Annals of Nuclear Energy xxx (xxxx) xxx
Dynamic reliability analysis framework for passive safety systems of Nuclear Power Plant
A. Manish Tripathi a,*, B. Lalit Kumar Singh b, C. Suneet Singh a
a Department of Energy Science & Engineering, IIT Bombay, India
b Department of Computer Science & Engineering, IIT (BHU), Varanasi, India
Article info
Article history: Received 8 May 2019; Received in revised form 7 October 2019; Accepted 15 October 2019; Available online xxxx
Keywords: Nuclear Power Plant; Dependability analysis; System design; Failure data
Abstract
Passive systems are being incorporated in Nuclear Power Plants to meet high safety requirements. The main motivation for introducing such systems is the lessons learned from past nuclear reactor accidents such as TMI, Chernobyl, and Fukushima. Such systems must be designed to ensure dependability, especially reliability and safety. We propose a novel method for dynamic reliability analysis of the Passive Decay Heat Removal System of an NPP, which is a First of a Kind System. The methodology includes mathematical modeling of the system using a stochastic modeling technique and solving the model mathematically. The proposed method has been successfully applied to different safety systems of the Nuclear Power Plant.
© 2019 Elsevier Ltd. All rights reserved.
1. Introduction
Nuclear energy has been considered an important source of energy since the inception of nuclear fission. Nuclear energy can minimize or remove the dependence of human society on conventional sources of energy. As of December 2018, 451 nuclear reactors are in operation for electricity production (IAEA, 2019). A large inventory of radioactive fission products is produced in NPPs during nuclear fission, from which the public must be protected. The release of a significant amount of heat due to the decay of these radioactive fission products also continues for a prolonged period, even after the shutdown of the NPP. For these two reasons, NPPs are designed with multiple layers of safety systems, each backed up by another. This philosophy is called defense in depth. Despite adopting the defense-in-depth philosophy in the design and operation of nuclear reactors, three major accidents leading to core meltdown have occurred, viz. Three Mile Island (Corey, 1979) (1979), Chernobyl (Gittus, 1987) (1986), and Fukushima (Povinec et al., 2013) (2011). A large amount of radioactivity was also released to the environment in all but the Three Mile Island accident. These accidents have raised public concerns over nuclear energy; hence efforts were made worldwide to bring new safety features into the design of nuclear reactors. The safety goals for future reactors were also raised accordingly to minimize the risk to the public and the environment.
Traditionally, most safety systems of nuclear reactors have been designed based on active components such as pumps and motor-operated valves. However, achieving the enhanced safety goals is very difficult with active systems. The reliability of active systems cannot be increased beyond a threshold. Moreover, active systems are more prone to operator errors as well as latent errors introduced during maintenance. Passive systems have emerged as a better option to improve the safety of NPPs. They are considered more reliable than active systems, so they can enhance safety during postulated accident conditions. Passive systems do not require external power supplies, pneumatic air supply or human intervention for operation. The incorporation of passive safety systems in the design is one of the goals of the Gen-IV reactor forum (Abram and Ion, 2008). A new reactor design concept like the Advanced Heavy Water Reactor (AHWR) uses passive systems for the primary heat transport system (Sinha and Kakodkar, 2006). PDHRS has been added as an extra design feature in the 700 MWe Indian PHWR for handling a prolonged SBO situation, which is a failure of the class III and class IV AC power supply, as a FOAK system (Bhardwaj, 2006). The two BWRs at Tarapur, India have a passive EC for decay heat removal (Katiyar and Bajaj, 2006). A safety grade decay heat removal system is used for decay heat removal in the Indian Prototype Fast Breeder Reactor (PFBR) (Mathews et al., 2008).
Since the operating experience of passive systems is relatively limited, the statistical data for assessing the reliability of such systems is not available. The FTA technique is the standard method for reliability assessment of plant systems when component operational data is widely available. For new designs of passive safety systems there is no operational evidence that would allow classical statistical reliability analysis; therefore, dynamic reliability analysis should be performed (Liu, 2015; Tanaka et al., 1989). In this paper, we attempt to devise a method to quantify the reliability of such passive systems during the design phase itself. The estimate will then keep improving as dynamic failure data accumulates. The methodology includes stochastic modeling of the system and solving the model using mathematical techniques.
The remainder of this paper is organized as follows. Section 2 discusses the related work along with its limitations. In Section 3, we give the basic definitions and terminology. Section 4 describes a case study of the passive system in detail. In Section 5, we propose our technique to verify the design of the passive system. Experimental validation is shown in Section 6. Section 7 concludes this paper.
Abbreviations: BWR, Boiling Water Reactor; CCF, Common Cause Failure; DTMC, Discrete Time Markov Chain; FOAK, First of a kind; EC, Emergency Condenser; FT, Fault Tree; FTA, Fault Tree Analysis; IEEE, Institute of Electrical and Electronics Engineers; NPP, Nuclear Power Plant; MC, Markov Chain; NUREG, Nuclear Regulatory Report; PN, Petri net; SBO, Station Blackout; UML, Unified Modeling Language; U.S. NRC, United States Nuclear Regulatory Commission; PDHRS, Passive Decay Heat Removal System; PHWR, Pressurized Heavy Water Reactor; PRA, Probabilistic Risk Assessment; SCRAM, Safety Control Rod Axe Man; SPN, Stochastic Petri Net.
* Corresponding author.
E-mail addresses: [email protected] (A.M. Tripathi), [email protected] (B. Lalit Kumar Singh), [email protected] (C.S. Singh).
https://doi.org/10.1016/j.anucene.2019.107139
0306-4549/© 2019 Elsevier Ltd. All rights reserved.
Please cite this article as: A. M. Tripathi, B. L. K. Singh and C. S. Singh, Dynamic reliability analysis framework for passive safety systems of Nuclear Power Plant, Annals of Nuclear Energy, https://doi.org/10.1016/j.anucene.2019.107139
2. Related work
Kengo Urata and Masaki Inoue (Urata and Inoue, 2017) address quantitative analysis and performance improvement of feedbacked passive systems. It is shown that the performance of the feedback system is improved as compared to that of the disconnected subsystems. The authors identify a special class of passive subsystems that achieves performance improvement via the feedback connection. However, the paper remains silent on the reliability attribute of the systems. C. Cho et al (2016) attempted to evaluate the intrusion probability quantitatively using generalized SPN. Apart from cyberattack prevention, the authors proposed a framework to conform to cybersecurity regulations; a physical framework is proposed to prevent physical attacks as well. The work was meant to address dependability issues; however, the focus was given only to the cybersecurity analysis and nothing was addressed concerning the reliability assessment of the system. Singh, L.K. et al (Singh and Rajput, 2018) introduce new dependability metrics: non-liveness, deadlock, stability, and throughput. The paper proposes an innovative methodology for the analysis of these metrics by linear programming using PN modeling. The application of the proposed techniques was validated on different safety-critical systems of NPP and shown for the reactor protection system. However, the focus was on the safety attribute of dependability. L.K. Singh et al (2014) proposed a method to quantify the transition probabilities among the states of the MC. State equations were then derived from the constructed MC and solved mathematically. The approach was demonstrated step by step on a case study of a communication module of an NPP system. However, the MC follows the memoryless property, and the transition rates among the states follow the exponential distribution. V. Kumar et al (2018) use the UML technique to quantify the safety metrics. UML is an effective tool to capture all the functional requirements of the system and can easily be understood by all the stakeholders. The UML model was then converted into a stochastic model to capture the dynamics of the system. The model was solved mathematically to quantify the safety metrics. The validation of the approach was demonstrated on different safety-critical and control systems of NPP. A similar approach can be extended to quantify the reliability of the system. Q. Zhang and Z. Zhang (2016) proposed the Dynamic Uncertain Causality Graph (DUCG) to deal with large and complex systems with dynamics and uncertainties. That paper extends the DUCG methodology to deal with negative feedback, which is one of the most difficult problems in fault diagnosis, and predicts fault development online. They presented two methods: one does not involve causality propagation across time slices, the other does. They prove that DUCG is powerful in knowledge representation, diagnosing possible faults, and predicting the development of faults. They also prove that DUCG inference does not rely much on the accuracy of the probability parameters. However, DUCG has not been applied to reliability. J. Yang et al (2014) proposed a novel approach for fault diagnosis in chemical processes using DUCG. Every step was explained and applied to a chemical process. However, the quantification of failures was not dealt with, and hence the paper says nothing about the quantification of reliability.
3. Definitions and terminologies
3.1. Petri nets
A PN (Singh et al., 2014) can be defined as a 5-tuple $PN = \{P, T, F, W, M_0\}$, where $P = \{p_1, p_2, p_3, \ldots, p_m\}$ is a finite set of places, $T = \{t_1, t_2, \ldots, t_n\}$ is a finite set of transitions, $F \subseteq (P \times T) \cup (T \times P)$ is a set of arcs, $W : F \to \{1, 2, 3, \ldots\}$ is a weight function, $M_0 : P \to \{0, 1, 2, \ldots\}$ is the initial marking, $P \cap T = \emptyset$ and $P \cup T \ne \emptyset$. Some of the important definitions related to PNs are as follows:
1. Marking: A marking M of a PN is a function $M : P \to \mathbb{N}$. A marked PN is a PN with an associated marking. A marking of a PN with n places is an $(n \times 1)$ vector which associates with each place a certain number of tokens, represented by black dots, and represents a state of the PN. An initial marking $M_0$ is associated with a given PN model.
2. Enabled transition: A transition t is enabled at a marking M if and only if $\forall p \in {}^{\bullet}t: M(p) \ge W(p, t)$, where $p \in {}^{\bullet}t$ is an input place of t, $M(p)$ is the number of tokens in place p, and $W(p, t)$ is the weight of the arc from p to t.
3. Siphons and traps: A non-empty set $S \subseteq P$ is a siphon iff ${}^{\bullet}S \subseteq S^{\bullet}$, i.e. every transition having an output place in S has an input place in S. $S \subseteq P$ is a trap iff $S^{\bullet} \subseteq {}^{\bullet}S$. A siphon (trap) is minimal iff it contains no other siphon (trap) as a proper subset. A minimal siphon S is said to be strict if ${}^{\bullet}S \subsetneq S^{\bullet}$.
4. Marked graph: A PN is said to be a marked graph iff $\forall p \in P: |{}^{\bullet}p| = |p^{\bullet}| = 1$.
5. Reachability: The dynamic properties of a system cannot be studied without reachability. A marking $M_n$ is reachable from another marking $M_1$ if there is a sequence of firings that transforms $M_1$ into $M_n$. A firing sequence of transitions is represented by $\sigma = M_1 t_1 M_2 t_2 M_3 \ldots t_n M_n$ or simply $\sigma = t_1 t_2 \ldots t_n$.
6. Boundedness: A PN $(N, M_0)$ is said to be k-bounded, or simply bounded, if the number of tokens in each place does not exceed a finite number k for any marking reachable from $M_0$, i.e. $M(p) \le k$ for every place p and every marking $M \in R(M_0)$.
7. Safeness: A PN $(N, M_0)$ is called safe if it is 1-bounded. A PN is safe if each place is safe.
8. Reachability graph: A marking M is reachable from the initial marking $M_0$ iff $M_0 \xrightarrow{*} M$, i.e. there exists a firing sequence that brings us from the initial state of the PN to the state corresponding to M. In the reachability graph of a PN, nodes correspond to reachable markings and edges correspond to the relation $\rightarrow$. There can be several notations for markings: (i) $(n_1, n_2, \ldots, n_m)$, where $n_i$ is the number of tokens in place $p_i$; (ii) $p_1^{n_1} p_2^{n_2} \cdots p_m^{n_m}$, where $n_i$ is the number of times $p_i$ appears; if $p_i$ appears zero times, it is omitted from the marking. So a reachability graph shows all possible states (markings) that can be reached by firing enabled transitions.
9. Coverability tree: Given a PN $(N, M_0)$, from the initial marking $M_0$ we can obtain as many new markings as there are enabled transitions. From each new marking we can again reach more markings. This process results in a tree representation of the markings: nodes represent markings generated from $M_0$ (the root) and its successors, and each arc represents a transition firing, which transforms one marking into another. This tree, however, grows infinitely large if the net is unbounded. To keep the tree finite, we introduce a special symbol $\omega$, which can be considered as infinity. It has the properties that for each integer n: $\omega > n$, $\omega \pm n = \omega$ and $\omega \ge \omega$. The coverability tree of a PN N is constructed by the following algorithm.
Step 1. Label the initial marking $M_0$ as the root and tag it "new".
Step 2. For every new marking M:
Step 2.1. If M is identical to a marking that already appeared in the tree, then tag M "old" and go to another new marking.
Step 2.2. If no transitions are enabled at M, tag M "dead-end" and go to another new marking.
Step 2.3. While there exist enabled transitions at M, do the following for each enabled transition t at M:
Step 2.3.1. Obtain the marking $M'$ that results from firing t at M.
Step 2.3.2. If on the path from the root to M there exists a marking $M''$ such that $M'(p) \ge M''(p)$ for each place p and $M' \ne M''$, i.e. $M''$ is coverable, then replace $M'(p)$ by $\omega$ for each p such that $M'(p) > M''(p)$.
Step 2.3.3. Introduce $M'$ as a node, draw an arc with label t from M to $M'$, and tag $M'$ "new".
Merging identical nodes of the tree results in the reachability graph. For a bounded PN, the coverability tree is called the reachability tree, as it contains all possible reachable markings.
10. Liveness: The concept of liveness is closely related to the complete absence of deadlocks in operating systems. A PN $(N, M_0)$ is said to be live (or equivalently, $M_0$ is said to be a live marking for N) if, no matter what marking has been reached from $M_0$, it is possible to ultimately fire any transition of the net by progressing through some further firing sequence. This means that a live PN guarantees deadlock-free operation, no matter what firing sequence is chosen.
11. Fairness: Many different notions of fairness have been proposed in the literature on PNs. We present the two basic fairness concepts: bounded fairness and unconditional (global) fairness. Two transitions $t_1$ and $t_2$ are said to be in a bounded-fair (or B-fair) relation if the maximum number of times that either one can fire while the other is not firing is bounded. A PN $(N, M_0)$ is said to be a B-fair net if every pair of transitions in the net is in a B-fair relation. A firing sequence $\sigma$ is said to be unconditionally (globally) fair if it is finite or every transition in the net appears infinitely often in $\sigma$. A PN $(N, M_0)$ is said to be an unconditionally fair net if every firing sequence $\sigma$ from every M in $R(M_0)$ is unconditionally fair.
3.2. Markov chain
A Markov process is a stochastic process that satisfies the following Markov property: for all $t, t_n, \ldots, t_1, t_0$ such that $t > t_n > \cdots > t_1 > t_0$ and for all $x, x_n, \ldots, x_1, x_0$,
$$P\{X(t) \le x \mid X(t_n) = x_n, \ldots, X(t_1) = x_1, X(t_0) = x_0\} = P\{X(t) \le x \mid X(t_n) = x_n\} \quad (1)$$
This means that the dynamic behavior of a Markov process is such that the probability distributions for its future development depend only on the present state $X(t_n)$ and not on how the process arrived in that state (its past history). A Markov chain (MC) is a Markov process with a discrete (finite or countably infinite) state space. If we choose to observe the state of the process at a discrete set of time points, we get a discrete-time Markov chain (DTMC). Let the random variables $X_0, X_1, \ldots, X_n, \ldots$ represent the successive observations of a system with the Markov property at time steps $0, 1, \ldots, n, \ldots$ respectively. Then the sequence of random variables $\{X_n, n \ge 0\}$ forms a DTMC. The Markov property in this case can be stated as: for all $i_0, i_1, \ldots, i_n \in Z$,
$$P\{X_n = i_n \mid X_{n-1} = i_{n-1}, \ldots, X_1 = i_1, X_0 = i_0\} = P\{X_n = i_n \mid X_{n-1} = i_{n-1}\} \quad (2)$$
where Z is the set of all integers. If
$$P\{X_{m+n} = j \mid X_m = i\} = P\{X_n = j \mid X_0 = i\} \quad (3)$$
the DTMC is said to be homogeneous. Define the one-step transition probability matrix $P = [p_{ij}]$ $(i, j \in X)$ of a homogeneous DTMC such that:
$$p_{ij} = P\{X_{n+1} = j \mid X_n = i\} = P\{X_1 = j \mid X_0 = i\} \quad (4)$$
Then the entries of the matrix P satisfy the following properties:
$$\forall i, j \in X: \; 0 \le p_{ij} \le 1 \quad \text{and} \quad \sum_{j \in X} p_{ij} = 1$$
Also let $P(n) = [p_{ij}(n)]$ be the n-step transition probability matrix of the DTMC such that:
$$\forall i, j \in X: \; p_{ij}(n) = P\{X_n = j \mid X_0 = i\}$$
The probability mass function of the random variable $X_0$ over all the states in the state space is called the initial distribution and is specified by the initial probability vector:
$$\pi(0) = (\pi_0(0), \pi_1(0), \pi_2(0), \ldots) \quad (5)$$
Defining the vector of probabilities of being in each state of the system at time n after starting from the initial state as:
$$\pi(n) = (\pi_0(n), \pi_1(n), \pi_2(n), \ldots) \quad (6)$$
the vector $\pi(n)$ is then the transient, or time-dependent, solution of the DTMC and is computed as:
$$\pi(n) = \pi(0) P^n, \qquad \sum_{j \in X} \pi_j(n) = 1$$
This means that a DTMC is completely described by its one-step transition probability matrix and its initial probability vector.
4. PDHRS: A case study and operating modes
A conceptual representation of a typical BWR with the EC system is shown in Fig. 1. The reactor core is submerged in a pool of water inside the Reactor Pressure Vessel (RPV), which acts as the Steam Generator (SG). The heat produced in the reactor core by nuclear fission is transferred to the pool water to convert it to steam. During normal operating conditions, water makeup is done using the main feed water line. The steam is sent to the turbine to produce electricity. The line from the reactor pressure vessel to the turbine has an isolation valve VT. The main feed water line also has an isolation valve VM. The EC system consists of the steam EC isolation valve VE, the condensate line isolation valve VC, a heat exchanger on the primary side and a water pool with a vent line on the secondary side. The water makeup valve VW is provided for water makeup on the secondary side of the EC during a prolonged SBO situation. These valves are fed by the class II reliable power supply. During normal operating conditions, the system is isolated from the reactor primary system: VT and VM are open, while VE, VC and VW are closed. When a reactor SCRAM occurs and an SBO situation is sensed, the turbine side isolation valve VT and the main feed water line isolation valve VM close, and the EC isolation valve VE and the condensate line isolation valve VC open automatically. The steam generated by decay heat from the reactor core passes through the EC, which generally consists of a bundle of tubes to provide a larger surface area for better heat transfer. In this way, heat transfer takes place automatically by the phenomenon of natural circulation, known as thermosyphoning. A level sensor is also installed on the secondary side of the EC for level measurement. If the secondary side water level in the EC falls below 20 percent of capacity, the water inventory makeup should be done.
If the prolonged SBO situation arises and the class III and class IV power supplies are not restored, water makeup will be required using the water makeup valve VW. The makeup system consists of two redundant diesel-driven pumps that can supply water to the secondary side of the EC. However, the analysis is confined to valve VW, on the assumption that the water makeup system that provides water to VW is reliable.
5. Proposed framework of our approach
We propose an approach to quantify the reliability of PDHRS that consists of seven phases, as described below.
1. PN generation
In this phase, the PN model is constructed from the system specification, for which researchers have proposed several methods (Murata, 1989). The main activity involves understanding the functional requirements of the target system and identifying the places and transitions. For our case study, PDHRS, we have identified the places and transitions given in Table 1. Note that transitions $t_7$ and $t_0$ both lead to the initial/reset state. Transition $t_7$ represents the transition to the initial state after the mission is accomplished, in the case of a prolonged SBO condition. Transition $t_0$ represents the transition taken when the class III and class IV AC power supply is restored, in which case the SBO condition does not last long and reactor cooling continues by the normal cooling systems. The created PN model is shown in Fig. 2.
2. Model parameter assignment
We use the tool TimeNET (Kelling, 1995; Kelling, 1996) for SPN creation. Thereafter, we assign the delay of each transition as per the system specification, given in Table 2(a). The time delays can also be taken from operational profile data once the system has been in operation for a long time. The long-time behavior of this SPN can be studied by so-called stationary or steady-state evaluation, the method for which has been described by many authors. Stationary analysis (Zuberek, 2001) was performed in TimeNET to get the throughput (number of firings per unit time) values, as shown in Table 2(b).
3. Reachability graph creation
The reachability graph can be created by identifying all the possible markings along with the respective transitions (Murata, 1989). Table 3 shows the markings of the SPN of PDHRS. The full reachability graph is shown in Fig. 3.
Fig. 1. Schematic of PDHRS.
Fig. 2. PN model of PDHRS.
Fig. 3. Reachability graph.
Table 1. PDHRS places and transitions.
P1   Trip parameter detected
P2   Initial condition created
P3   Initial condition holds
P4   EC loop activated
P5   VT valve closed
P6   VM valve closed
P7   VE valve open
P8   VC valve open
P9   Level measurement of EC
P10  VW valve open
t1   Creates initial condition and energizes the relays to close the VT and VM
t2   Triggers to close the VM valve
t3   Triggers the EC loop
t4   Triggers to open the VE and VC valves
t5   Triggers level measurement of EC on the secondary side
t6   Triggers to open VW for water makeup if the EC level is less than 20 percent of total capacity
t7   Reset
t0   Reset on restoration of class III & class IV AC power supply
Table 2. (a) Time delay of the transitions; (b) throughput of the transitions.
(a) t0, t1, t2, t3, t4, t5, t6, t7: 1 ms each
(b) $\lambda_0$ = 0.09090915; $\lambda_1$ = 0.18181817; $\lambda_2$ = 0.09090915; $\lambda_3$ = 0.09090915; $\lambda_4$ = 0.09090912; $\lambda_5$ = 0.18181821; $\lambda_6$ = 0.18181808; $\lambda_7$ = 0.18181811
Table 3. Markings of the PN model of PDHRS (token counts in places P1 to P10; all markings are tangible).
M0   (1,0,0,0,0,0,0,0,0,0)   Tangible
M1   (0,1,0,0,0,0,0,0,0,0)   Tangible
M2   (0,0,1,0,1,1,0,0,0,0)   Tangible
M3   (0,0,1,0,0,0,1,1,0,0)   Tangible
M4   (0,0,0,1,0,0,0,0,0,0)   Tangible
M5   (0,0,0,0,0,0,0,0,1,0)   Tangible
M6   (0,0,0,0,0,0,0,0,0,1)   Tangible
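As an added worked example (not code from the paper or from TimeNET), the following Python script builds the PDHRS net of Table 1 and runs the coverability tree algorithm of Section 3.1, Definition 9, over it; for a bounded net the tree's node set is the reachability graph of Table 3 and Fig. 3. The arc structure of the net is an assumption reconstructed here from the Table 1 descriptions and the Table 3 markings, since Fig. 2 is not reproduced on this page, and a small two-place net is constructed alongside it to show how the $\omega$ symbol keeps the construction finite on an unbounded net.

```python
"""Reachability / coverability construction for the PDHRS Petri net (Definitions 1-9)."""
from collections import deque
from math import inf

OMEGA = inf  # plays the role of the paper's omega: omega > n, omega +/- n = omega

# Places P1..P10 as in Table 1.
PLACES = tuple(f"P{i}" for i in range(1, 11))

# Arc structure of the PDHRS net. ASSUMPTION: reconstructed from the Table 1
# descriptions and the Table 3 markings (the paper's Fig. 2 is not reproduced
# here); every arc has weight 1. Each entry: name -> (pre-set, post-set).
PDHRS_TRANSITIONS = {
    "t1": ({"P1"}, {"P2"}),               # trip detected -> initial condition created
    "t2": ({"P2"}, {"P3", "P5", "P6"}),   # initial condition holds, VT and VM closed
    "t3": ({"P5", "P6"}, {"P7", "P8"}),   # EC loop triggered: VE and VC open
    "t4": ({"P3", "P7", "P8"}, {"P4"}),   # EC loop activated
    "t5": ({"P4"}, {"P9"}),               # level measurement on the EC secondary side
    "t6": ({"P9"}, {"P10"}),              # VW opened for water makeup
    "t7": ({"P10"}, {"P1"}),              # reset after the mission
    "t0": ({"P4"}, {"P1"}),               # reset on restoration of class III/IV power
}
PDHRS_M0 = {"P1": 1}


def marking_vector(places, tokens):
    """Definition 1: a marking is a vector of token counts, one entry per place."""
    return tuple(tokens.get(p, 0) for p in places)


def enabled(places, marking, pre):
    """Definition 2: t is enabled iff every input place holds at least the arc weight (1)."""
    return all(marking[places.index(p)] >= 1 for p in pre)


def fire(places, marking, pre, post):
    """Firing removes one token per input place and adds one per output place;
    omega entries stay omega."""
    m = list(marking)
    for p in pre:
        i = places.index(p)
        if m[i] != OMEGA:
            m[i] -= 1
    for p in post:
        i = places.index(p)
        if m[i] != OMEGA:
            m[i] += 1
    return tuple(m)


def coverability_tree(places, transitions, m0):
    """Definition 9, Steps 1 to 2.3.3. Returns (set of node markings, list of (M, t, M') arcs).
    On a bounded net the node set is exactly the reachable markings; on an unbounded
    net omega entries appear and the construction still terminates."""
    root = marking_vector(places, m0)
    nodes = {root}
    arcs = []
    queue = deque([(root, (root,))])  # each entry: a "new" marking plus its path from the root
    while queue:
        m, path = queue.popleft()
        for name, (pre, post) in transitions.items():
            if not enabled(places, m, pre):
                continue  # t is not enabled at M
            new = list(fire(places, m, pre, post))  # Step 2.3.1
            for ancestor in path:  # Step 2.3.2: a strictly covered ancestor marks growth
                if tuple(new) != ancestor and all(n >= o for n, o in zip(new, ancestor)):
                    new = [OMEGA if n > o else n for n, o in zip(new, ancestor)]
            new = tuple(new)
            arcs.append((m, name, new))  # Step 2.3.3
            if new not in nodes:  # Step 2.1: an "old" marking is not expanded again
                nodes.add(new)
                queue.append((new, path + (new,)))
    return nodes, arcs


def is_k_bounded(nodes, k):
    """Definition 6: every place holds at most k tokens in every reachable marking."""
    return all(tok != OMEGA and tok <= k for m in nodes for tok in m)


def table3_markings():
    """The seven markings listed in Table 3, as token vectors over P1..P10."""
    rows = ["1000000000", "0100000000", "0010110000", "0010001100",
            "0001000000", "0000000010", "0000000001"]
    return {tuple(int(c) for c in row) for row in rows}


# Constructed two-place net that is unbounded: t keeps its token in P and adds one to Q.
UNBOUNDED_PLACES = ("P", "Q")
UNBOUNDED_TRANSITIONS = {"t": ({"P"}, {"P", "Q"})}


if __name__ == "__main__":
    nodes, arcs = coverability_tree(PLACES, PDHRS_TRANSITIONS, PDHRS_M0)
    print(len(nodes), "markings,", len(arcs), "arcs, 1-bounded:", is_k_bounded(nodes, 1))
    for m, t, m2 in arcs:
        print(m, "--", t, "->", m2)
```

Running the script lists the eight arcs of Fig. 3 (M4 has two successors, via t0 back to M0 and via t5 to M5) and confirms that the net is safe, which is what makes the reachability graph finite and the Markov model of the next phase well defined.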
4. Markov chain creation
The MC of the PN shown in Fig. 2 is given in Fig. 4; it is obtained from the reachability graph of the PN. The transition rate matrix Q is given in equation (9). The rates for a given state must sum to zero, which fixes the diagonal elements as
$$q_{ii} = -\sum_{j \ne i} q_{ij} \quad (7)$$
With rows and columns ordered $M_0, M_1, \ldots, M_6$, and $\lambda_k$ the throughput of transition $t_k$ from Table 2(b):
$$Q = \begin{bmatrix} -\lambda_1 & \lambda_1 & 0 & 0 & 0 & 0 & 0 \\ 0 & -\lambda_2 & \lambda_2 & 0 & 0 & 0 & 0 \\ 0 & 0 & -\lambda_3 & \lambda_3 & 0 & 0 & 0 \\ 0 & 0 & 0 & -\lambda_4 & \lambda_4 & 0 & 0 \\ \lambda_0 & 0 & 0 & 0 & -\lambda_0 - \lambda_5 & \lambda_5 & 0 \\ 0 & 0 & 0 & 0 & 0 & -\lambda_6 & \lambda_6 \\ \lambda_7 & 0 & 0 & 0 & 0 & 0 & -\lambda_7 \end{bmatrix} = \begin{bmatrix} -0.18181817 & 0.18181817 & 0 & 0 & 0 & 0 & 0 \\ 0 & -0.09090915 & 0.09090915 & 0 & 0 & 0 & 0 \\ 0 & 0 & -0.09090915 & 0.09090915 & 0 & 0 & 0 \\ 0 & 0 & 0 & -0.09090912 & 0.09090912 & 0 & 0 \\ 0.09090915 & 0 & 0 & 0 & -0.27272736 & 0.18181821 & 0 \\ 0 & 0 & 0 & 0 & 0 & -0.18181808 & 0.18181808 \\ 0.18181811 & 0 & 0 & 0 & 0 & 0 & -0.18181811 \end{bmatrix} \quad (9)$$
5. Transition probability computation
The transition probabilities $p_{ij}$ of the MC created from the SPN can be computed with the help of the transition rate matrix Q. Since the transition rate $q_{ij}$ represents the number of transitions from state i to state j per unit time, the ratio of $q_{ij}$ (of going from state i to state j) to the sum of all transition rates out of state i, excluding the transition to itself, gives the transition probability $p_{ij}$ from one state to the other. Clearly, if the chain transits to itself indefinitely it is not ergodic, and in that case $p_{ij}$ is zero, i.e.
$$p_{ij} = \begin{cases} \dfrac{q_{ij}}{\sum_{k \ne i} q_{ik}} & \text{if } i \ne j \\ 0 & \text{otherwise} \end{cases} \quad (8)$$
In matrix form, $P = I - D_Q^{-1} Q$, where $D_Q = \operatorname{diag}\{Q\}$ is the diagonal matrix of Q. For the PDHRS model, with rows and columns ordered $M_0, M_1, \ldots, M_6$, this gives
$$P = \begin{bmatrix} 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0.33 & 0 & 0 & 0 & 0 & 0.66 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 \end{bmatrix} \quad (10)$$
6. Design metric evaluation
After estimating the transition probabilities between the states of the MC, we estimate the design metrics. Design metrics and their severity are specific to the domain of the project. NPP systems must be designed such that they fulfill the reliability and performance requirements as per the guidelines of the Atomic Energy Regulatory Board (AERB). Reliability of an NPP system means the failure-free operation of the system up to a given period of time under certain conditions. Performance of an NPP system means how much time the system takes to perform a function. For the purpose of safety, control systems and other monitoring systems of the NPP have strict reliability requirements, while safety systems of the NPP have strict reliability and performance requirements.
7. Reliability prediction
There are only two failure states, $M_3$ and $M_4$, in the created MC; the rest of the states are behavioral states. Let $\pi_i(t)$ be the probability that the component is in state i at time t. When the component executes for a very long time ($t \to \infty$), these probabilities converge to the stationary distribution. The proof is given in (Murata, 1989).
$$\pi = (\pi(M_0), \pi(M_1), \pi(M_2), \pi(M_3), \pi(M_4), \pi(M_5), \pi(M_6)) \quad (11)$$
$$\sum_{i \in M} \pi(i) = 1 \quad (12)$$
$$R_{est,PDHRS} = 1 - \sum_{i \in \{3\}} \pi(M_i) \quad (13)$$
These are linear equations which can be solved by standard methods (Kelling, 1995). Hence, writing $M_i$ for the stationary probability $\pi(M_i)$:
$$0.33 M_4 + M_6 = M_0 \quad (14.1)$$
$$M_0 = M_1 \quad (14.2)$$
$$M_1 = M_2 \quad (14.3)$$
$$M_2 = M_3 \quad (14.4)$$
$$0.66 M_4 = M_5 \quad (14.5)$$
$$M_5 = M_6 \quad (14.6)$$
$$M_0 + M_1 + M_2 + M_3 + M_4 + M_5 + M_6 = 1 \quad (14.7)$$
Solving the above equations, we get $M_3 = 0.157978$. Hence
$$\text{Reliability} = 1 - 0.157978 = 0.842022 \quad (15)$$
Fig. 4. Markov model for PDHRS.
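The following Python script is an added example, not the paper's code or a TimeNET output, that carries phases 4 to 7 through numerically: it assembles Q from the Table 2(b) throughputs using eq. (7), derives P by eq. (8) and checks it against the matrix form $P = I - D_Q^{-1} Q$, solves the stationary system (11) to (14), evaluates the reliability of eq. (13)/(15), and also computes the transient solution $\pi(n) = \pi(0) P^n$ of Section 3.2. The arcs of the Markov model are taken from Table 3 and the reachability graph (M3 to M4 via $t_4$, M4 back to M0 via $t_0$ or on to M5 via $t_5$); the only dependency beyond the standard library is NumPy.

```python
"""Generator matrix, embedded transition matrix, transient and stationary solution
for the PDHRS Markov model (Sections 3.2 and 5, eqs. (7) to (15))."""
import numpy as np

# Throughput rates lambda_0..lambda_7 from Table 2(b) (the paper's values).
RATES = [0.09090915, 0.18181817, 0.09090915, 0.09090915,
         0.09090912, 0.18181821, 0.18181808, 0.18181811]

# Arcs of the Markov model of Fig. 4 as read from Table 3 and the reachability
# graph: (from state, to state, index of the transition whose rate applies).
EDGES = [(0, 1, 1), (1, 2, 2), (2, 3, 3), (3, 4, 4),
         (4, 0, 0), (4, 5, 5), (5, 6, 6), (6, 0, 7)]
N_STATES = 7
FAILURE_STATES = [3]  # eq. (13) subtracts the stationary mass of M3


def generator_matrix(n, edges, rates):
    """Transition rate matrix Q of eq. (9); eq. (7) sets each diagonal so rows sum to 0."""
    Q = np.zeros((n, n))
    for i, j, t in edges:
        Q[i, j] += rates[t]
    for i in range(n):
        Q[i, i] = -(Q[i].sum() - Q[i, i])
    return Q


def transition_matrix(Q):
    """Eq. (8): p_ij = q_ij / sum_{k != i} q_ik for i != j, and 0 on the diagonal.
    An absorbing state (no outgoing rate) does not occur in this model; it is
    given p_ii = 1 here so that P stays stochastic."""
    n = Q.shape[0]
    P = np.zeros_like(Q)
    for i in range(n):
        out_rate = -Q[i, i]
        if out_rate > 0:
            P[i] = Q[i] / out_rate
            P[i, i] = 0.0
        else:
            P[i, i] = 1.0
    return P


def transition_matrix_closed_form(Q):
    """The paper's matrix form P = I - D_Q^{-1} Q with D_Q = diag{Q} (no absorbing states)."""
    D_inv = np.diag(1.0 / np.diag(Q))
    return np.eye(Q.shape[0]) - D_inv @ Q


def transient_distribution(P, pi0, n):
    """Section 3.2: pi(n) = pi(0) P^n."""
    return np.asarray(pi0, dtype=float) @ np.linalg.matrix_power(P, n)


def stationary_distribution(P):
    """Solve pi = pi P together with sum(pi) = 1 (eqs. (11), (12) and the system (14))."""
    n = P.shape[0]
    A = P.T - np.eye(n)
    A[-1, :] = 1.0          # one balance equation is redundant; replace it by normalisation
    b = np.zeros(n)
    b[-1] = 1.0
    return np.linalg.solve(A, b)


def reliability(pi, failure_states):
    """Eqs. (13) and (15): one minus the stationary mass in the failure states."""
    return 1.0 - float(sum(pi[s] for s in failure_states))


def pdhrs_reliability():
    """Run phases 4 to 7 for the PDHRS model; returns (Q, P, pi, R_est)."""
    Q = generator_matrix(N_STATES, EDGES, RATES)
    P = transition_matrix(Q)
    pi = stationary_distribution(P)
    return Q, P, pi, reliability(pi, FAILURE_STATES)


if __name__ == "__main__":
    Q, P, pi, R = pdhrs_reliability()
    np.set_printoptions(precision=4, suppress=True)
    print("P =\n", P)
    print("stationary pi =", pi)
    print("R_est,PDHRS =", round(R, 6))
```

With the full-precision rates the M4 row of P comes out as 0.3333 and 0.6667 rather than the rounded 0.33 and 0.66 of eq. (10), which moves $\pi(M_3)$ from 0.157978 to about 0.1579; the script reports the difference so the effect of rounding the transition probabilities can be seen directly.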
6. Validation
FTA, a deductive failure analysis technique, can be described simply as an analytical technique whereby an undesired state of a system is specified, and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur. The FT itself is a graphic model of the various parallel and sequential combinations of faults that will result in the occurrence of a predefined undesired event. The faults can be events that are failures, human errors, or any other pertinent events which can lead to the undesired event. A FT depicts the logical interrelationships of the basic events that lead to the undesired event, which is the top event of the FT. FTA can be used in the design phase of the plant to uncover hidden failure modes that result from combinations of equipment failures. FTA including operator and procedure characteristics can be used to study an operating plant to identify potential combinations of failures for specific accidents.
To validate our approach, reliability assessment of the EC system/PDHRS was also carried out using the FT method as per NUREG-0492 (Haasl et al., 1981), for which the RiskSpectrum (Relcon Scandpower, 2008) software tool was used. The success criterion for the EC system during the SBO condition was defined as being capable of removing the decay heat during the SBO condition. The components which can contribute to system failure are modeled for their different failure modes, as shown in Fig. 5. For a change of state of a component, the demand failure probability model was considered. Plant-specific failure data for the demand failure modes of the components was used, as observed during the EC failure that occurred in unit 1 of the Fukushima Daiichi nuclear power station (Gauntt et al., 2012), and is given in Table 4. For the continuous running mode of the components, the mission time model was considered. In this case, plant-specific failure data was not available, hence generic data based on IAEA TECDOC 478 (TECDOC, IAEA, 1988) is used and is given in Table 5.
The basic events and their input parameters used in Fig. 5 are given in Table 6. CCFs were modelled using the alpha factor model for similar components with similar failure modes. Four CCF groups were considered in the FTA: two CCF groups for valves VT and VM failing to close and failing to remain closed, and two
Fig. 5. FT for Emergency Condenser System.
Table 4. Demand failure probability based on the Emergency Condenser loop valve failure that occurred at Fukushima Daiichi NPP-1.
Component | Component type | Failure mode | Model used | Demand failure probability
Valve VT | Gate Valve | Fail to Close (FTC) | Failure on Demand | 0.0208
Valve VM | Gate Valve | Fail to Close (FTC) | Failure on Demand | 0.0208
Valve VE | Gate Valve | Fail to Open (FTO) | Failure on Demand | 0.0208
Valve VC | Gate Valve | Fail to Open (FTO) | Failure on Demand | 0.0208
Valve VW | Gate Valve | Fail to Open (FTO) | Failure on Demand | 0.0208
Table 5 Generic data used for FTA. Component
Component type
Failure mode
Valve VT Valve VM Valve VE Valve VC Emergency Condenser Loop Pipe Emergency Condenser Valve VW
Gate Valve Gate Valve Gate Valve Gate Valve Pipe Failure > 300 diameter (50 Sections) U tube horizontal shell and tube type Gate Valve
Fail to Remain Fail to Remain Fail to Remain Fail to Remain Rupture Tube Rupture Fail to Remain
Close Close Open Open
(FTRC) (FTRC) (FTRO) (FTRO)
Open (FTRO)
Model Used
Failure rate
Mission Mission Mission Mission Mission Mission Mission
4.6E-5/hr 4.6E-5/hr 4.6E-5/hr 4.6E-5/hr 7.91E-09 1.1E-5/hr 1.1E-5/hr
Time Time Time Time Time Time Time
Table 6 Basic Events & their Input Parameters used in FTA. Basic Event
Description of Basic Event
Model
Failure Probability (q)
EC-LOOP-PIPE RUPTURE EC-TUBE RUPTURE EC-VALVE-VC-FTO EC-VALVE-VC-FTRO EC-VALVE-VE-FTO EC-VALVE-VE-FTRO EC-VALVE-VM-FTC EC-VALVE-VM-FTRC EC-VALVE-VT-FTC EC-VALVE-VT-FTRC EC-VALVE-VW-FTO EC-VALVE-VW-FTRO
EC loop pipe rupture EC tube rupture Valve VC fails to open Valve VC fails to remain open Valve VE fails to open Valve VE fails to remain open Valve VM fails to close Valve VM fails to remain close Valve VT fails to close Valve VT fails to remain close Valve VW fails to open Valve VW fails to remain open
3.80E-07 5.28E-04 2.08E-02 2.21E-03 2.08E-02 2.21E-03 2.08E-02 2.21E-03 2.08E-02 2.21E-03 2.08E-02 2.21E-03
Mission time Mission time Probability Mission time Probability Mission time Probability Mission time Probability Mission time Probability Mission time
Table 7 CCF groups used in FTA. CCF Group Name
Description
Number of Components in the Group
Model
EC-VM &VT-FTC-CC EC-VM &VT-FTRC-CC EC-VE, VC & VW-FTO-CC EC-VE &VC-FTRO-CC
Valve Valve Valve Valve
2 2 3 3
Alpha Alpha Alpha Alpha
VM and VT Fail to Close due to Common Cause VM and VT Fail to Remain Close due to Common Cause VE, VC & VW Fail to Open due to Common Cause VE, VC & VW Fail to Remain Open due to Common Cause
CCF groups for VE, VC and VW failing to open and failing to remain open. Noticeably, the location of VC and VM is in different compartment. The physical distance between the valve VC and VM is also large. Fig. 5 is the representative diagram. The failure modes of VE and VT are different. The Failure modes of VT are fails to close and fails to remain close while for VE are fails to open and fails to remain open. As per the CCF methodology, the CCFs are considered for similar failure modes. The physical distance between VE and VT is also large. Hence CCF between VE and VT is not considered. CCF parameter values are given in Table 7. These values are estimated based on methodology given in NUREG6268y (Database, 2007). The obtained system reliability estimated using FTA is 0.931214. Valve VT and VM fail to close and VE, VC and VW fail to open are predominant contributors to system failure which in the line with the system design. To validate our approach, we have compared the reliability obtained by state space model with the FTA approach as:
dev iatedreliability Þ 100 %Accuracy ¼ ð1 ReliabilitybyFTA 0:931214 0:842022 100 ¼ 90:42198% ¼ 1 0:931214 Considering the lack of data due to FOAK system, we have received very high accuracy. The accuracy will keep on improving as and when, sufficient operational profile data becomes available.
Parameter Valve Factor Factor Factor Factor
5.0E-02 2.5E-02 4.0E-02 & 1.0E-2 2.0E-02 & 5.0E-2
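The mission-time basic events of Table 6 are the Table 5 failure rates converted through the mission time model, and the validation figure is the accuracy formula above. The following script is an added example (not code from the paper or from RISK Spectrum) that re-derives Table 6 from Table 5 and evaluates the accuracy metric; it assumes a 48 h mission time, which is not stated on the page but is the value that reproduces the tabulated probabilities. As extracted, the Table 5 rate for valve VW (1.1E-5/hr) yields 5.28E-04 rather than the 2.21E-03 listed in Table 6, so the consistency check flags that one row.

```python
import math

# Assumed: the page gives no mission time; 48 h reproduces Table 6 from Table 5 (q ~ lambda*t).
MISSION_TIME_H = 48.0

# Constructed from Table 5: failure rate per hour for the mission-time events.
TABLE5_RATES_PER_H = {
    "EC-LOOP-PIPE RUPTURE": 7.91e-9,
    "EC-TUBE RUPTURE": 1.1e-5,
    "EC-VALVE-VT-FTRC": 4.6e-5,
    "EC-VALVE-VM-FTRC": 4.6e-5,
    "EC-VALVE-VE-FTRO": 4.6e-5,
    "EC-VALVE-VC-FTRO": 4.6e-5,
    "EC-VALVE-VW-FTRO": 1.1e-5,
}

# Constructed from Table 6: the failure probability q the FTA used for each event.
TABLE6_Q = {
    "EC-LOOP-PIPE RUPTURE": 3.80e-7,
    "EC-TUBE RUPTURE": 5.28e-4,
    "EC-VALVE-VT-FTRC": 2.21e-3,
    "EC-VALVE-VM-FTRC": 2.21e-3,
    "EC-VALVE-VE-FTRO": 2.21e-3,
    "EC-VALVE-VC-FTRO": 2.21e-3,
    "EC-VALVE-VW-FTRO": 2.21e-3,
}


def mission_time_unavailability(rate_per_h, t_h=MISSION_TIME_H):
    """Mission time model: probability that a running component fails within
    t hours, 1 - exp(-lambda*t), which is ~ lambda*t when lambda*t is small."""
    return 1.0 - math.exp(-rate_per_h * t_h)


def check_table6_against_table5(tol=0.01):
    """Recompute every mission-time basic event from its Table 5 rate and return
    the events whose Table 6 value differs by more than tol (relative)."""
    mismatches = {}
    for event, rate in TABLE5_RATES_PER_H.items():
        q = mission_time_unavailability(rate)
        tabulated = TABLE6_Q[event]
        if abs(q - tabulated) / tabulated > tol:
            mismatches[event] = (tabulated, q)
    return mismatches


def accuracy_percent(reliability_fta, reliability_state_space):
    """%Accuracy = (1 - deviated reliability / Reliability by FTA) x 100, where the
    deviated reliability is the FTA result minus the state space model result."""
    deviated = reliability_fta - reliability_state_space
    return (1.0 - deviated / reliability_fta) * 100.0


if __name__ == "__main__":
    print("rows not reproduced from Table 5:", check_table6_against_table5())
    print(f"accuracy: {accuracy_percent(0.931214, 0.842022):.5f}%")
```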
7. Conclusion
In this paper, we provide a technique to verify the design of a passive system, known as PDHRS, which is a FOAK system. The technique consists of seven phases: PN generation, model parameter assignment, reachability graph creation, Markov chain creation, transition probability computation, design matrix evaluation and reliability prediction. The methodology has been validated against the traditional approach and achieved a significant accuracy of 90.42%. The proposed methodology has also been validated on 11 other systems of different NPPs, including LWR and PHWR, of which 10 systems were validated based on real data (operational profile data). The accuracy will keep on improving as and when sufficient failure data becomes available from operational profile data. The methodology has been applied to 21 NPP systems so far.
Appendix A. Supplementary data Supplementary data to this article can be found online at https://doi.org/10.1016/j.anucene.2019.107139.
References
Abram, Tim, Ion, Sue, 2008. Generation-IV nuclear power: a review of the state of the science. Energy Policy 36 (12), 4323–4330.
Bhardwaj, S.A., 2006. The future 700 MWe pressurized heavy water reactor. Nuclear Engineering and Design 236 (7-8), 861–871.
Cho, C., Chung, W., Kuo, S., March 2016. Cyberphysical Security and Dependability Analysis of Digital Control Systems in Nuclear Power Plants. IEEE Transactions on Systems, Man, and Cybernetics: Systems 46 (3), 356–369. https://doi.org/10.1109/TSMC.2015.2452897.
Corey, G.R., 1979. A brief review of the accident at Three Mile Island. IAEA Bulletin 21 (5), 54–59.
Common-Cause Failure Database and Analysis System: Event Data Collection, Classification, and Coding. NUREG/CR-6268, Rev. 1, INL/EXT-07-12969, September 2007.
Gauntt, Randall, Kalinich, Donald, Cardoni, Jeff, Phillips, Jesse, Goldmann, Andrew, Pickering, Susan, Francis, Matthew, et al., 2012. Fukushima Daiichi accident study (status as of April 2012). Sandia Report SAND2012-6173.
Gittus, J.H., 1987. The Chernobyl accident and its consequences. Atom (London), 2–9.
Haasl, David F., Roberts, Norman H., Vesely, William E., Goldberg, Francine F., 1981. Fault tree handbook, NUREG-0492. Nuclear Regulatory Commission.
IAEA, 2019. Nuclear Power Reactors in the World. 2019 Edition, p. 60.
Katiyar, S.C., Bajaj, S.S., 2006. Tarapur Atomic Power Station Units-1 and 2: Design features, operating experience and license renewal. Nuclear Engineering and Design 236 (7-8), 881–893.
Kelling, C., 1995. TimeNET-Sim: a parallel simulator for stochastic Petri nets. In: Proc. 28th Annu. IEEE Simulation Symp., Apr. 1995, pp. 250–258.
Kelling, C., 1996. TimeNET: evaluation tool for non-Markovian stochastic Petri nets. In: Proc. IEEE Int. Computer Performance and Dependability Symp., 1996, p. 62.
Kumar, V., Singh, L.K., Singh, P., Singh, K.V., Maurya, A.K., Tripathi, A.K., May 2018. Parameter Estimation for Quantitative Dependability Analysis of Safety-Critical and Control Systems of NPP. IEEE Transactions on Nuclear Science 65 (5), 1080–1090. https://doi.org/10.1109/TNS.2018.2827106.
Liu, Yu, et al., 2015. Dynamic reliability assessment for multi-state systems utilizing system-level inspection data. IEEE Transactions on Reliability 64 (4), 1287–1299.
Mathews, T., Sajith, M., Ramakrishnan, U., Parthasarathy, A., Arul, John, Senthil Kumar, C., 2008. Functional reliability analysis of safety grade decay heat removal system of Indian 500 MWe PFBR. Nuclear Engineering and Design 238 (9), 2369–2376.
Murata, T., 1989. Petri nets: Properties, analysis and applications. Proc. IEEE 77, 541–580.
Povinec, Pavel, Hirose, Katsumi, Aoyama, Michio, 2013. Fukushima accident: radioactivity impact on the environment. Newnes.
Relcon Scandpower, A.B., 2008. RiskSpectrum® PSA Professional, developed and maintained by Relcon Scandpower AB in Sweden.
Singh, L.K., Rajput, H., 2018. Dependability Analysis of Safety Critical Real-Time Systems by Using Petri Nets. IEEE Transactions on Control Systems Technology 26 (2), 415–426. https://doi.org/10.1109/tcst.2017.2669147.
Singh, L.K., Vinod, G., Tripathi, A.K., Apr. 2014. Design verification of instrumentation and control systems of nuclear power plants. IEEE Trans. Nucl. Sci. 61 (2), 921–930.
Sinha, R.K., Kakodkar, Anil, 2006. Design and development of the AHWR: the Indian thorium fuelled innovative nuclear reactor. Nuclear Engineering and Design 236 (7-8), 683–700.
Tanaka, Tsunehiko, Kumamoto, Hiromitsu, Inoue, Koichi, 1989. Evaluation of a dynamic reliability problem based on order of component failure. IEEE Transactions on Reliability 38 (5), 573–576.
TECDOC, IAEA, 1988. IAEA-TECDOC-478. Component reliability data for use in probabilistic safety assessment. IAEA, Vienna.
Urata, K., Inoue, M., 2017. Performance analysis of feedbacked passive systems for decentralized design of large-scale systems. In: 2017 IEEE 56th Annual Conference on Decision and Control (CDC). https://doi.org/10.1109/cdc.2017.8263991.
Yang, J., Zhang, Q., Zhu, Q., 2014. Application of dynamic uncertain causality graph to fault diagnosis in chemical processes. CAAI Trans. Intell. Syst., 154–160.
Zhang, Q., Zhang, Z., Jun. 2016. Dynamic uncertain causality graph applied to dynamic fault diagnoses and predictions with negative feedbacks. IEEE Trans. Rel. 65 (2), 1030–1044.
Zuberek, Wlodzimierz M., 2001. Timed Petri nets in modeling and analysis of cluster tools. IEEE Transactions on Robotics and Automation 17 (5), 562–575.
Further reading
[Online]. Available: http://www.dis.uniroma1.it/~leon/didattica/webir/pagerank.pdf.
Stewart, W., 1991. Numerical Solution of MC. CRC, New York, NY, USA.