Copyright © IFAC Man-Machine Systems, Varese, Italy 1985
ANALYSIS AND DESIGN OF A NUCLEAR SAFETY SYSTEM v. THE OPERATOR TIME CONSTRAINTS
P. C. Cacciabue* and G. Cojazzi**
*Commission of the European Communities, Joint Research Centre, Ispra Establishment, Ispra (Varese), Italy
**CESNEF, Politecnico di Milano, Italy
Abstract. This paper describes the basic features of a new concept of incident simulator, the System Response Analyser (SRA), which is being developed within the CEC-JRC research programme on Reactor Safety and which is focused on the problem of management of safety systems in emergency conditions. The results obtained in the case of the Auxiliary Feedwater System of the Paluel Nuclear Power Plant show that SRA is particularly valid in the fields of design and reliability, thanks to the self-contained evaluation of the physical transient response of the system combined with human actions, and to the easily performed identification of the operator time constraints for the appropriate management of the system. Indeed, the study of the effects of the operator interventions, even if based on a simple parametrical model for the decision-making process, enhances the potentiality of the proposed technique.
Keywords. Dynamic response; Ergonomics; Human factors; Management of systems; Man-machine systems; Nuclear plants; Probabilistic Risk Assessment; Reliability theory.
INTRODUCTION
The study of Human-Machine Interaction is approached in this paper from a system engineering point of view, focusing on some critical aspects of management of an auxiliary system of a nuclear power plant during emergency conditions. Indeed, a correct design, especially of control and safety systems, has to account for the interface and interaction between the operator(s) and the machine which, in turn, calls for a thorough understanding of the functions the operator can accomplish, of those taken care of by the automation and finally of the dynamic characteristics of the plant.
In various types of analysis, such as task analysis, the actions of the operators are studied and defined in great detail but the behaviour of the plant is somewhat forgotten. On the other hand, in systems analysis the operator is given only a few possibilities to err and to recover, and at prefixed times, but the accident development and its consequences are greatly detailed. In reality the operator is asked to exercise continuously, during the accident development, various tasks which can be structured in a more general context of successive failure detection, failure diagnosis and system compensation activities (Rouse, 1982). Errors can occur at any level of this sequence and it is important to understand how the performance of the system will change according to these errors.
The SRA (System Response Analyser), in development at the Joint Research Centre of Ispra (Cacciabue and others, 1985), tries to link, through the use of the DYLAM (Amendola and Reina, 1984) methodology, operator behaviour, system component performances and physical evolution of the accident, aiming at the characterization of an instrument primarily useful for the design of safety and emergency systems.
In the following, the study of the management in accidental condition of the Auxiliary Feedwater System (AFS) of Paluel (France) Nuclear Power Station is performed as an example of potential application of SRA.
The interesting feature of this case lies also in the fact that the same system and incident have already been studied in the Reliability Benchmark Exercise (RBE) (Amendola, 1985), where classical reliability methods and procedures have been compared and assessed by a very wide number of groups from all over Europe. Such methodologies are essentially based on a "static" analysis of possible system behaviours and consequences following the initiating event, but do not satisfactorily take into consideration the "dynamic" development of the accident in terms of physical parameters, such as flows, pressures, temperatures, and of human intervention (Amendola and others, 1982). The incident to be studied consists in the transient following a steam generator feedline break at the junction of the AFS and the feedwater flow control system. The SRA approach requires primarily the modelling of the physical behaviour of the system, in all possible configurations assumed by its components. The model for the operator intervention is then superimposed and interacts with the physical model.
ANALYSIS OF THE AFS PHYSICAL BEHAVIOUR
With reference to the actual AFS system (Amendola, 1985) a simplification has been performed by grouping together sets of components in such a way that no particular effect is lost on the overall system behaviour. The following simplifications are performed (Fig. 1):
1) The regulation lines, containing a regulation valve, a check valve and a manually operated isolation valve, have been schematized by a single component capable of simulating the possible conditions arising from the behaviour of each of the three different components.
2) On the injection lines the two check valves in series have also been combined in a single component.
3) The pumping systems, including the upstream isolation valves and the steam feeding system for the turbopumps, have been simulated in the global behaviour of the pumps.
[Fig. 1: Simplified scheme of the auxiliary feedwater reference system.]
In order to describe the fluid behaviour of the system by means of the conservation equations, the energy balance between two branch points of the hydraulic network has been simplified assuming a constant coefficient K, accounting for all pressure losses of a line (lumped parameter technique), and a linear pump characteristic for those branches comprising a pump. In this manner all branches of the network can be represented by similar equations. According to the Failure Mode and Effect Analysis (FMEA), performed for all the components of the system, three parametrical energy equations are obtained for the pumps, regulation and injection lines. In Table 1 they are shown together with the possible states assumed by the components.
These equations, coupled with the continuity conditions at each branch point, give rise to several systems of equations describing the hydraulic behaviour of the network in all configurations.
The transient evolution of AFS is performed accounting for the time variation of the boundary conditions, i.e. the pressures upstream and downstream of the system. For simplicity it has been assumed that the pressures in the steam generators remain constant for all the transient, while the pressure at the tank outlet has been allowed to vary with the feedwater level. The solution methods adopted for all systems of equations are: a direct explicit solution for the time variations of the tank level and pressure, and a generalized version of the iterative Cross method for the hydraulic equilibrium of the network.
TABLE 1 Parametrical Equations for AFS
Columns: Component/Parametrical Eq. | Meaning | Parameters | State
Pump, Eq. (1): parameters L(1), L(2); states: normal, blocked.
Eq. (2), single valve simulating check valve, regulation valve and on-off valve: parameter V(j), taking the values H(Δp, 0), 0 and H(Δp, 0)·H(t, te) according to the state; states: normal, check valve failed open, check or regulation valve failed closed, on-off valve closed.
Eq. (3), single valve simulating two check valves in series: parameter C(l); states: l = 1 normal, l = 2 failed.
Δp = (P_upstream − P_downstream); H(x, y) = step function: H(x, y) = 1 for x > y, otherwise H(x, y) = 0; A(t) = flow cross-section of the regulation valve; a, b = constants in the pump equation; te = time delay for manual reopening of the valve.
RELIABILITY ANALYSIS AND COMPARISON WITH RBE
The objective of the reliability analysis of the system is the identification of the conditions leading to the failure of the system in satisfactorily performing its duty (TOP conditions). For the incident under study this consisted in the insufficient mass flow to the sane steam generators after the break on the feedwater line of SG1. In order to ensure sufficient cooling the assumed minimum flow conditions were: 50 t/h to three good SGs or 100 t/h to two good SGs. For simplicity these rates have been conservatively kept constant during the transient time.
The DYLAM analysis of the reliability of the system identifies the sequences leading to the TOP condition, as well as the time intervals at which such TOP is encountered, by solving all the systems of equations obtained combining all possible states of the AFS components. The fundamental difference between this approach and the classical fault-tree/event-tree consists in the fact that, while a classical technique starts by defining the TOP event and then deductively identifies the primary events, the DYLAM analysis starts with the modelling of the basic components of the system and inductively arrives at the definition of the minimal cut-sets. This results in a very high flexibility of the new methodology, in that the evaluation of different TOP conditions is readily performed by simply specifying the new TOP condition and rerunning the system DYLAM-physical model. The results of DYLAM and those of the RBE have been compared for the first phase of the incident only, i.e. for the first half hour, when the operator intervention is not considered and consequently the TOP conditions are caused only by failures of mechanical components: no difference of results has been found, as could have been expected, because neither operator action nor the physical behaviour of the system were allowed to modify, in the first 30' of the sequence, the initial state of components (Cacciabue and Cojazzi, 1985). This means that no consideration was given to the effect of the transient evolution of the incident on the reliability response of components, which represents the domain where the DYLAM peculiarities are exploited at their best and where classical methodologies, on the contrary, find most difficulties.
OPERATOR BEHAVIOUR MODEL
The dynamic nature of DYLAM allows for the study of the time variation of the TOP conditions when external or internal causes, or even the transient physical evolution of the system, affect the probabilistic behaviour of components. In SRA the influence of the operator intervention can thus be taken into consideration at any level of complexity, and the study of the ways in which he manages complex plant safety systems, in case of multiple failure events and critical behaviours, can easily be performed. For these reasons SRA represents an appropriate instrument for:
- identification and prediction of relevant sequences;
- validation of operating procedures in emergency;
- study and modelling of human behaviours;
- designing safety and control systems;
- designing support systems for aid to the operator.
In all these cases the definition of the operator time constraints for a safe operation and management of a system is very important: the operator behaviour model coupled to the physical model of the AFS has been developed to demonstrate the potentiality of the SRA methodology for treating this type of problem.
In the present study the operator has been treated just as another component of the system from the DYLAM-reliability point of view, and his task performance model has been based on simple parametrical treatments (Table 2). The operator model has been included in a dynamic modelling scheme, whereby consideration has been given to the sequential task performance of failure detection, failure diagnosis and action-compensation, as well as to the loop involving the system response to operator actions and the following decision control process, which can result in the detection of an erroneous action/diagnosis or in the prosecution of the already started procedure (Mancini and Amendola, 1983). A complex model for the operator decision making based on well developed theories of mental processes and reasoning (Isermann, 1984; Leplat and Rasmussen, 1984; etc.) has not yet been applied, although no formal problems are expected for its implementation.
TABLE 2 Operator Model
Columns: Component | State | Meaning | Effects
Failure detection: 0, nominal: detection after 30'; 1, delay: detection after Δtd ≤ Tn; 2, fails: no detection at all.
Failure diagnosis: 0, nominal: identify SG1; 1, erroneous: identify SG2.
Compensation: 0, nominal: regulation according to procedures: isolate identified SG; 50 t/h to 3 sane SGs or 100 t/h to 2 sane SGs; max mass flow ≤ 100 t/h; do not allow for flows < 0, check at tc ≤ Te.
Recovery: 0, nominal: recovery after Δtrec = Tr from erroneous diagnosis.
The failure detection task is assumed to be accomplished after 30' from incident initiation in nominal condition, or after a variable time delay which becomes infinity for failure to detect the incident. No other approaches have been used such as, for example, those based on signal detection or pattern recognition or filtering techniques. The failure diagnosis task also presents two possible states: a nominal one which implies the correct identification of the defective SG, and an erroneous one by which SG2 is isolated instead of SG1. No time delay is assumed between the failure detection and the diagnosis. No diagnosis is performed using descriptive models such as fuzzy sets, even if these are attentively studied for future refinement of the AFS analysis (Amendola and others, 1985). The two tasks of compensation and recovery are assumed to be always performed with a nominal behaviour of the "component operator". However, the time delays for recovery as well as for repositioning valves are not fixed, in order to allow for parametrical studies. No consideration has yet been
given to the failure of the operator in carrying out compensation actions, such as isolating the wrong SG although the correct diagnosis was performed. The operator intervention model has been coupled with the model for the AFS hydraulic behaviour, and the second phase, i.e. for time after 30' from initiation of the incident, has been studied, firstly from the system reliability point of view. A detailed comparison with the results of the RBE has not been made because of the differences due to the consideration of the dynamic operator behaviour model. The analysis of the RBE considered only fixed operator actions at 30' and did not include the possibility of recovery. A comparison of qualitative nature can be made only on the total number of sequences leading to TOP conditions. The DYLAM analysis results in a number of TOP sequences, satisfied for the entire duration of the incident, i.e. 450 minutes, drastically reduced in comparison with those of the RBE, because the intervention of the operator provides, in many cases, the necessary actions ensuring sufficient mass flow to the steam generators, even if the states of only the mechanical components would lead to TOP conditions. Moreover, sequences which could not easily be modelled by means of classical reliability methodologies have been straightforwardly described by the DYLAM-human intervention model. A significant example of this type of condition is the management of the system when reverse flow through a failed check valve and a failed pump occurs on train B, with the "component operator" being in nominal state, i.e. with the operator performing all his tasks correctly and as expected. In this case, after 30', the mass flow to SG1 is stopped (Fig. 2), while the mass flow to SG2 rises, because of the system hydraulic response to the isolation, and it is then reduced to the maximum value allowed by the procedures.
The mass flows to SG3 and SG4 are very low, 40 and 0 t/h respectively, because of the failed states of the components on train B. The TOP condition is thus satisfied up to tc = 90' of the incident time, when the failed injection line is identified and isolated. At this point a more-than-sufficient mass flow is established by the system response. The subsequent regulation at 100' is the result of the compensation action according to the established procedures. This sequence is one of the 2140 sequences automatically generated and analysed by DYLAM.
STUDY OF THE OPERATOR TIME CONSTRAINTS
The parametrical formulation of the operator decision-making process allows the study of critical times for the incident management. In the case of the AFS the most suitable analysis to be performed concerns the critical time constraints to the operator for ensuring sufficient cooling to the primary circuit and for maintaining the availability of feedwater for the entire sequence. While the former analysis, under study at the present time, requires a more complex and detailed modelling of the heat transfer process, of the steam generators response and of the human behaviour, the study of the availability of the feedwater in the tank could be performed with the model described above. The time constraints of the compensation actions of the operator have been identified performing parametrical studies relative to possible delay times of failure detection, mass flow regulation and recovery. Indeed, the timing of all these tasks plays a very important role for the definition of the amount of feedwater present in the tank, and thus they have been studied in a coupled fashion in order to identify the limit time intervals for the operator actions. The most characteristic results have been obtained evaluating the maximum delay time for failure detection in relation to the maximum delay for the compensation action of flow regulation, assuming that a correct failure diagnosis is performed. The results of this parametric study (Fig. 3) lead to the identification of two well defined areas of operation: any point of the plane below the limiting curve identifies a pair of failure detection time and regulation delay which is acceptable, while the area above the curve represents unacceptable timings, for ensuring the presence of a minimum of water still available in the tank at the end of the transient.
Similar curves have been obtained studying the maximum allowable recovery time and delay of regulations when the erroneous SG has been isolated.
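As an added worked example (not the authors' DYLAM/SRA code), the following Python stand-in couples a constructed lumped flow model of the AFS to the Table 2 operator states, enumerates every component/operator state combination inductively to find the sequences and time intervals in which the TOP condition holds (the reliability analysis above), and sweeps the detection delay Tn against the regulation delay DR to map the acceptable region of Fig. 3 (this section). The flow values, tank inventory, component set and failure names are assumptions; the procedure limits, the 30' nominal detection time and the 450' duration are the paper's.

```python
"""Constructed stand-in for the coupled AFS/operator model of the paper (not
the authors' DYLAM/SRA code). Flow values and tank size are illustrative; the
procedure limits, 30' nominal detection and 450' duration are the page's."""
from itertools import product

DURATION = 450                 # incident duration studied, minutes
TANK_T = 2500.0                # constructed initial feedwater inventory, t
SANE = ("SG2", "SG3", "SG4")   # SG1 is the one with the broken feedline

def flows(t, comp, op, tn, dr, tr):
    """Mass flows (t/h) to each SG and through the break at minute t, for
    mechanical states comp, operator states op and delays tn, dr, tr."""
    # failure detection: nominal at 30', delayed to 30' + Tn, or never
    t_det = {0: 30, 1: 30 + tn, 2: float("inf")}[op["detect"]]
    detected = t >= t_det
    # erroneous diagnosis isolates SG2 instead of SG1; recovered after Tr
    wrong = op["diag"] == 1 and detected and t < t_det + tr
    q = {"SG1": 0.0, "spill": 0.0}
    if detected and not wrong:
        # SG1 isolated: SG2 flow rises, then regulation caps it at 100 t/h
        q["SG2"] = 150.0 if t < t_det + dr else 100.0
    else:
        q["spill"] = 200.0                   # break keeps draining the tank
        q["SG2"] = 0.0 if wrong else 50.0    # SG2 wrongly isolated, or starved
    train_b = 100.0 if comp["pumpB"] == "normal" else 0.0
    q["SG3"] = train_b
    q["SG4"] = 0.0 if comp["checkB"] == "failed_closed" else train_b
    return q

def top_holds(q):
    """TOP condition: neither 50 t/h to three sane SGs nor 100 t/h to two."""
    ok50 = sum(q[s] >= 50 for s in SANE)
    ok100 = sum(q[s] >= 100 for s in SANE)
    return not (ok50 >= 3 or ok100 >= 2)

def simulate(comp, op, tn=0, dr=0, tr=0):
    """Step the coupled model minute by minute. Returns the (start, end)
    intervals during which TOP holds and the tank inventory left at 450'."""
    tank, intervals, start = TANK_T, [], None
    for t in range(DURATION + 1):
        q = flows(t, comp, op, tn, dr, tr) if tank > 0 else dict.fromkeys(SANE, 0.0)
        tank -= sum(q.values()) / 60.0          # t/h over a one-minute step
        if top_holds(q) and start is None:
            start = t
        elif not top_holds(q) and start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, DURATION))
    return intervals, tank

def enumerate_top_sequences(tn=30, dr=10, tr=60):
    """DYLAM-style inductive enumeration: simulate every combination of
    component and operator states and keep those that ever reach TOP."""
    comps = [dict(pumpB=p, checkB=c)
             for p, c in product(("normal", "failed"), ("normal", "failed_closed"))]
    ops = [dict(detect=d, diag=g) for d, g in product((0, 1, 2), (0, 1))]
    result = {}
    for c, o in product(comps, ops):
        intervals, _ = simulate(c, o, tn, dr, tr)
        if intervals:
            result[(tuple(c.values()), tuple(o.values()))] = intervals
    return result

def acceptable_region(tn_values, dr_values, comp, tr=0):
    """Fig. 3-style study: (Tn, DR) pairs that leave water in the tank."""
    op = dict(detect=1, diag=0)               # delayed but correct detection
    return {(tn, dr) for tn in tn_values for dr in dr_values
            if simulate(comp, op, tn, dr, tr)[1] > 0}
```

Running simulate with a failed train B and an erroneous diagnosis reproduces the shape of the sequence described above (TOP until recovery, then regulated flow), and acceptable_region gives the limiting curve between acceptable and unacceptable (Tn, DR) pairs.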
CONCLUSIONS
The results obtained in this document, in terms of effects of operator intervention and study of critical timings, enhance the potentiality of the methodology of SRA. Indeed, on the one hand no classical reliability technique is able to quantify, like the proposed one, the importance of a sequence in terms of probability, physical system transient behaviour and operator intervention in a self-contained calculation. On the other hand, SRA appears to be a promising instrument to be used for the design of safety systems and emergency procedures, which require the consideration of different human actions in order to clearly define dimensions, capabilities and perhaps levels of automation of systems. Finally, the versatility of the approach allows SRA to be used in accident simulators, particularly devoted to the analysis of the management of systems of complex plant accounting for the human-machine interaction and/or for the study of operator responses and actions in emergency situations.
[Fig. 2: System response and operator compensation in terms of mass flows (Q) to SGs during a typical incidental sequence.]
[Fig. 3: Critical operator time of intervention (TI) vs delay of regulation (DR).]
REFERENCES
Amendola, A., G. Mancini, A. Poucet and G. Reina (1982). Dynamic and static models for nuclear reactor operators - needs and application examples. Proc. of the 1st IFAC/IFIP/IFORS/IEA Conf. "Analysis, Design and Evaluation of Man-Machine Systems", Baden-Baden. Pergamon Press, Oxford.
Amendola, A. and G. Reina (1984). DYLAM-1, a software package for event sequence and consequence spectrum methodology. Euratom report EUR 9224 EN.
Amendola, A., G. Reina and F. Ciceri (1985). Dynamic simulation of man-machine interaction in incident control. 2nd IFAC/IFIP/IFORS/IEA Conf. "Analysis, Design and Evaluation of Man-Machine Systems", Varese, 10-12 Sep. 1985.
Amendola, A. (1985). Results of the reliability benchmark exercise and the future CEC-JRC programme. Proc. of the Int. ANS/ENS Top. Meet. on Probabilistic Safety Methods and Applications, San Francisco, 24-28 Feb. 1985.
Cacciabue, P.C. and G. Cojazzi (1985). Reliability study of a PWR/AFS by the DYLAM approach. Proc. of the 8th Conf. on SMiRT, Brussels, 19-23 Aug. 1985. Paper M2 3/8.
Cacciabue, P.C., A. Amendola and G. Mancini (1985). Accident simulator development for probabilistic safety analysis. Proc. of the Int. ANS/ENS Top. Meet. on Probabilistic Safety Methods and Applications, San Francisco, 24-28 Feb. 1985.
Isermann, R. (1984). Process fault detection based on modelling and estimation methods. A survey. Automatica, Vol. 20, No. 4, pp. 387-404. Pergamon Press, Oxford.
Leplat, J. and J. Rasmussen (1984). Analysis of human errors in industrial incidents and accidents for improvement of work safety. Accid. Anal. and Prev., Vol. 16, No. 2, pp. 77-88. Pergamon Press, Oxford.
Mancini, G. and A. Amendola (1983). Human model and the problem of data. Proc. of the 4th EuReDatA Conf., Venice, 23-25 March 1983.
Rouse, W.B. (1982). Models of human problem solving: detection, diagnosis and compensation for system failures. Proc. of the 1st IFAC/IFIP/IFORS/IEA Conf. "Analysis, Design and Evaluation of Man-Machine Systems", Baden-Baden. Pergamon Press, Oxford.