Diesel Generator Failure

8/2/2019 Diesel Generator Failure

1/36

IAEA-TECDOC-648

Procedures for conductingcommon cause failure analysisin probabilistic safety assessment

INTERNATIONAL ATOMIC ENERGY AGENCYpZ / v


2/36

The IAEA does not norrnally maintain stocks of reports in this series.However, microfiche copies of these reports can be obtained from

INIS Clear inghouseInternational Atomic Energy AgencyWagramerstrasse 5P . O . Box 100A-1400 Vienna, Austria

Orders should be accompanied by prepayment of Austrian Schillings 100,in the form of a cheque or in the form of IAEA microfiche service couponswhich may be ordered separately from the INIS Clear inghouse.


3/36

PROCEDURES FOR CONDUCTING COMMON CAUSE FAILURE ANALYSISIN PROBABILISTIC SAFETY ASSESSMENT

IAEA, VIENNA, 1992IAEA-TECDOC-648ISSN 1011-4289

Printed by the IAEA in AustriaMay 1992


4/36

P L E A S E B E A W A R E T H A TA L L O F T H E M I S S I N G P A G E S I N T H I S D O C U M E N TW E R E O R I G I N A L L Y B L A N K


5/36

FOREWORD

P robabi l i s t ic safety assessment ( P S A ) is increasingly important in the safedesign and opera t ion of nuclear p o we r p lants t h r o u g h o u t th e wo rld . T h e A g e n c ysuppor ts this t rend and has focused on promot i ng , assisting and facilitating the use ofP S A , by reviewing th e t e chnique s developed in M e m b e r States, assisting in thef o rmula t io n o f g uide l ine s and he lp ing M e m b e r Sta tes to apply such guidel ines ino r d e r to e n h a n c e th e safety of nuclear p o w e r plants.

In this context, a set of publications is bei ng prepared to promote t ra nsfer ofstate of the art approaches t o P S A modell ing topics and to encourage consistency int h e w a y P S A i s carried out.The publications, of which the pres ent repor t fo r m s a part , cover the role ofP S A and probabi l i s t ic safety criteria in nuclear safety, provide guidance on theconduct o f P S A a n d o n specific topics such as external hazards, h u m a n reliabilityanalysis, common cause failure analysis and c o m p u t e r codes for P S A .


6/36

EDITORIAL NOTEin preparing this material for the press, s t a f f of the International Atomic Energy Agency have

mounted and paginated the original manuscripts and given some attention to presentation.The views expressed do not necessarily reflect those of the governments of the Member States or

organizations under whose auspices the manuscripts were produced.The use in this book of particular designations of countries or territories does not imply anyjudgement by the publisher, the IAEA, as to the legal status of such countries or territories, of theirauthorities and institutions or of the delimitation of their boundaries.The mention of specific companies or of their products or brand names does no t imply any

endorsement or recommendation on the part of the IAEA.


7/36

CONTENTS

1 . INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 .1 . B a c k g r o u n d .................................................................................................... 71 . 2 . O bject ive ......................................................................................................... 71 .3 . S tructure ......................................................................................................... 7

2. F R A M E W O R K FOR C O M M O N CAUSE FAILURE ANALYSIS . . . . . . . . . . . . . . . . . 82 . 1 . Definit ion ........................................................................................................... 82 . 2 . O v e r v i e w of analysis f r a m e w o r k .................................................................... 8

3. SCOPE OF COMMON CAUSE FAILURE A N A L Y S I S ................................... 9

4. MODELS, PA RA M E T E R ESTIMATION AND DATA ANALYSIS . . . . . . . . . . . . . 1 34 . 1 . In t roduct ion ...................................................................................................... 134 . 2 . R e c o m m e n d e d p a r a m e t r i c C C F models .................................................... 134 . 3 . P a r a m e t e r estimates and data analysis ....................................................... 17

5. ANALYSIS OF RESULTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

6. PRACTICAL CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 . 1 . Int ro duct io n ...................................................................................................... 296 . 2 . M odel ling of high redundancy systems ....................................................... 306 . 3 . C o m m o n cause failure component groups - B reaking the symmetry ....31

REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


8/36

1 . I NTRODUCTI ON1 . 1 . B A C K G R O U N D

T h r o u g h o u t th e wo r ld , co u n tr ies with o p e ra t ing nucle ar p lants a re recognizingth e n e e d for a q ua nt i t a t i ve expression of the safety of t h e i r plants. In some cases th en e e d is to e n s u r e tha t all plants conform to some p re scr ib e d safety level , expressed int e r m s of p r o b ab i l i ty of core d a m a g e o r r e l e a s e o f radioact ivi ty . I n o t h e r cases th eneed is to veri fy w h e t h e r d e s i g n backfi ts o r chan g e in o p e r a t i o n a l practices areneeded and to choose b e t w e e n al te r n at iv es . A p ar t i cu l ar l y recent d e v e l o p m e n t is theneed t o e n s u r e t h a t o p e r a t i n g ut i l i t y c o m p a n i e s a re p r e p a r e d to d e a l with a s evereaccide nt a n d h a v e t h o u g h t t h r o u g h th e r e q u i r e d r e s p o n s e s in some detail.Probabilist ic Safety A s s e s s m e n t ( P S A ) i s now a widely used tool for such b e y o n ddesign basis analysis .

M o s t of the recently c o m p l e t e d P S A s have found tha t common cause fa i lures(CCFs) are significant contributors to core damage f req uenc y . The analysis ofc o m m o n cause fai lures h as u n d e r g o n e significant i m p r o v e m e n t over the last fe w y e a r sw h i c h has led to the w ri t i n g o f this d o c u m e n t .

1.2. OBJECTIVET he principal objective of this repor t is to s u p p l e m e n t th e p r o c e d u r edeveloped in M o sle h et al. (1988, 1989) by providing m o r e explicit guidance for apract ical approach t o C C F analysis. T he detailed C C F analysis following tha tp r o c e d u r e wo uld be very labour intensive and t ime consuming. T h i s d o c u m e n tident i f ies a n u m b e r of options for performi ng th e m o r e labour intensive parts of theanalysis in an a t t e m p t to achieve a balance b e t w e e n th e n e e d for detail , the p u r p o s eof the analysis and the re so urce s avai lable.T h e d o c u m e n t is intended to be compatible with th e A g e n c y ' s Pr o c e d u r e s forCo nduct ing Pro b ab i l i s t ic Saf e t y A sse ssme nts for N u c l e a r P o w e r P l a n t s (IAEA, 1992),b ut can b e re g arde d as a s t a nd-a l one repor t to be used in conjunct ion withNUREG/CR-4780 ( M o sl eh et al., 1988, 1989) to provide additional detail , anddiscussion of key technical issues.

1.3. STRUCTUREIn section 2 common cause failures are defined and an overview of the analysisprocedure is presented. Section 3 discusses th e definition of the scope of the analysis.Sect ion 4 presents recommendat ions f o r C C F models and gives some guidance ondata analysis and pa r a m e t e r estimation. The analysis of results is discussed in section5, and some specific c onc erns i n C C F model l ing are addressed in section 6.


9/36

2. FRAMEWORK FOR COMMON CAUSE F A I L U R E A N A L Y S I SThis s ec t io n p r o v id es the d e f i n i t i o n o f co m m o n cau s e f a i l u r e (CCF) e v e n t s an da n overvi ew of the p r o c e d u r a l f r a m e w o r k . T h e d es cr i p t i o n g i v e n h e r e is only a br i efs u m m a r y of t h e d e t a i l e d f r a m e w o r k p r o v i d e d in the P r o c e d u r e s f o r T r e a t i n g C o m m o nC a u s e F a i l u r e s in Safety and R e l i a bi l i t y S t u d i e s ( M o sl eh e t al., 1988, 1989), which hasalso b e e n a d o p t e d in the P r o c e d u r e s f or C o n d u ct in g Probabil ist ic Safety A s se s sm e n t s

of N u c l e a r P o w e r P l a n t s ( IA E A , 1992) .2.1. D E F I N I T I O N

Common cause f a i l u re event s a re d e f i ne d as m u l t i p l e fa i l ures of c o m p o n e n t sfrom shared root causes . From a pract ical p o i n t o f view, th e c o m m o n cause fa i luree v e n t s inc lude d in plant logic m o d e l s r e p r e s e n t those i n t e r c o m p o n e n t d e p e n d e n c i e swhich are considered to be potential ly significant, and who se m e c h a n i s m s are no texplicitly r e p r e s e n t e d in the logic mo de l (e v e nt t rees and faul t t rees ) of the plant . It isi m p o r t a n t to emphas ize t h a t it is advisable to explicitly m o d e l specific d e p e n d e n tfai lure m e c h a n i s m s whe ne v e r p o ss ib le and to m a k e a clear dis t inction b e t w e e n t h ecoverage of such mo de l l ing on the one h a n d , and the scope of the c o m m o n causefa i lure analysis on the o t h e r h a n d . This aspect will be f u r t h er e l a b o r a t e d in section 3deal ing with th e scope o f c o m m o n cause failure analysis.

2.2. O V E R V I E W O F A N A L Y S I S F R A M E W O R KF o u r ma jor stages, each of which contains a n u m b e r o f steps, form th e

procedural f r a m e w o r k for t h e analysis. F i g u r e 1 s u m m a r i z e s th e m a i n e l e m e n t s o f t h ef r a m e w o r k . S o m e c o m m e n t s are given below including th e r e f e r e n c e s to the sect ionsof th e present g u id e l in es , w hi ch specifically cover th e unde r l y i ng co nce p ts . F or m o r edetailed d ef in i t io n s w e r e f e r to the original r e f e r e n c e ( M o s le h e t al., 1988, 1989).

Stage 1 - Sys tem L o g ic M o d e l De v e lo p me nt - i s co v e re d in the generalguidelines f o r P S A (IAEA, 1992). This stage is a p r e r e q u i s i t e f o r c o m m o n causefailure analysis. A spects re la ted to the in terface b e t w e e n t h a t stage and thesubsequent ones will b e t o u c h e d u p o n in section 3.

Stage 2 - Id en t i f ica t io n of C o m m o n C a u s e C o m p o n e n t G r o u p s - focuses on thescreening process and is critical fo r def ini t ion of the scope of the detai led analysis .Due to i ts importance with respect to the choice of a sui table d e g r e e of detai l , thecharacteristics of the screening procedures will be f u r t h er described in section 3.

Stage 3 - C o m m o n C a u s e M o d e ll in g and D a t a Analysis - A defini t ion ofcommon cause basic events has been given in sect ion 2.1. T h e i nc orpora t i on ofcommon cause e v e n t s in the logic m o d e l is achieved by a s t r a ig ht fo r war d m o d i -fication of i ts s t ructure . T h e select ion of m o d e l s for quanti f icat ion o f C C F c o n t r i b u -tions and the analysis and manipulat ion of data const i tute the tasks w h i c h call formost guidance. Section 4 dea l s with t h ese aspects.

