Nuclear Engineering and Design 340 (2018) 229–239
A success-oriented analysis technique for operational risk supervision in seaborne nuclear power plants
Jun Yang a, Xinyu Dai b, Wanqing Chen c, Ming Yang a, Wenlin Wang d,⁎
a School of Electric Power, South China University of Technology, 381 Wushan Road, Guangzhou 510640, PR China
b Key Laboratory of Fundamental Science on Nuclear Safety and Simulation Technology, Harbin Engineering University, 145 Nantong Street, Harbin 150001, PR China
c China Ship Development and Design Center, 268 Zhangzhidong Road, Wuhan 430064, PR China
d School of Automation, Wuhan University of Technology, 122 Luoshi Road, Wuhan 430070, PR China

Keywords: Human error; Operational risk supervision; GO-FLOW; NPPs

Abstract
The paper presents a success-oriented analysis technique for operational risk supervision in sea-borne nuclear power plants. The feasibility and acceptability evaluation of an operational sequence is demonstrated through two hierarchical case studies: (1) high-level operational risk evaluation of an emergency operating procedure for small-break LOCA; (2) low-level reliability monitoring of an example residual heat removal system with due consideration of human actions. The studies show that the success-oriented analysis technique is applicable to operational risk supervision and reliability monitoring of integrated sequences of operator actions. Human error or system malfunction can be identified and avoided through reliability- and performance-based pre-assessment and comparison.
⁎ Corresponding author.
E-mail addresses: [email protected] (Y. Jun), [email protected] (D. Xinyu), [email protected] (C. Wanqing), [email protected] (Y. Ming), [email protected] (W. Wenlin).
https://doi.org/10.1016/j.nucengdes.2018.09.030
Received 19 June 2018; Received in revised form 4 September 2018; Accepted 22 September 2018
0029-5493/ © 2018 Elsevier B.V. All rights reserved.

1. Introduction

As the demand for energy to drive offshore oil and gas exploration in remote oceans grows, great attention is being drawn to the development and application of sea-borne nuclear power plants (http:// can.ca, 2018). The spreading idea is to integrate a nuclear reactor into a shipyard or a floating platform for multiple purposes, i.e., for electricity generation, propulsion or desalination of sea water. Recently, Russia launched its first floating nuclear power station on the Baltic Sea (http://arstechnica.com, 2018). China is also working towards a nuclear-powered propulsion fleet of vessels that could provide power to oil rigs and offshore islands, or travel to disaster-struck areas for rescue (https://www.po;sci.com, 2018). The advancement of nuclear technology could bring nuclear maritime propulsion into more widespread use. Nuclear power is particularly suitable for powerful maritime propulsion systems that need to head out to sea for long periods without refueling. Meanwhile, safety is of great concern in the operation of naval reactors under harsh sea conditions. With the development of advanced nuclear technology and the continuous improvement of equipment reliability, human error has become one of the most important factors leading to incidents or accidents. Reports (Watson, 2018; Dhillon, 2018; Doe-hdbp, 2009) suggest that over 70% of incidents or accidents in nuclear power plants were caused by human error. The proportion is even higher in marine nuclear reactors because: (1) the safety facilities and the level of automation on nuclear ships are not as abundant and advanced as those of land nuclear power stations, owing to space constraints; (2) manual interventions by main control room operators are required to maintain safe operation of marine nuclear reactors when an abnormal condition occurs; (3) plant personnel suffering from high mental pressure and workload on a long voyage may be more prone to omissions or improper operations. In the worst case, there may be no proper standard operating procedure (SOP) for the main control room operators to follow, particularly under extremely unfamiliar environmental conditions. When the worst happens, main control room operators have to take more flexible actions to keep the naval reactor seaworthy. Therefore, continuous monitoring of the operating status of nuclear power systems and equipment, together with evaluation of the impact of operator actions on system performance, plays an important role in the safe operation of sea-borne nuclear power plants. It must be demonstrated that any operator manual actions are feasible and reliable. Note that the term 'sea-borne nuclear power plants' is used throughout the paper to distinguish them from conventional land nuclear power plants. Task completion strongly depends on human factors and performance (human reliability) in nuclear power plants. Work on human reliability analysis started in the 1950s (Eduardo Calixto, 2016). Since Swain and Guttmann (NRC, 1975) proposed the first human reliability method in the nuclear industry in 1975, a great deal of research has been carried out to address human error problems (Boring, 2012; Bell and Holroyd, 2009; Adhikari et al., 2008; Forester et al., 2006). The development of human reliability methods is often considered to have gone through three stages. THERP (Technique for Human Error Prediction) (Swain and Guttmann, 1983) is the representative method of the first stage (1970–1990), when attention was mostly given to human operational errors and the human error probability. The second generation of human reliability methods (1990–2005) (Lois et al., 2008), e.g., CREAM (Cognitive Reliability and Error Analysis Method) (Hollnagel, 1998) and ATHEANA (A Technique for Human Error Analysis) (NRC, 2000), sharpened the focus on human performance shaping factors (PSFs) and the cognitive processes of detection, understanding, decision and action. The third phase (2005 to the present) (Gertman et al., 2005; Boring, 2007; Wallace and Ross, 2006) continues the study of human PSFs at a deeper level. Third-generation human reliability analysis methods such as SPAR-H (Gertman et al., 2005) and Bayesian networks (Mkrtchyan et al., 2015) concentrate on the study of human interactions based on simulation and measurement of human performance in a real main control room environment. In general terms, human reliability analysis is aimed at the analysis of cognitive processes and behaviors, human error mechanisms and human error probabilities, etc.

In this paper, a success-oriented GO-FLOW analysis technique is presented for reliability and risk evaluation of safety instrumented systems, incorporating operational human performance in response to normal or abnormal conditions in sea-borne nuclear power plants. The GO-FLOW method (Matsuoka and Kobayashi, 1988) is a system analysis technique that can easily handle time-dependent and phased mission problems. It represents the system event/action sequence with consecutive time points. System reliability under different phased missions can be characterized and calculated from the input–output relationships of GO-FLOW operators and signals. In addition, the GO-FLOW method is capable of availability analysis that accounts for aging effects and maintenance activities (Okazaki et al., 2006). GO-FLOW also supports common cause analysis, uncertainty analysis, sensitivity analysis and importance analysis (Matsuoka and Kato, 2012; Matsuoka and Kobayashi, 1989a; Matsuoka and Kobayashi, 1989b; Matsuoka and Kobayashi, 1997; Matsuoka, 2010; Fan et al., 2016). The purpose of the study is to identify, through operational risk supervision or system reliability monitoring, the potential human errors that are easily introduced in sea-borne nuclear power plants. Sea-borne nuclear power plants place more emphasis on operators' manual interventions for coping with unexpected safety-critical situations, especially situations without a proper operating procedure. Operational risk/reliability supervision is therefore considered in its implementation both with and without the support of procedural guidance. The operational risk and feasibility evaluation conducted in the study is mainly aimed at providing safety validation and assurance for the flexible operator manual actions that are more likely to occur at sea-borne nuclear power plants.

Human error recognition and operators' risk awareness of their to-be-implemented actions can be achieved and enhanced on the basis of the risk and feasibility evaluation of the operational sequence by GO-FLOW. The human action sequence is modeled by time-dependent events and signals in the GO-FLOW method to represent an implementation-specific function. The concept of system risk/reliability and performance-based monitoring is applied to detect malfunction or mis-operation in the system operational sequence. For clarity, the relationships among the terms reliability, feasibility and availability are defined. Feasibility refers to the possibility that operator manual actions can be made, achieved or are reasonable (Kolaczkowski et al., 2007). Reliability is the ability of an item to perform its required functions under stated conditions for a specified period of time (Rausand and Hoyland, 2004); it is a measure of how long the item performs its intended functions. Availability is a measure of the percentage of time the item is in an operable state; it represents the capability of an item to conduct its required functions when called upon, given that it is not failed or undergoing a repair action. The terms reliability and feasibility are used interchangeably in the paper to assess the likelihood of human error and human performance for a given task. The effects of human errors on system performance and availability are accounted for in operational risk supervision. The rest of the paper is organized as follows. Section 2 first introduces the fundamentals of the GO-FLOW methodology; the applicability and suitability of the GO-FLOW method for reliability evaluation of operator manual actions are also discussed there. The process of operational risk assessment is illustrated by an emergency operating procedure for small-break LOCA in Section 3. Section 4 demonstrates the feasibility and reliability evaluation of the impact of human manual actions on system performance with an example residual heat removal system; a strategy of pre-assessment and comparison of system mission reliability changes is also presented there to focus human error recognition. Finally, conclusions are given in Section 5.
2. GO-FLOW methodology

The GO-FLOW methodology (Matsuoka and Kobayashi, 1988) is a semi-dynamic system analysis technique that evaluates system performance from a success-oriented point of view. The GO-FLOW method is capable of modeling fault detection, maintenance activities and human actions (Matsuoka and Kato, 2012). In addition, a GO-FLOW model is able to take into account all possible functional modes/states that a component may experience in its life cycle, e.g., operating, standby, failure, maintenance and test (Jun et al., 2014). A GO-FLOW model can be constructed directly from system schematics. GO-FLOW modeling elements consist of GO-FLOW operators and signal lines. A GO-FLOW operator represents a function of a component or a logical relation. The definitions of GO-FLOW operators and signal lines are summarized in Table 1. As shown in Table 1, fourteen GO-FLOW operators are defined in the GO-FLOW method, grouped into three categories: (1) Functional GO-FLOW operators, used to represent the functions or possible functional modes of a physical component, e.g., failed on or failed off for a pump or a valve. (2) Logical GO-FLOW operators, used to represent the system's logical relations. (3) Signal generators, representing a source signal such as a power source or a water source. GO-FLOW operators are connected by signal lines, along which signals flow throughout the system. As shown in Table 1, signal lines are also classified into three types: (1) main input signal; (2) sub-input signal; and (3) final signal. A signal represents a physical quantity or information. A physical quantity, such as water flow in a tube or current in a wire, flows along the main streaming signal line, while the information carried by a sub-input signal line has multiple meanings, such as a control or trigger signal, a time delay or a time duration, etc.

Table 1. Operators and signal lines in the GO-FLOW method (adapted from Matsuoka and Kobayashi, 1988). The label drawn in each operator's symbol is given in parentheses.
Functional GO-FLOW operators:
Type-21 Operator (21): Operator for a Two State Item
Type-24 Operator (24, DIF): Difference Operator
Type-26 Operator (26): Operator for Normally Closed Item
Type-27 Operator (27): Operator for Normally Open Item
Type-28 Operator (28, DLY): Operator for an Item with Delay Impact
Type-35 Operator (35): Operator for an Item with Ageing Effect (Operating Failure)
Type-37 Operator (37): Operator for an Item with Ageing Effect (Standby Failure); Failure of an Item in Closed State
Type-38 Operator (38): Operator for an Item in Preventive Maintenance
Type-39 Operator (39): Operator for an Item with Opening and Closing Action
Type-40 Operator (40): Phased Mission Operator
Logical GO-FLOW operators:
Type-22 Operator (22, OR): OR Gate
Type-23 Operator (23, NOT): NOT Gate
Type-30 Operator (30, AND): AND Gate
Signal generator:
Type-25 Operator (25): Signal Generator
Signal lines:
Main Input Signal: Physical Quantity (Probability of Signal Existence)
Sub-input Signal: Information (Trigger Signal, Time Interval, etc.)
Final Signal: End Point of the Streaming Signal

A GO-FLOW model may have one or more final signals. A final signal is the end point of the streaming. The interpretation of a signal covers both the actual and the potential existence of a physical quantity. The probability of signal existence is represented by intensity in the GO-FLOW method: intensity is the probability that the physical quantity or information exists for the system mission. The modeling element 'time point' is introduced in the GO-FLOW method to describe the system operational sequence. Through the definition of time points, sequential missions or tasks towards fulfillment of the system goal can be modeled by the GO-FLOW method. The GO-FLOW modeling and analysis process involves the following activities. (i) System GO-FLOW modeling. Functional analysis, together with establishment of the system success criteria, is conducted before GO-FLOW modeling. The system structure model is then built by choosing the appropriate GO-FLOW operators according to the types of components of the target system. For example, a type-21 GO-FLOW operator is used to represent a two-state component. A normally closed item is represented by a type-26 GO-FLOW operator, and a type-27 GO-FLOW operator denotes a normally open item. A type-39 GO-FLOW operator is used to model the function of an 'on-off' component. The selected GO-FLOW operators are connected by signal lines on the basis of the system's functional and structural logical relations, so the GO-FLOW chart is consistent with the system flowchart. All possible system states can be included in one GO-FLOW chart with multiple final signals. The system operational sequence is characterized by consecutive time points; the number of time points is defined according to the user's needs, and the sequence of operations or actions is marked by these consecutive time points. (ii) GO-FLOW model and parameter setting. Reliability data are incorporated into the GO-FLOW model via parameter settings on the GO-FLOW operators. The GO-FLOW model and parameter settings take into account both equipment reliability data and human reliability data, specifically including source signals, probability of failure on demand, operating failure rate, time interval and human error probability, etc. (iii) GO-FLOW analysis. GO-FLOW analysis can be carried out directly with the GO-FLOW software package. The GO-FLOW analysis tool integrates a fast fault tree analysis algorithm to obtain a high calculation speed (Matsuoka, 1986). (iv) Result analysis. System reliability or availability can be obtained directly from quantitative GO-FLOW analysis. Both the success probability and the failure probability of the system operational sequence, with time stamps, can be obtained in one computer run. The qualitative GO-FLOW analysis results need to be further processed to obtain the minimal cut set information for system failure, though the processing procedure is somewhat complicated. In general terms, quantitative analysis results can be applied directly to system reliability/availability monitoring, and the system performance and safety status can be monitored by a reliability/availability curve.

In this paper, the GO-FLOW method is applied to evaluating the impact of human manual actions on the integrity of system function and safety. For the demonstration of operational risk supervision, the applicability and effectiveness of the GO-FLOW methodology rest on the following features. (1) The success-oriented idea of the GO-FLOW method fully matches the goal-directed behaviors for mission achievement. (2) The capability of the GO-FLOW method in dealing with phased mission problems and time-dependent effects makes it suitable for reliability modeling and analysis of task and action response during the operation of a nuclear power system. (3) Human actions or behaviors can be easily modeled and captured through the switch action and parameter setting of a functional GO-FLOW operator. (4) GO-FLOW allows user definition of time points, which can be used to describe the system operational sequence and to support reliability and risk monitoring of a nuclear power system by day, month or year. (5) The technique of online GO-FLOW model modification and requantification proposed in Jun et al. (2014) provides fast model update and calculation, which forms the basis for online reliability and risk monitoring of nuclear power systems. (6) The impact of operator actions on system performance can be estimated from the magnitude of value changes in system reliability/availability monitoring. When a significant change occurs in system reliability/availability, main control room operators should be aware of the risk of potential human errors; in that case, plant personnel need to be very careful in implementing their actions.

The paper concentrates on operational risk assessment and supervision associated with manual missions in sea-borne nuclear power plants. Two case studies are considered for operation supervision: (i) operational risk evaluation of a mission sequence at the plant level; (ii) system reliability monitoring of a manual action sequence at the system level. In either case, any task that involves human actions must be feasible and reliable. The feasibility and acceptability of manual actions are justified with GO-FLOW modeling and analysis in the study. The feasibility evaluation and supervision of the plant-level task sequence and the system-level action sequence are presented in Section 3 and Section 4, respectively.

3. Operational risk evaluation of task sequence for small-break LOCA

In this section, a case study of operational risk evaluation of a task sequence according to a standard operating procedure is demonstrated with the GO-FLOW method. A standard operating procedure (IAEA, 2006) is a series of well validated documents consisting of step-by-step information on how to execute a task, by which main control room operators can confidently maintain the nuclear power plant in a safe status. In general terms, main control room operators in nuclear power plants must comply with the sequence of operations set in the standard operating procedure under all circumstances; any operation violating the regulations is considered an undesirable mis-operation. The focus of this section is plant-level risk evaluation of the integrated sequence of safety system operations and manual missions. A simplified task sequence is taken from the emergency operating procedure (EOP) for Small-break Loss of Coolant Accident (Small-break LOCA) to illustrate the risk evaluation of a procedural operation sequence with the GO-FLOW method.

Fig. 1. Task analysis of emergency operating procedure for small-break LOCA.
3.1. Task analysis of EOP for small-break LOCA

Small-break LOCA is a design basis accident for a nuclear reactor, mainly caused by stress during the normal operating mode of the nuclear power system (NEA, 2009). The Small-break LOCA considered in the study refers to a cold-leg piping break with an equivalent diameter ranging from 9.5 mm to 50.8 mm (Aksan, THICKET2008, 2008). When a small-break LOCA occurs, the primary pressure decreases with the break area and the emergency core cooling system (ECCS) is then activated to pump water into the reactor. In the event of a small-break LOCA, the critical safety functions involved in the mitigation activities include reactivity control, reactor coolant system integrity, reactor core cooling, decay heat removal, containment integrity and radioactivity control. These critical functions are fulfilled by the following safety systems and features: primary coolant system, secondary loop system, safety injection system, residual heat removal system and safety-related operator actions, etc. If a small-break LOCA is diagnosed and confirmed in the nuclear power system, safety systems and the associated manual operations must be put in place promptly in response to the abnormal event. Operator manual actions are implemented with reference to the standard operating procedure (SOP). The task analysis of the emergency operating procedure (EOP) for small-break LOCA is depicted in Fig. 1. The emergency operating procedure is condensed into a hierarchical graphical presentation so as to reduce the tedious burden of reading the procedure manual and to improve the operator's understanding of the mission tasks. In the emergency operating procedure for small-break LOCA presented in Fig. 1, the hierarchical graphical presentation is divided into tasks, sub-tasks and steps. The task layer describes the purpose of the operating procedure; the final plant states can be deduced from implementation of the standard operating procedure under given initial trigger conditions. Safety functions or operations on systems that must be fulfilled during implementation of the standard operating procedure are described by sub-tasks. Each sub-task is broken down into steps, and the step-by-step actions on specific system components are described in detail in the bottom layer. GOTO statements can be used among correlated operations on the same layer.

When the initial state or condition is satisfied, operations can be carried out step by step according to the standard operating procedure originally designed for accident mitigation. A high-level task is accomplished upon completion of all lower-level sub-tasks and their constituent steps, and the plant status and system status are determined on the basis of task and sub-task accomplishment. Note that the operational sequence analysis of small-break LOCA conducted in this study is mainly directed at the tasks and sub-tasks of safety/system functions and the operator actions they involve. The sub-tasks achieved through detailed action steps are decomposed in more detail in system operational reliability evaluation and monitoring. For example, in sub-task 10 of the safety relief system, plant operators need to open the safety valves Y05 and Y07 to achieve emergency core cooling by coolant filling and discharging after a cooling failure occurs in sub-task 3. The series of steps to be implemented to achieve sub-task 10 is grouped in a dashed box as shown in Fig. 1, which can be further considered and modeled in system-level operational reliability monitoring. The other sub-tasks with their constituent steps are handled in a similar manner, e.g., operational reliability supervision of the residual heat removal system (see Section 4). The system-level operational evaluation results can in turn be integrated as inputs to the plant-level operational risk assessment. To help main control room operators distinguish the missions in different layers, the plant initial condition, task, sub-task and step are denoted with different color coding: a task is marked orange, a sub-task light green and a step light blue, while the system initial state and final state are highlighted light purple and yellow, respectively.

The operation status of every task, sub-task and step is defined with two states, success (S) or failure (F). The status bar is activated with color highlights when the task, sub-task or step terminates: a successfully completed task, sub-task or step is illuminated green and a failure is lit red. The plant system status is regarded as failure when there are sub-tasks and/or steps not implemented, or not fully implemented, before the end of the task. The successfully implemented sequences of steps are formulated as success scenarios that lead to the safe plant state. In the task analysis of small-break LOCA shown in Fig. 1, four scenarios are generated in bold lines for the successful event response. Since the operational risk evaluation in the study is conducted from a success-oriented point of view, more attention is paid to the success scenarios that move towards the safe plant state of cold shutdown than to failure paths leading to core damage in the task analysis of the EOP for small-break LOCA. Elaborated failure scenario analysis and other associated task analyses are therefore not emphasized in Fig. 1, but could be added if needed. For example, a misdiagnosis in sub-task 2 may guide the plant operators to the entrance of the EOP for Steam Generator Tube Rupture (Task 2) or the EOP for large-break LOCA (Task 3). Likewise, failure of sub-task 4, safety injection control, could lead to a transition to the EOP for large-break LOCA.
3.2. Operational risk model of EOP for small-break LOCA

The success criterion for mitigation of a small-break LOCA is whether the reactor can be brought into a cold shutdown state. The four successful scenarios leading to the safe cold shutdown state, elaborated from the task analysis of the emergency operating procedure for small-break LOCA, are modeled by the GO-FLOW chart presented in Fig. 2. As shown in Fig. 2, the task analysis of the emergency operating procedure for small-break LOCA starts with abnormality detection in containment and ends with successful achievement of the plant cold shutdown state. The intermediate sub-tasks, involving operation of safety systems and operator manual actions, are modeled by the event headers listed at the top of Fig. 2. Note that the order of the event headers at the top of Fig. 2 does not reflect the exact temporal functional dependencies between sub-tasks. The number marked on a GO-FLOW operator is the signal number. The GO-FLOW model takes into account the effects of both system reliability/availability and human manual errors. In this study, system reliability/availability and safety performance are monitored by the combination of a type-25 GO-FLOW operator and a type-21 GO-FLOW operator: system reliability/availability analysis results obtained at a lower level are imported into the operational sequence model (see Fig. 2) through the type-25 operator, and the type-21 operator represents the system behaviors and the system reliability/availability level under particular missions. Human operation supervision is handled in the same way as system reliability/availability monitoring: for human operational reliability supervision, a type-25 GO-FLOW operator is used with a type-21 GO-FLOW operator to simulate, respectively, the manual control signal and the operator manual action.
The parameter Pg defined in the type-21 GO-FLOW operator of the GO-FLOW model denotes the probability that a safety system successfully fulfills its function or that the main control room operators correctly perform an action.

3.2.1. Definition of time points

Implementation of the emergency operating procedure for small-break LOCA allows the nuclear reactor to be brought into a safe cold shutdown state through four possible success scenarios. In actual situations, the development of the operational sequence is highly dependent on the state of the reactor at the time, and the time sequences of the possible route paths generated in response to a small-break LOCA are relatively independent of each other. In this study, we use $T_{ij}$ to represent the time sequence of events that occur along the scenarios, where the subscript $i$ ($i = 1, 2, 3, 4$) is the number of the success scenario and $j$ ($j = 1, 2, 3, \ldots$) denotes the number of the time point defined for each success scenario. The time points defined for scenarios 1, 2, 3 and 4 are presented in Tables 2–5, respectively. It should be noted that the order of the time tags for occurrence of events along a scenario's sequence is only a relative concept and does not represent real time progress; the chronological order of signal outputs associated with actions or events holds only within the particular scenario shown in Tables 2–5.
Fig. 2. GO-FLOW model of EOP of small-break LOCA.

Table 2. Time points defined for Scenario 1.
Time point | Signal number | Sub-task event
T11 | 1 | Initial state
T12 | 2 | Abnormity detection in containment
T13 | 4 | Notify main control room operators
T14 | 7 | Confirm the event of small-break LOCA
T15 | 11 | Open the relief valve in pressurizer
T16 | 14 | Safety injection control
T17 | 27 | Success of residual heat removal
T18 | 30 | Tank water level monitoring for recirculation cooling
T19 | 36 | Isolation of safety injection water storage tank
T110 | 39 | Low pressure recirculation cooling

Table 3. Time points defined for Scenario 2.
Time point | Signal number | Sub-task event
T21 | 1 | Initial state
T22 | 2 | Abnormity detection in containment
T23 | 4 | Notify main control room operators
T24 | 7 | Confirm the event of small-break LOCA
T25 | 11 | Open the relief valve in pressurizer
T26 | 14 | Safety injection control
T27 | 28 | Failure of residual heat removal
T28 | 33 | Containment spraying
T29 | 30 | Tank water level monitoring for recirculation cooling
T210 | 36 | Isolation of safety injection water storage tank
T211 | 39 | Low pressure recirculation cooling

Table 4. Time points defined for Scenario 3.
Time point | Signal number | Sub-task event
T31 | 1 | Initial state
T32 | 2 | Abnormity detection in containment
T33 | 4 | Notify main control room operators
T34 | 7 | Confirm the event of small-break LOCA
T35 | 12 | Cooling failure
T36 | 17 | High pressure core injection
T37 | 21 | Open the safety valve in pressurizer
T38 | 24 | High pressure recirculation cooling
T39 | 33 | Containment spraying

Table 5. Time points defined for Scenario 4.
Time point | Signal number | Sub-task event
T41 | 1 | Initial state
T42 | 2 | Abnormity detection in containment
T43 | 4 | Notify main control room operators
T44 | 7 | Confirm the event of small-break LOCA
T45 | 12 | Depressure failure
T46 | 24 | High pressure recirculation cooling
T47 | 33 | Containment spraying

3.2.2. Reliability data for operational sequence analysis

Table 6 shows the reliability data (Ekanem, 2013) used for operational risk assessment of the EOP for small-break LOCA. The data are used only for a proof-of-concept demonstration of operational risk evaluation and supervision. In this study, the probability value Pg = 0.9999 is used for the reliability/availability estimation of the safety systems involved in the response scenarios. The feasibility and reliability monitoring of human manual actions related to system-level performance is illustrated in detail in Section 4.

The success probability of each scenario is the product of the probabilities of the sub-task events along its path:

$$P(\text{Scenario 1}) = \prod_{j_1=1}^{n_1} P_{1 j_1} = 9.1465173 \times 10^{-1} \quad (1)$$

$$P(\text{Scenario 2}) = \prod_{j_2=1}^{n_2} P_{2 j_2} = 9.1465173 \times 10^{-5} \quad (2)$$

$$P(\text{Scenario 3}) = \prod_{j_3=1}^{n_3} P_{3 j_3} = 2.7675825 \times 10^{-3} \quad (3)$$

$$P(\text{Scenario 4}) = \prod_{j_4=1}^{n_4} P_{4 j_4} = 2.7762018 \times 10^{-3} \quad (4)$$

where $n_1 = 10$, $n_2 = 11$, $n_3 = 9$ and $n_4 = 7$ respectively denote the total number of sub-task events that occur at specific time points ($j_1$, $j_2$, $j_3$ and $j_4$) along the successful scenario paths 1, 2, 3 and 4. Since the conditional correlations of event failure/success have been considered in the operational event sequence model, the probability of final success of reactor safe cold shutdown can be taken as the sum of the contributions of the success paths. The probability of the plant being successfully brought to a safe cold shutdown state is given as

$$P(\text{Cold Shutdown}) = \sum_{i=1}^{4} P_i(\text{Success Scenarios}) = 9.2028698 \times 10^{-1} \quad (5)$$

The corresponding risk of core damage for small-break LOCA in nuclear power plants is estimated as

$$P(\text{Core Damage}) = 1 - P(\text{Cold Shutdown}) = 7.9713021 \times 10^{-2} \quad (6)$$
The analysis results show that scenario 1 is of the highest success probability among all these four scenarios. Scenario 1 is the path by which all the sequential sub-tasks have been successfully implemented. The other three sequential paths are all completed with one of the step failed. For example at third step of task implementation, scenario 3 and scenario 4 are divided by the cooling failure and depressure failure, respectively. The success probability of route path 3 and 4 are very close to each other because of their similar operations on events. 4. Feasibility and reliability evaluation of operator manual actions
3.3. Risk evaluation of operational response scenarios Risk evaluation of operational response scenarios can be performed based on the operational sequence model and reliability data presented in Fig. 2 and Table 6. The success probability of each scenario at the end of time sequence is given as.
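The scenario probabilities of Eqs. (1)–(6) follow directly from the data in Tables 2–6, and the calculation is short enough to reproduce. The following Python script is an added example, not code from the paper or from a GO-FLOW tool; it multiplies the Table 6 success probabilities of the events listed for each scenario in Tables 2–5. Two modelling choices are assumptions of mine, made because they reproduce the printed figures to seven significant figures: the valve-opening steps (signals 11 and 21) carry the product of their type-25 control signal probability P(td) and their own Pg, and each failure branch (signal 28, failure of residual heat removal; signal 12, the cooling or depressure failure) is taken as the complement of the success branch it splits from.

```python
"""Operational risk of the small-break LOCA EOP: reproduce Eqs. (1)-(6).

Constructed example.  Signal numbers and probabilities are transcribed from
Tables 2-6 of the paper; the failure-branch rule is an assumption (see below).
"""
from math import prod

# Success probability Pg of each sub-task event, keyed by signal number (Table 6).
PG = {
    2: 0.9996,   # abnormity detection in containment
    4: 0.994,    # notify main control room operators
    7: 0.93,     # confirm the event of small-break LOCA
    11: 0.997,   # open the relief valve in pressurizer
    14: 0.999,   # safety injection control
    17: 0.9999,  # high pressure core injection
    21: 0.997,   # open the safety valve in pressurizer
    24: 0.9999,  # high pressure recirculation cooling
    27: 0.9999,  # residual heat removal system
    30: 0.999,   # tank water level monitoring for recirculation cooling
    33: 0.9999,  # containment spray system
    36: 0.995,   # isolation of safety injection water storage tank
    39: 0.9999,  # low pressure recirculation cooling
}
P_TD = 0.999995  # type-25 control signals 10 and 20 that trigger the valve-opening actions

# Success scenarios as ordered signal numbers (Tables 2-5).  Signal 1 is the initial state.
SCENARIOS = {
    1: [1, 2, 4, 7, 11, 14, 27, 30, 36, 39],
    2: [1, 2, 4, 7, 11, 14, 28, 33, 30, 36, 39],
    3: [1, 2, 4, 7, 12, 17, 21, 24, 33],
    4: [1, 2, 4, 7, 12, 24, 33],
}


def event_probability(signal: int) -> float:
    """Probability P_ij of one sub-task event along a scenario path.

    Assumption: a failure branch is the complement of the success branch it
    splits from.  Signal 28 (failure of residual heat removal) = 1 - Pg[27];
    signal 12 (cooling / depressure failure) = 1 - P(td) * Pg[11], i.e. the
    relief valve could not be opened.
    """
    if signal == 1:
        return 1.0                      # initial state, R(t) = 1
    if signal in (11, 21):
        return P_TD * PG[signal]        # valve opening needs its control signal
    if signal == 28:
        return 1.0 - PG[27]
    if signal == 12:
        return 1.0 - P_TD * PG[11]
    return PG[signal]


def scenario_probability(i: int) -> float:
    """Eqs. (1)-(4): P(Scenario i) is the product of P_ij over its n_i time points."""
    return prod(event_probability(s) for s in SCENARIOS[i])


def cold_shutdown_probability() -> float:
    """Eq. (5): the four success paths are disjoint, so their probabilities add."""
    return sum(scenario_probability(i) for i in SCENARIOS)


def core_damage_probability() -> float:
    """Eq. (6)."""
    return 1.0 - cold_shutdown_probability()


def most_influential_events(i: int) -> list:
    """Sub-task events of scenario i, least reliable first (the steps that cut
    the path probability the most)."""
    return sorted(SCENARIOS[i], key=event_probability)


if __name__ == "__main__":
    for i in SCENARIOS:
        print(f"P(Scenario {i}) = {scenario_probability(i):.7e}")
    print(f"P(Cold shutdown) = {cold_shutdown_probability():.7e}")
    print(f"P(Core damage)   = {core_damage_probability():.7e}")
    print("scenario 1, least reliable steps first:", most_influential_events(1))
```

Running the script prints the four scenario probabilities, the cold shutdown probability and the core damage probability. The `most_influential_events` ranking is a small extension of the paper's calculation: for scenario 1 it puts signal 7 (confirmation of the event by the operators, Pg = 0.93) first, the single step that dominates the success probability of the whole procedure.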
Table 6. Reliability data used for operational sequence analysis.
Number of GO-FLOW operator              Type of GO-FLOW operator   Parameter setting    Sub-task event
1, 3, 6, 13, 16, 23, 26, 29, 32, 35, 38   25                         R(t) = 1             Initial state
2                                        21                         Pg = 0.9996          Abnormity detection in containment
4                                        21                         Pg = 0.994           Notify main control room operators
7                                        21                         Pg = 0.93            Confirm the event of small-break LOCA
10                                       25                         P(td) = 0.999995     Control signal for opening relief valve
11                                       26                         Pg = 0.997           Open the relief valve in pressurizer
14                                       21                         Pg = 0.999           Safety injection control
17                                       21                         Pg = 0.9999          High pressure core injection
20                                       25                         P(td) = 0.999995     Control signal for opening safety valve
21                                       26                         Pg = 0.997           Open the safety valve in pressurizer
24                                       21                         Pg = 0.9999          High pressure recirculation cooling
27                                       21                         Pg = 0.9999          Residual heat removal system
30                                       21                         Pg = 0.999           Tank water level monitoring for recirculation cooling
33                                       21                         Pg = 0.9999          Containment spray system
36                                       21                         Pg = 0.995           Isolation of safety injection water storage tank
39                                       21                         Pg = 0.9999          Low pressure recirculation cooling

4. Feasibility and reliability evaluation of operator manual actions

In this section, an example safety system is presented to demonstrate the feasibility and reliability monitoring of human performance for task fulfillment. Malfunction or mis-operation is expected to be detected and recognized through a reliability-based pre-assessment and comparison strategy.

4.1. Example system

Fig. 3 shows the example system tailored for the demonstration of reliability monitoring of a manual action sequence. The system structure can be considered part of the residual heat removal system, which is used to complete the cold shutdown cooling process in sea-borne nuclear power plants. Decay heat is removed from the reactor by this structure. The structure consists of two residual heat removal pumps B and C, one heat exchanger F, two manually operated valves A and G, two check valves D and E, and the associated pipelines. The system is put into operation with control valves A and G manually opened in the first step. The primary coolant enters from the left main pipeline (hot leg). Following that, residual heat removal pump B is activated so that the heat is removed by heat exchanger F. After pump B has been working for a period of time (half an hour), residual heat removal pump C is manually turned on. The cooled coolant coming out of the heat exchanger is sent back to the cold leg of the reactor for recirculation.

Fig. 3. Example system.

4.2. GO-FLOW model of the example system

The corresponding GO-FLOW chart can be constructed directly from the flowchart of the example system structure, as shown in Fig. 4. In the GO-FLOW model, the primary coolant inflow is modeled by a signal generator (type-25 GO-FLOW operator). The type-26 GO-FLOW operator is used to represent the manually operated valves A and G. The type-39 GO-FLOW operator is used for modeling the open and close actions of residual heat removal pumps B and C. The two-state components, check valves D and E and heat exchanger F, are represented by the type-21 GO-FLOW operator. Operator manual actions and human error probability are modeled by the control signal (type-25 GO-FLOW operator used as a sub-input signal) connected to the manually operated components. Five time points are defined for the system operational sequence. T1 denotes the system initial state. Valves A and G are manually opened at time point T2. Following that, pump B is activated at time point T3. Half an hour later, pump C is turned on at time point T4. The system has been operating for another 24 h at time point T5. For successful operation of the system, at least one of the sequence lines must be put into operation to transfer the decay heat from the reactor. The procedural operations performed on the system components are organized in a series of steps, as shown in Fig. 5, to achieve the system function of residual heat removal. The sequence of operations in these steps can be attached upward to sub-task 5 of the emergency procedure for small-break LOCA (see Fig. 1). Table 7 shows the reliability data (Ekanem, 2013; T-book, 2005) used for the GO-FLOW analysis. The aging effects and the human factors are studied together for the operational performance of the example system. Note that a system availability analysis can also be obtained easily with the extensive inclusion of maintenance strategies and activities.

Fig. 4. GO-FLOW chart of the example system.

4.3. Feasibility and reliability evaluation of manual operational sequence

Three cases are considered for the feasibility and reliability evaluation of the manual operational sequence: (I) system operational analysis without consideration of human errors; (II) system operational analysis with consideration of possible human errors; (III) system operational analysis under the condition of human errors. The obtained analysis results are presented in Table 8 and Fig. 6. Here, it should be noted that system mission reliability is defined as the probability of successful completion of a particular mission by the system deployed under stated conditions. Phase failure detection and standby switchover can be involved in the system mission reliability
analysis. The basic system reliability is defined in this paper as the probability that the system completes its specified functions when only equipment failure is taken into account. The average reliability refers to the probability of performing the task in view of all aspects of potential failures that may lead to system failure. The basic system reliability analysis, the system average reliability analysis and the system mission reliability analysis correspond to the Case I, Case II and Case III analyses, respectively. Case I assumes that human performance is perfect, with a success probability of 1, so that only equipment reliability is considered. Case II considers the impacts of both equipment failure and human factors on system performance over the given missions. Case III implies actual system reliability monitoring in terms of real-time information on component status and system configuration. In Case III, a manual control signal (human error) is assumed to actually take place in the step for activating pump B at time point T3 during the system mission.

At the initial state, no action is performed on the system. The probability of the system being put into operation ahead of time is therefore identical for all three cases at time point T1. Thereafter, the trend of the system reliability in Case II is similar to that of Case I but with slightly lower values because of the additional possibility of human errors. At time point T3, the mission reliability obtained in Case III hits a low point compared with the value in Case II. In Case II, human errors occur with a probability somewhere between certain and impossible, while in Case III it is assumed that the system mission reliability model is updated with real-time observed equipment status information via the condition monitoring system. The status of the equipment is continuously monitored and verified upon the completion of every move or action made at each time point. When the action on a component is done, the certain state of the system components, either success or failure, is entered into the system reliability model. If the action of automatic control or operator manual control on a component is successful, the probability of that on-demand component becomes 1. Otherwise, demand failure is assigned a probability value of 0. In Case III, the human error of failing to open pump B is certain to occur, and a probability value of 0 is assigned at time point T3. That is why in Case III an apparently great variation is observed in the reliability curve over the specified mission profile. Meanwhile, the system reliability in Case III reaches the highest values among all three cases at time points T2 and T4 during the system operational mission. The reason for this phenomenon is that the subsequently confirmed successful open status of valves A and G and of pump C is updated with the certain value of 1 rather than a possible probability value for the real-time reliability calculation and monitoring. The slight decrease over the system operational period from time point T4 to T5 is due to aging failure for all three cases. At time point T5, the point value of the system reliability in Case III is slightly lower than the value of Case I. This is because the aging effects are partially compensated by the possible redundant line sequences in Case I, while in Case III the system is operated in a single sequence branch. The higher reliability value of Case I at time point T5 reflects the effectiveness of the redundancy design for system reliability improvement. As is evident in Fig. 6, the conditions of possible and certain occurrence of human failure assumed for Case II and Case III cause a great discrepancy, by which potential human errors are identified through the operational reliability supervision. The system degradation caused by operator malfunction can lead to a significant decrease in system mission reliability. Consistent reliability monitoring can be performed to support the impact assessment of human failures on system performance. In the meantime, human error can be detected and identified through comparison of the system mission reliability and the average reliability during the process of system reliability or risk monitoring.

Fig. 5. Sub-task implementation for residual heat removal.

Table 7. Reliability data used for GO-FLOW analysis.
Number of GO-FLOW operator   Type of GO-FLOW operator   Parameter setting          Task
1                            25                         R(t) = 1                   Initial state
2                            25                         P(t2) = 0.997              Incorrect operation on valve A (human error probability)
3                            26                         Pg = 0.9995                Valve A being successfully opened (demand success probability)
                                                        Pp = 0.000264              Valve A being opened in advance
4                            25                         P(t3) = 0.997              Incorrect operation on pump B (human error probability)
6                            39                         Po = Pc = 0.9998           Pump B being successfully turned on or off (demand success probability)
                                                        Pp = 0.00025               Pump B being turned on in advance
7                            25                         P(t4) = 0.5, P(t5) = 24    Pump B keeps operating for 24.5 h
8                            35                         λ = 5 × 10^-5 /h           Failure rate of pump B
9                            21                         Pg = 0.99998               Check valve D to be working normally (demand success probability)
10                           25                         P(t4) = 0.997              Incorrect operation on pump C (human error probability)
12                           39                         Po = Pc = 0.9998           Pump C being successfully turned on or off (demand success probability)
                                                        Pp = 0.00025               Pump C being turned on in advance
13                           25                         P(t5) = 24                 Pump C keeps operating for 24 h
14                           35                         λ = 5 × 10^-5 /h           Failure rate of pump C
15                           21                         Pg = 0.99998               Check valve E to be working normally (demand success probability)
17                           21                         Pg = 0.99999               Heat exchanger F to be working normally (demand success probability)
18                           25                         P(t2) = 0.997              Incorrect operation on valve G (human error probability)
19                           26                         Pg = 0.9995                Valve G being successfully opened (demand success probability)
                                                        Pp = 0.000264              Valve G being opened in advance

Table 8. Success probability obtained from system operational sequence analysis.
Time point   Case I: without consideration of human errors   Case II: with consideration of possible human errors   Case III: under the condition of human errors
T1           3.48426E−11                                     3.48426E−11                                            3.48426E−11
T2           4.99423E−04                                     4.96423E−04                                            4.99923E−04
T3           9.98771E−01                                     9.89812E−01                                            4.99923E−04
T4           9.98990E−01                                     9.92997E−01                                            9.99970E−01
T5           9.98988E−01                                     9.92988E−01                                            9.98771E−01

Fig. 6. Comparative analysis results of system operational sequence.

5. Conclusions

In this paper, a method for the feasibility and acceptability evaluation of system operational sequences is investigated from a success-oriented perspective. The operational risk assessment and the reliability evaluation of operator manual actions are illustrated by an emergency operating procedure for small-break LOCA and by an example safety system in sea-borne nuclear power plants, respectively. It is demonstrated that the GO-FLOW method is applicable to the feasibility and reliability evaluation of sequences of system operations and operator actions. The impacts of operator manual actions on system performance can be pre-assessed to determine whether the action to be implemented is feasible or reliable. The pre-assessment idea could be used to assist plant personnel with a timely reminder of the risk information associated with their actions. Preventive measures can be taken to mitigate the impacts of human failures on major risks. Operation supervision based on reliability or risk monitoring is effective for the avoidance of improper actions that would violate system safety.
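The Case I, II and III curves of Section 4.3 can be reproduced once the example system of Fig. 3 is written as a structure function, which is also the quickest way to check the comparison that Section 4.3 proposes for detecting an operator error. The script below is an added example, not the paper's GO-FLOW model or program. The numbers are transcribed from Table 7; the rest is my assumption, chosen because it reproduces the printed figures: the structure function (valves A and G and heat exchanger F in series with the two parallel pump lines B–D and C–E), the treatment of a manually operated component (probability P(signal)·Pg of being in the ordered state plus (1 − P(signal))·Pp of having been operated prematurely), the use of the Table 7 values P(t) = 0.997 as the probability that the operator issues each action signal, and the modelling of the Case III pump B error as an absent action signal, which leaves pump B at its premature-start probability. With these assumptions the computed values agree with every cell of Table 8 to within 1e-5.

```python
"""Operational sequence of the example residual heat removal system (Fig. 3):
system success probability at T1..T5 for Cases I, II and III, as in Table 8.

Constructed example.  Data are transcribed from Table 7; the structure function
and the component semantics are assumptions that reproduce the printed values.
"""
import math

# Table 7 data.  pg: demand success probability, pp: premature (unordered) operation.
VALVE = {"pg": 0.9995, "pp": 0.000264}   # valves A and G (type-26 operators 3, 19)
PUMP = {"pg": 0.9998, "pp": 0.00025}     # pumps B and C  (type-39 operators 6, 12)
CHECK_VALVE = 0.99998                    # D and E        (type-21 operators 9, 15)
HEAT_EXCHANGER = 0.99999                 # F              (type-21 operator 17)
LAMBDA = 5e-5                            # pump failure rate per hour (type-35 operators 8, 14)
P_SIGNAL = 0.997                         # P(t2)..P(t4): probability the operator issues the action signal

# Sequence from Section 4.2: which actions have been ordered by each time point,
# and how long each pump has been running (T4 = T3 + 0.5 h, T5 = T4 + 24 h).
SEQUENCE = [
    # point  valves A,G  pump B  pump C  hours_B  hours_C
    ("T1",   False,      False,  False,  0.0,     0.0),
    ("T2",   True,       False,  False,  0.0,     0.0),
    ("T3",   True,       True,   False,  0.0,     0.0),
    ("T4",   True,       True,   True,   0.5,     0.0),
    ("T5",   True,       True,   True,   24.5,    24.0),
]


def component(state: str, data: dict, p_signal: float) -> float:
    """Probability that a manually operated component is in its demanded state.

    'idle'      - not ordered yet (or, in Case III, observed not to have
                  happened): on only through a premature operation, Pp
    'demanded'  - ordered, outcome uncertain: P(signal)*Pg + (1-P(signal))*Pp
    'confirmed' - observed to have succeeded (Case III monitoring): 1
    """
    if state == "confirmed":
        return 1.0
    if state == "demanded":
        return p_signal * data["pg"] + (1.0 - p_signal) * data["pp"]
    return data["pp"]


def system_success(a: float, g: float, b: float, c: float,
                   hours_b: float, hours_c: float) -> float:
    """Assumed structure function of Fig. 3: valves A and G and heat exchanger F
    in series with two parallel lines, pump B + check valve D and pump C + check
    valve E.  A running pump survives t hours with exp(-lambda*t)."""
    line_b = b * math.exp(-LAMBDA * hours_b) * CHECK_VALVE
    line_c = c * math.exp(-LAMBDA * hours_c) * CHECK_VALVE
    return a * g * HEAT_EXCHANGER * (1.0 - (1.0 - line_b) * (1.0 - line_c))


def mission_profile(case: str) -> list:
    """System success probability at T1..T5 for Case I, II or III of Section 4.3."""
    observed = case == "III"
    p_signal = {"I": 1.0, "II": P_SIGNAL, "III": 1.0}[case]

    def state(ordered: bool, failed: bool = False) -> str:
        if not ordered:
            return "idle"
        if observed:                    # Case III: real state fed back from monitoring
            return "idle" if failed else "confirmed"
        return "demanded"

    profile = []
    for _, valves, pump_b, pump_c, hours_b, hours_c in SEQUENCE:
        a = component(state(valves), VALVE, p_signal)
        g = component(state(valves), VALVE, p_signal)
        # Case III assumes the operator action on pump B at T3 is observed to fail.
        b = component(state(pump_b, failed=True), PUMP, p_signal)
        c = component(state(pump_c), PUMP, p_signal)
        profile.append(system_success(a, g, b, c, hours_b, hours_c))
    return profile


def flag_human_error(mission: list, average: list, tolerance: float = 0.01) -> list:
    """Time points at which the monitored mission reliability (Case III) falls
    below the average reliability (Case II) by more than `tolerance`: the
    comparison the paper proposes for detecting an operator error."""
    return [SEQUENCE[k][0] for k, (m, avg) in enumerate(zip(mission, average))
            if avg - m > tolerance]


if __name__ == "__main__":
    rows = {case: mission_profile(case) for case in ("I", "II", "III")}
    for case, values in rows.items():
        print(f"Case {case:3s}", " ".join(f"{v:.6e}" for v in values))
    print("human error flagged at:", flag_human_error(rows["III"], rows["II"]))
```

`flag_human_error` implements the comparison described at the end of Section 4.3: it reports the time points at which the monitored mission reliability (Case III) falls below the average reliability (Case II) by more than a tolerance, and for this sequence it returns only T3, the step at which the pump B action failed. The T2 and T4 values of Case III exceed those of the other cases for the reason the text gives: confirmed component states enter the model as 1 instead of Pg.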
Acknowledgements

This study is in part supported by a Grant from the China Postdoctoral Science Foundation under Grant L2171010 and by the Fundamental Research Funds for the Central Universities under Grant D2180980.
References

https://cna.ca/news/nuclear-at-sea-floating-ractors/, 2018.
https://arstechnica.com/science/2018/04/russia-launched-a-floating-nuclear-powerplant-this-weekend/, 2018.
https://www.popsci.com/china-floating-nuclear-reactors, 2018.
Watson, I.A. Review of human factors in reliability and risk assessment. IChemE Symposium Series No. 93, pp. 323–351.
Dhillon, B.S., 2018. Safety, Reliability, Human Factors, and Human Error in Nuclear Power Plants. CRC Press.
DOE-HDBK-1028-2009, 2009. Human Performance Improvement Handbook.
Calixto, E., 2016. Gas and Oil Reliability Engineering: Modeling and Analysis, second ed. Gulf Professional Publishing.
NRC, 1975. Reactor Safety Study: An Assessment of Accident Risks in US Commercial Nuclear Power Plants. WASH-1400, NUREG-75/014. US Nuclear Regulatory Commission, Washington, DC.
Boring, R.L., 2012. Fifty years of THERP and human reliability analysis. PSAM11.
Bell, J., Holroyd, J., 2009. Review of human reliability assessment methods. RR679. Health and Safety Executive, Buxton, UK.
Adhikari, S., Bayley, C., Bedford, T., et al., 2008. Human reliability analysis: a review and critique. Final Report for EP/E017800/1. UK Engineering and Physical Sciences Research Council.
Forester, J., Kolaczkowski, A., Lois, E., et al., 2006. Evaluation of Human Reliability Analysis Methods Against Good Practices. NUREG-1842. US Nuclear Regulatory Commission, Washington, DC.
Swain, A.D., Guttmann, H.E., 1983. Handbook of human reliability analysis with emphasis on nuclear power plant applications. NUREG/CR-1278.
Lois, E., Dang, V.N., Forester, J., et al., 2008. International HRA Empirical Study—Pilot Phase Report. HWR-844. OECD Halden Reactor Project, Halden, Norway.
Hollnagel, E., 1998. Cognitive Reliability and Error Analysis Method (CREAM). Elsevier, Oxford.
NRC, 2000. Technical Basis and Implementation Guidelines for a Technique for Human Event Analysis (ATHEANA). NUREG-1624, Rev. 1. US Nuclear Regulatory Commission, Washington, DC.
Gertman, D., Blackman, H., Marble, J., et al., 2005. The SPAR-H Human Reliability Analysis Method. NUREG/CR-6883. US Nuclear Regulatory Commission, Washington, DC.
Boring, R.L., 2007. Dynamic human reliability analysis: benefits and challenges of simulating human performance. ESREL2007 2, 1043–1049.
Wallace, B., Ross, A., 2006. Beyond Human Error. CRC Press.
Mkrtchyan, L., Podofillini, L., Dang, V.N., 2015. Bayesian belief networks for human reliability analysis: a review of applications and gaps. Reliab. Eng. Syst. Saf. 139, 1–16.
Matsuoka, T., Kobayashi, M., 1988. GO-FLOW: a new reliability analysis methodology. Nucl. Sci. Eng. 98 (1), 64–78.
Okazaki, T., Mitomo, N., Matsuoka, T., 2006. The use of the GO-FLOW methodology to investigate the aging effects in nuclear power plants. In: Proceedings of PSAM-8: International Conference on Probabilistic Safety Assessment and Management, New Orleans, Louisiana, USA.
Matsuoka, T., Kato, Y., 2012. Modeling of a human performance by the GO-FLOW methodology. In: Proceedings of the First International Symposium on Socially and Technically Symbiotic Systems, Okayama, Japan.
Matsuoka, T., Kobayashi, M., 1989. A phased mission analysis by the GO-FLOW methodology. In: Proceedings of the International ANS/ENS Topical Meeting on Probability, Reliability and Safety Assessment, Pittsburgh, USA.
Matsuoka, T., Kobayashi, M., 1989b. GO-FLOW methodology: a reliability analysis of the emergency core cooling system of a marine reactor under accident conditions. Nucl. Technol. 84 (3), 285–295.
Matsuoka, T., Kobayashi, M., 1997. The GO-FLOW reliability analysis methodology—analysis of common cause failures with uncertainty. Nucl. Eng. Des. 175, 205–214.
Matsuoka, T., 2010. Method for solving logical loops in system reliability analysis. Nucl. Saf. Simul. 1 (4), 328–339.
Fan, D., Wang, Z., Liu, L., et al., 2016. A modified GO-FLOW methodology with common cause failures based on discrete time Bayesian network. 305, 476–488.
Kolaczkowski, A., Forester, J., Gallucci, R., et al., 2007. Demonstrating the feasibility and reliability of operator manual actions in response to fire. NUREG-1852.
Rausand, M., Hoyland, A., 2004. System Reliability Theory: Models, Statistical Methods, and Applications, second ed. John Wiley & Sons.
Jun, Y., Ming, Y., Yoshikawa, H., et al., 2014. Development of a risk monitoring system for nuclear power plants based on GO-FLOW methodology. Nucl. Eng. Des. 278, 255–267.
Matsuoka, T., 1986. FFTA: a fast fault tree analysis program. 91 (1), 93–101.
IAEA, 2006. Development and Review of Plant Specific Emergency Operating Procedures. Safety Reports Series No. 48. International Atomic Energy Agency, Vienna.
NEA, 2009. Nuclear Fuel Behaviour in Loss-of-Coolant Accident (LOCA) Conditions. Organisation for Economic Co-operation and Development, ISBN 978-92-64-99091-3.
Aksan, N., 2008. International standard problems and small break loss-of-coolant accident (SBLOCA). THICKET2008.
Ekanem, N.J., 2013. A model-based human reliability analysis methodology (Phoenix method). Dissertation.
T-book, 2005. Reliability Data of Components in Nordic Nuclear Power Plants, sixth ed. TUD Office.