
Interactive safety assessment of nuclear reactor systems


Page 1: Interactive safety assessment of nuclear reactor systems

Reliability Engineering 3 (1982) 393-410

INTERACTIVE SAFETY ASSESSMENT OF NUCLEAR REACTOR SYSTEMS†

R. N. ALLAN, A. ADRAKTAS

Department of Electrical Engineering and Electronics, UMIST, P.O. Box 88, Manchester M60 1QD, Great Britain

J. F. CAMPBELL

H.M. Nuclear Installations Inspectorate, Millbank, London, Great Britain

(Received: 10 August, 1981)

ABSTRACT

This paper describes graphic/interactive computational techniques for assessing safety in complex systems. These techniques permit input and modification of system configuration and operational policy, input and modification of numerical reliability data, storage and retrieval of all system data and qualitative and/or quantitative safety analysis. The analysis is based on the event tree method and permits event trees, minimal cut sets and common mode failure analyses to be performed. These graphic/interactive techniques permit very flexible, convenient and comprehensive analyses and allow a large number of sensitivity studies to be performed efficiently and rapidly. The techniques, although described in terms of nuclear reactor systems, can be equally applied to the safety of any other similar type of system.

1. INTRODUCTION

One of the principal goals of interactive computation, graphic or otherwise, is the symbiosis between man and machine. When a user is able to interact with a computer so that he is unaware either of the computer or of the medium of communication, this interaction is said to be conversational. Therefore the capabilities of the two partners, man and computer, become as one, working together on a single task.

† A version of this paper was presented at the Third National Reliability Engineering Conference, Reliability '81, 29 April-1 May, 1981, Birmingham, Great Britain and is reproduced by kind permission of the organisers.

393 Reliability Engineering 0143-8174/82/0003-0393/$02.75 © Applied Science Publishers Ltd, England, 1982 Printed in Great Britain


394 R. N. ALLAN, A. ADRAKTAS, J. F. CAMPBELL

Many engineers are initially sceptical of the significant advantages to be gained by using a graphical display instead of a non-graphical one. However, once they have undertaken system analysis using both types they are generally left in no doubt that computer graphics are well worthwhile. Graphical techniques permit easier interaction and enable the input and output to be presented in a familiar and readily understood form. It therefore helps the engineer who is not well acquainted with system analysis to feel at ease using the computer, whilst an experienced user is able to proceed with his design studies more smoothly.

Interactive computation allows a dialogue in which the engineer can select the analysis he requires based on currently available results. Also, unprofitable lines of analysis can be terminated, and the printed output can be selective.

Consideration of all these aspects has led to the development of computational techniques (ref. 1) which incorporate:

(1) A method for modelling the logical functioning and performance of a system using graphics facilities.

(2) A qualitative method for defining various failure mechanisms of a system. This method is based on the event tree methodology.

(3) A means of calculating the probability of occurrence of each failure mechanism.

2. GRAPHICS/INTERACTIVE COMPUTATIONAL TECHNIQUES

2.1. Logic flow diagram

The logic flow diagram (LFD) is a model that represents the operational logic of a system. This diagram gives an appreciation of the system performance capability and permits the tracing of a signal as it proceeds through the system from the beginning to the end.

Consider a part of a typical reactor emergency cooling system (RECS) shown in Fig. 1. In the event of a loss of coolant accident (LOCA), valve V1 must open to let coolant reach the pump. The coolant is pumped into a parallel set of coolant legs through valves V2 and V3. The physical result of the system operation is determined as:

(1) 100% flow, when coolant flows through both coolant legs.
(2) 50% flow, when coolant flows through one leg only.
(3) No coolant flow at all.

Fig. 1. Part of typical RECS (valve V1, pump, valves V2 and V3).

Fig. 2. Logic flow diagram of Fig. 1 (outcomes: 100% flow, 50% flow, no flow).

The LFD for the system of Fig. 1 is shown in Fig. 2. It is quite similar to the actual physical network and its construction is based on the engineering description of the system shown in Fig. 1. According to the LFD shown in Fig. 2:

(1) The event '100 % flow' occurs when both valves V2 and V3 are open given that valve Vl is open and the pump is working (good).

(2) The event '50 % flow' occurs when either valve V2 is closed and V3 open or V2 open and V3 closed given that valve V1 is open and the pump is working (good).

(3) The event 'no flow' occurs when:
(a) Valve V1 is open, the pump is working and both valves V2 and V3 are closed.
(b) Valve V1 is open and the pump is failed irrespective of the position of valves V2 and V3.
(c) Valve V1 is closed irrespective of the condition of the pump and the position of valves V2 and V3.

This type of diagram represents logically the way the components of the system are combined to give an overall performance or end result. The diagram consists of blocks joined together by links and is drawn in a success and failure notation. The blocks are combined in a logical manner (using logical gates) such that the flow is maintained towards an objective. A LFD is qualitative in nature.

The construction of a LFD is generalised by introducing the symbols shown in Fig. 3. The first five symbols represent the OR, AND, NOT, EXCLUSIVE OR and M-OUT-OF-N gates whose concepts are explained in Section 2.4. The sixth symbol represents an initiating event. This indicates the component (or module) which is required to operate first and, hence, the module (or component) is allowed to perform its intended function. The next two symbols represent the models (see Section 2.3) of components (or modules). The rhombus is the symbol of a two-state component (or module). The pentagon is the symbol of a three-state component (or module). The rectangle is used to label intermediate outcomes in a LFD. It is also used for the final outcome, which is the final event of interest. The eleventh symbol is the symbol of containment outcome. This is used instead of the final outcome symbol to indicate that the final event of interest does not entail any radioactivity release into the environment. The triangles are used to indicate continuation. For instance, the line which begins at a transfer-in symbol is the continuation of the line which ends with the corresponding transfer-out symbol.

Fig. 3. LFD symbols: 1. OR gate; 2. AND gate; 3. NOT gate; 4. EOR gate; 5. M-out-of-N gate; 6. initiating event; 7. 2-state component/module (outputs: success, failure); 8. 3-state component/module (outputs: success, derated, failure); 9. intermediate outcome; 10. final outcome; 11. containment outcome; 12. transfer-out; 13. transfer-in.

Fig. 4. LFD of system in Fig. 1.

Using the symbolism of Fig. 3, the LFD shown in Fig. 2 can be redrawn as shown in Fig. 4. In this LFD:

Symbol 100 represents the initiating event, i.e. a LOCA.
Symbol 1 represents valve V1.
Symbol 2 represents the pump.
Symbol 3 represents valve V2.
Symbol 4 represents valve V3.
Outcome 5 represents '100 % flow'.
Outcome 6 represents '50 % flow'.
Outcome 7 represents 'No flow'.

Complete LFDs can be constructed for every module and for the system.

2.2. Modules

2.2.1. General: Although any system can be analysed as one complete system, the most efficient method of analysing a large complex system is to subdivide it into modules, each of which may contain a small or large number of individual components. This division can be based upon functional or operational features and/or the physical layout of the system. It offers the following advantages:

(1) Each module, if suitably defined so that it is completely independent of the others, can be designed and analysed separately.

(2) The appropriate documentation, e.g. specification, design details, performance charts of each module can be recorded, stored and retrieved quite independently of the others. This permits the design and performance records of any individual module to be reconsidered at any point in time without disturbing that of other modules.


(3) In the final stage of the analysis, when the system is analysed in terms of modules, the computational effort is greatly reduced, since the total number of modules being analysed is considerably smaller than the total number of system components.

2.2.2. Module boundaries: The basic procedure for defining module boundaries is described in the following algorithm (ref. 2). In this algorithm, a module candidate is defined as 'one of a set of components which together may be considered to form a system module provided that certain rules are satisfied'. These candidates can be identified using past experience of relevant and existing plant and/or a knowledge of the physical layout of the system.

The algorithm for defining the module boundaries is:

Step (1): Identify all module candidates.
Step (2): Check whether each module candidate satisfies existing rules for the drawing of the module boundaries.
Step (3): Rearrange the module candidates and return to step (2) until all module candidates satisfy the existing rules.

The rules which govern the definition of module boundaries are:

(1) A module must contain all statistically dependent components because the computational technique assumes that all modules are statistically independent.

(2) If the operation of a component or a set of components affects the output state of more than one module, the component(s) must form a separate module.

(3) If the operation of a component or a set of components affects the output state of components in a module A, then:
(a) If module A fails as a direct result of the component(s) under consideration, the component(s) may either form a separate module or be included in module A.
(b) If module A does not fail as a direct result of the component(s) under consideration, the component(s) must be included in module A.

(4) Two modules may share one or more components provided that the interrelations between them are so defined that they do not appear simultaneously in any event tree path.

(5) Each component of a module must either be independent of all other modules or be dependent on a common module(s). Components which are dependent on different modules cannot be included in the same module.

2.3. Component or module states

It is assumed that components (or modules) can be represented by one of the following models:


(1) Two-state model. According to this model, the components (or modules) can be in one of two mutually exclusive states: success and failure.

(2) Three-state model. According to this model, the components (or modules) can be in one of three mutually exclusive states: success, partial failure (or derated/degraded state) and failure.

2.4. Logical operations

The logical relationships between the module components and between modules, or between the system components if the system has not been divided into modules, are expressed by logical gates. These gates represent Boolean operations on the module components and modules, or on the system components, in order to facilitate the reliability/safety analysis of the system. The logical gates which have been considered are:

(1) The OR gate. This is equivalent to the Boolean symbol (+) and represents the union of the inputs attached to the gate. It gives an output when at least one input is present. For example, if Y is the output of an OR gate with two inputs, A and B, the equivalent Boolean equation is Y = A + B.

(2) The AND gate. This is equivalent to the Boolean symbol (.) and represents the intersection of the inputs attached to the gate. It gives an output when all the inputs are simultaneously present. For example, if Y is the output of an AND gate with two inputs, A and B, the equivalent Boolean equation is Y = A . B.

(3) The NOT gate. This is equivalent to the Boolean overbar symbol and represents the complement of the input attached to the gate. It gives an output when the input is absent. For example, if Y is the output of a NOT gate whose input is A, the equivalent Boolean equation is $Y = \bar{A}$.

(4) The EXCLUSIVE OR gate (EOR gate). This gives an output when one input is present and the other absent simultaneously. If Y is the output of an EXCLUSIVE OR gate with two inputs, A and B, the equivalent Boolean equation is $Y = (A \cdot \bar{B}) + (B \cdot \bar{A})$.

(5) The M-OUT-OF-N gate. This gives an output if any M or more of the N inputs attached to the gate are simultaneously present.

2.5. Means of interaction

The techniques have been designed specifically to evaluate the reliability/safety of complex systems using interactive computation. Consequently, a prerequisite is that the techniques should prompt the user at strategic stages of the analysis and present him with the various options that are available or executable at each stage. The following three methods of interaction using Tektronix graphic display units were developed:

(1) A question or request for information is displayed on the screen. The user responds as follows. A question is answered by typing Y for yes or N for no. A request usually needs a longer reply, e.g. a system title may be requested.

(2) When several alternatives are available, these are listed on the screen and the user selects the one required using the horizontal cursor and typing any key (usually the space bar because of its convenience).

(3) When it is necessary to indicate a specific position on the screen in order for an action to be taken, e.g. when drawing the LFD, the position is selected using a combination of the cross hair cursors and a code character is typed to indicate the required action.

2.6. Performing graphics actions

The process of drawing an LFD on the display screen instructs the computer to perform a sequence of graphics actions identified by the analyst, e.g. drawing a symbol or a connecting line, moving a symbol to a new position, deleting a drawn symbol, etc. Each graphics action is performed individually, is independent of any other action and can be instructed after the previous action has been completed. Each graphics action is identified by typing a mnemonic code character, e.g. typing N draws the symbol of a NOT gate, typing B draws the symbol of a two-state module or component, typing A draws the symbol of an AND gate, etc.

2.7. LFD drawing restrictions

A LFD comprises symbols and connecting lines. The maximum number of connecting lines each symbol input or output can accommodate depends on the dimensioning of the arrays which store the diagrammatic data. Additionally, however, some symbol inputs or outputs have a restricted number of connecting lines for other reasons. These restrictions, which are imposed by the definitions of the relevant events or logical gates, are as follows:

(1) Each module (or component) has one input and two outputs for a two-state module (or component) or three outputs for a three-state module (or component). Each output can have as many connecting lines as the dimensions permit.

(2) The NOT gate has one input and one output.
(3) The AND and OR gates have two or more inputs. The EXCLUSIVE OR gate has two inputs only. Each of these gates has one output.
(4) The intermediate outcome has one input and one output.
(5) The final outcome, the containment outcome and the transfer-out have one input only.
(6) The initiating event and the transfer-in have one output only.
(7) The M-out-of-N gate has N inputs and one output.

2.8. The graphics facilities

In order to provide very flexible LFD drawing techniques the following graphics facilities have been developed:

(1) The MOVE facility. Having drawn a LFD, the user can rearrange it by moving symbols around the screen. In order to move a symbol the cursors are located near to its centre and the character M is typed; the cursors are then located at the new position and the space bar is pressed. The screen is erased and the diagram is redrawn with the symbol centred at the new position.

(2) The NAME facility. In order to distinguish between the various symbols of a LFD, they must be given a name. The symbols which can be named are: two- and three-state modules (or components), initiating events, intermediate or final outcomes, transfer-in and -out symbols and containment outcomes. A symbol is named by identifying it with cursors and typing the character W. When the alpha cursor appears inside the symbol, the name can be inserted.

(3) The DELETE facility. This facility enables the user to erase errors or to make system changes. It can either delete a symbol or delete an existing connecting line between two symbols. In the first case, all the connecting lines of this symbol are also deleted. To delete a connecting line, the symbol which is the start of the line is identified with the cursors and the character J is typed; the second symbol is then identified and the space bar is pressed. To delete a symbol, it is identified with the cursors and the character J is typed twice.

(4) The FORGET facility. This facility cancels the MOVE or DELETE instruction if one has unnecessarily been entered. This is achieved by typing the character L after typing M or J.

(5) The ERASE and REDRAW facility. This facility becomes particularly useful when several deletions have been made. At any stage in the graphics section, typing R erases and redraws the diagram.

(6) The RESCALE and RECENTRE facility. Having drawn a LFD, the scale and centre of it can be changed in order to improve its appearance or to permit extensions of the diagram. Following recentering, part of the original diagram may be moved off the screen. This is not lost however and can be recovered by recentering or rescaling. Any size of system can be accommodated in this way.

(7) The HELP facility. If the user requires information concerning the mnemonic codes or other helpful information, this can be obtained by typing H. This displays the appropriate section of the users manual on the screen.

2.9. Constructing the LFD

A LFD is constructed by using the graphics actions described in previous sections. The necessary information for the construction of the LFD is deduced from line diagrams of the systems, engineering description of its operational logic, general design information or from the physical processes that take place. This information describes the functional dependence between the components of the system, that is, when each component is required to operate and relates the component output states to the system defined outcomes.

2.10. Non-graphic input data

The process of drawing a LFD sets up associated numerical data arrays and generates additional information requests. These arrays must be completed and the additional information supplied. This data input is divided into two groups.

The first group includes information common to more than one component. The relevant information is requested using the interactive communication techniques described in Section 2.5.

The second group includes the information associated with individual components. In this case the program displays a heading which describes the information required and a list of the components in tabular form. The user inputs the relevant data which are then listed in tabular form alongside the list of components.

2.11. LFD storage and retrieval

It is important to file LFD information on backing storage for access at some later time. This information is likely to be part of a larger set of information which will form an engineering/reliability data base. A simple approach has been adopted, which may either be interfaced with an existing data base or function independently.

A LFD is filed appropriately using a conversational mode of questions and answers. A LFD retrieved from storage can be modified using the drawing routines. If these changes represent an improved design which makes the already filed version redundant, the current LFD can be filed in place of the old version. Alternatively, the latest version can be filed separately and both old and new versions retained for further comparison. In addition, outdated LFDs can be deleted from store in order to contain the size of the file.

2.12. Operational logic of a system

The event tree methodology relates qualitatively and quantitatively a single initiating event to various system outcomes and therefore provides the framework for the quantitative reliability analysis of a system. The input information required to develop the event tree is the operational logic of the system expressed in terms of logical statements (ref. 2). These statements relate the functional dependence between modules of the system, between components in a module or between components of the system which is being analysed without division into modules. Logical statements also relate module (or component) operation to the set of defined system (or module) outcomes.

The logical statements of a system (or module) are deduced by computationally tracing all the paths of the system (or module) LFD between the initiating event and all outcomes of the LFD. This path tracing approach identifies the operational interrelationships between the elements of the system (or the module).

3. RELIABILITY ANALYSIS TECHNIQUES

3.1. Qualitative reliability

The reliability assessment techniques are based on similar techniques published previously (refs 2, 3). In the present computational method the LFD represents the operational logic of the physical system and is the starting point for deducing the event tree. This tree simulates the topology and operation of any system and each branch can be related to its impact on specified system outcomes.

When a system is analysed in terms of components, the analysis is carried out in one step (analysis at the system level). In this case, all components are combined logically to produce the system event tree and hence the required qualitative and/or quantitative results. When a system is subdivided into modules, however, the analysis is carried out in two steps. First, each module is analysed in turn (analysis at the module level) to produce equivalent components. All modules (equivalent components) are then combined logically to produce the system event tree and, hence, the required qualitative and/or quantitative results.

Finally, the minimal cut or tie sets of any module or system outcome can be deduced. These sets help the analyst to identify the weak areas of the system for which the design may not meet the predefined requirements.

3.2. Quantitative reliability

The event tree, although in itself qualitative in nature, can provide a framework for quantitative probabilistic analyses of systems. The probabilities corresponding to the various states of the system components permit the event path probabilities and the probabilities of occurrence of the module and system outcomes at the required points in time to be evaluated. Furthermore, the probability of occurrence of all the minimal cut or tie sets that have been deduced for any module or system outcome can also be evaluated.

3.3. Common mode failure analysis

Much emphasis has been placed recently (e.g. ref. 4) on effective identification of potentially hazardous conditions due to a growing interest in the defence against them. Based on the concept of common special conditions shared by all the components implied by the basic events of a minimal cut or tie set, the cut or tie sets containing potential dependent failures of all or some components can be deduced (ref. 3).

Fig. 5. Simplified one-line diagram of the three-loop PWR plant (figure not recoverable from the scan).


4. APPLICATION OF THE TECHNIQUES

4.1. System studied

The techniques presented in the previous sections have been applied to the three-loop PWR plant described in detail in the WASH 1400 report (USAEC) (ref. 5). A simplified one-line diagram of this plant is shown in Fig. 5. This system has been analysed to give both qualitative and quantitative results for different system outcomes that follow the occurrence of a transient initiating event. These outcomes are described in Section 4.4.

The operational logic assumed for the system was based on that published in Ref. 5. The component reliability data used to evaluate the final quantitative results are hypothetical and are used solely for the purpose of illustrating the techniques; the values therefore do not necessarily relate to actual operating experience.

In this analysis, the PWR plant has been subdivided (refs 2, 5) into 17 modules which are shown in Table 1. One of these modules, module 14, is analysed in detail in Section 4.2. The analysis of the other modules follows a similar pattern.

TABLE 1 SYSTEM MODULES

Module number   Component(s) or subsystem(s) in the module
1    Off-site electric power (EP) and emergency electric power
2    Reactor protection system
3    Power conversion system: condensate pumps (electrically driven); main feedwater pumps (electrically driven); condenser vacuum
4    (EP available) Auxiliary feedwater system: 1 steam pump, 2 electric pumps. Secondary steam relief function: steam relief valves (power operated), steam safety valves
     (EP not available) Auxiliary feedwater system: 1 steam pump. Secondary steam relief function: steam safety valves
5    3 Reactor coolant system pressuriser valves (opening)
6    3 Reactor coolant system pressuriser valves (reclosing)
7    'Containment access' function
8    Residual water storage tank and its corresponding valve
9    2 Pumps of the containment spray injection system
10   High pressure injection system and chemical volume and control system. These systems form 4 lines which pump coolant from the residual water storage tank and deliver it through a boron tank to the reactor vessel
11   2 Pumps of the low pressure injection system
12   2 Accumulators with their corresponding pressurisers and valves
13   'Emergency cooling' function
14   Containment spray recirculation system and containment heat removal system. These systems form 4 lines which pump coolant from the containment sump and through heat exchangers deliver it to spray headers
15   2 Pumps of the low pressure recirculation system
16   2 Pumps of the high pressure recirculation system
17   'Sodium hydroxide addition' function

Fig. 6. Module 14 (coolant from containment sump; CSRS and CHRS pumps; heat exchangers cooled by service river water; spray headers).

4.2. Analysis of module 14

The module contains the core spray recirculation system (CSRS) and the containment heat removal system (CHRS). These systems form four lines each having a pump that pumps coolant from the containment sump, a heat exchanger and a spray header. Assuming the spray headers to be 100 % reliable, a line diagram of this module is shown in Fig. 6. All four lines operate in parallel and each component can be represented by a two-state model.

Successful operation of a line requires both the corresponding pump and the heat exchanger to operate. Therefore, when a pump fails to operate, successful or failed operation of the corresponding heat exchanger is irrelevant. The LFD of this module is shown in Fig. 7.

Fig. 7. LFD of module 14.


There are three module states as follows:

(a) Module success state (outcome 9 of the LFD shown in Fig. 7): Both the CSRS and the CHRS must operate so that at least 2 lines are successful. This is expressed with an M-out-of-N gate as shown in Fig. 7.

(b) Module derated state (outcome 10 shown in Fig. 7): The CSRS must operate so that at least 2 CSRS pumps are successful while at least 3 lines have failed. This state is expressed with an M-out-of-N gate as shown in Fig. 7.

(c) Module failure state: At least 3 CSRS-CHRS lines must fail to operate.
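As an added example (not the paper's program), the following Python enumerates the event tree of a two-state LFD, sums the path probabilities per outcome and reads off the minimal cut sets, as Sections 3.1 and 3.2 describe; it encodes the RECS LFD of Fig. 2 (Section 2.1) and the module 14 LFD of Fig. 7 with its 2-out-of-4 gates. The component names V1, pump, V2, V3, P1-P4, H1-H4 and all failure probabilities are constructed assumptions, not the paper's data.

```python
"""Event-tree evaluation of a two-state logic flow diagram (LFD).

Every combination of component states is one event tree path; the LFD logic
maps each path to an outcome and path probabilities are summed per outcome.
Minimal cut sets of an outcome are the minimal failed-component sets among
the paths that end in that outcome.  All numbers are constructed examples.
"""
from itertools import product


def event_tree(components, outcome_of):
    """Enumerate all event tree paths.

    components: dict name -> failure probability (two-state model, Section 2.3).
    outcome_of: maps the frozenset of failed component names to an outcome.
    Returns a list of (failed_components, path_probability, outcome).
    """
    names = list(components)
    paths = []
    for states in product((False, True), repeat=len(names)):  # True = failed
        failed = frozenset(n for n, f in zip(names, states) if f)
        prob = 1.0
        for n, f in zip(names, states):
            prob *= components[n] if f else 1.0 - components[n]
        paths.append((failed, prob, outcome_of(failed)))
    return paths


def outcome_probabilities(paths):
    """Sum path probabilities per outcome (Section 3.2)."""
    probs = {}
    for _, prob, outcome in paths:
        probs[outcome] = probs.get(outcome, 0.0) + prob
    return probs


def minimal_cut_sets(paths, outcome):
    """Failed sets leading to `outcome` that have no proper subset doing so."""
    cuts = {failed for failed, _, o in paths if o == outcome}
    return [c for c in cuts if not any(d < c for d in cuts)]


def recs_outcome(failed):
    """Fig. 2: V1 and the pump in series, then legs V2 and V3 in parallel."""
    if "V1" in failed or "pump" in failed:
        return "no flow"
    legs_open = 2 - len(failed & {"V2", "V3"})
    return {2: "100% flow", 1: "50% flow", 0: "no flow"}[legs_open]


def module14_outcome(failed):
    """Fig. 7: four lines, line i = pump Pi in series with heat exchanger Hi."""
    lines_ok = sum(1 for i in range(1, 5)
                   if f"P{i}" not in failed and f"H{i}" not in failed)
    pumps_ok = sum(1 for i in range(1, 5) if f"P{i}" not in failed)
    if lines_ok >= 2:     # 2-out-of-4 lines succeed: module success (outcome 9)
        return "success"
    if pumps_ok >= 2:     # >= 3 lines failed, 2-out-of-4 pumps succeed: derated (10)
        return "derated"
    return "failure"      # >= 3 lines failed and fewer than 2 pumps succeed


# Constructed, hypothetical failure probabilities (not the values of Table 2).
RECS = {"V1": 0.01, "pump": 0.02, "V2": 0.05, "V3": 0.05}
MODULE14 = {**{f"P{i}": 0.10 for i in range(1, 5)},
            **{f"H{i}": 0.05 for i in range(1, 5)}}


def analyse(components, outcome_of):
    """Outcome probabilities and minimal cut sets of every outcome of one LFD."""
    paths = event_tree(components, outcome_of)
    probs = outcome_probabilities(paths)
    cuts = {o: minimal_cut_sets(paths, o) for o in probs}
    return probs, cuts


if __name__ == "__main__":
    for label, comps, fn in (("RECS, Fig. 2", RECS, recs_outcome),
                             ("Module 14, Fig. 7", MODULE14, module14_outcome)):
        probs, cuts = analyse(comps, fn)
        print(label)
        for outcome, p in sorted(probs.items()):
            sets = sorted(sorted(c) for c in cuts[outcome])
            print(f"  P({outcome}) = {p:.6f}   minimal cut sets: {sets}")
```

The minimal cut sets of the 'no flow' outcome come out as {V1}, {pump} and {V2, V3}, matching the three cases (a)-(c) listed under Fig. 2.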

4.3. Overall system analysis

Consideration of the interrelations between the modules (equivalent components) of the system results in the construction of the LFD shown in Fig. 8. There are 3 LOCAs to be considered depending on whether the RCS valves open and how many reclose after the opening:

(1) Large LOCA [5]. This LOCA occurs when either the three RCS valves do not open (module 5 fails) or when there is EP available but both modules 2 and 3 fail.

(2) S1 LOCA [5]. This LOCA occurs when at least two RCS valves do not reclose after all three valves have opened.

(3) S2 LOCA [5]. This LOCA occurs when exactly one RCS valve does not reclose after three valves have opened.

4.4. Definition of system outcomes

The system which is represented by the LFD shown in Fig. 8 was analysed for the following system outcomes:

(1) Radioactivity release greater than 1 ERL. The radioactivity release exceeds 1 ERL when the core melts or when a LOCA occurs and the containment access function fails. This system outcome is represented by outcome 100 in the LFD shown in Fig. 8.

(2) Occurrence of large LOCA [5]. This LOCA occurs when either module 5 fails or both modules 2 and 3 fail. This outcome is represented by outcome 200 in the LFD shown in Fig. 8.

(3) Occurrence of S1 LOCA [5]. This LOCA occurs when module 6 is in its derated state. This outcome is represented by outcome 300 in the LFD shown in Fig. 8.

(4) Occurrence of S2 LOCA [5]. This LOCA occurs when module 6 fails. This outcome is represented by outcome 400 in the LFD shown in Fig. 8.

[Fig. 8: logic flow diagram of the overall system; the diagram itself is not recoverable from the scan]

Fig. 8. LFD of overall system.


TABLE 2. ASSUMED COMPONENT RELIABILITY DATA

Component (subsystem)                    Distribution type   Failure rate (f/yr)   Failure probability (if distribution is fixed)
Off-site EP                              fixed               -                     2 x 10^-2
Emergency EP                             fixed               -                     10^-2
Reactor protection system                fixed               -                     5 x 10^-3
Stand-by pump                            exponential         0.04                  -
Continuously operating pump (failure)    exponential         0.1                   -
Continuously operating pump (repair)     exponential         100 (repair rate)     -
Condenser vacuum                         fixed               -                     2 x 10^-3
Relief/safety valve (open)               exponential         0.08                  -
Relief/safety valve (close)              exponential         0.01                  -
Any other valve (open)                   exponential         0.03                  -
Any other valve (close)                  exponential         0.01                  -
Containment access function              fixed               -                     2 x 10^-6
Residual water storage tank              fixed               -                     10^-5
Boron tank                               fixed               -                     10^-5
Pressuriser                              fixed               -                     10^-2
Accumulator                              fixed               -                     5 x 10^-4
Emergency cooling function               fixed               -                     5 x 10^-a [exponent garbled in source]
Heat exchanger                           fixed               -                     7 x 10^-4
Sodium hydroxide addition function       fixed               -                     5 x 10^-4

TABLE 3. SYSTEM OUTCOME PROBABILITIES

System outcome                               Probability of occurrence of outcome given that an initiating transient occurs at time 1.0 years
Radioactivity release greater than 1 ERL     0.4301 x 10^-4
Large LOCA                                   0.1114 x 10^-3
S1 LOCA                                      0.9140 x 10^-7
S2 LOCA                                      0.3648 x 10^-4

4.5. Reliability evaluation

The assumed reliability data assigned to the components of all modules are shown in Table 2, and the results for the four outcomes using this data and the computational techniques are shown in Table 3.

5. CONCLUSIONS

An efficient and novel computational technique for assessing the reliability/safety of complex systems has been described which introduces a logical method of modelling the performance of a system, the logic flow diagram. This type of diagram indicates clearly the performance capability of a system and defines the logical manner in which the components of a system are combined to give the overall system performance.

The program has been designed with graphic/interactive techniques to guide the engineer through all the computational steps. In particular it:

(1) Enables engineers to perform reliability analyses easily and flexibly.

(2) Allows changes to be made to system data and permits immediate output response to these changes.

This continuity is important as it enables the analyst to perform a wide range of sensitivity studies and therefore to develop a sound engineering appreciation of the behaviour of the system under study.

ACKNOWLEDGEMENTS

The authors are indebted to HM Nuclear Installations Inspectorate for their financial support. Although the work was conducted under a research contract funded by HM NII, the results, comments and conclusions are those of the authors and not necessarily of HM NII.

REFERENCES

1. ADRAKTAS, A. Interactive reliability evaluation of nuclear plants. Ph.D. Thesis, UMIST, 1980.

2. ALLAN, R. N., RONDIRIS, I. L., FRYER, D. M. and TYE, C. Second National Reliability Conf., March 1979, paper 3D/1.

3. ALLAN, R. N., RONDIRIS, I. L. and FRYER, D. M. IEEE Trans. on Reliability, R-30 (1981), pp. 101-9.

4. EDWARDS, G. T. and WATSON, I. A. A Study of Common Mode Failures, UKAEA Report SRD R 146, 1979.

5. US ATOMIC ENERGY COMMISSION. Reactor Safety Study. An Assessment of Accident Risks in US Commercial Nuclear Power Plants, USAEC Report WASH-1400.