Stage 4 - S y s t em Q ua nt i f i c a t i on a nd I n t erpre t a t i on of Resul t s - sy nt h es i zes t h eke y output of the previous stages leading to quantif ication of s ys tem fa i lu r eprobabil i ty. I n addition, uncertainty and sensitivity analyses provide addi t ionalperspective for interpretation of results. This is discussed in section 5.8


10/36

S t a g e 1 - S y s t e m L o g i c M o d e l D e v e l o p m e n tS t e p s

1 . 1 S y s t e m F a m i l i a r i z a t i o n1 . 2 P r o b l e m D e f i n i t i o n1 . 3 L o g i c M o d e l D e v e l o p m e n t

S t a g e 2 - I d e n t i f i c a t i o n o fC o m m o n C a u s e C o m p o n e n t G r o u p sS t e p s

2 . 1 Q u a l i t a t i v e A n a l y s i s2 . 2 Q u a n t i t a t i v e S c r e e n i n g

iS t a g e 3 - C o m m o n C a u s e M o d e l i n ga n d D a t a A n a l y s i s

3 . 1 D e f i n i t i o n o f C o m m o n C a u s eB a s i c E v e n t s3 . 2 S e l e c t i o n o f P r o b a b i l i t yM o d e l s f o r C o m m o n C a u s eB a s i c E v e n t s3 . 3 D a t a C l a s s i f i c a t i o n a n dS c r e e n i n g3 . 4 P a r a m e t e r E s t i m a t i o n

S t a g e 4 - S y s t e m Q u a n t i f i c a t i o n a n dI n t e r p r e t a t i o n o f R e s u l t s

4 . 1 Q u a n t i f i c a t i o n4 . 2 R e s u l t s E v a l u a t i o n a n dS e n s i t i v i t y A n a l y s i s4 . 3 R e p o r t i n g

FIG. 1. Procedural framework fo r common cause failure analysis(Mosleh et al, 1988, 1989).

3. SCOPE OF C O M M O N CAUSE FAILURE ANALYSISA s indica te d in the objectives of the p r e s e n t gui del i nes (sect ion 1.2), common

cause failure analysis may represent a subs t a nt i a l effor t w h i c h requires significantresources. Due to the potent ia l importance of C C F s it is r e c o m m e n d e d t h a tcomprehensive qualitative and quanti tat ive C C F analyses should be an integral pa r tof each PSA.However , it is acknowledged that the scope of the studies must be in


11/36

balance w i t h th e a v a i l a b l e resources a n d m i g h t b e a f f ec t ed b y t h e p a r t i c u l a r o b j ec t i v eso f a PSA.In ad d i t io n , the d e g r e e o f d et a i l t ha t can b e r eas o n ab ly exp ected an d thechoice o f a s u i tab le a p p r o a c h d e p e n d o n a variety o f a n a l y s i s b o u n d a r y c o n d i t i o n s ,e . g . collection of p l a n t specific C C F data , on the datab ase u s ed for a s s i g n m e n t ofsingle f a i l u r e probabi l i t ies , on the available e vi de nc e o f CCFs e x p e r i e n c e d at thepa r t i c ul a r p lan t , o n the re le v ance an d t ransferabi l i ty o f ex ter n al ( g e n e r i c o r p l a n tspecific) data sources, and on the characteristics of the overall approach to the logicalm o d e l of the plant .Du e to the re aso ns g i v en a bove, th e g u i d e l i n e s p r o v i d e d in th is r e p o r t o f f erd i f f e r e n t o p t io ns w i t h r e s p e c t to the d e g r e e of d et a i l in the context of c o m m o n c a usef a i l u re analysis.

T h e present g u i d e l i n e s a re ba sed o n the an al ys i s f ramew o rk d e v e l o p e d in theUSNRC/EPRI p r o c e d u r e s fo r t r e a t m e n t of CCFs ( M o s le h e t al., 1988,1989), brief lysummarized in section 2 of this report . I t is assumed that the first stage of thef r a m e w o r k , i.e.system logic m o d e l d e v e l o p m e n t , is carried out in accordance w i t h theg e n e r a l P S A p r o c e d u r e s p r e p a r e d by the I A E A ( I A E A , 1992). Conseq uent l y , i t i si m p o r t a n t t h a t categories of de p e nde ncie s , such as funct ional ( in c lu d in g s h a r e de q u i p m e n t ) , physical an d h u m a n i n t e r a c t i ons , an d C o m m o n C a u s e In i t ia to r s (CCIs)are modelled explic i t ly to the extent that is pract ical in view of the i n f o r m a t i o navailable . I n a d d i t i o n , cer ta in m e c h a n i s m s f o r i n t e r c o m p o n e n t d e p e n d e n t fa i l ur e s m ayb e felt to be sufficiently important to be included explicitly in the m o d e l . F o rexample, i n t h e P S A p e r f o r m e d f o r t h e S ur r y nuc l e a r p l a n t as p a r t of the N U R E G1 1 5 0 project ( B e r t u c i o e t al., 1987), a mec h a ni sm for s t ea m bi ndi ng of the t h r e et ra i ns (two m o t o r driven, one t u r b i n e d r i v e n ) o f the auxil iary f e e d w a t e r s ys tem wasident i f ied, and a term included in the faul t t re e model t o r e p r e s e n t this m e c h a n i s m .T h e analysts responsible for integrat ion o f C C F co n tr ib u t io n s in the overall logicm o d e l m u s t be a w a r e of the extent of the explicit r e p r e s e n t a t i o n of suchd e p e n d e n c i e s in o r d e r to avoid possible omissions a n d / o r d o u b l e co u n t in g . A n o t h e ri m p o r t a n t a s p e c t in th is context is a clear speci f icat ion o f c o m p o n e n t b o u n d a r i e s toassure a proper dis t inction b e t w e e n t h e co n t r i b u t i o n s co v er ed b y c o m p o n e n t f a i l ur edata, a n d those c orrespondi ng t o s u p p o r t funct ions, w hi ch a re r e p r e s e n t e d sepa ra t e l yin the p l a n t model. This issue is of central importance for the asse ssme nt of b o t hsingle f a i l ur e a n d C C F probabi l i t ies . E x a m p l e s o f t ho ro u g hl y s p eci f i ed c o m p o n e n tb o u n d a r i e s m a y b e f o u n d in the S w e di sh Rel i ab i l i t y D a t a B o o k ( B e n t o e t al.,1985).

I n t he fol lowing, the discussion on the scope o f common cause f a i l u r e a na l y s i swill focus o n stage 2 of the g e n e r a l f r a m e w o r k , i.e. ident i f icat ion of c o m m o n c a usecomponent g r o u p s . T h e objectives of this stage include ( M o sle h et al., 1988, 1989):

I de nt i f y i ng th e g r o u p s o f system c o m p o n e n t s to be i n c l u d e d in, ore l i m i n a t e d f r om , t h e C C F analysis;Priori t izing th e g r o u p s of system c o m p o n e n t s i d en t i f i ed for f u r t h e ranalysis so t h a t t ime an d re so urce s can b e best al located d u r i n g th eC C F analysis;Providing engineering a r g u m e n t s to aid in data analysis (stage 3);Providing e ng ine e r ing arg ume nts to fo r m u la te d e f e n c e a l t erna t i ves an ds t ip ula te re co mme ndat io ns in stage 4 ( inte rp re ta t io n of results ) of theC C F analysis.

10


12/36

T h e s c r e e n i n g process serves as a tool for i d e nt i f i c a t i on of g r o u p s ofcomponents w h i c h m a y b e s u s c e p t i b l e t o c o m m o n c a u s e f a i l u r e a n d h e l p s t o l i m i t th escope o f t he a n a l y s i s . S c r e e n i n g c a n b e p e r f o r m e d q u a l i t a t i v e l y and/or q u a n t i t a t i v e l y .

Q u a l i t a t i v e s c r e e n i n g is c o n s i d e r e d as mo s t i m p o r t a n t for the p u r p o s e o fg a i n i n g e n g i n e e r i n g i n s i g h t s in the f o r m o f ident i f icat ion o f possible p l a n t specificw e a k n e s s e s , wh i c h m i g h t e v e n t u a l l y lead to a f o r m u l a t i o n o f d e f e n s i v e strategies.Q u a l i t a t i v e s c r e e n i n g i n c l u d e s ident i f icat ion o f root causes a n d c o u p l i n g m e c h a n i s m sfor specif ic c o m p o n e n t g r o u p s , as w e l l a s c ons i de r a t i on of exis t ing de f e ns i ve m e a s u r e s .A p l a n t speci f ic survey of all t h ese factors is not only h el p f u l as a basis for thes c r e e n i n g process, it also serves as a good b a c k g r o u n d for q ua l i t a t i ve u n d e r s t a n d i n g o fpast e v e n t s w h e n carry i n g o u t the ap p l i ca t i o n - o r i en t ed s cr een in g in order to generatepseudo p l a n t speci f ic d a t a . T h i s a spec t will b e h i g h l i g h t e d in m o r e d e t a i l in sect ion 4o f the present report.

T he q u a l i t a t i v e sc r e e ni ng i n c l u d es ident i f icat ion o f a t t r ib u tes suc h as design,l oc a t i on , modes o f o p e r a t i o n an d opera t i ona l history etc. for var ious components inorder to i d en t i f y factors t h a t m i g h t d e t e r m i n e c o m p o n e n t i n t e r d e p e n d e n c e . E x a m p l e sof such factors are: similarity in component type and design characterist ics,m a n u f a c t u r e r , i n t e r n a l a n d e x t e r n a l e n v i r o n m e n t s , location, tes t ing a n d m a i n t e n a n c eprocedures, etc.

T h e g e n e r i c cause a p p r o a c h ( R a s m u s o n e t al.,1982) offers a systematic ands t ruc t ured w a y t o scre e n g r o u p s o f c o m p o n e n t s susceptible to c o m m o n c a u s e f a i l u res .In principle any combinat ion o f co mp o ne nts could be postulated to have a p o t e n t i a lfor being involved in a co mmo n cause fa i lure event . I t is , therefore , recognized thatextensive application of gener ic cause approach or o t h e r types of qual i tat ive s creeningis t i m e c o n s u m i n g .However, there exist h a r d l y a n y e x a m p l e s o f ful l-scope PSAs where an in-depthqu al i ta t iv e sc reeni ng h a s been a ppl i ed t o a l a rge number of c o m p o n e n t g r o u p s . It isrecommended t h a t th e scope of such an i n-de pt h analysis be d e t e r m i n e d bya ppl i c a t i on of quant i ta t ive sc r e e ni ng , and by a prior i select ion of the typ e s ofc o m p o n e n t s which in view of p ast exp er ien ce s ho u l d be the subject of m o r e detailedanalysis.T h e p r e s e n t guidel ines r e c o m m e n d that some c o m p o n e n t types, wh i c h ,according to p re v io us experience, are e i the r particularly susceptible to c o m m o n causefa i lures and/or are critical for the level of plant safe ty , should always be a subject ofrelatively det a i l ed c o m m o n cause failure analysis. T he focus in th is context is onactive r e d u n d a n t c o m p o n e n t s an d int rasystem contribut ions. T he comparat ive reviewof d e p e n d e n t fai lure analysis in six Swed is h P S A s ( H i r s c h b e r g , 1990) has sho wn t h a tthe pr incipal CCF contributors are mo to r-o p e ra te d valves an d p u m p s . O t h e ri m p o r t a n t C C F c o n t r i b u t o r s mi gh t be diesel g e ne ra to rs , batteries, g as turb ine s ( i favailable) , p ressure relief valves, air-operated valves, check valves, scram valves,RPS-logic channe ls , b re ak e rs and sensors.T h e resul t s of PSAs p e r f o r m e d i n t h e U S A general ly s u p p o r t theseconclusions, although CCFs of diesel generators and batteries have somewhat higherimportance t h a n in the Swedish plants . In addit ion, common caus e failures o f reactorscram breakers (PWR)have b e e n considered important.

