of Change) of Error

| IF (Condition) | IS (State) | THEN (Response) |
|---|---|---|
| d(Safe − unsafe)/dt | Zero | Rate (of change) of error is zero |
| d(Safe − unsafe)/dt | Positive | Rate (of change) of error is positive |
| d(Safe − unsafe)/dt | Large positive | Rate (of change) of error is large positive |
| d(Safe − unsafe)/dt | Negative | Rate (of change) of error is negative |
| d(Safe − unsafe)/dt | Large negative | Rate (of change) of error is large negative |

The terms used in the model framework are slightly different, and are explained below, in Table III.

Once these fuzzy variables are defined, the next step is the analysis of these variables and the formation of fuzzy rule matrix or rule base. This involves defining fuzzy rules based on the characteristics of the variables and terms. This defining process often utilizes experience. Historical data and professional experience are always useful when defining these rules. These are again linguistic rules without any mathematical data involved. These rules can be changed into crisp mathematical rules if mathematical data are available; however, that is beyond the scope of the project.

Table III. Terms Used in the Framework with Their Meanings

| Term | Meaning |
|---|---|
| ISS-I | Difference between the capability of inherent safety systems and the potential of initial event to cause a hazard. Depending upon its value, it can be said whether the inherent safety system could suppress the initial event or not. |
| ISS-S | Difference between the capability of inherent safety systems and the potential of secondary event to cause a hazard. Depending upon its value, it can be said whether the inherent safety system could suppress the secondary event or not. |
| ISS-H | Difference between the capability of inherent safety systems and the potential of hazardous event to cause a hazard. Depending upon its value, it can be said whether the inherent safety system could suppress the hazardous event or not. |
| SIS-I | Difference between the capability of safety instrumented systems and the potential of initial event to cause a hazard. Depending upon its value, it can be said whether the safety instrumented system could suppress the initial event or not. |
| SIS-S | Difference between the capability of safety instrumented systems and the potential of secondary event to cause a hazard. Depending upon its value, it can be said whether the safety instrumented system could suppress the secondary event or not. |
| SIS-H | Difference between the capability of safety instrumented systems and the potential of a hazardous event to cause a hazard. Depending upon its value, it can be said whether the safety instrumented system could suppress the hazardous event or not. |
| ERS-I | Difference between the capability of emergency response systems and the potential of initial event to cause a hazard. Depending upon its value, it can be said whether the emergency response system could suppress the initial event or not. |
| ERS-S | Difference between the capability of emergency response systems and the potential of secondary event to cause a hazard. Depending upon its value, it can be said whether the emergency response system could suppress the secondary event or not. |
| ERS-H | Difference between the capability of emergency response systems and the potential of a hazardous event to cause a hazard. |

3.3. Individual Rule Matrix

From linguistic or fuzzy variables, the linguistic rules are defined. These rules represent the actual behavior of the fuzzy logic controller. At the onset of a particular event, the actual response of the fuzzy logic controller is demonstrated in the rule matrix.

Again, before starting the construction of the rule matrix, the important rules involved and their meaning are highlighted in Tables IV and V.

In summary, the variables are categorized into: error and rate-of-change-of-error. Also the variables are modified into negative, zero, and positive. Because the variables are in three pairs, the simplest practical implementation is a 3 × 3 matrix.

4. CASE STUDY

The case study is performed on a hypothetical scenario that is commonly encountered in a nuclear power plant. Any equipment or process could be taken to demonstrate the case study of the fault propagation scenario. In this example, a tank is considered. Various causes that could lead to a hazard are analyzed, and based upon the analysis, safety verification is performed.

Any accident that occurs in a nuclear power plant is because of a single initial event.(26) This initial event escalates, propagates, and multiplies in magnitude, and causes several secondary events, if unchecked. This propagation of fault leads to a hazardous situation, and if still unchecked and not stopped could lead to a major accident in the plant.

In this case, as many as eight initial events are considered for the analysis, though there are many more. These are:

- High temperature
- Low temperature
- High pressure
- Low pressure
- High flow
- Low flow
- Overflow
- Impurities

There are several safety systems employed in the power plant to check these initial events. These may be special safety systems, or embedded in the form of passive safety or inherent safety. The vertical line after the initial event represents the safety systems that have been installed to check the propagation of initial events.
It is important to note that not every initial event leads to a fault. Some of these die out eventually with time, whereas others have a potential to convert themselves into faults.

Table IV. Meaning of Fuzzy Rules

| Terms | Meaning |
|---|---|
| ISS-I = 0, ISS-S = 0, ISS-H = 0 | ISS just capable enough to suppress I/S/H² event³ |
| ISS-I = +, ISS-S = +, ISS-H = + | ISS more than capable to suppress I/S/H event⁴ |
| ISS-I = −, ISS-S = −, ISS-H = − | ISS not capable enough to suppress I/S/H event⁵ |
| SIS-I = 0, SIS-S = 0, SIS-H = 0 | SIS just capable enough to suppress I/S/H event |
| SIS-I = +, SIS-S = +, SIS-H = + | SIS more than capable to suppress I/S/H event |
| SIS-I = −, SIS-S = −, SIS-H = − | SIS not capable enough to suppress I/S/H event |
| ERS-I = 0, ERS-S = 0, ERS-H = 0 | ERS just capable enough to suppress I/S/H event |
| ERS-I = +, ERS-S = +, ERS-H = + | ERS more than capable to suppress I/S/H event |
| ERS-I = −, ERS-S = −, ERS-H = − | ERS not capable enough to suppress I/S/H event |

² I/S/H stands for initial event, secondary event, and hazardous event, respectively.
³ Green color represents the satisfactory zone of operation (color visible in online version).
⁴ Red color represents the unsatisfactory zone of operation (color visible in online version).
⁵ Yellow color represents the warning zone of operation (color visible in online version).

Table V. Meaning of Fuzzy Rules (Rate of Change Terms)

| Terms | Meaning |
|---|---|
| d(ISS-I)/dt = 0, d(ISS-S)/dt = 0, d(ISS-H)/dt = 0 | The rate at which ISS is suppressing I/S/H event is zero⁶ |
| d(ISS-I)/dt = +, d(ISS-S)/dt = +, d(ISS-H)/dt = + | The rate at which ISS is suppressing I/S/H event is positive⁷ |
| d(ISS-I)/dt = −, d(ISS-S)/dt = −, d(ISS-H)/dt = − | The rate at which ISS is suppressing I/S/H event is negative⁸ |
| d(SIS-I)/dt = 0, d(SIS-S)/dt = 0, d(SIS-H)/dt = 0 | The rate at which SIS is suppressing I/S/H event is zero |
| d(SIS-I)/dt = +, d(SIS-S)/dt = +, d(SIS-H)/dt = + | The rate at which SIS is suppressing I/S/H event is positive |
| d(SIS-I)/dt = −, d(SIS-S)/dt = −, d(SIS-H)/dt = − | The rate at which SIS is suppressing I/S/H event is negative |
| d(ERS-I)/dt = 0, d(ERS-S)/dt = 0, d(ERS-H)/dt = 0 | The rate at which ERS is suppressing I/S/H event is zero |
| d(ERS-I)/dt = +, d(ERS-S)/dt = +, d(ERS-H)/dt = + | The rate at which ERS is suppressing I/S/H event is positive |
| d(ERS-I)/dt = −, d(ERS-S)/dt = −, d(ERS-H)/dt = − | The rate at which ERS is suppressing I/S/H event is negative |

⁶ This means that the rate at which the ISS is trying to suppress the fault and the rate at which the initial event is trying to escalate are equal.
⁷ This means that the rate at which the ISS is trying to suppress the fault is greater than the rate at which the initial event is escalating. Hence the initial event will finally be overcome by the ISS.
⁸ This means that the rate at which the ISS is trying to suppress the fault is less than the rate at which the initial event is escalating. Hence the initial event will never be suppressed by the ISS.

Now, once an initial event has taken place, it can either be suppressed by the corresponding safety system, or could break the barrier or the safety systems and could result in a secondary cause or a primary event. In this case, two primary events are considered:

- Vibrations
- Blockages

Although high temperature, high pressure, high flow, overflow, and impurities could cause vibrations and blockage, low temperature, low pressure, and low flow cause only vibrations and no blockage.
Vibrations and blockage are caused because the initial events were not checked by the safety systems, or in other words, the primary safety systems failed. Now it would be interesting to see how the secondary safety systems react to this condition. These secondary causes have a potential to give birth to tertiary events if they are not stopped by the secondary safety systems.

Now, if the secondary safety systems also failed, tertiary events may be caused, which is corrosion. Corrosion may be caused by vibrations or by continuous blockage and reduces the durability and performance of the tank, and hence is an undesirable event. If corrosion occurs, the probability of occurrence of a hazard increases rapidly because if the third-level safety systems fail, it may lead to a leak or reduced mechanical strength. A leak can cause fire or intoxication (depending upon the contents of the tank), whereas reduced mechanical strength of the tank may result in an explosion in the plant,(23,27) and both of these situations are extremely undesirable. Hence, in our safety verification, we try to determine what the safety level of the plant is after the occurrence of any hazard-causing event or failure of safety systems. If the safety level is below a certain threshold limit, the plant is safe enough to operate, even if there is a fault. This is because, in that case, the safety system could be relied upon, and hence the need to shut down the process does not arise. Safety verification is done as per the proposed methodology, shown earlier. However, for simplicity, we would be considering a particular event scenario in our case study, which is shown in Fig. 5. It should be noted that Fig. 5 is a subsection of Fig. 6.

Fig. 5. Fault propagation scenario of a particular event in consideration.

Fig. 6. Fault propagation scenario examples in a typical nuclear power plant.

4.1. Control Limits Estimation

The first step of safety verification is control limits estimation.
For this purpose, we will use the data shown in Table VI. We will be using the EWMA technique for estimating the control limits of the tank. Only two control limits are estimated: UCL and LCL. The UCL and LCL to be calculated are defined with the help of the following expressions:

$$\mathrm{UCL} = \mathrm{EWMA}_0 + k\,s_{\mathrm{EWMA}}; \qquad \mathrm{LCL} = \mathrm{EWMA}_0 - k\,s_{\mathrm{EWMA}} \tag{3}$$

$s^2_{\mathrm{EWMA}}$ = (/[2 ])$s^2$, (4)

where:
$s$ = standard deviation of the data
$s^2_{\mathrm{EWMA}}$ = estimated variance
= a constant whose value lies between 0.2 and 0.3
UCL = upper control limit
LCL = lower control limit
$\mathrm{EWMA}_0$ = the mean of historical data
$k$ = a factor usually set to 3 or chosen using Ref. 13

Table VI. Historical Tank Temperature Data Retrieved from Ref. 28

| Date | Specific Gravity | Level (Inches) | Temp (Celsius) |
|---|---|---|---|
| 1 May 1997 | 1.51 | 80 | 30 |
| 2 May 1997 | 1.53 | 38 | 35 |
| 3 June 1997 | 1.27 | 293 | 33 |
| 4 June 1997 | 1.31 | 325 | 29 |
| 5 June 1997 | 1.43 | 75 | 37 |
| 6 July 1997 | 1.48 | 229 | 27 |
| 7 August 1997 | 1.44 | 53 | 48 |
| 8 August 1997 | 1.38 | 262 | 35 |
| 9 September 1997 | 1.4 | 310 | 30 |
| 10 September 1997 | 1.45 | 70 | 30 |
| 11 September 1997 | 1.46 | 52 | 27 |
| 12 September 1997 | 1.22 | 271 | 23 |
| 13 November 1997 | 1.2 | 241 | 32 |
| 14 January 1998 | 1.26 | 72 | 19 |
| 15 January 1998 | 1.1 | 33 | 17 |
| 16 January 1998 | 1.05 | 259 | 19 |
| 17 January 1998 | 1.02 | 191 | 21 |
| 18 January 1998 | 1.06 | 78 | 20 |
| 19 January 1998 | 1.36 | 78 | 34 |
| 20 January 1998 | 1.32 | 41 | 39 |
| 21 February 1998 | 1.45 | 46 | 34 |
| 22 February 1998 | 1.4 | 104 | 57 |
| 23 February 1998 | 1.18 | 55 | 31 |
| 24 February 1998 | 1.41 | 85 | 45 |
| 25 February 1998 | 1.45 | 253 | 51 |

Table VII. Values of Different Parameters to be Calculated, Including UCL and LCL

| Parameter | Value |
|---|---|
| Standard deviation ($s$) | 10.19 |
| Estimated variance ($s^2_{\mathrm{EWMA}}$) | 12.14 |
| Mean ($\mathrm{EWMA}_0$) | 32.12 |
| Value of | 0.29 |
| Value of $k$ | 3 |
| UCL | 42.57 |
| LCL | 21.68 |

Now, calculating the values of UCL and LCL for the above data, we get the values for the upper and lower control limits, as shown in Table VII. When these values are plotted on an EWMA plot, we could clearly see the data points that lie outside the specified zone of operation. In other words, whenever the temperature crosses either the UCL or the LCL, there is a possibility of an initial event taking place. A few out-of-zone points do not cause problems, but when they successively remain out, as depicted by the last five data points (see Fig. 7), it is an indication of a potential problem, which, if unchecked, could result in a hazard.

Fig. 7. EWMA plot for the data set with UCL and LCL.

4.2. Hazard Identification

Once the control limits are estimated, the next step is to identify the hazards. Thus hazard identification forms the second step of the framework. Hazard identification means checking for all the hazardous conditions and hazardous events associated with the machine. Hazard identification includes predicting hazards that may be caused by a process. These hazards can be mechanical, electrical, thermal, chemical, radiological, or environmental in nature. As mentioned earlier, there are a lot of techniques available for hazard identification; we will make use of FMEA. FMEA is a comprehensive technique that is commonly used in fault scenarios resulting in multiple failure modes. It is a method that examines potential failures in products or processes and has been used in many quality management systems.(29) This risk probability analysis tool assumes that a failure mode occurs in a system/component through some failure mechanism. The effect of this failure is then evaluated. A risk probability ranking is produced to prioritize the attention for each of the failure modes identified.(30)

The tool has become increasingly important in new product development, manufacture, or engineering applications. Generally, risk assessment in FMEA is carried out by using risk priority numbers (RPNs), which can be determined by evaluating three factors: occurrence (OCC), severity (SEV), and detection (DET).

Fig. 8. The FMEA sheet used for hazard identification.

The FMEA is performed for the case study and the sheet is shown in Fig. 8.
The major hazards identified are fire, explosion, and release of radioactive materials, which can cause widespread injuries and consequences to the surrounding environment and also to the workers working inside the plant.

Based upon the values of the three parameters used in FMEA, RPNs are determined. The values of occurrence (OCC), severity (SEV), and detection (DET) are determined on a scale of 10 based upon the category in which a particular process lies. These categories are shown in Table VIII. The higher the value of RPN, the higher is the likelihood of the hazard occurrence. In our case, the number is 108. This indicates a slight possibility of a hazard occurrence. This is because of the fact that most of the data points lie between the UCL and LCL as depicted in Fig. 7.

Table VIII. Determination of Severity (SEV)-Occurrence (OCC)-Detection (DET)

| Scale | Severity | Occurrence | Detection |
|---|---|---|---|
| 1 | Will not notice | 1 in 100,0000 | 100% |
| 2 | Probable slight annoyance | 1 in 20,000 | 99% |
| 3 | Slight annoyance | 1 in 5,000 | 95% |
| 4 | Dissatisfaction | 1 in 2,000 | 90% |
| 5 | Uncomfortable | 1 in 500 | 85% |
| 6 | Slight complaint | 1 in 100 | 80% |
| 7 | High dissatisfaction | 1 in 50 | 70% |
| 8 | Very high dissatisfaction | 1 in 20 | 60% |
| 9 | Endangered with warning | 1 in 10 | 50% |
| 10 | Endangered without warning | 1 in 2 | Less than 50% |

Table IX. Failure Rate Data, Retrieved from Refs. 22-31

| Symbol | Meaning | Magnitude |
|---|---|---|
| R1 | Risk associated with high temperature | 10 |
| R2 | Risk associated with vibrations | 2 |
| R3 | Risk associated with blockage | 1.1 |
| R4 | Risk associated with corrosion | 0.9 |
| R5 | Risk associated with leak | 0.06 |
| R6 | Risk associated with reduced mechanical strength | 0.09 |
| PFD1 | Probability of failure on demand of safety system-1 | 0.003 |
| PFD2 | Probability of failure on demand of safety system-2 | 0.003 |
| PFD3 | Probability of failure on demand of safety system-3 | 0.003 |

Table X. Fuzzy Logic Rule Structure for ISS-I = 0 and Different Conditions of d(ISS-I)/dt

| ISS-I | d(ISS-I)/dt | Error |
|---|---|---|
| ISS-I = 0 | d(ISS-I)/dt = 0 | Zero error |
| | d(ISS-I)/dt = + | Negative error⁹,⁸ |
| | d(ISS-I)/dt = − | Positive error |
| ISS-I = + | d(ISS-I)/dt = 0 | Negative error |
| | d(ISS-I)/dt = + | Negative error |
| | d(ISS-I)/dt = − | Zero error |
| ISS-I = − | d(ISS-I)/dt = 0 | Positive error |
| | d(ISS-I)/dt = + | Zero error |
| | d(ISS-I)/dt = − | Positive error |

4.3. Risk Estimation and Evaluation

Risk estimation is an essential part of risk analysis in a process where safety requirements are specified. Once the hazards are identified, the next step is the quantification of risk. This risk evaluation is carried out using PRAT, as discussed earlier. It covers risk estimation and risk evaluation and forms the third and a key step in the safety verification framework.

But before evaluating the risk, some key terms are defined for better understanding. Here, in this case study, we will be using the data from Ref. 31 for demonstration purposes. These data are failure rate data for various equipment and parts of the process, as shown in Table IX.

As mentioned earlier, risk is a product of failure rate (or probability of failure) and magnitude of its consequence. The magnitude of failure is actually given by the company based on the historical data of accidents and the consequences occurred per event.(32) We are assuming it to be a constant because it is a number that can be later substituted to get more correct information. Thus assuming magnitude of failure to be a constant, we can now say that the risk associated with any event is directly proportional to its failure rate and is a function of failure rate:

Risk Associated = f(failure rate).

The selected fault propagation scenario is broken into four individual fault propagation scenarios. This is, again, done to enhance the simplicity of the complex process. Once broken down into individual fault propagation scenarios, they are evaluated and then combined to calculate the overall risk of the entire process.
The individual fault propagation scenarios are shown in the following sections. They use the following general formula to calculate the risk.

$$\text{Risk Associated (Path } i) = (R_1) \times (\mathrm{PFD}_1) \times (R_2) \times (\mathrm{PFD}_2) \times (R_3) \times (\mathrm{PFD}_3) \times \cdots \times (R_n) \times (\mathrm{PFD}_n) \tag{5}$$

Or in other words,

Risk Associated (Path i) = (Risk Associated event 1) × (Probability of failure on demand of safety measure 1) × (Risk Associated event 2) × (Probability of failure on demand of safety measure 2) × ⋯ × (Risk Associated event n) × (Probability of failure on demand of safety measure n)

4.3.1. Individual Fault Propagation Path-1

The first fault propagation scenario is shown in Fig. 9. The risk associated with fault propagation path-1 is calculated as below:

$$\text{Risk Associated (Path 1)} = R_1 \times \mathrm{PFD}_1 \times R_2 \times \mathrm{PFD}_2 \times R_4 \times \mathrm{PFD}_3 \times R_5 \tag{6}$$

$$\text{Risk Associated (Path 1)} = 10 \times 0.003 \times 2 \times 0.003 \times 0.9 \times 0.003 \times 0.06 = 2.916\mathrm{E}{-}08. \tag{7}$$

Fig. 9. Individual fault propagation scenario for path-1.

4.3.2. Individual Fault Propagation Path-2

The second fault propagation scenario is shown in Fig. 10. The risk associated with fault propagation path-2 is calculated as below:

$$\text{Risk Associated (Path 2)} = R_1 \times \mathrm{PFD}_1 \times R_2 \times \mathrm{PFD}_2 \times R_4 \times \mathrm{PFD}_3 \times R_6 \tag{8}$$

$$\text{Risk Associated (Path 2)} = 10 \times 0.003 \times 2 \times 0.003 \times 0.9 \times 0.003 \times 0.09 = 4.374\mathrm{E}{-}08. \tag{9}$$

Fig. 10. Individual fault propagation scenario for path-2.

4.3.3. Individual Fault Propagation Path-3

The third fault propagation scenario is shown in Fig. 11. The risk associated with fault propagation path-3 is calculated as below:

$$\text{Risk Associated (Path 3)} = R_1 \times \mathrm{PFD}_1 \times R_3 \times \mathrm{PFD}_2 \times R_4 \times \mathrm{PFD}_3 \times R_5 \tag{10}$$

$$\text{Risk Associated (Path 3)} = 10 \times 0.003 \times 1.1 \times 0.003 \times 0.9 \times 0.003 \times 0.06 = 1.6038\mathrm{E}{-}08. \tag{11}$$

Fig. 11. Individual fault propagation scenario for path-3.

4.3.4. Individual Fault Propagation Path-4

The fourth fault propagation scenario is shown in Fig. 12. The risk associated with fault propagation path-4 is calculated as below:

$$\text{Risk Associated (Path 4)} = R_1 \times \mathrm{PFD}_1 \times R_3 \times \mathrm{PFD}_2 \times R_4 \times \mathrm{PFD}_3 \times R_6 \tag{12}$$

$$\text{Risk Associated (Path 4)} = 10 \times 0.003 \times 1.1 \times 0.003 \times 0.9 \times 0.003 \times 0.09 = 2.4057\mathrm{E}{-}08. \tag{13}$$

Fig. 12. Individual fault propagation scenario for path-4.

4.3.5. Calculation of TRA

The TRA (combined of all paths) that an onset of a fault, i.e., high flow, will lead to a hazard, i.e., fire or explosion, is the sum total of the TRA of all the paths. If the TRA is less than the TR (maximum level of acceptable risk) then our process is safe, otherwise it is not. This value of TR is calculated from the process historical data and other equipment data. It is calculated on the basis of the following formula:

Threshold Risk (TR) = Frequency of Failure × Magnitude of Failure

Again assuming the risk as a function of failure rate, we can calculate the TR. The typical value of failure rate can be taken as 5E−06 per year.(31) Thus if the TRA is more than this value, our process is unsafe.

$$\text{Total Risk Associated (TRA)} = \text{Risk Associated (path 1)} + \text{Risk Associated (path 2)} + \text{Risk Associated (path 3)} + \text{Risk Associated (path 4)} \tag{14}$$

$$\text{Total Risk Associated (TRA)} = 2.916\mathrm{E}{-}08 + 4.374\mathrm{E}{-}08 + 1.6038\mathrm{E}{-}08 + 2.4057\mathrm{E}{-}08 = 1.1304\mathrm{E}{-}07. \tag{15}$$

Table XI. Fuzzy Logic Rule Structure for ISS-S = 0 and Different Conditions of d(ISS-S)/dt

| ISS-S | d(ISS-S)/dt | Error |
|---|---|---|
| ISS-S = 0 | d(ISS-S)/dt = 0 | Zero error |
| | d(ISS-S)/dt = + | Positive error |
| | d(ISS-S)/dt = − | Negative error |
| ISS-S = + | d(ISS-S)/dt = 0 | Positive error |
| | d(ISS-S)/dt = + | Positive error |
| | d(ISS-S)/dt = − | Zero error |
| ISS-S = − | d(ISS-S)/dt = 0 | Negative error |
| | d(ISS-S)/dt = + | Zero error |
| | d(ISS-S)/dt = − | Negative error |

4.4. Safety Verification

This step is supposed to be the last step of the framework. Depending upon the value that we get at this step (safe/unsafe), the need for risk reduction would be determined. If the process is safe, the need for risk reduction simply does not arise and vice versa. It is quite clear from the plant that the safety verification block checks whether the value of the calculated risk (TRA, in our case) is more than the TR (or the maximum allowable level of risk for safe operation).
If the value of TRA is more than the TR, our process is unsafe to operate and there is immediate need of severe risk reduction techniques, otherwise the process is safe.

This safety verification can be performed using a fuzzy logic controller (a fuzzy logic toolbox in MATLAB) or manually. Fuzzy logic verification methodology could be adopted to verify plant safety where fuzzy logic rules are developed. Based on these rules, fuzzy logic matrices are drawn and depending upon the linguistic value of membership functions, the recommended action is taken.

The manual method of verifying safety takes into account the values of the TRA and the TR and compares them. For a process to operate in a safe zone, the calculated risk must never exceed the TR. As the TR is the maximum allowable risk, each and every process must operate with a risk lower than it. Therefore, the TRA and TR are compared and, based upon the results, safety can be verified and justified.

The rule structure is broken down into three separate tables, each dealing with one of the following conditions (as shown in Tables X, XI, and XII):
• ISS-I = 0 and different conditions of d(ISS-I)/dt
• ISS-I = + and different conditions of d(ISS-I)/dt
• ISS-I = − and different conditions of d(ISS-I)/dt

Similar rule structures could be created for SIS and ERS.

Table XII. Fuzzy Logic Rule Structure for ISS-H = 0 and Different Conditions of d(ISS-H)/dt

| ISS-H | d(ISS-H)/dt | Error |
|---|---|---|
| ISS-H = 0 | d(ISS-H)/dt = 0 | Zero error |
| | d(ISS-H)/dt = + | Positive error |
| | d(ISS-H)/dt = − | Negative error |
| ISS-H = + | d(ISS-H)/dt = 0 | Positive error |
| | d(ISS-H)/dt = + | Positive error |
| | d(ISS-H)/dt = − | Zero error |
| ISS-H = − | d(ISS-H)/dt = 0 | Negative error |
| | d(ISS-H)/dt = + | Zero error |
| | d(ISS-H)/dt = − | Negative error |

Table XIII. Fuzzy Logic Rule Matrix for ISS-I¹⁰

| ISS-I / d(ISS-I)/dt | Positive | Zero | Negative |
|---|---|---|---|
| Positive | Negative | Positive | Zero |
| Zero | Negative | Zero | Positive |
| Negative | Zero | Negative | Positive |

We would first define the individual rule matrices each for ISS, SIS, and ERS.
We then combine them together, using fuzzy logic rules, to create a composite rule matrix.

The individual rule matrices could be drawn using the fuzzy logic rule structures. Here, only the rule matrix for the first case is shown (see Table XIII). Rule matrices could be drawn on a similar pattern for the remaining cases.

To draw the composite matrix, we will be combining the various good and bad consequences and then grouping them together. Also, generalization of repetitive rules will be enabled so that no two rules represent similar conditions. This will improve the general clarity.

In the case study, the calculated value for TRA is equal to 1.1304E−07. This value is the risk level of a single event scenario (high temperature being the event in our case) and comprises all the possible fault propagation scenarios that the event could take to get converted into a hazard (which were four independent fault propagation scenarios in our case). The TR was equal to 5E−06 (calculation of TRA). The safety verification result is shown in Fig. 13.

Fig. 13. Safety verification results.

4.5. Risk Reduction

In our case, because the process is safe, there is no immediate need of any risk reduction. Had the TRA exceeded TR, immediate risk reduction would have become necessary. But some methods that will help in reduction of risk are listed below in this section. The following actions are taken to reduce the risk associated with any process, as shown in Fig. 14:
• Eliminate or reduce exposure to hazard as far as practical
• Reduce the probability and severity
• Use safeguards and safety devices
• Determine that the performance and functional characteristics of the safety measures are suitable for the machine and its use

Fig. 14. Risk reduction process (Omron, 2010).

5. RESULTS AND DISCUSSIONS

In this section we shall discuss the results obtained from implementing the risk-based safety verification framework on a case study, and then derive some striking conclusions from the case study. The five-step safety verification framework is implemented in a case study and can thus be successfully implemented in any nuclear power plant. The results obtained are summarized below.

Fig. 15. The FMEA sheet used for hazard identification.

5.1. Control Limits Estimation

The control limits are estimated using the EWMA technique. Two limits, UCL and LCL, are identified. The process should ideally be between these two limits. Whenever the process data points lie outside these limits, there is a danger of a fault taking place. The occurrence of any hazard depends upon the magnitude of the fault and the competency of the safety systems to curb the fault. Thus monitoring the process data points is our first level of defense. In our case the UCL and LCL are determined and their values are shown in Fig. 7: EWMA plot for the data set with UCL and LCL. The UCL is estimated to be 42.57 and the LCL is estimated to be 21.68. It has been found that out of the 25 data values monitored in a data set, four data points were beyond the UCL and five data points were below the LCL. A few data points above and below the UCL and LCL do not usually cause a problem. A problem usually arises when the data points continue to stay out of the desired range for three to four consecutive data values, which is the case in our study (last four data points were beyond the zone).

5.2. Hazard Identification

Once the control limits are identified, the next step is hazard identification. For the process of hazard identification, the FMEA technique is used.
It is a well-established hazard assessment and prediction technique commonly used in process industries and power plants for identification of hazardous conditions. The three main indices used for identifying hazards are severity, occurrence, and detection, and based upon their values, an RPN is calculated. The RPN conveys significant information regarding the potential hazards that could occur. In our case the RPN was estimated to be 108, which indicates that the risk is quite low and frequency of occurrence of hazards is low. The FMEA sheet for the case study is shown in Fig. 15. The major hazards identified are fire, explosion, and release of radioactive materials, which can cause widespread injuries and consequences to the surrounding environment and also to the workers working inside the plant.

5.3. Risk Estimation and Evaluation

This step is the most important step of the entire framework. In this step the risk associated with a particular event is calculated and then based upon that, verification of safety is done in the next step. For this step, PRAT is used. A single fault propagation scenario shown in Fig. 5 is further broken down into four individual fault propagation scenarios. The risk associated with each individual fault propagation scenario is calculated and then combined to calculate the risk associated with the entire process (or event, as in our case). The value of risk calculated for each individual fault propagation scenario is shown below:
• The risk associated with fault propagation path 1 = 2.916E−08
• The risk associated with fault propagation path 2 = 4.374E−08
• The risk associated with fault propagation path 3 = 1.6038E−08
• The risk associated with fault propagation path 4 = 2.4057E−08

Once the individual values of associated risk are calculated for each fault propagation scenario, the next step is to combine these individual fault propagation values together to calculate the TRA with the event.
The event in our case is high temperature in a tank, and the TRA with this event is equal to 1.1304E−07.

5.4. Safety Verification

Once the TRA is calculated, the next step is to verify whether the process is safe to operate with the calculated value of risk or not. This phase of the framework is called the safety verification phase. The value of TRA is compared with the TR. TR is the maximum value of risk allowed below which the operation of the process will be safe and without any occurrence of hazards. This value of TR (also called target risk or maximum allowable risk) is equal to 5E−06 in our case. The risk associated with the occurrence of the initial event (high temperature) is equal to 1.1304E−07, which is clearly lower than the maximum allowable risk. Hence, the safety of the process is verified. This means that even if the initial event occurs, the process is safe to operate as the risk associated with its operation is lower than the threshold value.

5.5. Risk Reduction

Risk reduction is the last step of the framework. This step is only required if the TRA is more than the TR. In our case, as the TRA is less than the TR, risk reduction is not required.

ACKNOWLEDGMENT

This research was funded by a Discovery Grant from the Natural Sciences and Engineering Research Council of Canada.

REFERENCES

1. Holger G, Henner ST. Process hazard identification during plant design by qualitative modelling. Simulation and analysis, European Symposium on Computer Aided Process Engineering, 1999; 23:S59–S62.
2. Ali R. Safety Life Cycle-Implementation, Benefits and Impact on Field Devices. Chicago: ISA-Expo, 2009.
3. Bell R. Introduction to IEC 61508. ACS Workshop on Tools and Standards, Conferences in Research and Practice in Information Technology, Vol. 55. Sydney: UK Crown, 2005.
4. Brown S. IEC 61508 overview: design of electrical/electronic/programmable electronic safety-related systems. Computing & Control Engineering Journal, 2000; 11(4):6–12.
5. Chiba M. Safety and reliability: A case study of operating Ikata nuclear power plant, Japan. Journal of Engineering and Technology Management, 1991; 7(3-4):267–278.
6. Gabbar HA. Integrated framework for safety control design of nuclear power plants. Journal of Nuclear Engineering and Design, 2010; 240:3550–3558.
7. Everdij MC, Blom HA, Scholte JJ, Nollet JW, Kraan B. Developing a framework for safety validation of multi-stakeholder changes in air transport operations. Safety Science, 2009; 47(3):405–420.
8. Felton B. Safety study IDs leading causes of accident. InTech, Morn Hill; 2011; 77.
9. Ciattaglia S, Barabaschi P, Carretero J, Chiocchio S, Hureau D, Girard J. ITER operating limit definition criteria. Fusion Engineering and Design, 2009; 84(12):2059–2063.
10. Ferrer-Riquelme A. 1.04-Statistical Control of Measures and Processes. Pp. 97–126. Comprehensive Chemometrics. Elsevier, 2009.
11. Patel B, Heising CD. Statistical analysis of the Ft. Calhoun reactor coolant pump system. Annals of Nuclear Energy, 1997; 24(3):167–175.
12. Bradely. The Reliability Challenge: Presentation Handouts Conference in London. London, 1999.
13. Modarres M, Kaminskiy M, Krivtsov V. Reliability Engineering and Risk Analysis: A Practical Guide. New York: CRC Press, 1999.
14. Well G. Hazard Identification and Risk Assessment. Warwickshire, UK: IChemE, 2004.
15. MacCollum DV. Construction Safety Engineering Principles: Designing and Managing Safer Job Sites. New York: McGraw-Hill Professional, 2007.
16. Crawley F, Tyler B. Hazard Identification Methods. Warwickshire, UK: IChemE (European Process Safety Centre), 2003.
17. Lee JC, McCormick NJ. Risk and Safety Analysis of Nuclear Systems. Hoboken, NJ: John Wiley and Sons, 2011.
18. Marhavilas PK, Koulouriotis D. A risk-estimation methodological framework using quantitative assessment techniques and real accidents data: Application in an aluminum extrusion industry. Journal of Loss Prevention in the Process Industries, 2008; 21(4):596–603.
19. Marhavilas P, Koulouriotis D, Gemeni V. Risk analysis and assessment methodologies in the work sites: On a review, classification and comparative study of the scientific literature of the period 2000–2009. Journal of Loss Prevention in the Process Industries, 2011; 24(5):477–523.
20. Ayyub BM. Risk Analysis in Engineering and Economics. US: Chapman & Hall/CRC, 2003.
21. Fullwood RR. Probabilistic Safety Assessment in the Chemical and Nuclear Industries. US: Butterworth-Heinemann, 1999.
22. Gabbar HA. Integrated framework for safety control design of nuclear power plants. Nuclear Engineering and Design, 2010; 240(10):3550–3558.
23. HSE. Explosions in Gas-Fired Plant, Clause 6.2 of Contract Research Report 139/1997. UK: Health and Safety Executive, 1997.
24. Heikkila AM. Inherent Safety in Process Plant Design: An Index Based Approach. Finland: VTT Publications, 1999.
25. Dorfman MS. Introduction to Risk Management and Insurance. Englewood Cliffs, NJ: Prentice Hall, 2007.
26. IAEA. The Criticality Accident in Sorav. Vienna: International Atomic Energy Agency, 2001.
27. IAEA. Accidental Overexposure of Radiotherapy Patients in Bialystok. Vienna: International Atomic Energy Agency, 2004.
28. Wiersma BJ. Determination of Temperature Limits for Radioactive Waste Tanks. Savannah River Site, Aiken, SC: Westinghouse Savannah River Company, 1999.
29. Chin KS, Wang YM, Poon GK, Yang JB. Failure mode and effects analysis by data envelopment analysis. Decision Support Systems, 2009; 48(1):246–256.
30. Abu-Khader MM. Recent advances in nuclear power: A review article. Progress in Nuclear Energy, 2009; 51(2):225–235.
31. Blanchard A. Savannah River Site Generic Data Base Development. Aiken, SC: Westinghouse Savannah River Company-NTIS Order No. 29808, 1999.
32. Belke J. Chemical Accident Risks in US Industry: A Preliminary Analysis of Accident Risk Data, US Hazardous Chemical Facilities. 10th International Symposium on Loss Prevention and Safety Promotion in the Process Industries. Pp. 24–35. Stockholm, Sweden: Elsevier Science, 2001.
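
The numeric steps of the case study (the control-limit check of Section 4.1, the path risks of Section 4.3 and the TRA/TR comparison of Section 4.4) are worked through below as an added example; it is not the authors' code. It uses only values printed in Tables VI, VII and IX, takes the limits from Table VII rather than recomputing them, and its function names and event labels are assumptions made for the example.

```python
from itertools import groupby, product
from math import prod
from statistics import mean, stdev

# Table VI, temperature column (Celsius), in the printed row order.
TEMPS = [30, 35, 33, 29, 37, 27, 48, 35, 30, 30, 27, 23, 32,
         19, 17, 19, 21, 20, 34, 39, 34, 57, 31, 45, 51]
UCL, LCL = 42.57, 21.68   # control limits as printed in Table VII
TR = 5e-06                # threshold risk quoted in Section 4.3.5

# Table IX magnitudes. The key names are labels chosen for this example.
RISK = {"high_temperature": 10, "vibrations": 2, "blockage": 1.1,
        "corrosion": 0.9, "leak": 0.06, "reduced_strength": 0.09}
PFD = [0.003, 0.003, 0.003]   # PFD1..PFD3, one per safety-system layer

# Events per propagation stage, read off Eqs. (6), (8), (10) and (12).
STAGES = [["high_temperature"], ["vibrations", "blockage"],
          ["corrosion"], ["leak", "reduced_strength"]]


def zone(temp, lcl=LCL, ucl=UCL):
    """Classify one reading against the control limits."""
    if temp > ucl:
        return "above"
    if temp < lcl:
        return "below"
    return "in"


def out_of_zone_rows(temps):
    """1-based Table VI row numbers of the readings outside the limits."""
    rows = {"above": [], "below": []}
    for row, temp in enumerate(temps, start=1):
        side = zone(temp)
        if side != "in":
            rows[side].append(row)
    return rows


def longest_excursion(temps):
    """(side, first_row, length) of the longest consecutive run on one side
    of the limits; (None, 0, 0) when every reading is inside the zone."""
    best = (None, 0, 0)
    row = 1
    for side, group in groupby(temps, key=zone):
        length = len(list(group))
        if side != "in" and length > best[2]:
            best = (side, row, length)
        row += length
    return best


def path_risk(path, risk=RISK, pfd=PFD):
    """Eq. (5): product of the event risks and of the PFD of each safety
    layer that must fail between two consecutive events of the path."""
    layers = len(path) - 1
    if layers > len(pfd):
        raise ValueError("path has more transitions than safety layers")
    return prod(risk[event] for event in path) * prod(pfd[:layers])


def total_risk(stages=STAGES):
    """Eq. (14): enumerate every path through the stages and sum the risks."""
    paths = list(product(*stages))
    risks = [path_risk(p) for p in paths]
    return paths, risks, sum(risks)


def verify(tra, tr=TR):
    """Section 4.4 comparison: safe only while TRA stays below TR."""
    return "safe" if tra < tr else "unsafe"


if __name__ == "__main__":
    print("mean, s:", round(mean(TEMPS), 2), round(stdev(TEMPS), 2))
    print("out of zone:", out_of_zone_rows(TEMPS))
    print("longest excursion:", longest_excursion(TEMPS))
    paths, risks, tra = total_risk()
    for p, r in zip(paths, risks):
        print(" -> ".join(p), f"{r:.4e}")
    print(f"TRA = {tra:.5e}, TR = {TR:.0e}:", verify(tra))
```

The four path values reproduce Eqs. (7), (9), (11) and (13); their floating-point sum is 1.12995E−07 against the 1.1304E−07 printed in Eq. (15), and either value is well below TR.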