Impact of PRA workstations on PRA applications


Reliability Engineering and System Safety 30 (1990) 355-365

Short Communication

James Koren, Blake Putney, William Parkinson

ABSTRACT

This paper briefly discusses the history of software tools for PRA and their development from the first commercial PRAs to the present. The characteristics of a usable ('living') PRA are then described (i.e., accessibility, maintainability and quality). The small event tree/large fault tree approach to PRA is described, with special attention paid to the interaction of the various PRA codes. Finally, four different applications of PRA are listed, showing the functions and interactions of SAIC's PRA workstation codes.

Reliability Engineering and System Safety 0951-8320/90/$03.50 © 1990 Elsevier Science Publishers Ltd, England. Printed in Great Britain.

The software tools developed to support Probabilistic Risk Analyses (PRAs) have had a profound impact on the PRA's role in the utility regulatory environment. By providing the needed automation, integration and optimization, the costs of performing analyses have been greatly decreased while the timeliness of PRA results has improved. Automation and integration let the engineer focus on the analysis rather than on the procedures needed to perform it, while optimization has allowed the computations to be performed on a top-end personal computer, further reducing costs. The net effect of the PRA workstations has been to change the nature of a PRA from a static report that sat on a shelf to a living document which can be quickly updated, modified and analyzed.

During the time of the first commercial PRAs (e.g. Zion and Oconee) [1], the only software tools supporting PRA were large mainframe fault tree quantification tools. In addition to model quantification, there were many other tasks in a PRA that would benefit from computerization, including reliability data management, logic model editing, results interpretation and documentation generation. The advent of personal computers provided the ideal environment for a PRA workstation. However, integrating all of these tasks into a PC workstation could only be done practically if an appropriate methodology could be developed. The Oconee PRA [2] produced the foundation for an integrated methodology that was also compatible with a PC-based workstation. This foundation included: (1) functional event trees and top logic, which reduced the number of event sequences to be quantified, and (2) human reliability screening values, which allowed truncation of cut sets containing less important human errors without introducing non-conservatisms. Later, during the Crystal River Unit 3 PRA [3], the final critical portion of the methodology was developed, namely modularization of fault trees. Modularized fault trees group component failure modes with similar effects on the plant model, thereby allowing a substantial reduction in the number of cut sets. The new methodology reduced the number of event sequences and likely cut sets enough to fit within the memory limits of a PC.

This paper first describes the characteristics of a usable PRA, followed by a detailed description of an integrated methodology that provides those characteristics. Applications using these models are then described. This provides a basis from which to judge the effectiveness of PRA workstations and their application to the problems facing the nuclear utilities.

CHARACTERISTICS OF A USABLE PRA

By usable PRA we mean that the information contained in the analysis has both accessibility and quality. Accessibility addresses the ease of both maintenance of the models and interpretation of results. Quality addresses the comprehensiveness, traceability and defensibility of the study.
Another key aspect of a usable PRA is maintainability. The maintainability of the PRA model is a direct result of the integration of both methodology and supporting software tools. First, the tools must support the methodology throughout all its steps. If there are holes in the software that require manual operations that are monumental or tedious to perform, the staff will not be encouraged to maintain the models. Second, the analyst needs to be able to clearly relate each task to a given software function. If the process is complex or hidden within the software, the analysts (both new and old staff) could lose confidence in the results. A third aspect of maintainability is flexibility. The needs of users will change as current methodologies mature and are applied to new problems. If the tools are not flexible enough to meet these new needs, other approaches may be sought.

One of the major benefits of a PRA as a risk management tool is that it allows the risk impacts of competing modification proposals to be evaluated and compared. That is, 'what if' questions that affect risk can be evaluated on a comparative basis. A desirable characteristic of a PRA is therefore the ease with which these 'what if' questions can be evaluated for their effect on risk and cost; any approach used should result in a PRA that minimizes the effort required to evaluate those impacts. The software tools must provide sufficient flexibility to allow the analyst to exercise his creativity in developing and presenting results for specific problems. This has been accomplished through the use of efficient methodologies integrated with efficient computer workstations to manage models and data. The computer should (1) guide the user to the required changes, (2) perform the required Boolean reductions, requantifications, risk and cost measure evaluations, and system interaction re-evaluations (all of which are mechanical manipulations not requiring operator oversight), and (3) present the results in a format that is easy to interpret and easy to present to others (i.e. graphs and tables).

Another major benefit of a usable PRA is that the results, when properly displayed, can indicate cost-effective risk reduction strategies. A PRA workstation should not only identify and highlight the accident sequences that are dominant contributors to risk, but also calculate risk importance measures that can be used to suggest possible risk reduction strategies. One type of importance measure, the risk-reduction worth, indicates the relative impact on risk of reducing the vulnerability due to a particular component or human failure mode (or to an initiating event).
This measure can suggest likely candidates where increased surveillance, or design changes to increase redundancy or reduce transients, can be particularly effective in reducing risk. Another type of importance measure, the risk-achievement worth, indicates the impact on risk if the vulnerability from a component or human failure were to increase. This measure indicates where preventive maintenance should be emphasized, or where aging phenomena could have particularly adverse impacts on risk.

THE INTEGRATED APPROACH TO PRA

In the course of ongoing work in PRA methodology development and applications, SAIC has developed a PRA style that blends PRA modeling techniques with computer software to create an efficient, flexible model that has the characteristics necessary for PRA applications. This approach is based upon the fault tree linking methodology to facilitate the manipulation and modeling of system interdependencies, augmented by the use of functional accident sequence models and top logic that can provide additional detail while reducing the number of sequences requiring analysis (e.g. a reduction from 1000 to 24 sequences). The final improvement in the methodology involves the use of modular fault trees (fault trees simplified by introducing module events, or super components). The modular fault trees have reduced model complexity from of the order of 3000 gates to about 1000 gates, which has reduced computer time requirements from many hours to minutes. In addition, modular fault trees make the fault trees easier to understand and maintain, reduce the truncation values necessary to solve the models, and enhance the review of analysis results by packaging similar results together. SAIC's approach is to retain the modules as cut sets within the PRA workstation, thereby keeping the detailed models available for expansion if needed.

The integrated PRA methodology can be characterized as a small event tree/large fault tree approach. The basic approach, and its relationship to a full Level 3 PRA, is illustrated in Fig. 1. Figure 2 provides a diagram illustrating the flow of data through SAIC's software tools throughout a PRA. The key feature in the overall approach is fault tree linking as the integrator of the plant risk models. Fault tree linking is an engineering-oriented approach that allows one to assess risk in qualitative and quantitative terms at the appropriate level of detail. That is, one can readily identify the combinations of basic hardware failures/unavailabilities and human interactions (i.e. accident sequence cut sets) that can lead to core damage and containment release.
It allows the propagation of these component cut sets throughout the core damage/severe accident sequence, thus providing significant insight into the contributors to risk. Since the basic hardware failure rates, human error probabilities and initiator frequencies are propagated as well, detailed quantitative results are provided. The linked fault tree approach provides a complete framework for any PRA application; through it a comprehensive level of detail can be accommodated while still maintaining easy usability. Plant response to initiators is described using functional event trees. This method describes the events appearing in the event trees functionally; that is, loss of primary system integrity is modeled rather than, say, pressurizer safety valve failure or loss of RCP seal cooling as separate top events. The functional sequences relate directly to the functional sequences discussed in the NRC's generic letter on individual plant examination (GL 88-20). The software supporting this aspect of the analysis is ETA-II.

[Fig. 1. The small event tree/large fault tree approach and its relationship to a full Level 3 PRA.]

[Fig. 2. Flow of data through SAIC's software tools during a PRA.]

The more exact representation and interpretation of these system interactions is accomplished by using 'top logic' fault trees. These fault trees provide the interface between the event tree sequence logic and the system top events, initiating events, human errors and hardware failures that can cause each function to fail. This approach provides the capability to directly model all details of system interactions in a compact yet clear manner while enhancing completeness and ease of quantification. The top logic could equivalently be modeled using an event tree approach with detailed system success/failure states included in the event trees. However, if system states rather than plant functional states are used as the basis for event tree branching, a large number of additional accident sequences will be generated, all representing similar plant states, and all requiring individual quantification. The purpose of the event trees from the risk model perspective is to provide sufficient structure to allow for operational and peer review and to assure that all accident scenarios have been identified. The fault tree top logic enhances the review process and, by facilitating understanding of the overall plant response to initiating events, helps assure completeness.

An additional enhancement to the traditional approach of event tree analysis is the inclusion of initiating events of the same class (e.g. transients) within the top and system logic of the event tree. This allows one model to treat many initiating events, dramatically simplifying the accident sequence quantification process. The initiating events are represented in the model by flags (house events) which are set to True or False prior to quantification, thereby configuring the logic for a specific class of initiator. In addition to simplifying the quantification task, it means that only one system model needs to be maintained.

To maintain modeling efficiency, the fault trees are modularized during development. Modules are defined which consist of statistically independent and functionally related basic events. Test and maintenance faults and human failure events are not included in modules because of their potential for dependencies. Note that the modular fault trees do not omit faults which may be judged to be of lesser probability during the baseline PRA but which could become more significant as the plant design and operation evolve. Note also that, by using the cut sets and module definitions with the project software, the results can be expanded into a complete list of cut sets containing basic events instead of modular events.

The linked fault tree accident sequence logic is evaluated to obtain a list of dominant scenarios called accident sequence cut sets, which are in turn evaluated for possible recovery actions and quantified with respect to core-damage frequency and release categories. Total core-damage frequency is calculated by summing over all the cut sets, and the release-category frequencies are obtained from the limited-scope Level 2 results following initial core-damage quantification. These integrated results are then manipulated to aid in interpretation and to provide risk management insights. From these evaluation results, the following are obtained:

1. the list of dominant risk contributors,
2. the importance of systems and components to risk,
3. the sensitivity of results to key assumptions, and
4. an uncertainty analysis.

The CAFTA code [4] (developed by SAIC for EPRI) supports all elements of fault tree development: modularization, quantification and cut set evaluation. CAFTA also supports the use of batch and MACRO command files that allow solution of a risk model at the touch of a button. Once the revised model, data and human error probabilities have been reintegrated and quantified, this information is automatically loaded into a scoping model that merges the cut sets for all accident sequences. This scoping model is then processed by the Risk Management Query System (RMQS) [5]. The model is stored in terms of accident sequence cut sets made up of initiating events, hardware modules, components, human errors, recoveries and plant-damage states. The scoping model allows manipulation of results down to the component level. The final integration takes place when the risk measures (release categories and source term estimates) for each plant-damage state are provided from the containment performance analysis task. RMQS then automatically calculates and stores the risk associated with each accident sequence cut set. RMQS can select and rank accident sequence cut sets, calculate system, module, human error and component importance, and update any model parameter and re-calculate core-damage frequency and plant risk in a matter of seconds. The results of the preceding task are generated automatically by RMQS. These are:

1. the list of dominant risk contributors,
2. the importance of systems and components to risk,
3. the sensitivity of analysis results to key assumptions, and
4. an uncertainty analysis.

Importance analyses (with appropriate consideration for uncertainties) are a primary tool in the investigation of vulnerabilities. Two measures are used to evaluate the importance of a system, component or operator action in further reducing risk, and its importance in maintaining the present risk level. One importance measure, called risk-reduction worth, identifies the improvement in risk if components, subsystems, etc., were perfectly reliable, and is useful in prioritizing future improvements that can most reduce risk. The other importance measure, called risk-achievement worth, identifies the impact on risk if components were totally unreliable. This measure is useful in prioritizing features that maintain the existing risk level and that are most important in reliability assurance and maintenance activities. While other measures of importance exist, these two have the advantage of being easily understood when proposed changes based on the risk assessment are presented to management. Three items included in the models are specifically addressed:

1. Components and systems most important in maintaining the current level of risk will be identified, permitting maintenance and testing efforts to be prioritized from a risk standpoint. Important components with high uncertainties in their probability estimates will be separately identified for improved data collection efforts. Potential system improvements for systems containing high-importance components will also be explored.
2. Conditioning events (house events) in the models which present modeling uncertainties will be assessed to determine the desirability of further analyses to resolve such uncertainties. An example of such an uncertainty would be the survivability of an inverter in a non-ventilated room following a station blackout.
3. Human reliability events of high importance will be analyzed to determine which actions would most benefit from improved procedures or training.

Criteria for selection of items deserving analysis as potential improvements will be defined early in the PRA effort, and will be consistent with future requirements of the IPE. Following identification of potential improvements, the analysis process and its results will be documented in one of the final reports on the PRA.
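The mechanics described in the preceding sections (one linked fault tree configured for an initiator class by True/False house-event flags, modules made of statistically independent basic events, minimal cut sets with a truncation value, quantification, and the risk-reduction worth and risk-achievement worth measures) can be exercised end to end on a small constructed model. The Python below is an added worked example written for this page; it is not code from the paper and not SAIC's CAFTA or RMQS. The gate structure, the event and module names (TOP, TRAIN_A, PA_MECH, LOOP, DG_MAINT and so on) and every probability are invented for illustration.

```python
"""Toy linked fault tree: house-event flags, modules, minimal cut sets,
truncation, upper-bound quantification, and RRW/RAW importance measures.
Added example; the plant model below is constructed, not from any real PRA."""
from itertools import product

# Gate logic. TOP = loss of the cooling function. Both pump trains must fail,
# or, for the loss-of-offsite-power (LOOP) initiator class, the diesel must fail.
GATES = {
    "TOP":     ("OR",  ["PUMPS", "POWER"]),
    "PUMPS":   ("AND", ["TRAIN_A", "TRAIN_B"]),
    "TRAIN_A": ("OR",  ["PA_MECH", "PA_MAINT"]),
    "TRAIN_B": ("OR",  ["PB_MECH", "PB_MAINT"]),
    "POWER":   ("AND", ["LOOP", "DG"]),       # LOOP is a house event (flag)
    "DG":      ("OR",  ["DG_MECH", "DG_MAINT"]),
}
# Modules: statistically independent, functionally related basic events kept
# as one super-component. Maintenance events stay outside modules (dependencies).
MODULES = {
    "PA_MECH": {"PA_FTS": 1e-3, "PA_FTR": 5e-4},   # fail to start / fail to run
    "PB_MECH": {"PB_FTS": 1e-3, "PB_FTR": 5e-4},
    "DG_MECH": {"DG_FTS": 2e-2, "DG_FTR": 1e-2},
}
BASIC = {"PA_MAINT": 2e-2, "PB_MAINT": 2e-2, "DG_MAINT": 1e-2}  # hypothetical values

def or_prob(ps):
    """Probability that at least one of several independent events occurs."""
    q = 1.0
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q

def event_probs():
    """Probabilities of the events that can appear in cut sets; a module
    collapses to the probability of its own OR of basic events."""
    probs = dict(BASIC)
    probs.update({m: or_prob(v.values()) for m, v in MODULES.items()})
    return probs

def minimize(cutsets):
    """Keep only minimal cut sets (none is a superset of another)."""
    keep = []
    for c in sorted(set(cutsets), key=len):
        if not any(k <= c for k in keep):
            keep.append(c)
    return keep

def cut_sets(node, house):
    """Top-down (MOCUS-style) expansion. A house event set True is treated as
    already failed (an empty cut set); set False it prunes its branch."""
    if node in house:
        return [frozenset()] if house[node] else []
    if node not in GATES:
        return [frozenset([node])]
    kind, children = GATES[node]
    child_sets = [cut_sets(c, house) for c in children]
    if kind == "OR":
        combined = [c for s in child_sets for c in s]
    else:  # AND: one cut set from each child, merged
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    return minimize(combined)

def quantify(cutsets, probs, truncation=0.0):
    """Min-cut-set upper bound on the top event, after dropping cut sets whose
    probability falls below the truncation value."""
    terms = []
    for c in cutsets:
        p = 1.0
        for e in c:
            p *= probs[e]
        if p >= truncation:
            terms.append(p)
    return or_prob(terms)

def importance(cutsets, probs, event):
    """Risk-reduction worth F/F(q=0) and risk-achievement worth F(q=1)/F."""
    base = quantify(cutsets, probs)
    reduced = quantify(cutsets, {**probs, event: 0.0})
    rrw = base / reduced if reduced else float("inf")
    raw = quantify(cutsets, {**probs, event: 1.0}) / base
    return rrw, raw

def expand(cutsets):
    """Replace module events by their basic events (full cut set list)."""
    out = []
    for c in cutsets:
        parts = [[frozenset([b]) for b in MODULES[e]] if e in MODULES
                 else [frozenset([e])] for e in c]
        out += [frozenset().union(*combo) for combo in product(*parts)]
    return minimize(out)

def solve(house, truncation=0.0):
    """Configure the one model for an initiator class and quantify it."""
    cs = cut_sets("TOP", house)
    return cs, quantify(cs, event_probs(), truncation)

if __name__ == "__main__":
    for flags in ({"LOOP": False}, {"LOOP": True}):
        cs, f = solve(flags)
        print(flags, len(cs), "cut sets, F = %.3e" % f)
    cs, _ = solve({"LOOP": False})
    for e in ("PA_MAINT", "PA_MECH", "DG_MAINT"):
        print(e, "RRW = %.1f, RAW = %.1f" % importance(cs, event_probs(), e))
```

Flipping the single LOOP flag changes which cut sets survive without touching the gate definitions, which is the one-model-for-many-initiators point made above; a 'what if' change to a failure probability is a call to quantify with an edited probability table and needs no re-solution of the logic, while a structural change (a new train, a removed gate) does. With the constructed numbers the maintenance unavailabilities dominate: PA_MAINT has both a large risk-reduction worth and a large risk-achievement worth, whereas DG_MAINT scores 1.0 on both for the transient configuration because it appears in no cut set there.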

APPLICATIONS

The PRA workstation attributes that help make the PRA more usable set the stage for the PRA applications. The following paragraphs describe the steps required to accomplish some example applications.

A. Quantitatively assess changes in core-damage risk due to:

Modifications to component and system design. Modifications that improve component and system performance can be categorized as those that affect the configuration of the plant and those that improve/degrade component reliability. Changes that add redundancy to a system, improve component reliability, or slightly degrade component reliability can be assessed by modifying the appropriate failure rates in the scoping model; RMQS will then automatically requantify the model. Changes that significantly degrade system redundancy or component reliability must be examined through a requantification of the portions of the risk model affected by the changes. Procedures would provide guidelines for the size of probability change that requires model requantification. The results of the requantification are then loaded automatically from CAFTA into the scoping model in RMQS for comparison to the plant baseline.

Changes to existing operation and maintenance procedures or licensing requirements. Assessment of these aspects of plant operation takes place by identifying the model elements (operator errors, maintenance unavailabilities, failure of standby components, common-cause failures, and perhaps model structures) that are associated with the operation or maintenance to be assessed. As in the analysis of component and system designs, changes that reduce or slightly increase the probability of these model elements are assessed using RMQS, while changes that alter model structure to reduce redundancy, or significantly increase the probability of these events, require requantification of the affected portion of the model.

Changes in safety margins. Changes that alter safety margins are requantified by modifying the system fault trees or sequence top logic and recovery events to reflect the changes in success criteria. The affected portion of the model is then requantified. Changes that increase safety margins can be assessed directly in RMQS in the short term, although it is recommended that the model be updated at some point if the changes are permanent.

B. Assessment of alternatives

Alternatives to proposed NRC requirements can be assessed through modification of appropriate model parameters. Alternatives can be assessed by identifying specific recovery actions or procedures that reduce the likelihood of particular sequences or initiating events. These can be assessed directly by modifying the appropriate parameters in RMQS. RMQS will then automatically update the risk calculations and display results, both old and new.

C. Enhancement of training programs

The risk model can enhance training programs in a number of ways. The dominant sequences can be used to emphasize particular scenarios in simulator training and in emergency response drills. Specific scenarios can be extracted from the event sequence models and produced for display (e.g. as an operator action event tree) using the ETA program. Importance measures of model elements, operator errors, maintenance errors, component failures and maintenance activities can be used to focus operator and maintenance training on the most risk-sensitive areas. Risk insights and operator actions identified during the recovery phase of the analysis can greatly benefit operator training programs.

D. Integrated work package

The nature of the RMQS model, comprehensive yet easy to solve, makes it usable for both prioritization and tracking studies involving plant changes. Most evaluations can be performed within seconds. RMQS is also suitable for tracking a variety of attributes simultaneously. Through the development and use of appropriate weighting factors in the Risk Measure Table, attributes such as personnel safety, plant availability and reliability, and public risk can be evaluated simultaneously for each plant modification. These applications are being performed on a daily basis at a number of US utilities. The PRA workstation has allowed these utilities to quickly access and update their PRAs so that the PRAs can have an impact on plant operations and decision making.

REFERENCES

1. Zion Probabilistic Safety Study. Commonwealth Edison Company, 1981.
2. Oconee Probabilistic Risk Assessment: A Probabilistic Risk Assessment of Oconee Unit 3. NSAC-60, Electric Power Research Institute and Duke Power Company, June 1984.
3. Crystal River Unit 3 Probabilistic Risk Assessment. Florida Power Corporation and Science Applications International Corporation, July 1987.
4. CAFTA User's Manual, Version 2.0. Science Applications International Corporation (prepared for Electric Power Research Institute), Los Altos, California, 2 September 1988.
5. RMQS User's Manual. Science Applications International Corporation, Los Altos, California, 27 July 1987.

James Koren, Blake Putney* & William Parkinson
Science Applications International Corporation, 5150 El Camino Real, Suite C-31, Los Altos, California 94022, USA

* To whom correspondence should be addressed.