11


13/36

It is r e c o m m e n d e d t h a t th e a b o v e m e n t i o n e d c o m p o n e n t t y pes b e consideredin the CCF an al ys i s as a m i n i m u m . The degree to w h i c h these CCF c o n t r i b u t i o n s andthose fo r other id en t ica l , funct ional ly non-diverse, act ive, r e d u n d a n t c o m p o n e n t ssh oul d be i nves t i ga t ed i n det a i l ma y be det ermi ned by m e a n s of q u a n t i t a t i v escreening.Quant i ta t ive s creening includes i m p l e m e n t a t i o n of c o m m o n cause f a i l ur e

e v e n t s for each c o m p o n e n t in a c o m m o n cause fai lure group, ass ig nme nt o f screeningn u m e r i c a l v a l u e s to each c o n t r i b u t i o n (e.g.b y use o f a p r e s u m a b l y c onserva t i ve betafactor of C.I) and solution of the faul t trees. T h e results of qu an t i f i ca t i o n m ay se rv eas a basis for final decisions with respect to:th e n e e d of detailed quali tat ive analyses for the m i n i m a l g r o u p o f C C Fcontr ibutors and for o t h e r candidates, as well as the n e e d of detai leddata analysis; andth e n e e d of r e p r e s e n t a t i o n of a l l ap p l icab le fai lure m u l t i p l i c i t i e s .

T h e decision as to w h e t h e r to perform a detai led analysis m u s t be based o ns c r e e n i n g criteria. T h i s must be es t a bl i sh ed by t h e u s er o nce th e p r e l im in ar y r es u l ts o fth e PSA, using t h e s e sc reeni ng values, h a v e b e e n o b ta ine d . Clearly , i f a part icularC C F c o n t r i b u t o r is in one of the hig hes t probabil i ty cut sets, it is a c a n d i d a t e fordetailed analysis. I f , however, th e probabilities a re essent ial ly of t h e same order o fm a g n i t u d e for a l l the cut sets , then the hig hes t pr oba bi l i t y cu t sets m a y n o t hav e ad o m i n a n t effect on total unavailabil i ty. Thus the decision to p e rf o rm detai led analysison any contr ibutor is a funct ion of i ts importance to the overall result . I t m u s t also ber e m e m b e r e d that other par ts of the analysis m a y b e u n d e r g o i n g r e f i n e m e n t at thesame time (for e xamp le , th e es t im at io n o f h u m a n error proba bi l i t i es ) . Conseq uent l y ,it is important to h a v e a global perspect ive of the results in o r d e r t o m a k e ef fect iveuse of resources for detailed analysis.

A s a r u l e , fully d i v e r s e c o m p o n e n t s are co n s id er ed as no t suscept ible t o C C Fevents. However, care m u s t b e t a k e n with diverse c o m p o n e n t s with ident ical pieceparts . C l e a r specifications of component boundar ies , ment ioned ear l ier , will h e l p toidentify such si tuations. A lso passive com pone nts are seldom subject to c o m m o ncause fai lure analysis. H o w e v e r , checks should b e m a d e that events such as, forexample , blockage of r e d u n d a n t p u m p strainers, have b e e n explicitly r e p r e s e n t e d inth e logic model of the plant .A n o t h e r issue which influences th e scope of analysis is the quest ion ofrepresenta t ion of all applicable failure multiplicit ies (e.g. inclusion of double , triplea n d quadruple CCFs in a plant designed with f o u r r e d u n d a n t t r a in s in safety sy s t ems) .N e g l e c t of lower fa i lure multiplicities results in underes t imat ion of the f requencies ofaccident sequences. I n most cases th e contribut ions of the lower fa i lure multiplicitiesto the core damage f r equ en cy are low ( H i r s c h b e r g e t al.,1989), but the actualsignificance depends, fo r e xamp le , on t h e prevail ing success cr i te r ia . Co nse que nt ly , itis recommended that w h e n e v e r possible all applicable fa i lure mult ipl ic i t ies sho uld b etaken into account. I n case simplified parametric m o d e l s which only acco unt for thehighest failure multiplicity are used , checks should be m a d e to verify tha t thisapproximation is reasonable. This is discussed further in section 6.

12


14/36

T h e scope o f data a na l y s i s m ay vary as d es cr i b ed i n more d et a i l i n section 4 .T h e p r e f e r r e d a p p r o a c h i n c l u d es a t h o r o u g h p l a n t speci f ic analysis . It is , h o w e v e r ,r e c o g n i z e d t h a t p a r a m e t e r e s t i m a t i o n in so me cases has to be based on g e n e r i csources. I n such s i t u a t i o n s , th e m i n i m u m r e q u i r e m e n t w o u l d b e to discuss th er e l e v a n c e o f s u ch s o u r ces an d t h e i r appl icabi l i ty to the p l a n t b e i n g a n a l y z e d .Fi na l l y , gi ve n tha t a m o d e l an d data h a ve b e e n selected and the analysis has

b e e n carr ie d o u t , th e resul t s o b ta ine d should b e subject to sensitivity an d unc er t a i n t yanalysis. Sensitivity analysis in p ar t icu lar is a p r im ar y tool to d e m o n s t r a t e the i m p a c tof m o d e l l i n g a s s u m p t i o n s i n c o m m o n cause f a i l u r e a na l y s i s on P S A r es u l ts an dconclusions. Section 5 w i l l addre ss this issue.

4. MODELS, P A R A M E T E R E S T IM A T IO N A N D D A T A A N A L Y S I S4 . 1 . INTRODUCTION

M a n y m o d e l s hav e been proposed for the evaluat ion of c o m m o n cause failures,but only those that hav e b e e n used in performi ng P S As belong to the classes refer redt o a s p a r a m e t r i c m o d e l s o r shock m o d e l s . T h e E u r o p e a n C C F b e n c h m a r k exercise( P o u c e t e t al., 1 9 8 7 ) and the Scan d in av ian b e n c h m a r k exercise (Hirschberg, 1 9 8 7 )bot h s h o w e d t h a t th e choice o f C C F m o d e l is not important i f a consistent set of datais u s e d . So m e of the available models have, ho we v e r , a st ructure that can complicated a t a analysis. O t h e r m o d e l s , for exa mpl e Drre (1989) and H u g h e s (1987), have n o tb e e n used in p ub l i she d P S A s . Co nse que nt ly , only two models are discussed h e r e , th eBasic P a r a m e t e r M o d e l ( F l e m i n g and M os leh, 1985), which is the most g e n e r a l formof t h e c o m m o n l y u s e d p a r a m e t r i c model s , a nd a p ar t icu lar r e p a r a m e t e r i z a t i o n o f t h a tm o d e l called the alpha factor m o d e l ( M o sl eh and S i u , 1987). T he estimation of thep a r a m e t e r s of these models is discussed, point ing out d if fe r en t options availabled e p e n d i n g on the resources. Because of the impor tance of the quali tat ive aspects ofhis to r ica l e v e nt analysis , addit ional g u id an ce i s given o v er an d above t h a t g i ven inMosleh et al. (1988, 1989).

4 . 2 . RECOMMENDED PARAMETRIC CCF MODELS4.2.1. Basic Parameter M o d e l

T h e m o s t general of the c o m m o n l y u s ed p a r a m e t r i c C C F m o d e l s i s t h e BasicP a r a m e t e r M o d e l . A l l t h e o t h e r parametr ic models can be characterized asreparameterizations of this m o d e l . In this m o d e l , a set of p a r a m e t e r s Q k ( m ) is def i nedas follows:

Q k ( m ) = probabil i ty of a basic e v e n t involving k specific components(1 .


15/36

P(A,) = P(B,) = P(Q)= Q/3)P(CAB) = P (C A C ) = P ( C B C ) =P ( C A B C ) = Q3(3)

N o t e tha t , with the symmetry assumption, the probabi l i ty of f a i l ur e of anygiven bas ic event involving s imilar c o m p o n e n t s d e p e n d s only on the n u m b e r and no ton the specific components in t h a t basic event .D e p e n d i n g on the system modell ing r e q u i r e m e n t s , Q k ( m ) s can be de f ine d asd e m a n d - b a s e d (f requency of fai lures p e r d e m a n d ) o r t ime based ( ra te of fa i lures pe runi t t i m e ) . T he la t ter can be d ef in ed both for the standby fa i lure ra tes as well as forth e rate o f fai lures dur i ng opera t ion.I n t e r m s of the basic specific p a r a m e t e r s d ef in ed above, the total fa i lure

probabil i ty , Q t, of a c o m p o n e n t in a c o m m o n cause g r o u p of m c o m p o n e n t s is1 o- i O k

w h e r e t h e b i n o m i a l term

-1! _ (m-1) Ik-1) (m-k) ! (Jr-l) !

represents th e n u m b e r o f different ways tha t a specified c o m p o n e n t can fail with (k-1)other c o m p o n e n t s in a g ro up o f m similar c o m p o n e n t s .A s s u m i n g t h a t th e Q k ( m ) s are to be d ef in ed a s d e m a n d bas ed, it is s h o w n inM o sle h e t al.,(1988, 1989) tha t th e m a x i m u m likelihood e s t imato rs for Qk(m ) aregiven by

nm _ kV/Jc ~ "77"Nk

w h e r en k = n u m b e r of events involving k co mp o ne nts in a failed stateandNk = number of demands on any k component in the common cause group.T h u s in principle, to estimate the Q k ( m ) , one needs to count the number o fevents nk, with k failures, and the n u m b e r of d e m a n d s N k on all groups of k

14


16/36

c o m p o n e n t s . T h e n u m b e r of d e m a n d s , N k, is of ten e s t imate d on the basis of theo p e r a t i n g p r a c t i c e s at the p l a n t . For e x a mpl e , i f , each t im e th e system is operated, aKof t he m c o m p o n e n t s in t he g r o u p a re demanded, a n d t h i s n u m b e r o f demands is N D ,then

T he b ino mial term lm\ repres ents th e n u m b e r of groups of k c o m p o n e n t st h a t can be formed from rn components . W e , t h erefore , have

, ( /n) _ nk

T he intermedia te s tep of estimating th e (N k) can be avoided if , instead ofusing th e basic parameter model , a reparameter izat ion of tha t model is used, asdescribed in section 4.2.2. This avoidance of direct es t i ma t i ons of the N k is use f u lw h e n a wel l -establ ished data base exists for the single fai lure e v e n t probabilities thatis di f f e r e nt f rom th e data base t h a t will be used for the c o m m o n cause fai lureanalysis. This happens wh en, for exa mpl e , p l a nt specific data is suff ic ient to producereliable estimates fo r i ndi v i dua l c o m p o n e n t fai lure ra te s or probabil i t ies, but not forc o m m o n cause fai lure rates o r probabilities. This is the most common si tuat ion.There are m a n y possible parametr ic models, but for the reasons explained i n M o sl e ha nd S i u (1987) th e p r e f e r r e d m o d e l is the alp ha factor m o d e l .

4.2.2. The Alpha Factor ModelT h e alpha factor m o d e l de f i ne s c o m m o n cause fai lure probabilities f rom a setof fa i lu r e f r equ en cy ratios and the total c o m p o n e n t failure probability Q t. I n t e r m s o fth e basic event probabilities, the a lp ha factor p a r a m e t e r s a re d ef in ed as


17/36

F or example, for a g r o u p of t h r e e s imilar c o m p o n e n t s w e h a v e(3 )

> 3(3)

3C > 2(3 )

(3) _3 (3)301

and a/3-1 + ar2(3 ) + a3(3;) = 1 as e xp e cte d .

W e can se e tha t the b as ic e v e n t probabi l i t ies can be wri t t en as a f u n ct i o n of Q,and the a l p h a factors as follows:

w h e r e

A n estimator fo r e ach of t h e a factor p a r a m e t e r s (ak)c a n be based on itsdefini t ion as the f ract ion o f to ta l fai lure e v e nts tha t involve k component f a i l u res d u eto common cause. Therefore, for a system of m r e d u n d a n t c o m p o n e n t s ,

k=I

Thus, in this case, to e v aluate t h e C C F contr ibutions , it is only necessary toestimate Q t, and m e a s u r e th e various n k , but es t imates of the N k are not directlyrequired. H o w e v e r , it should be noted that the assumptions tha t g o into estimating N kare embedded in the formul a t i on of the a factor m o d e l . This is discussed in AppendixC of Mosleh et al. (1988, 1989).

Thus, in order to estimate CCF contribut ions, it is necessary to obtain ND, nl5...., n m for the basic parameter model , or to already have an est imate of Q t, andobtain n 1? ., n m for the a factor model .16


18/36

4.3. PARAMETER ESTIMATES AND DATA A N A L Y S I S4.3.1. Plant Specific Estimates

I I is g e n e r a l l y co n s id er ed t h a t C C F s are p l a n t specific. T h u s th e m o s ta p p r o p r i a t e e s t i m a t e s o f C C F m o d e l p a r a m e t e r s w o u l d b e o b t a i n e d f r om p l a n tspecif ic d a t a . H o w e v e r , n u c l e a r p o w e r p l a n t c o m p o n e n t s a re g e n e r a l l y very retable,and only few significant i n d e p e n d e n t fa i lures are expected for any p o p u l a t i o n ofc o m p o n e n t s . M u l ti p le f a i l u r e ev en ts a re e v e n r a r e r a nd a statistically a d e q u a t e , p l a n tspecific, data bas e for ev alu at in g C C F pr oba bi l i t i e s is highly unl i ke l y to be available.I t is b e c a u s e of this that the procedure for pool ing data from a variety of plants, andt rying to c o n s t r u c t a p s e u d o p l a n t specific d a t a base b y r e i n t e r pr e t i ng h i s t or i c a l e v e n t sin th e c o n t e x t of t h e p l a nt i n q ue s t i on , w a s de ve l ope d ( M o sle h e t al., 1988, 1989).

4.3.2, Construction of Pseudo Plant Specific Data Baseand Parameter EstimatesA p p l i c a ti o n of the d a t a analysis process i s ve r y t i me -c onsumi ng and,f u r t h e r m o r e , i n M o sle h et al. (1988, 1989), ther e i s little gui da nc e o n ho w th is s ho u ldb e p e r f o r m e d . However, i t is an i m p o r t a n t s t ep in order to g a i n i n s i g n t in to th ep o t e n t i a l w a y s t h a t CCFs can occur, and it is as m u c h for this, a s f or i mpr ovi ng t h ep a r a m e t e r e s t i m a t e s t h e mse l ve s , t h a t th e fol lowing process is r e c o m m e n d e d . I n th issubsection s o m e ideas are i n t roduc ed to h el p analyzing th e data .

4.3.2.1. G u i d e l in e s f or Hi s t or i c a l E vent I n t erpre t a t i onI n principle , each e v e n t associated with inoperabil i ty o f e q u i p m e n t s ho u ld beid en t i f iab le w i t h a basic e v e n t o f the m o d el . T h e r e ar e two basic fea tu r es o f the e v e n tdesc r i p t i on w h i c h are necessary to m a k e this ident i f icat ion.T h e first is the effec t o f the ev en t , wh i c h gui de s th e a na l y s t to a p ar t icu larbasic e v e nt o f the mo de l o r a p ar t icu lar ga t e , e.g. R H R p u m p A inoperable - u n a b l et o per form i t s funct ion. T h e sec ond basic f e a t ur e describes th e cause, which , t o g e t h e rwith a k n o w l e d g e of the b o u n d a r i e s of the basic e v e n t s of the m o d e l s , e n a b l e s th ecorrect al locat ion to be m a d e ; for example, i f the cause is de -e ne rg iza t io n of the 4.16K V bus, t h e n th e e v e n t is associated with the bus unavailabi l i ty , not the p u m p . If it is

a local faul t of the pump or i ts breaker, i t i s associated with th e p u m p c o m p o n e n titself. F or s tan d b y c o m p o n e n t s , such as pumps, i t is necessary to dist inguish b e t w e e nfai lure to start and fa i lure to run - this is not always s t r a i gh t f or w a r d.T h e following are some ground rules for e v e n t allocation.

1. If the cause of unavailabi l i ty of a s tandby c o m p o n e n t is self- revealing at thet ime it occurs, or occurs during a test but is revealed at the end of a test, andresults in m a i n t e n a n c e , the event is accounted for in the unavailability due tomaintenance. T h e e v e nt m ay a ls o b e c o u n t e d to war d s e s t imat io n of the fa i lureto perform the mission.

2. Fai lures to start or run are characterL ' by the failure condit ion n ot beingrevealed before a test or an actual u c m a n c and the failure being catastrophic17


19/36

( in th e sense o f p r e v e n t i n g o p e r a t i o n , o r p r e v e n t i n g o p e r a t i o n a b o v e a c e r t a i nm i n i m u m p e r f o r m a n c e l e v e l ) .3. F a i l u r e s , s u c h a s l e a k s o f c o m p o n e n t s (i.e. p u m p s a n d v a l v e s ) , w h i c h a r e n o ts e r i o u s e n o u g h to be f a i l u r e s o f t he p res s u re b o u n d a r y b y a n a c c e p t e dd ef i n i t i o n , w o u l d b e i n c l u d ed in the unavai labi l i ty d u e to m ain ten an ce , as the i reffect is to i n d u c e m a i n t e n a n c e activity.4. If the ef fect , for e x a m p l e p u m p A fails, is the res u l t of the f a i l u r e of a n o t h e rc o m p o n e n t t ha t i s m o d e l l e d expl ici t ly , t he ev en t i s as s o cia ted w i t h t h a tc o m p o n e n t , not t h e p u m p .5. If the f a i l u r e is c a use d by the test i tself , or can o n l y o c c u r u n d e r t es tco n d i t i o n s , it s ho u l d n o t b e co n s i d e red i f t he t es t co n d i t i o n s are b ey o n d t h o s enorrnal l} e x p e c t e d on a real d e m a n d .6. If the f a i l u r e is spurious and c o u l d not be repeated on an immediate second

test o r s u b s e q u e n t tests, i t c o u l d b e i n c l u d e d a s a p o t e n t i a l f a i l u r e but to a beste s t i m a t e it is not a fa i lure . In the same way, e v e n t s which are ins tant lyr e c o v e r a b l e are n o t i m p o r t a n t f a i l u r e s . This is of co u r s e a f u n c t i o n of thesuc c e ss c r i t e r i o n f o r t h e c o m p o n e n t in t e r m s o f t h e t i m e w i n d o w w i t h i n w h i c hit has to be o p e r a t i n g .1. F a i l u r e s c a u s e d by t h e t e s t s p e r f o r m e d as p a r t o f t r o u b l e s h o o t i n g a r e not validf a i l ur e s .8 . A n event only r e p o r t i n g a d e g r a d e d c o m p o n e n t s t a t e , e.g. f a i l u r e o f o n e a i r

start motor o f a d i es e l generator w h i c h h a s r e d u n d a n t a ir s t a r t m o t o r s , s h o u l db e careful ly exclu d ed f rom th e fa i lure ev en ts .G i v e n t h a t th e a bove g u i d e l i n e s h e l p ident i fy f a i l u r e e ve nt s , it is i m p o r t a n t alsoto c o n s i d e r h o w t o ident i fy c o m m o n c a use f a i l u r e e ve nt s . T h e f o l l o w i n g g u i d e l i n e s a res u g g e s t e d :

1. I f poss i bl e , a single causal r o o t m e c h a n i s m s h o u l d be i d e n t i f i e d as the cause oft h e m u l t i p l e fa i l ur e e v e n t .2. The t i m e p e r io d wi t h i n wh i c h th e f a i l u r e s c a n o ccu r is an i m p o r t a n t c o n c e r n .F o r s t a n d b y c o m p o n e n t s , th e f a i l u r e s m u s t o ccu r w i t h i n th e m i n i m u m t i m eb e t w e e n effect ive oppor t uni t i es to reveal the faults. F or o p e r a t i n g c o m p o n e n t st h e y m u s t occur w i t h i n the mission t i m e used for the PSA. Since the miss iont i m e is g en er a l ly co n s i d erab l y l o n g e r t h a n th e o p e r a t i n g t e s t t i m e f o r s t a n d b yc o m p o n e n t s such as p u m p s , special co n s i d era t i o n has to be g i v en to ev en ts t h a tinc lude d e g r a d e d states of c o m p o n e n t s . A j u d g e m e n t s h o u l d b e made as tow h e t h e r th e d e g r a d a t i o n is such t h a t i t m i g h t h a v e led to f a i l u r e w i t h i n th em is s io n t im e .3. Cascade f a i l u r e s a n d o t h e r d e p e n d e n c i e s w h i c h o r i g i n a t e f r o m b as i c d e s i g n

principles (e.g. funct ional d e p e n d e n c i e s re la te d t o p o w e r s u p p l y , s ignalexchange or to o t h e r explicitly m o d e l l e d auxil iary systems) , are not r e g a r d e d asC C F s .18


20/36

4 . M a n y f a i l u r e s a r e n o t m a n i f e s t e d a s m u l t i p l e , s i n c e m e a s u r e s a r e t a k e n top r e v e n t t h e m b e f o r e t h e y o ccu r . I n s o m e cas es th e f a i l u r e e v e n t h a s s u c h ac h a r a c t e r t h a t e v e n i f o n l y a s i n g l e f a i l u r e h a s a c t u a l l y occurred, th e onset o fth e s a m e f a i l u r e m e c h a n i s m w i t h th e s a m e cause m a y b e d e t e c t e d in o t h e ru n i t s . F u r t h e r m o r e , s e e m i n g l y i n d e p e n d e n t m u l t i p l e f a i l u r e s w h i c h occur closein t i m e c a n n o t a pr i or i b e re g arde d as fully i n d e p e n d e n t . S u c h f a i l ur e s s ho u ldb e i d e n t i f i e d as p o t e n t i a l C C F s . This category can e v e n i n c l u d e c o m p o n e n t s ind e g r a d e d c o n d i t i o n w h e n e v e r t h e y o c c u r in c o n j u n c t i o n wi t h a c t u a l f a i l u r e s ina d e p e n d e n t fa sh i on , as d i sc usse d und e r 2.5. Th e aim of the analysis is to i d e n t i f y all r e l e v a n t C C F e v e nts w h i c h involvei d e n t i c a l c o m p o n e n t s w i t h i n e a c h p l a n t . C o n s equ en t l y , t he an al ys i s n e e d not , ap r i o r i , b e l i m i t e d to r e d u n d a n t c o m p o n e n t s w i t h i n a single s y s t e m . I t i s ,ho wev er , exp ected tha t the e v i d e n c e of C C F s involving i de nt i c a l c o m p o n e n t sw i t h i n d i f f e r e n t s y s t e m s ( i n t e r c o m p o n e n t - i n t e rs ys t em CCFs) wi l l b e r a t h e rw e a k . A l s o , m o s t P S A s to d a t e hav e n ot i n c l u d e d i n t e rs ys t em CCFs.

G i v e n a set of f a i l u r e e v e n t s , b o t h single a n d m u l t i p l e , t h e C C F p r o c e d u r er e q u i r e s t h e m to be i n t e r p r e t e d f o r t h e i r C C F p o t e n t i a l .M o s l e h e t a l. (1988, 1989), se c t i on 5 , proposed d i s c u s s i n g CCFs u s i n g th e

concepts o f r o o t c a u s e s , c o u p l i n g m e c h a n i s m s a n d d e f e n s i v e m e c h a n i s m s . T h i ssuggests a causa! p i c t u r e of f a i l u r e wi t h th e identification of a root cause , a m e a n s byw h i c h th e r o o t c a u s e is m o r e i n c l i n e d to i m p a c t o n a n u m b e r o f c o m p o n e n t ss i m u l t a n e o u s l y (thec o u p l i n g ) , an d t he f a i l u r e of the d e f e n c e s ag ai n s t s u ch mu l t i p l ef a i l u r e s . T h i s c o n c e p t h as b e e n d e v e l o p e d t o s o m e d e g r e e as a m e a n s o f p r o v i d i n gg u i d a n c e f o r e v e n t i n t e r p r e t a t i o n ( P a u l a an d P a r r y , 1990).

F a i l u r e C a u s e sI t is r eco g n is ed t h a t t h e d e sc r i p t i on of a f a i l u r e in t e r m s of a single "cause" iso f t e n to o s i m p l i s t i c . F o r e x a m p l e , f o r s o m e p u r p o s e s i t ma y be q u i t e a d e q u a t e toi d e n t i f y t h a t a p u m p fa i led b e c a u s e o f h i g h h u m i d i t y . B u t t o u n d e r s t a n d , i n a d e t a i l e dw a y , th e p o t e n t i a l f o r m u l t i p l e f a i l u r e s , it is ne c e ssa r y to i d e n t i f y f u r t h e r w h y t h eh u m i d i t y w as h i g h and why i t affected the p u m p (i .e., it is ne c e ssa r y to i d e n t i f y th eu l t i m a t e c a u s e o f f a i l u r e ) . There a r e m a n y d i f f e r e n t p a t h s b y w h i c h t h i s u l t i m a t e

c a u s e f o r f a i l u r e c oul d b e f o u n d . A n d t h e s e q u e n c e o f e v e n t s t h a t c o n s t i t u t e ap a r t i c u l a r f a i l u r e p a t h , o r f a i l u r e mechan i s m, i s n o t ne c e ssa r i l y s i m pl e . A s an a i d t ou n d e r s t a n d i n g f a i l u r e m e c h a n i s m s , th e f o l l o w i n g co n cep ts a re p r o p o s e d :A p r o x i m a t e cau s e t h a t is associated w i t h a f a i l u r e e v e n t i s a c h a r a c t e r i z a t i o nof th e c o n d i t i o n t h a t is readi ly ident i f iable as l e a d i n g to the f a i l u r e . In the a b o v ee x a m p l e , h u m i d i t y c o u l d b e i d e n t i f i e d a s t h e p r o x i m a t e c a u s e . T h e p r o x i m a t e c a u s e ina se nse can be r e g a r d e d as a s y m p t o m of the f a i l u r e cause, and i t do e s not in i tselfn eces s ar i l y p r o v i d e a f u l l und e r s t a nd i ng of wh a t l e d t o t h a t c o n d i t i o n . A s s u c h , i t mayn o t , in g e n e r a l , b e t h e m o s t u s e f u l c h a r a c t e r i z a t i o n o f f a i l u r e events f o r t h e p u r p o s e s

o f i d e n t i f y i n g a p p r o p r i a t e c o r r e c t i v e a c t i o n s .T o e x p a n d th e d es cr i p t i o n of the causal c h a i n o f ev en ts resul t ing in the fa i l ur e ,it is u s e f u l to introduce the concepts of condi t ioning events and t r igger events. Theseconcepts are i n t r o d u c e d as an aid to a systematic review of e v e n t data and are

19


21/36

p a r t i c u l a r l y u s e f u l i n a n a l y z i n g c o m p o n e n t f a i l u r e s f r o m e n v i r o n m e n t a l causes. B u t i tis n o t a l w a y s n e c e s s a r y o r c o n v e n i e n t to c o n s i d e r b o t h c o n c e p t s .A c o n d i t i o n i n g e v e n t i s a n e ve nt w h i c h p r e d i s p o s e s a c o m p o n e n t t o f a i l u r e , o r

increases its suscept ibi l i ty to f a i l u r e , b u t d o e s not of i tself c a use f a i l u r e . I n t hep r e v i o u s e x a m p l e ( p u m p fa i led b e c a u s e o f h i g h h u m i d i t y ) , t h e c o n d i t i o n i n g e v e n tcould h a v e b e e n fa i lure o f m a i n t e n a n c e p e r s o n n e l to p r o p er ly sea l t h e pump c ont rolcabinet following m a i n t e n a n c e . T h e effect of the c ondi t i oni ng e v e n t is latent, but thec o n d i t i o n i n g e v e n t is in this, and in m a n y o t h e r cases, a n eces s ar y c o n t r i b u t i o n to thef a i l u r e m e c h a n i s m . A trigger event is an e v e n t wh i c h activates a f a i l u re , or in i t ia testhe t r an s i t io n to the fa i led sta te, w h e t h e r or not the fa i l ur e i s r ev ealed a t the t i m e th et r ig g er event occurs . A n e v e n t wh i c h led to h i g h h u m i d i t y in a r o o m (and s u b s e q u e n te q u i p m e n t f a i l u r e ) w o u l d b e such a t r i gge r ev en t . A t r i gge r e v e n t t h e r e f o r e is ad y n a m i c f e a t u r e of the fa i l ur e m e c h a n i s m . A t r i g g e r e ve nt , pa r t i c u l a r l y in the case o fC C F events, is usually an e v e n t external to the components in quest ion.

It is not always necessary, or even possible, to uniquely define a condit ioningevent and a t r igger e v e n t for every type of fa i lure . H o w e v e r , th e concepts are usefulin t h a t the y focus on the ideas of an i m m e d i a t e cause, and subsidiary causes, w h o s ef u n ct i o n is to increase susceptibil i ty to failure, given th e a p p r o p r i a t e e n s u i n gcondit ions. S o m e examples of the use of these concepts are given in T a b l e I .

T h e n e x t c o n c e p t of interes t is t h a t of the "root cause". The root cause.fol lowing Gano (1987), is the basic reason or rea sons w h y t h e c o m p o n e n t ( s ) fail , an yof w h i c h , if corrected, w o u l d p r e v e n t r e c u r r e n c e . T h e ident i f icat ion of a r o o t cause,therefore , can be seen to be t ied to the imp le me nta t io n of defences.A s s hown in Table I , the root caus e may be a t r igger event ( second event inth e table) or a condit ioning e v e n t (third event ) . It is clear from Events 1 and 4 in

Table I that m a n y proxi ma t e causes ( m o i s t u r e a nd v ib r a t io n ) are i n d e e d onlysymptoms of the root cause, and that the proximate causes do not in themselvesprovide a full u n d e r s t a n d i n g o f what led to t h a t condit ion. A ll too of t e n , investigationsof fai lure occurrences (and t h us t h e event descriptions in fa i lure repor t s a nd i n databases) d o n o t determine th e root causes o f failures, e v e n t h ough t h i s d e t e r m i n a t i o n iscrucial fo r judgi ng th e a d e q u a c y o f de f e nc e s against t h e s e fa i lures.

Coupling Factors and M e c h an is m sF o r fai lures to become mult iple fai lures f r om th e same c a use , t h e c ondi t i ons

have to be c onduc i ve for the t r igger e v e n t and/or th e condit ioning events to affect allth e components simultaneously. T h e m e a n i n g o f simultanei ty in this context is thatfa i lures occur close enough i n t im e to lead to inabili ty o f r e d u n d a n t components toperform th e mission required o f the r ed u n d an t s ys tem o f w hi ch they are a part. It isconvenient to def i ne a set of coupling factors. A coupling factor is a characteristic ofa g r o u p of components or piece parts that identifies t h e m as susceptible to the samecausal mechanisms of failure. Such factors include similarity in design, location,environment, mission and operational, m a i n t e n a n c e , and test procedures. These, insome references, have been r e f e r r e d t o a s exa mpl es of a c oupl i ng mec h a ni sm, butbecause t h ey really identify a potential for c ommon susceptibility, it is preferable tothink of these factors as factors which h e l p d ef i n e a potential common causecomponent group.20


22/36

T A B L E I E X A M P L E S T H A T I L L U S T R A T E C O N C E P T S U S E F U L I N A N A L Y Z I N G C C F s (Paula and Parry , 1990)

Failure E v e n t Proximate Cause Thgger Event Condi t ioning Event Root Cause1 A p u m p fails to runbecause of moisturein t h e p u m p controlcabinet2 A design e r r or is

such that u n d e r realdemand condi t ions ac om p one nt fails toperform i ts funct ion(component had suc-cessfully performedit s function duringtesting)3a Following a mainte-nance act,a compo-nent f a i l s Th e f a i l -ure is eventuallyattr ibuted to an errorin th e maintenanceprocedure3b Following a mainte-nance act, a compo-

nent f a i l s Th e f a i l -ure is eventuallyattr ibuted to a slipon the part of themaintenance crew4 A p u m p shaft failsbecause of the c u m u -lative effect of highvibration, resultingf r o m an instal la t ion

C o r r o s i o n f r o mmoisture or highh u m i d i t y

Design error

E ven t leading to theoccurrence of high humidi ty( e g , steam leak in p u m pr o o m )Design error

M aintenance error M aintenance ac t

Maintenance error M aintenance act

Failure to properly seal thecontrol cabinet followingma i nt e na nc e

N o n e

Lack of attention duringm a i n t e n a n c e and/ordeficiency in the writ tenproceduresE rro r m design realizationand failure to realize thatproof testing was notadequately simulating realdemand conditions

E rro r or ambiguity m Error or ambiguity inmaintenance procedure maintenance procedure an dinadequate training

Inadequate t raining and lackof attention during mainte-nance

Inadequate t raining an d lackof motivation

Vibration Cumulative exposure of thep u m p to the excessivevibrationInstallation error Inadequate t raining ofinstallation crew and defi-c i e nc y i n i nst a l l a t i onprocedures

ro


23/36

I n f a c t , i t i s q ue s t i ona bl e w h e t h e r i t i s necessary to ta lk a b o u t a c oupl i ngm e c h a n i s m as an en t i t y s e p a r a t e f rom th e f a i l u r e m e c h a n i s m . W h a t i s i mpor t a nt i s t oident i fy th e specific f e a t u r e s of the coupl ing factors t h a t lead t o a s i m u l t a n e o u si m p a c t on the c o m p o n e n t s i n t h e gr oup. T h i s is a f u n c t i o n of h ow t h e t r i gge r a ndco ndi t io ning event s a re i n t r o d u c e d at the system o r c o m m o n c a u s e c o m p o n e n t g r o u plevel. So , f o r example , in the four e xamp le s discussed in Table I :1. M o r e than one p u m p m ay f a i l if the conditions of high humidity exist inm o r e than o ne co nt ro l cabinet . However , fo r this to h a p p e n , all controlcabinets have to be susceptible to moisture int rusion, and they also h a v eto be located in a similar e nv i ro nme nt . Fo l lo wing f rom the p re v io usexample , if t h e r e w e r e a condit ioning e v e n t of fai l ing to seal th ecabinets properly , it would have to have occurred in m o r e t h a n o necabinet, and in addition, the t r igger event causing the high h umi di t ywo uld have to affect the cabinets simultaneously (within o u r d ef in i t io nof s i mul t a ne i t y ) , for t h e r e to be a CCF. T h i s i mpl i e s a c o m m o n d o m a i nof i n f l ue nc e of the source of the t r i gge r e v e n t an d the co n d i t io n in g

event .2. C o m p o n e n t s of the same design in a similar usa ge will all fail on ac o m m o n d e m a n d if t h e r e is a fa tal design e r r o r . T h e t r i gger e v e n t (thedesign e r r o r ) is c o m m o n to all c o m p o n e n t s in the g r o u p , and isin t roduced simultaneously into the group.3. There are m a n y w ays a m a i n t e n a n c e r e l a t e d e r r o r can propagate toaffect th e system, d e p e n d i n g o n h o w i t arose. F or e xamp le , a basic e r r o rin the p r o c e d u r e wo u ld systematically affect all crews, n o m a t t e r w h e n

they carry ou t maintenance. T h e conditioning event (i.e., th e p r o c e d u r a lerror) i s co mmo n to a l l crews. O n t h e o t h e r h a n d , ambigui ty in thep r o c e d u r e m ay resul t in one crew adopting an al ternat ive approachconsistently, n o m a t t e r w h e n they perform th e maintenance . T h eambigui ty in the p r o c e d u r e re p re se nts a condi t ioning event ; th e triggere v e n t is the part icular maintenance activity in which the crewmisinterprets and misapplies the procedures. In this case, th e crew actsas the a g e n t int roducing th e fai lure. H o w e v e r , th e fai lure m ay still notbecome a C C F unless th e c r e w pe r f or ms th e m a i n t e n a n c e o n r e d u n d a n tequipment close e n o u g h in t ime with re sp e ct to opportunities fo rdiscovery of the e r r o r (the f requ en cy of m a i n t e n a n c e is g r e a t e r t h a n th ef req uenc y of the ap p ro p ria te tests) .Slips or errors m a d e during maintenance (Event 3b in Table I ) areunl ikely to be sources of CCFs unless m a i n t e n a n c e i s p e r f o r m e d onseveral r e d u n d a n t components during a short t ime interval. If this w e r eth e case, it w oul d be a coupling i n t roduc ed by t h e specific w aymaintenance is p e r f o r m e d .

4. A common, systematic, installation error could lead to simultaneoushigh levels of degradation. The coupling of fai lures is introduced intoth e s ys tem thr o u g h a conditioning event , and is activated by the t r iggerevent .

22


24/36

W h a t is clear is t h a t t h e w a y t h e p o t e n t i a l f or co u p l in g is a c t i va t ed va r i es forth e d i f f e r e n t co n d i t i o n i n g an d t r i g g er e v e n t s . In addi t ion, i t i s c l ea r t h a t i t is not easyto separate th e co nce p ts o f the co u p l in g a n d f a i l u r e m e c h a n i s m ; c o u p l i n g can o c c u r atall points of the cau s al c h a i n to some degree or other.D e f e n c e sCCFs can be p r e v e n t e d by a variety of defences. A de f e nce can operate top r e v e n t th e occurrence of fa i lures. A n example re la ted to the first event in Table Iwo uld be to e n s u r e tha t control cabinets are ade quate ly protected agains t humidi ty b ya qual i ty co nt ro l (QC) of the seals. This is e q u i v a l e n t to ens ur ing th e h a r d e n i n g of thec o m p o n e n t s , and is a defence against potential condit ioning e v e nts . Another exampleof a d e f e n c e t h a t a t t e m p t s to prevent the occurrence of fai lures is the training ofm a i n t e n a n c e staff to e n s u r e c orrec t in te r p r e ta t io n o f p r o c e d u r e s . T h e co u p l in g fac to r sare not being directly affected by t h e s e tw o defenc es .A n o t h e r a p p ro a c h to d e f e n d against C C F s is to decouple fai lures ( as opposed

to p r e v e n t th e o c c u r r e n c e of fa i lures) by effectively decreasing the similarity ofc o m p o n e n t s and t h e i r e n v i r o n m e n t in s ome w ay that p r e v e n t s a par t icular ty pe offa i lu r e cause from affecting al l components simultaneously an d allows m o r eo p p o r tu n i ty fo r det ec t i ng f a i l u res b e f o r e t hey a p p e a r in all c o m p o n e n t s of the g r o u p .F o r e x a m p l e , diversi ty in staff m ay p re v e nt multiple fai lures tha t resul t fromh u m a n - r e l a t e d m ain ten an ce e r r o r s . ( A l tho u g h i t wo u ld n o t n ecess ari ly r e d u c e th ef r e q u e n c y o f single fa i l ur e s f r om such errors . )T h e key t o successful mitigat ion and p r e v e n t i o n of CCFs is to u n d e r s t a n d h owth e p r i m a r y d e f e n c e s m i g h t fail. I n t h e examples considered previously, th e fol lowing

are p lausib le re aso ns w h y t h e fa i lures o ccu r r ed , in t e r m s of fai lure o f d efen ces .1. If the e r r o r w e r e that , at the design stage, i t was not envis ioned that ahigh h u m i d i t y condit ion might ar ise , the design review process w asp o ten t ia l ly def icient . O n t h e o t h e r h a n d , as a s s u m e d in Table I , thefa i lu r e m ay h a v e b e e n a fai lure to m ain ta in an a d e q u a t e b a r r i e r against

moisture i n t r u s i o n , g i v en t h a t i t w as realized t h a t such a barrier w a sne ce ssary .2. T h e des ign review process as a p r im ar y d efen ce and proof tes t ing as ase co ndary de f e nce we re deficient .3. Insuff icient o r i n a d e q u a t e t ra ining could have led to the condit ioning ofa part icular crew such t h a t they had a high l ikel ihood o f mak ing errors( E v e n t 3b in Table I ) . In another case ( E v e n t 3a in Table I) i t couldhav e b e e n a fa i l ur e i n t h e p r o c e d u r e s review p ro ce ss t h a t re sul te d infaul ty o r am b ig u o u s p r o c e d u r e s . In the case o f am b ig u o u s p r o c e d u r e s ,t ra i n i ng can be a secondary defenc e . A n e r r o r resul t ing from ambiguousp r o c e d u r e s can t h e r e f o r e be r e g a r d e d as resul t ing from a fa i lure of twod efen ces , the p r o ced u r es r ev iew an d t ra i n i n g .4. The QC process d u r i n g ins tal lat ion was d ef i c i en t , allowing aninstallation er ror to go undetected. The installation error in itself w asth e res ul t of i n a d e q u a t e t ra ining of the installation crew and deficienciesin procedures.

23


25/36

For t h e p u r p o s e s o f discussion, a new se t of g e n e r a l de f e ns i ve tactics ared e f i n e d below. They are to be regarded as g e n e r a l tactics i m p l e m e n t e d to d e c r e a s eth e l i ke l i h ood o f c o m p o n e n t o r system u n a v a i l a b i l i t y . M a n y of the desc r i p t i ons areadapted f r om S m i t h et al . (1988).B a r r i e r sP e r s o n n e l Training

Qu al i ty C o n t r o l

R e d u n d a n c y

P r e v e n t i v e M a in te n a n c e

M o n it or in g , S urvei l l a nc eTesting, and Insp e ct io n

Procedures R e v i e w

Diversi ty

A n y p h y s i c a l i m p e d i m e n t t h a t t e n d s to c o n f i n eand/or restr ic t a pot e nt i a l l y d a m a g i n g co n d i t io n .A p r o g r a m m e to e n s u r e t h a t th e o p e r a t o r s an dm a i n t a i n e r s a re fa m i l i a r w i t h p r o c e d u r e s an d ar eable to follow t h e m d u r i n g all co n d i t io n s o foperat ion .A p r o g r a m m e to e n s u r e t h a t th e product is inco n fo r m an ce wi t h t h e d o c u m e n t e d d e s i g n , a n d t h a tit s o p e ra t io n an d m a i n t e n a n c e take p lace accordingto a p p r o v e d p r o c e d u r e s , s t a nda rds , a nd r eg u la to r yr e q u i r e m e n t s .A d d i ti o n a l, ident ical , r e d u n d a n t c o m p o n e n t s a d d e dto a system for the p u r p o s e of increasing th el ikelihood t h a t th e n u m b e r o f c o m p o n e n t s r e q u i r e dto pe r f or m a given function will survive e xp o sure toa gi ve n cause of fa i lure .A p r o g r a m m e of applicable and effectivep r ev en t iv e m ain ten an ce tas k s des i gned t o p r e v e n tp r e m a t u r e failure or degradat ion of components .M o n ito r in g v ia a lar m s , f r e q u e n t tests, and/orinspect ions so t h a t fai lures f rom an y detectablecause a re not al lowed t o a c c umul a t e . T h i s includesspecial tests p e r f o r m e d o n r e d u n d a n t c o m p o n e n t sin re sp o nse to obse~ved fa i lures.A review of operational, maintenance, andcal ib ra t io n/ te s t p ro ce dure s to el i mi na t e inco rre c tor inappropriate act i o n s that could result inc o m p o n e n t o r system unavailabil i ty.The u s e o f totally d i f fe r e n t a p p r o a c h e s to achie v eroughly th e s a m e results ( f unc t i ona l divers i ty) o rthe use of d i f fe r e n t types of e q u i p m e n t ( e q u i p m e n tdiversity) to perform th e same function. E q u i p m e n tdiversity can be co nside re d i n t erms ofconstruction, physical characteristics, applying thisapplying this concept. Diversity is a tactic t h a tspecifically addresses C C F s .

Cause-Defence MatricesThe analysis of the generic data can be used to construct cause defencematrices to record th e insights gained. A n example matr ix is sho wn in Tables I I and

I I I , taken from Paula an d Parry (1990). The construction of such matrices for all24


26/36

T A B L E I I . A S S U M E D I M P A C T O F D E F E N S E S O N S E L E C T E D F A I L U R E M E C H A N I S M S F O R D I E S E L G E N E R A T O R S(Paula a nd Pa rry , 1990)Selected Defenses Against Root Causes

General Adnunjstrattvc/Proccdural Cootrob

Selected FailureMechanisms

for Diesel Conguratioo Maintenance Operating TestGenerators Control Procedures Procedures Procdures

Specific M aintenance/Operation PracticesDrain W f c t e r Corrosion Serviceand Sediment Inhibitor WaterGovernor from in Chemistry

Overbad Fuel Tanks Coolant Control

Design Features

Air DryersO QAir StartCompressors

Dust Coverswith Scaboo Relay Fud TankCabinets Drains

RoomCooknCorrosion products m a i r s t a r tsvsiemDust on iei.ivcontactsG o v e r n o r out ofa djust m entW a t e r s e d i m e n t int u e lC o r r o s i o n i nj a c k e t c o o l i n gs v s t e mI m p r o p e r l i n e u p ofc o o l i n g w a 1 e rvalvesA q u a t i c o r g a n i s m sin servi c e w a t e rH i g h room te r nperaiu^eI m p r o p e r l ube oi lp r e s s u r e t n p s e tpoi ntA i r s t a r t s v s i e mva l ved outF u e l s u p p l y v a l v e sl e f t closedFuel l i n e blockag-*A ir S ia r t r e c e i v e rl ea ka g eC o r r e c t ive m i ni t n i n e e o n \ \ r i nJ i e s U ^ L n ^ r n >r


27/36

T A B L E I I I . A S S U M E D I M P A C T O F D E F E N S E S O N S E L E C T E D C O U P L I N G M E C H A N I S M S F O R D I E S E L G E N E R A T O R S(Paula and Parry, 1990)

SelectedFailure Mechanisms forDtad Generator!

Selected Defenses Against CouplingDivenity Barrier 'Icsling and Maintenance Policy

Functional Equipment Staff SpatialSeparationRemoval of Crocs-ties(or Impkmentatioa ofAdministrative Controls) Staggered Testing StaggeredMaintenance

Corrosion products inair start systemDust on relay contactsGovernor ou i olajusi-mentWfcter/sediment m f u e lCorrosion in jacketcooling s y s t e mImproper lineup ofcooling w a t e r valvesAquatic organisms mservice waterHigh room temperatureImproper lube oil pres-sure trip setpomtA ir start system valvedou tF u e l supply valves l e f tclosedFuel l i n e blockageA jr start receiverleakageCorrective maintenanceon w r o n g d i e s e lg e ne r a t o r


28/36

c o m p o n e n t s is v e r y t i m e c o n s u m i n g , bu t p r o v id es a systematic w a y o f r e c o r d i n g th eins ights and also a g u i d e fo r f u t u r e s tu d ies as to w h a t f e a t u r e s to look for in thed e f e n c e s at a p l a n t to assess the p o t e n t i a l fo r CCFs. T h e c a u s e - d e f e n c e i n f o r m a t i o n isq u a l i t a t i v e : a solid s q u a r e ( ) r epres ents a s t r o n g de f e nce , a n open circle ( o )r e p r e s e n t s a relat ively w e a k d e f e n c e , and a dash ( -) r e p r e s e n t s n o d e f e n c e .A n e x a m p l e of p r a c t i c a l i m p l e m e n t a t i o n of the cause -de f e nce m a t r i c e s and ofaccount ing for the influence of de f e nce s is presented in H i m a n e n et al. (1989).

4.3.2.2. E v e n t R e i n t e r p r e t a t i o nT h e process o f e v e n t r e i n t e r p r e t a t i o n to co n s t r u ct th e p s e u d o p l a n t specificd a t a base involves i d en t i f y i n g w h e t h e r th e tr igger and/or c ondi t i oni ng e v e n t s t h a to c c u r r e d at the initial p l a n t could also o ccu r at the target plant , and to t ry to assessw h e t h e r th e q ua l i t y o f the d e f e n c e s at the t a rget p lant a re such t h a t the y w o u l dp r e v e n t th e t r i gger an d c ondi t i oni ng e v e n t s from o ccu r r in g s i mul t a neous l y , o r w h e t h e r

they w o u l d b e more likely to resul t in mult iple fa i lures. This is clearly very subjectiveand d e p e n d e n t on the quali ty of the data base available . H o w e v e r , th e process itself isw o r t h w h i l e because of the i n c r e a s e d u n d e r s t a n d i n g o f C C F mechanisms it a f for d s .

4.3.2.3. C h o i c e of Data B a s eIn M o sl eh et al. (1988, 1989) th e r e c o m m e n d e d data base i s the N uclearP o w e r E x p e r i e n c e (NPE) ( S . M . S t ol l er - continuously u p d a t e d ) . H o w e v e r , t h i s choiceis largely based o n U S n u c l e a r plant experience and may not be the most a p p r o p r i a t e

data s ource to use. In c ount r i es such as F r a n c e a n d S w e d e n , w h i c h h a v e t h e i r o w ndata collection schemes, these data sources m a y b e m o r e a p p r o p r i a t e . N e v e r t h e l e s s ,t h e N P E data base is g en er a l ly avai lable, and m ay b e the only s ource . I n this case ithas to be u s e d careful ly, recognizing t h a t t h e r e m a y b e inte rnal inconsistencies, fo rexample th e c o m p o n e n t b o u n d a r y defini t ions m a y b e different at d if fe r en t plants . I tdoes h o w e v e r p r o v i d e a s p e c t r u m o f fa i lure mec h a ni sms a nd significant qual i ta t iv einsights , e v e n i f the q u a n t i t a t i v e es t i ma t es are subject to la rg e u n c e r t a i n t y .

4.3.2.4. Parameter E s t i m a t i o nS ect ions 3.3.3.3 t h r o u g h 3.3.3.5 in M o s le h et al. (1988, 1989)de scr ib e how-e v e n t i n t e r p r e t a t i o n a nd re i n t erpre t a t i on c a n be s u m m a r i z e d in t e r m s of i m p a c tvectors. Section 3.3.3.4 in particular demonstrates how adjustments can be m a d e toth e impact vec tor to account for any difference in size b e t w e e n t h e C C F g r o u p in theinit ial plant , w h e r e t h e e v e n t o c c u r r e d , and the ta rg e t p lant . This a d j u s t m e n t is madeindividual ly for e a c h e v e n t . T h e s u m m a t i o n over each of the c o m p o n e n t s of theimpact vector, provides th e final p s e u d o plant specific data base in t e r m s of then u m b e r n k of e v e n t s in which k components failed. These values are then used inth e parameter es t imators discussed in section 4.1. T h e re sul t s o f a P S A m a y b esensit ive to the p ar t icular f e a t u r e s o f the a d j u s t m e n t s c h e m e c h o s e n . A l te r n a ti v eschemes to that proposed in M o sle h et al. (1988, 1989) can be def ined. A practicalw ay of studying th e uncer ta in t ies as s ociated w i t h this issue is to carry ou t sensit ivitystudies of the assumptions m a d e in this context.

27


29/36

4.3,3. Generic Parameter EstimatesI f the resources are not a va i l a bl e to p e r f o r m the more detailed CCF analysisdiscussed in section 4.3.2, or if i n d e e d there is i n s u f f i c i e n t data, th e onl y a l t e r n a t i v e isto use generic p a r a m e t e r es t imates . This is not g e n e r a l l y r e c o m m e n d e d as it does no tp r o v i d e an y insight into w h a t p r e c a u t i o n s could b e t a k e n , o r d e f e n c e s i m p l e m e n t e d a tth e p l a n t to imp ro v e safety. W h a t i t w o u l d provi de is a m e a n s o f inco rp o ra t ing , into

th e est imate of c o r e d a m a g e f r equ en cy, a m e a s u r e of some ( i l l - d ef in ed ) industryaverage C C F potent ia l .There are various sources available, but one of the most useful is F l e m i n g andM o sle h (1985). T h i s d o c u m e n t p r o v i d e s gener i c es t i ma t es , a l t h ough t h e s e sh oul d b eu s e d with care, as they are av e rag e d over fa i l ur e mo de . The y are a l so based o n ap a r t i c u l a r i n t e r p r e t a t i o n o f his tor ical e v e nts . H o w e v e r , t h e r e p o r t d o e s i nc l ude b r ie fdescriptions of all the mul t i p l e fa i lure events t h a t w e n t into mak ing the es t imates , an d

these a re use fu l for a c ompa r i son w i t h t h e t a r g e t p l a n t . I t s ho u ld b e r e a l i z e d t h o u g htha t , because th e single events are not de scr ib e d , re inte rp re t ing th e e v e n t s asdescribed above can only lead to a decrease of the c o m m o n cause factors.I n m a n y cases, it can be arg ue d tha t , for those c o m p o n e n t s for wh i c h little orno data is available, their fai lure probabil i t ies or fa i lure ra tes sho uld be low and the yare no t l ikely to be s ignif icant c ont r i but ors to core d a m a g e f r e q u e n c y , and acons ervat ive gener ic b e t a factor of 0.1 is likely to be a d e q u a t e . H o w e v e r , there m ayb e cases where an e n g i n e e r i n g assessment is necessary to sup p o rt lo we r n u m b e r s .

5 . ANALYSIS OF RESULTST h e resul t s o f a c o m m o n cause analysis may, at one e x t r e m e , be essent ial lyquantitative, co nst i tut ing e s t imate s o f c o m m o n cause fai lure p ro b ab i l i t i e s b a s e d o n

generic parameter es t imates . A t the o the r e xt re me , the quan t i ta t iv e analysis issupported b y an in-de p th quali tat ive analysis which p ro v ide s the o p p o rtuni ty toident i fy p o t e n t i a l w e a k n e s s e s in the plant defenc es against the occurrence o f mult ip lefai lures.I t has to be recognised that the estimation o f t h e C C F m o d e l p a r a m e t e r s has,associated with it, considerable unce r ta inty . T h e detai led analysis p r o p o s e d in M o sle het al. (1988, 1989) is d e p e n d e n t on a data base, which m ay have s ubs tant ia lde f ic ie ncie s , and re qui re s the analyst t o m a k e j u d g e m e n t s as to the cause ,applicability, and i m p a c t of the historical events. It is e sse nt ia l that the results of theP S A b e qual i fied to recognize th is uncerta inty. A forma l approach to qualifying th e

estimates of core d a m a ge f req uenc y is to construct a distr ibution of the CCF failureprobabilities, wh i c h covers all sources of u n cer ta in ty , but part icularly t h a t ofinterpreting the event reports and propagate t h a t u n c e r t a i n t y through the analysis inthe usual way.A general approach to doing this is outlined in section 3.3.4.4 ofMosleh et al. (1988, 1989). This is a very complex analysis if t h e r e are a large n u m b e rof historical events to be analyze d . The propagat ion of u n c e r t ai n ty , p e r f o r m e d in thisw a y , would be useful for qualifying the analysts' confidence in the bottom-line result,28


30/36

core damage f r e q u e n c y , b u t p r o v i d e s l i t t le i n f o r m a t i o n o n t he s i g n i f i can ce o f t here l a t i ve co n tr ib u t io n s , an d , in p r ac t ice suc h a d e ta i led u n cer ta in ty an alys is has n o tbeen p e r f o r m e d . Some s h o r t cut m e t h o d s w e r e d i sc usse d in Mosleh et al. (1988,1989). T h e signi f icance of the contr ibut ions of basic e v e n t s is g en er a l ly assessed byu s i n g p o i n t estimates w h i c h a r e m e a n v a l u e s o f t he pr oba bi l i t y d i s t r i b u t i o n s o n thesee v e n t p r o b ab i l i t ies . It is i m p o r t a n t to p e r f o r m sensit ivi ty an alys es on t h e v a l u e of theCCF p ro b ab i l i t i e s to h a v e s o m e feel ing for the possible range o f imp o rtance o f the i rc o n t r i b u t i o n .

It is genera l l y a g r e e d t h a t co mmo n cause fa i lure probabil i t ies r e p r e s e n t , atm o s t , typical ly a fac to r of 0.2 of the single c o m p o n e n t fa i l ur e p r o b ab i l i t ies and this,t h e r e f o r e , w o u l d be a rea sona bl e w or s t case s cen ar io . T h e b e st case sc ena r i o i s t h a tt h e c o m m o n cause fa i l ur e p r o b ab i l i t ies are zero. T h i s sensi t ivi ty case w o u l d give am e a s u r e of the m a x i m u m p o s si b le i m p r o v e m e n t .I f the P S A i s to b e used to identify areas for p lan t i m p r o v e m e n t , t h e n one hasto r a n k th e v a r i o u s C C F t e r m s a lo n g w i t h o ther can d id ates . I t has to be r e m e m b e r e dt h a t t h e C C F f a i l u r e pr oba bi l i t y m a y b e a n c h o r e d to a s ingle c o m p o n e n t f a i l u re

probabil i ty t h a t h as b e e n o b ta ine d f rom a d i f f e ren t source t h a n t h e C C F m o d e lp a r a m e t e r s . F o r e xamp le , using th e a lp ha factor mo de l , the Q t m ay have b e e no b t a i n e d f ro m p l a n t specific da t a , a n d t h e a l p h a factors from a g e n e r i c data so urcesuch as N P E . T h u s t h e C C F c o n t r i b u t i o n m a y b e r e d u c e d b y dec rea s i ng Q, as w e l l asby d e c r e a s i n g t h e a l p h a factors.H a v i n g es tab l is hed tha t t h e r e ar e s o m e c a n d i d a t e s f o r p l a n t i m p r o v e m e n t , ithas to be d e c i d e d w h a t i m p r o v e m e n t i s p o s s i b l e o r effect ive . The qu al i ta t iv e an alys esp e r f o r m e d in s u p p o r t of q u a n t i f i c a t i o n will clearly be of h e l p in t h i s proc ess .H o w e v e r , it is s o m e w h a t l imited in t h a t it is based on the historical eventsonly. Ideal ly , the lessons l ear n t f r om th e review should b e g e n e r a l i z e d to t ry to bem o r e c o m p l e t e in assessing pot ent i a l wea knesses i n t h e plant defences, and h e n c ep o t e n t i a l fixes. C lear ly , h o w e v e r , an analysis based on using g e n e r i c p a r a m e t e r v a l u e swil l p r o v i d e l i t t le i n p u t to th is a spec t of the analysis of the results.

6. P R A CT I CA L CONSIDERATIONS6.1. INTRODUCTION

There a re s o m e p r act ica l co n cer n s tha t arise when ap p lyin g t h e m e t h o d o l o g yof M o sl eh et al. (1988, 1989). T h e r e is a general concern a b o u t th e mo de l l ing of highr e d u n d a n c y systems which is discussed in section 6.2. The discussion is split into tw oparts; th e first co nce rns systems of high r ed u n d an cy, the sec ond systems of ul tra highr e d u n d a n c y , w i t h m, t h e d e g r e e o f r e d u n d a n c y , in the o r d e r of 5 or h i gh er . Anotherconcern, associated wi t h th e ident i f icat ion o f C C F component groups is discussed insection 6.3. W hile s o m e of this material is contained in M o sle h et al. (1988, 1989), itis included h e r e to give i t greater prominence .

29


31/36

6.2. MODELLING OF HIGH R E D U N D A N C Y SYSTEMS6.2.1. Cut S et Proliferation

T h e first c onc ern raised h e r e is t h a t of the p r o l i f e r a t i o n of c ut sets, and itsi m p a c t on the solution of the system f a u l t t rees . A d o p t i o n of the a l p h a factor , o r basicp a r a m e t e r m o d e l , i m p l i e s t h a t e ach basic event associated w i t h a m e m b e r o f t h e C C Fc o m p o n e n t g r o u p is effec t ively subst i t u t e d by a n u m b e r of basic e v e n t s d e p e n d i n g o nth e d e gr e e of r e d u n d a n c y . So, for a system of r e d u n d a n c y 3 ( r e p r e s e n t e d b y A , B , C )each basic e v e n t f o r A , say, is subst i tuted by

A I + CAB + CAC + CABCin the language of M osleh et al. (1988, 1989). For a system of r e d u n d a n c y 4, eachbasic event is replaced by 8 basic events and so on.

This incre ase s th e size o f the t r e e considerably an d can lead to p r o b l e m s w i t hits sol ut i on . There are at least tw o a p p r o a c h e s to solving this p r o b l e m . T h e f irst is top e r f o r m th e model solution without inclusion o f c o m m o n cause f a i l u re t e rms, andt h e n to p e r f o r m cut set subs t i t u t i on an d r em in im al iza t io n . A ma j or c o n c e r n here ist h a t th e original solution should not be p e r f o r m e d with a cut-off va l ue t h a t is tooh i gh , so t h a t th e components o f interest could dis appear f rom the mo de l .

A n o t h e r approach is to include only that term of the m o d e l which affects allth e c o m p o n e n t s or t h e ma xi mum n u m b e r k ( k < m ) required fo r fa i lure by t h e systemsuccess criterion, t h a t is to p er fo r m th e subst i tut ion Q, + Q m or Q, + J^ Qj only.

i=k

This should not be confused with th e beta factor mo de l , as the p a r a m e t e r s areevaluated taking into account th e events of different multiplicity as discussed insection 4. This approach is only valid if it can be assured that this global commoncause t e rm real ly does do minate . This may b e diff icult to establish a p r io r i . Fo rexample, for a simple 1 out of 3 system with only o n e c o m p o n e n t p e r t ra in, it requiresdemonstrating that

Q3 3 Q! Q2F or m or e than one c o m p o n e n t p e r train the equat ion clearly b e c o m e s m o r ecomplicated, requiring all combinations of component cut sets to be taken intoaccount , as in the following equat ion

3Q1(i ).Q2(j)

wh i c h may be use d to c o m p a r e with Q3 0). The supersc r i p t (i) r u n s o v e r allcomponents in the train mo de l , a nd ( j ) i ndexes t h e CCF c o m p o n e n t group of inte re s t .

Care has to be taken, however , that before performi ng such an a prioriestimation th e correct expression for the success criterion is used, and that the CCF30


32/36

c o m p o n e n t g r o u p really do e s display the s y m m e t r y that is a s s u m e d . S o m e questions o fs y m m e t r y are discussed in s ec t i o n 6.3.Whichever o f these a p p r o x i m a t i o n s is made, i t h a s t o b e p e r f o r m e d wi t h careas the above discussions show.

6.2.2. Ultra High Redundancy SystemsS o m e sy s t ems hav e a very large n u m b e r o f co mp o ne nts f o r which c o m m o ncause f a i l ur e m a y b e a c onc ern . Case s o f interest comprise e.g. p r e s s u r e rel ief valves ,co nt ro l rods and fine mo tio n drives, scram modules (Swedish reac tors ) . A surv e y o fS w e d i s h PSAs h as been m a d e with t h e p u r p o s e o f clarifying th e approaches (i.e.a s s u m p t i o n s , data , qu an t i f i ca t i o n m e t h o d s ) u s e d . I nc orrec t extr ap o la t io n s o f simple

parametric m e t h o d s h a v e b e e n observed in several cases. A ppl i c a t ion of a n e x t e n d e dC o m m o n L o a d ( C L ) m o d e l has b e e n recent ly propos ed as a solution to this problem( M a nk a m o an d K oson en, 1988).T h e p r o b l e m s differ with changing success cri teria . F or example , the successcri ter ia m a y b e such that a large n u m b e r o f components must fail to cause loss of thef u n c t i o n . This i s t r u e fo r the d ep r es s u r iza t io n funct ion i n G E B W R . O n e p r o b l e m ist h a t n o data exists fo r v ery la r g e n u m b e r s o f s i m u l t a n e o u s fai lures , h e n c e an a p p r o a c h

based o n t he alpha f a c t o r o r basic parameter m o d e l s is faced w i t h th e problem o fzero e v e n t s f o r t h e p a r a m e t e r s o f in te r es t . T h e p a r a m e t e r v a l u e s h a v e t h e n t o b ebased o n e n g i n e e r i n g j u d g e m e n t . There seems t o be little p o i n t i n d e v e l o p i n g a m o d e lin this case that has any m o r e t h a n a total c o m m o n cause fai lure t e r m Q, and h e n c eonly the c a t a s t roph i c , l e t h a l c o m m o n cause fa i lure t e r m is of inte re s t . E s t i m a t i n g th eproba bi l i t y o f this t e r m sh oul d involve a det a i l ed u n d e r s t a n d i n g o f the way the s ys temis engineered and o p e r a t e d . A n e x a m p l e i s given in section 6.3.3.

O n t h e o t h e r h a n d , th e success criteria m a y b e such t h a t failure o f a relativelysmall number of the components l e a d s to loss of the f u n c t i o n (e.g. control rod drivem e c h a n i s m s in B W R s ) . I n th is case th e a ssumpt i on o f a global c o m m o n cause t e r mm a y b e subs t a nt i a l l y non-c onse r va t i ve due to the c ombi na t or i a l f a c t or s associated w i t hth e l ower o r d e r t e r m s . A re aso nab le a pproa c h is to simplify th e m o d e l to includeC C F e v e n t s w h i c h r e p r e s e n t fa i l ur e s of 2, 3, 4 and all the c o m p o n e n t s .

6.3. C C F COMPONENT GROUPS - B R E A K I N G T H E S Y M M E T R YThree examples , tak e n f rom ( u n id en t i f ied ) P S A studies and s o m e w h a ts implif ied are used to i l lustrate the im p o r tan ce o f inter facing wi t h th e systemsa na l y s t s a nd sy s t ems engi neers t o ensure a n a ppropr i a t e ident i f icat ion o f C C Fc o m p o n e n t groups, and inclusion of subgroups in the model to incorporate th e effectsof asymmetr ies .

6.3.1. Example 1 - Functional AsymmetryT he f irst example is that o f a two u n i t B W R plant with f our diesel generators,but only t h r e e emergency service w a t e r ( E S W ) p u m p s . E a c h diesel g e n e r a t o r feeds aspecific emergency bus, and the ESW pumps are fed from three specific buses. U n d e r

31


33/36

normal c i r c u m s t a n c e s , w i t h c o m p l e t e s y m m e t r y , o n e w o u l d p r o b a b l y a r g u e t h a t , g i v e nthat o n e diesel generator is adequate f o r b o t h u n i t s , o n l y th e common cause f a i l u r e o ff o u r die se l g e n e r a t o r s n e e d s to be m o d e l l e d . H o w e v e r , if only th e t h r e e d ies e lgenerators associated w i t h th e E S W p u m p s fail, th e e m e r g e n c y o p e r a t i n g p r o c e d u r e sdi rec t th e o p e r a t o r s to c o n n e c t th e four t h di e se l t o one of t h e o t h e r buse s , t o a ssure asupply of cooling w a t e r for that diesel g e n e r a t o r and the o t h e r cooling loads. T h u s , ifth e m o d e l is to include this i m p o r t a n t opera tor action, it is necessary to m o d e l alsoth e c o m m o n cause f a i l ur e of the specific three diesels . W i t h o u t un d e r s t a n d in

Diesel Generator Failure

Documents

Transcript of Diesel Generator Failure