
Reliability Engineering and System Safety 31 (1991) 1-30

Semi-Markov Reliability Analysis of Three Test/Repair Policies for Standby Safety Systems in a Nuclear Power Plant

Woo S. Jung & Nam Z. Cho
Department of Nuclear Engineering, Korea Advanced Institute of Science and Technology, PO Box 150, Cheongryang, Seoul, Republic of South Korea

(Received 30 March 1989; accepted 8 November 1989)

ABSTRACT

During the course of efforts in re-examining the technical specifications for nuclear power plants, particular attention has been paid to the 'additional test' requirement on the redundant components in a standby safety system. When a failure of one part is detected by the scheduled test, the following three test/repair policies are considered on the other redundant parts during the allowed outage time of the first failed component: (1) Policy 1, a prompt additional test; (2) Policy 2, no additional test; and (3) Policy 3, an additional test after repairing the first failed one. For the analysis of the three test/repair policies, a computer program MARADD (Markov Reliability Analysis for the Additional Test Requirement) was developed in the present study, based on semi-Markov reliability analysis. The allowed outage time (AOT) is usually larger than the calculation time step required by acceptable accuracy. A component can change its state from repair to operable state during the AOT according to the assumed Poisson repair process. However, some system states make forced transitions to other system states due to the additional test requirement, and to the plant shutdown state on exceeding the AOT, which is a deterministic parameter. Thus, the three test/repair policies have semi-Markovian characteristics. The methodology was applied to the diesel generator system on which Policy 1 is currently performed. For the three test/repair policies, the system unavailability, the core damage frequency, and the plant shutdown probability in 1 year of plant operation were calculated for several AOTs and STIs using the nominal input data and also using various input data for sensitivity studies. The current test/repair procedure, i.e. Policy 1, has no advantage over Policies 2 and 3 in a nuclear power plant with relatively large conditional core damage probability given a reactor trip and with a diesel generator system that has short repair time and low failure rate. Furthermore, the allowed outage time could be extended to improve the core damage frequency when the plant has large conditional core damage probability given a reactor trip. However, there is significant benefit in plant availability resulting from extending the allowed outage time, independently of the magnitude of the conditional core damage probability given a reactor trip.

Reliability Engineering and System Safety 0951-8320/90/$03-50 © 1990 Elsevier Science Publishers Ltd, England. Printed in Great Britain

1 INTRODUCTION

Technical specifications in a nuclear power plant are specific requirements for its day-to-day operation, designed to protect public health and safety. Two primary aspects of the technical specifications are (1) limiting conditions of operation (LCO) with allowed outage times (AOTs) and (2) surveillance test intervals (STIs). The promulgation of the technical specifications is an important element of the existing regulatory framework which governs licensing and operation of nuclear power plants. In recent years, there has been a growing interest in re-examining the technical specifications in the nuclear community [1]. One of the reasons is that a significant portion of reactor downtime (plant unavailability) is attributable to the strict technical specifications. Existing technical specifications were derived from engineering judgement based on deterministic review; they were not directly risk-based, and their efficacy in enhancing public safety is difficult to establish. However, it is generally recognized that current testing and maintenance requirements invoke many inadvertent reactor trips, and as a result cause unnecessary transients and challenges to other safety systems, as well as increasing unavailability (downtime) of the plant. Therefore, significant benefits in terms of plant availability and of safety, e.g. core damage frequency, could result from revisions of the current technical specifications [2]. Recognizing the need to improve the technical specifications, both the nuclear industry and the regulatory body have embarked upon efforts to come up with specific approaches to modifying and improving the technical specifications. More specifically, these efforts are examining various approaches to developing a quantitative basis for making decisions for changing the AOT and surveillance test interval (STI) elements of the technical specifications.

During the course of these efforts in re-examining the technical specifications, particular attention has been paid to the 'additional test' requirement on the standby redundant components in the case when a failure is detected by the scheduled test on a component. The rationale for the additional test requirement is as follows [3,4]:

(i) When a component failure is detected by the scheduled testing, and if another component has also failed (e.g. due to common cause failures) during the AOT of the first failed component, the AOT risk of the plant would be significantly high. Therefore, it would be desirable to identify the status of the other components.

(ii) Which of the components identified above are critical, and are feasible to test during the AOT before the repair of the first failed component? What are the advantages and disadvantages of performing the additional test? Specifically, how does the AOT risk change if the additional test is performed? Should this additional test be performed before the repair is begun on the first failed component or after its repair is completed?

In the evaluation of the additional test requirement, two aspects should be considered: (1) the test policies or decision alternatives regarding the additional test, and (2) the level of performance measures upon which the various test policies of the additional test are evaluated. The first aspect is related to the way the additional test requirement is specified in the technical specifications. The second aspect is related to the hierarchical levels [5] of the attributes to be evaluated, compared, and judged on the various additional test policies.

1.1 Test/repair policies of a standby system

When a failure of one part is detected by the scheduled test, we can consider the following three test/repair policies on the other redundant parts during the AOT of the first failed component:

Policy 1: An additional test is carried out promptly.
Policy 2: No additional test on the other parts is performed. The test is carried out according to the periodic test scheme as originally scheduled.
Policy 3: An additional test will be performed after the first failed part is repaired.

When a failure of one train or one component in a standby safety system is detected in normal plant operation, the plant risk would be greatly increased in case the redundant train or component has also failed. Hence, the additional test/repair is currently required on the redundant train of standby safety systems in nuclear power plants. Furthermore, the current limiting conditions of operation require that the plant be shut down if at least one of the detected failures is not repaired within the specified AOT. The test/repair schemes under the three policies are depicted in Fig. 1 for a standby system with two trains. It is assumed that the standby system is normally under staggered test.

Fig. 1. Test/repair schemes of the three policies. □, originally scheduled tests; ○, prompt additional tests when a failure of the train under original test schedule is detected; ▽, additional tests after the repair of the first failed train.

1.2 Performance measures

A meaningful performance measure at the system level is the system availability (or equivalently system unavailability). Since a common cause failure can be detected by the additional tests, Policy 1 is expected to improve system availability after the repair. However, the system unavailability is instantaneously increased at the beginning of the additional tests. The plant safety depends on the availabilities of the various safety systems. Since common cause failures are easily detected by the additional tests, the system unavailability and thus the plant risk would be greatly decreased by the additional tests. Moreover, with more information on the system/plant status made available by the additional tests, plant operators and supervisors could be in a better position to cope with an accident, should such an accident occur. However, the additional tests would invoke undesirable plant transients, since the additional tests lead to increased system unavailability at the beginning of the AOT, and the possibility of human error is increased due to the work load being congested in a short period of time. Thus, the induced plant transients such as the reactor trip would affect the plant-level performances, e.g. increase core damage frequency and decrease plant availability.

1.3 Objectives of the present study

The objectives of this study are to develop a methodology for evaluating the three test/repair policies described in Section 1.1, and then to apply the methodology to a practical problem of the diesel generator system (on which the prompt additional test is currently required) as a part of efforts in re-examining the technical specifications. Another objective of the study is to ascertain under what conditions each test/repair policy applied to the diesel generator system is beneficial with respect to the system- and plant-level risks. Thus, sensitivity studies are performed on the system- and plant-level risks with regard to the AOT and the surveillance test interval. In order to model the dynamic characteristics of the test/repair policies, semi-Markov reliability analysis is used in the present study. As discussed in Section 2.2, the three test/repair policies have semi-Markovian characteristics. By using semi-Markov reliability analysis, the risks at two hierarchical levels, i.e. the system- and plant-level risks, are accurately evaluated for the three test/repair policies.

2 SEMI-MARKOV RELIABILITY ANALYSIS

The reliability analysis based on a semi-Markov process is used in the present study in order to analyse the dynamic behavior of a system and the interdependency between the components which is induced by the additional test/repair policy. The Markov process [6,7] is characterized by: (i) the system can be completely described at any time by specifying its state at that time, and (ii) the time until a change from one state to another occurs is an exponentially distributed random variable. A Markov process is a stochastic process whose dynamic behavior is such that the future development depends only on the present state and not on how the process arrived at the present state. If discrete-state and discrete-time steps are assumed, this Markov process is called a discrete-parameter Markov chain.

If, instead of the characteristic (ii) above, the following characteristic is applicable, then the process is called semi-Markovian [7]: (ii)' the time until a change from one state to another occurs is an arbitrarily distributed random variable. The three test/repair policies described in Section 1.1 exhibit the semi-Markovian characteristics due to the requirements of the technical specifications, as will be more fully discussed in Section 2.2.

2.1 Markov process during standby period

During a standby period, the normal state transits to the failed state in accordance with a discrete Markov chain. If $\pi_j(n)$ denotes the probability that the system is in the state $j$ at the $n$th time step, then the system state probability vector at the $n$th time step can be written as

$$\pi(n) = [\pi_1(n), \pi_2(n), \ldots, \pi_j(n), \ldots], \qquad \sum_j \pi_j(n) = 1 \qquad (1)$$

where $\pi(n)$ contains probabilities of all possible states, e.g. normal standby state, randomly failed state, test state, repair state, and plant shutdown state, etc. If $P_{ij}$ denotes the probability that the system in state $i$ will transit to state $j$ during one time step, the transition probability matrix is given by

$$P = \begin{bmatrix} P_{11} & P_{12} & P_{13} & \cdots \\ P_{21} & P_{22} & P_{23} & \cdots \\ P_{31} & P_{32} & P_{33} & \cdots \\ \vdots & \vdots & \vdots & \ddots \end{bmatrix}, \qquad \sum_j P_{ij} = 1 \qquad (2)$$

The transition probability matrix $P$ is constant in all time steps if time is identically discretized. The state probability vector at the $(n+1)$th time step is then given by the relation

$$\pi(n+1) = \pi(n)\,P \qquad (3)$$

with the initial state probability vector $\pi(0)$ given. Since transitions from the standby state to the repair state do not occur during a standby period, there are no transitions among the states that are related to test/repair, i.e. the state probability $\pi_i(n)$ involving test or repair is zero during a standby period. Thus, there are only the transitions induced by the random failure or the transitions to the plant states caused by demand on the safety system.

2.2 Semi-Markov process during AOT

In a semi-Markov process, transitions occur in accordance with a Markov process but the state holding time is described by an arbitrarily distributed random variable. Once the transition occurs into state $i$, it will enter the next state $j$ with probability $S_{ij}$. However, the time until this $i \to j$ transition occurs has an arbitrary distribution $H_{ij}(m)$. The three test/repair policies described in Section 1.1 exhibit the following semi-Markovian characteristics:

(i) When the scheduled test/repair time is reached, a transition occurs from the standby state $i$ to the test state $j$.

(ii) If test or repair is not completed within the AOT, a transition occurs from the test or repair state $i$ to the plant shutdown state $j$.

(iii) Because of the additional test requirement in Policy 1, as soon as failure of one component is detected by the scheduled test, the test on the other component is carried out promptly. Therefore, an instantaneous transition occurs from state $i$ with one failed component (which has just been detected) to state $j$ with the first failed component under repair and the other one under additional test.

(iv) In Policy 1, there may be another requirement for the plant safety in the case when the additional test finds the other component also failed: if more than one failed component is not repaired within a specified time interval, the plant should be shut down. Therefore, a transition may occur from state $i$ with two failed components to the plant shutdown state $j$ after the specified repair time allowed for the two failed components.

(v) In Policy 3, if failure of one component is found by the scheduled test, the additional test is performed after the first failed component is repaired. So, an instantaneous transition occurs from state $i$ with the just repaired component to state $j$ with the other component under additional test.

The state probability vector $\pi(n+1)$ at the $(n+1)$th time step during the AOT is obtained in the following two calculation 'stages'. In the first stage, the transitions are governed by the discrete Markov process during one time step,

$$\pi(n+1) = \pi(n)\,P \qquad (4)$$

Then, in the next stage, the semi-Markov process of the transitions from the state $i$ to the state $j$ is considered by

$$\Delta_{ij}(n+1) = \pi_i(n+1)\, S_{ij}(n+1)\, H_{ij}(m) \qquad (5a)$$

$$H_{ij}(m) = \delta(m), \qquad m = 0, 1, 2, \ldots \qquad (5b)$$

$$\pi_j(n+1) \leftarrow \pi_j(n+1) + \Delta_{ij}(n+1) \qquad (6a)$$

$$\pi_i(n+1) \leftarrow \pi_i(n+1) - \Delta_{ij}(n+1) \qquad (6b)$$

where the states $i$ and $j$ are the states affected by the characteristics above [(i)-(v)] and $\Delta_{ij}(n+1)$ denotes the change of the state probability by the transition from the state $i$ to the state $j$ at the $(n+1)$th time step. $S_{ij}(n+1)$ is the conditional transition probability from the state $i$ to the state $j$ and $H_{ij}(m)$ denotes the holding time mass function. $S_{ij}(n+1)$ has unit probability for the characteristics (i) and (ii). It is convenient to memorize the time dependent behavior and its quantities related to the semi-Markov characteristics above [(iii)-(v)] by using the conditional transition probability $S_{ij}(n+1)$, which is not necessarily equal to one. Since the transition time from the state $i$ to the state $j$ of the characteristics [(i)-(v)] above is very short, it is assumed that the transitions occur instantaneously, resulting in the expression of the holding time mass function as eqn (5b). As a result, the two stages of eqns (4)-(6) allow the Markovian and semi-Markovian characteristics to be considered during one time step at the beginning time of the scheduled test/repair, during the AOT, and at the ending time of the AOT. Thus the semi-Markov process considered in this study is of a special type.

2.3 Average availability and unavailability

In order to reduce the system complexity, subsystems are usually lumped into 'supercomponents' and states of supercomponents are constructed. Then, possible states of the system that is composed of a number of supercomponents are determined by its component states. Transitions between the states are induced by random failures, test/repair maintenance, common cause failures, and requirements in the technical specifications. Multiple states modeled in the semi-Markov reliability analysis can be grouped into (i) available or operable system states (numbered in order from 1 to $N_1$), (ii) unavailable system states because of one operable component under test (numbered in order from $N_1+1$ to $N_2$), (iii) unavailable system states, excluding the states of (ii) (numbered in order from $N_2+1$ to $N_3$), and (iv) plant states (numbered in order from $N_3+1$ to $N_4$). If the probability of the test overriding capability is $q_1$, the instantaneous availability $A(n)$ and unavailability $U(n)$ at the $n$th time step are written, respectively, as [2]

$$A(n) = \sum_{i=1}^{N_1} \pi_i(n) + \sum_{i=N_1+1}^{N_2} \pi_i(n)\, q_1 \qquad (7)$$

and

$$U(n) = \sum_{i=N_1+1}^{N_2} \pi_i(n)\,(1 - q_1) + \sum_{i=N_2+1}^{N_3} \pi_i(n) \qquad (8)$$

If the time horizon of interest is discretized into a total of $N_0$ time steps, the average availability and unavailability are expressed as

$$\bar{A} = \frac{1}{N_0 + 1} \sum_{n=0}^{N_0} A(n), \qquad \bar{U} = \frac{1}{N_0 + 1} \sum_{n=0}^{N_0} U(n) \qquad (9)$$
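The two calculation stages of eqns (4)-(6) and the availability measures of eqns (7)-(9) can be exercised on a small constructed model. The following Python is an added example and is not the MARADD program or the authors' code. It assumes a 1-out-of-2 standby system lumped into five states, a 1 h time step, Policies 1 and 2 only (characteristics (i), (ii) and (iii)), and the nominal Table 5 values for failure rate, test time, repair time and test overriding capability.

```python
"""Two-stage semi-Markov step (eqns (4)-(6)) and average availability
(eqns (7)-(9)) on a constructed five-state model of a 1-out-of-2 standby
system.  Added example; not the MARADD program.  The state space, the
1 h time step and the transition logic are assumptions."""

# Lumped system states (assumed), indexed as in pi(n) of eqn (1)
STANDBY_OK = 0    # A and B operable, standby                     : available
A_FAILED = 1      # A failed but not yet detected, B operable      : available
A_REPAIR = 2      # A detected failed and under repair, B operable : available
A_REP_B_TEST = 3  # A under repair, B under prompt additional test : group (ii),
                  #   unavailable unless the test can be overridden
SHUTDOWN = 4      # plant shut down on exceeding the AOT           : plant state
N_STATES = 5

# Nominal data of Table 5, converted to a 1 h time step (assumption)
DT = 1.0              # h
LAMBDA = 8.0e-5       # failure rate, 1/h
MU_REPAIR = 1 / 21.0  # repair completion rate, mean repair time 21 h
MU_TEST = 1 / 1.4     # test completion rate, mean test time 1.4 h
Q1 = 0.9              # test overriding capability


def transition_matrix():
    """Markov transition probability matrix P of eqn (2); each row sums to 1."""
    P = [[0.0] * N_STATES for _ in range(N_STATES)]
    P[STANDBY_OK][A_FAILED] = LAMBDA * DT            # random failure of A
    P[STANDBY_OK][STANDBY_OK] = 1 - LAMBDA * DT
    P[A_FAILED][A_FAILED] = 1.0                      # undetected until the test
    P[A_REPAIR][STANDBY_OK] = MU_REPAIR * DT         # Poisson repair of A
    P[A_REPAIR][A_REPAIR] = 1 - MU_REPAIR * DT
    P[A_REP_B_TEST][A_REPAIR] = MU_TEST * DT         # B's test ends, B operable
    P[A_REP_B_TEST][A_REP_B_TEST] = 1 - MU_TEST * DT
    P[SHUTDOWN][SHUTDOWN] = 1.0                      # absorbing plant state
    return P


def markov_step(pi, P):
    """First stage, eqn (4): pi(n+1) = pi(n) P."""
    return [sum(pi[i] * P[i][j] for i in range(N_STATES)) for j in range(N_STATES)]


def forced_transition(pi, i, j, s_ij=1.0):
    """Second stage, eqns (5)-(6) with H_ij(m) = delta(m): the fraction s_ij of
    state i moves to state j instantaneously (delta_ij = pi_i * s_ij)."""
    delta = pi[i] * s_ij
    out = list(pi)
    out[j] += delta
    out[i] -= delta
    return out


def availability(pi):
    """Instantaneous availability A(n), eqn (7): operable states count in full,
    the group (ii) test state counts with the test overriding probability q1."""
    return pi[STANDBY_OK] + pi[A_FAILED] + pi[A_REPAIR] + Q1 * pi[A_REP_B_TEST]


def run_policy(policy, sti_steps=720, aot_steps=72):
    """One standby period (STI) followed by one AOT of train A.
    Returns (average availability per eqn (9), plant shutdown probability,
    final state vector)."""
    P = transition_matrix()
    pi = [1.0, 0.0, 0.0, 0.0, 0.0]            # pi(0): both trains operable
    history = [availability(pi)]
    for _ in range(sti_steps):                # standby period: eqn (3) only
        pi = markov_step(pi, P)
        history.append(availability(pi))
    # characteristic (i): the scheduled test detects the failed train A
    pi = forced_transition(pi, A_FAILED, A_REPAIR)
    if policy == 1:
        # characteristic (iii): prompt additional test of B (Policy 1 only)
        pi = forced_transition(pi, A_REPAIR, A_REP_B_TEST)
    history.append(availability(pi))
    for _ in range(aot_steps):                # AOT: Markov stage each step
        pi = markov_step(pi, P)
        history.append(availability(pi))
    # characteristic (ii): whatever is still under test/repair at the end of
    # the AOT is forced into the plant shutdown state
    for state in (A_REPAIR, A_REP_B_TEST):
        pi = forced_transition(pi, state, SHUTDOWN)
    history.append(availability(pi))
    avg_avail = sum(history) / len(history)   # eqn (9), N0 + 1 samples
    return avg_avail, pi[SHUTDOWN], pi


if __name__ == "__main__":
    for pol in (1, 2):
        a, s, _ = run_policy(pol)
        print(f"Policy {pol}: average availability {a:.6f}, P(shutdown) {s:.2e}")
```

With no common cause failure in this toy, the prompt additional test only lowers availability at the start of the AOT and delays the repair credit, which is the transient the text describes for Policy 1.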

2.4 Computer codes

For the analysis of the three test/repair policies defined in Section 1.1, a computer program MARADD (Markov Reliability Analysis for the Additional Test Requirement) was written in this study. MARADD requires as input the possible system states. The system states can be obtained by, for example, the STAGEN code [2]. MARADD develops plant-level states to which some of the system states make transitions due to the requirements of the technical specifications, e.g. plant shutdown on exceeding the AOT. To consider the scheduled test and a relatively long AOT, MARADD solves recursively the relation of eqn (3) for a standby period and the relations of eqns (4), (5) and (6) during an AOT. In MARADD, the AOT can be larger than the calculational time step and can cover several time steps. Transitions occur among the system states in each time step during an AOT. Thus, it is modeled in the analysis that a component can change its state from repair to operable state during the AOT, according to the repair process (assumed Poisson process). However, as discussed in Section 2.2, some system states make forced transitions to other system states due to the additional test requirement, and to the plant shutdown state on exceeding the AOT. The incorporation of these semi-Markovian characteristics is a special feature of the MARADD program.

The main portion of the calculational flow diagram of MARADD is shown in Fig. 2. The calculation schemes for Policies 2 and 3 are relatively straightforward. However, the calculation logic for Policy 1 deserves some explanation. In Policy 1, there are two situations where the plant should be shut down: (i) the additional test finds the other redundant component is operable, and thus the rest of the test procedures now become the same as that of Policies 2 and 3 (with the same AOT), and (ii) the additional test finds the other redundant component is also failed, and now a different (usually shorter) AOT is required. However, if at least one component is repaired within this different AOT, the AOT in Policy 1 is the same as that of Policies 2 and 3.

Fig. 2. A main portion of the calculational flow diagram of MARADD.

3 MODELING

3.1 Component state transitions

A standby system is undergoing a periodic test, and failures are detected through that scheduled test. Repairs are allowed only after the failure is detected, during the AOT. The additional test/repair policies introduce interdependencies among the components. In addition, human errors may be introduced during the test/repair, which may leave a failed component undetected, put a normal component under repair, or induce a failure of a normal component. The component state transition diagram is depicted in Fig. 3.

Fig. 3. Component state transition diagram.

Arrows shown in the diagram correspond to the possible transitions with the corresponding transition probabilities, whose notations are listed in Table 1. The six component states in the figure are as follows:

State 1: normal operable standby state,
State 2: periodic test state of the normal component,
State 3: misjudged repair state of the normal component,
State 4: failed state,
State 5: periodic test state of the failed component, and
State 6: repair state of the failed component.

As an example, if a component is in State 2, it may transit to:

(i) State 2, if the component is still under test (i.e. remains in the same state);
(ii) State 1, if the test is completed within the AOT and no human error is induced;
(iii) State 3, if the test is completed within the AOT but the normal component is misjudged as failed;
(iv) State 4, if the test is completed within the AOT and there is a human error that leaves the component failed; or
(v) the plant shutdown state, if the test is not completed within the AOT.

TABLE 1 Definitions of Notations in Component State Transition Diagram

Notation   Definition
λ          Component failure rate
           Mean duration of test given that component was operable
           Mean duration of repair given that component was operable
           Mean duration of test given that component failed
           Mean duration of repair given that component failed
           Probability of human error of not restoring component after repairing given that component was operable
           Probability of human error of not restoring component after testing given that component was operable
           Probability of human error of misjudging operable component as failed given that component was operable
           Probability of human error of not restoring component after repairing given that component failed
           Probability of human error of not detecting existing fault
q1         Probability of test overriding capability a

a This does not appear in Fig. 3 but is incorporated in the appropriate transitions in Fig. 4.

3.2 System and plant state transitions

If it is assumed that a system with two redundant trains has a success criterion of 1-out-of-2, the system and plant states can be classified into: (i) available system states with one or two available components; (ii) unavailable system states with two unavailable components; and (iii) plant shutdown state caused by exceeding AOTs or by the emergency demand on the system. Considering the three test/repair policies, possible system states and transitions during a small time step are identified in Table 2. The table explains possible transitions during the AOT of the first component, e.g. Component A. There is an interdependency between the components both in Policy 1 and in Policy 3. If Component A in Policy 1 turned out to be failed, the additional test of Component B is carried out promptly, e.g. from system state 54 to 65. As discussed in Section 2.2, the states 33, 36, 63 and 66 that are allowed in Policy 1, and in which two components are simultaneously under repair, may make transitions to the plant shutdown state with a shorter AOT. In Policy 3, the additional test/repair of Component B is performed after the failed component (Component A) is repaired, e.g. from system state 31 to 12 or 42. However, Policy 2 has no interdependency between the component states, in which test/repair is carried out according to the original schedule.

4 APPLICATION TO THE DIESEL GENERATOR SYSTEM

During normal operation of a nuclear power plant, each AC vital bus receives power from one of the two offsite power sources. Design provisions permit transfer to the other power source if the preferred source is failed. If both offsite power sources are lost, i.e. in the event of loss of offsite power, auxiliary power for safety-related loads is supplied by the onsite diesel generator system. Considering the critical role of the diesel generator system in coping with various transients and mitigating accidents following loss of offsite power, it should be assured that the reliability of the diesel generator system is maintained at an acceptable level. When failures of one or two AC power sources are detected, additional tests for the rest of the AC power sources are required by the technical specifications at the beginning of the repair. Considering the current technical specifications, the limiting conditions of operation of the diesel generator system are modeled in the three policies as in Table 3, where the AOTs in Policies 1 and 3 are alternated according to the trains under the original test schedule.

TABLE 2 Possible System State Transitions in Each Test/Repair Policy when Component A is in Test

[Table body: system states 11 to 66 (impossible states marked) and, for each of Policies 1, 2 and 3, the system states reachable in one time step; not recoverable from this copy.]

a Denotes the repair states during the specified time before plant shutdown.
b Denotes the possible system states in the case that Component B is in test schedule.

TABLE 3 AOTs of Each Test/Repair Policy when Staggered Test is Performed on Two Trains a

Test/repair policy   AOT for the train under original test schedule b   AOT for the other train caused by additional test b
Policy 1             τ                                                  τ + τ_test
Policy 2             τ                                                  Not applicable
Policy 3             τ                                                  τ + τ_test + τ_repair

a τ denotes the originally scheduled AOT independently of additional test, and τ_test and τ_repair denote average test time and average repair time, respectively.
b These two AOTs start at the same reference time.

4.1 Plant dependency on diesel generator system states Figure 4 shows the system and plant state transition diagram. The current limiting conditions of operation of the diesel generator system call for a reactor trip if at least one of the failed diesel generators is not repaired within the specified time. Thus, it is expected that the reactor trip frequency depends on the test/repair policies. In the event of loss of offsite power, the availability of the diesel generator system has a very important role in mitigating undesirable transients which could result in core damage. To analyse the plant dependency on the test/repair policies of the diesel generator system, the failure of the diesel generator system following loss of offsite power, i.e. the station blackout accident, is considered. Since other transients depend on the diesel generator system to a lesser degree than the loss of offsite power event, it can be considered that the core damage frequency resulting from these other transients is relatively insensitive to the test/repair policies of the diesel generator system. Furthermore, the probabilistic risk assessments (PRAs) of many nuclear power plants have revealed that the loss of offsite power event is one of the most significant contributors to the core damage frequency. In the present study, two conditional core damage probabilities are thus considered that result from the reactor trip and from the loss of offsite power event depending on the unavailability of the diesel generator system, which correspond to the shutdown accident risk and the operating accident risk, respectively. Since the diesel generator system is one of the systems with a high test/repair frequency and the residual heat removal of the reactor after the shutdown depends on the availability of the diesel generator system, the diesel generator system has important effects on the operating and shutdown accident risks. 
Fig. 4. System and plant state transition diagram. r, the recovery rate of the plant and the diesel generator system to normal states; SD_AOT, plant shutdown caused by exceeding the AOTs; λ_LOP, loss of offsite power frequency; P_N/M, the conditional core damage probability given loss of offsite power when N out of M diesel generators are available; and P_AOT, the conditional core damage probability given a reactor trip by exceeding the AOTs (when offsite power is available).

TABLE 4 Conditional Core Damage Probability Given Loss of Offsite Power

Available DG       Case              Conditional probability
2 DG available     Cases I and II    4.62 × 10^-5
1 DG available     Case III          2.12 × 10^-3
0 DG available     Case IV           1.57 × 10^-

Case I     2 DG failed at separate times in the course of running after successful starting
Case II    2 DG failed simultaneously by the common cause failure in the course of running after successful starting
Case III   1 DG failed to start and the other DG is down in the course of running after successful starting
Case IV    2 DG failed to start

If state i and state j denote an unavailable system state and an available system state with one operable component under test, respectively, and state k denotes a plant state resulting in core damage, the transition probabilities P_ik and P_jk during one time step can be written respectively as

$P_{ik} = \lambda_{LOP}\,\Delta t\,\{(1 - q_1)\,P_{0/2} + q_1\,P_{1/2}\}$   (10)

and

$P_{jk} = \lambda_{LOP}\,\Delta t\,\{(1 - q_1)\,P_{1/2} + q_1\,P_{2/2}\}$   (11)

where $q_1$ is the probability of the test overriding capability, $\lambda_{LOP}$ denotes the occurrence rate of loss of offsite power, and $P_{N/M}$ denotes the conditional core damage probability given loss of offsite power when N out of M diesel generators are available (see Fig. 4).
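The two transition probabilities can be checked numerically. The Python below is an added illustration written for this edit; it is not part of the paper and not the MARADD program. It generalizes eqs (10) and (11) slightly: rather than hard-coding the two system states, it derives the distribution of the number of available diesel generators from each component's status (operable, under test, or failed), treating a component under test as available with probability $q_1$, and then forms $\lambda_{LOP}\,\Delta t\,\sum_N \Pr(N\ \text{available})\,P_{N/2}$. State i of eq. (10) is one failed component plus one under test; state j of eq. (11) is one operable component plus one under test. Assumptions not taken from the paper: a time step $\Delta t$ of 1 h, 8760 h per reactor-year for converting $\lambda_{LOP} = 0.1$/year, and a bounding placeholder of 1.0 for $P_{0/2}$ (its tabulated exponent is not legible in this copy of Table 4). $P_{1/2}$, $P_{2/2}$, $q_1$ and $\lambda_{LOP}$ are the nominal values of Tables 4 and 5.

```python
"""Per-time-step transition probability into the core damage state k.

Added illustration of eqs (10) and (11); not the paper's MARADD code.
"""
from itertools import product

# Assumption: calendar hours used to convert per-reactor-year rates to per hour.
HOURS_PER_YEAR = 8760.0

# Component statuses at the start of a time step.
OPERABLE, UNDER_TEST, FAILED = "operable", "under_test", "failed"


def per_hour(rate_per_year):
    """Convert an occurrence rate per reactor-year to a per-hour rate."""
    return rate_per_year / HOURS_PER_YEAR


def availability_distribution(statuses, q1):
    """Probability mass over the number of available DGs for the given statuses.

    An operable component is available, a failed one is not, and a component
    under test is available with probability q1 (the test overriding
    capability).  Returns a dict {n_available: probability}.
    """
    if not 0.0 <= q1 <= 1.0:
        raise ValueError("q1 must be a probability")
    for s in statuses:
        if s not in (OPERABLE, UNDER_TEST, FAILED):
            raise ValueError(f"unknown component status {s!r}")
    n_fixed = sum(1 for s in statuses if s == OPERABLE)
    n_under_test = sum(1 for s in statuses if s == UNDER_TEST)
    dist = {}
    # Enumerate every override success/failure pattern of the tested components.
    for outcome in product((True, False), repeat=n_under_test):
        prob = 1.0
        for overridden in outcome:
            prob *= q1 if overridden else (1.0 - q1)
        n = n_fixed + sum(outcome)
        dist[n] = dist.get(n, 0.0) + prob
    return dist


def core_damage_step_prob(statuses, q1, lam_lop_per_hour, dt_hours, p_cd):
    """P(system state -> core damage state k) during one step of dt_hours.

    p_cd maps N (available DGs out of M = len(statuses)) to P_{N/M}, the
    conditional core damage probability given loss of offsite power.  The
    factor lam_lop_per_hour * dt_hours is the first-order probability of a
    loss of offsite power within the step, as in eqs (10) and (11).
    """
    dist = availability_distribution(statuses, q1)
    expected_p_cd = sum(prob * p_cd[n] for n, prob in dist.items())
    return lam_lop_per_hour * dt_hours * expected_p_cd


# Nominal values of Tables 4 and 5.  P_{0/2} is a bounding placeholder (core
# damage assumed certain with no DG available); the tabulated exponent is not
# legible in the source copy, so this value is NOT the paper's.
P_0_OF_2_PLACEHOLDER = 1.0
NOMINAL_P_CD = {2: 4.62e-5, 1: 2.12e-3, 0: P_0_OF_2_PLACEHOLDER}
NOMINAL_Q1 = 0.9
NOMINAL_LOP_PER_YEAR = 0.1

STATE_I = (FAILED, UNDER_TEST)     # unavailable system state of eq. (10)
STATE_J = (OPERABLE, UNDER_TEST)   # available state with one DG under test, eq. (11)


def nominal_p_ik(dt_hours=1.0):
    """Eq. (10) with nominal data; dt_hours = 1 h is an assumption."""
    return core_damage_step_prob(STATE_I, NOMINAL_Q1,
                                 per_hour(NOMINAL_LOP_PER_YEAR), dt_hours, NOMINAL_P_CD)


def nominal_p_jk(dt_hours=1.0):
    """Eq. (11) with nominal data; dt_hours = 1 h is an assumption."""
    return core_damage_step_prob(STATE_J, NOMINAL_Q1,
                                 per_hour(NOMINAL_LOP_PER_YEAR), dt_hours, NOMINAL_P_CD)


if __name__ == "__main__":
    p_ik, p_jk = nominal_p_ik(), nominal_p_jk()
    print(f"P_ik = {p_ik:.3e}  (depends on the P_0/2 placeholder)")
    print(f"P_jk = {p_jk:.3e}")
    for q1 in (0.5, 0.7, 0.9):
        print(f"q1 = {q1}: P_jk = {core_damage_step_prob(STATE_J, q1, per_hour(0.1), 1.0, NOMINAL_P_CD):.3e}")
```

For the nominal data and a 1 h step, state j gives $P_{jk}$ of about $2.9 \times 10^{-9}$; the loop over $q_1$ shows how a lower test overriding capability moves weight from $P_{2/2}$ to $P_{1/2}$ and raises the per-step risk of the under-test state. $P_{ik}$ depends on the $P_{0/2}$ placeholder and should be recomputed with the plant's own value.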

4.2 Data base

As shown in Tables 4 and 5, the important data base (nominal values) used in the present study are as follows:

(i) The diesel generator failure rate varies from plant to plant. The following failure rate has been identified:

Average failure rate = Average failure probability per demand[8] × Average demand rate[8,9]
                     = 0.02/d × 32 d/yr = 8.0 × 10^-5/h

(ii) The reported test time of the diesel generators ranges from 15 min to 4 h with a mean of 1.4 h. Repair of the failed diesel generator entails times from 2 to 300 h with a mean of 21 h.[8,10]

(iii) Common cause failures of the diesel generator system such as in failure to start are considered in this study. The factor for the common cause failure to start, βFTS, was obtained by the multiple Greek letter (MGL) method as[8]

βFTS = 0.02

(iv) The probability of human error introduced during test/repair ranges from 0 to 0.02. The probability of test overriding capability varies from 0.5 to 0.9 for the normal component State 2 (see Fig. 3). It is assumed that the repair rate of the component in State 3 is four times as big as that of the component in State 6. The AOT of the diesel generator system which is specified by the limiting conditions of operation is nominally 72 h. In Policy 1, the allowed repair time when there is more than one failed component is 2 h.

(v) The loss of offsite power event occurs with a frequency of about 0.1 per reactor-year. The three conditional core damage probabilities given loss of offsite power are shown in Table 4, depending on the availability of the diesel generator system. These conditional probabilities were determined based on a probabilistic safety analysis of the Yonggwang Nuclear Power Plant Units 1 and 2.[12] The conditional core damage probability given a reactor trip was found to range from 1 × 10^-6 to 5 × 10^-5. The nominal value for this conditional probability is assumed to be 5 × 10^-6 in this study.

TABLE 5 Nominal Input Data

Loss of offsite power                                      0.1/year
Failure/demand                                             0.02/day
Mean test time                                             1.4 h
Mean repair time                                           21 h
Human error probability                                    0.02
Test overriding capability                                 0.9
Common cause factor βFTS                                   0.02
Allowed repair time of two failed components               2 h
Conditional core damage probability given reactor trip     5.00 × 10^-6

4.3 Results and discussion

For the three test/repair policies, the system unavailability, the core damage frequency, and the plant shutdown probability in 1 year of plant operation were calculated for several AOTs and STIs using the nominal input data in Section 4.2 and also using various input data for sensitivity studies.[13] It is observed from the results that the ranking of the three policies depends on several parameters, e.g. the conditional core damage probability given a reactor trip, the test overriding capability of the normal component, the average repair time, and the allowed repair time of the two failed components in Policy 1. Some selected results are presented in this paper.
Figures 5-7 display the time behavior of the unavailability of the diesel generator system, the core damage probability induced by the reactor trip, and the total core damage probability initiated by the reactor trip and the loss of offsite power event, respectively, comparing the three policies. As shown in Fig. 5, the unavailability in Policy 1 exhibits higher peaks than that in Policies 2 and 3 at the beginning of the AOTs because of the prompt additional tests. Furthermore, the unavailability in Policy 1 shows deeper valleys in the middle of the AOTs since the current limiting conditions of operation require plant shutdown if at least one of the two failed components is not repaired within 2 h (additional shutdowns). The effects of the two core damage initiators (i.e. reactor trip and loss of offsite power) are well displayed in Figs 6 and 7. It is observed in Fig. 6 that the core damage probability in Policy 1 initiated by the reactor trip is much greater than those in Policies 2 and 3.

Fig. 5. System unavailability versus plant operation time (days), Policies 1, 2 and 3. STI = 20 days.

Fig. 6. Core damage probability induced by the reactor trip versus plant operation time (days), Policies 1, 2 and 3. STI = 20 days.

Fig. 7. Total core damage probability induced by the reactor trip and loss of offsite power versus plant operation time (days), Policies 1, 2 and 3. STI = 20 days.

Figure 8 shows that the average core damage frequency in Policy 1 increases more rapidly than that in Policies 2 and 3 in the range where the conditional core damage probability given a reactor trip is greater than approximately 1 × 10^-5. Note that the conditional core damage probability given a reactor trip has an important effect on the ranking of the test/repair policies, even though the absolute value of the core damage frequency induced by the reactor trip is relatively smaller than that of the core damage frequency initiated by loss of offsite power.

Fig. 8. The effect of the conditional core damage probability given a reactor trip (CORED/RT) on the average core damage frequency, Policies 1, 2 and 3.

It is observed in Figs 9 and 10 that when the repair rate is high, there is no clear difference among the three test/repair policies. Policy 1 had relatively lower average unavailability and core damage frequency if the repair time is long. Since most diesel generators have short repair times, the current policy, i.e. Policy 1, has no advantage. However, the data base shows that approximately 50% of all diesel generator failures are repaired within 8 h with a median of 8 h.[8] Thus, the current policy (i.e. Policy 1) does not show a clear edge over the other policies. As shown in Fig. 11, the average core damage frequencies of the three test/repair policies induced by the reactor trip sharply increase with average repair rate.

Fig. 9. The effect of average repair time (h) on the average system unavailability, Policies 1, 2 and 3; STI = 15 days and 30 days.

Fig. 10. The effect of average repair time (h) on the average core damage frequency, Policies 1, 2 and 3; STI = 15 days and 30 days.

Fig. 11. The effect of average repair time (h) on the average core damage frequency induced by the reactor trip, Policies 1, 2 and 3; STI = 15 days and 30 days.

Figure 12 shows the core damage frequency as a function of the common cause failure to start (i.e. the βFTS factor). It is observed that there is no change in the ranking of the three policies with variation of the common cause failure to start of the diesel generators. However, it is observed that the differences of the core damage probability among the three policies become slightly larger as the common cause failure to start increases. The reason is that the effect of additional tests in Policies 1 and 3, in which the common cause failure is easily detected, increases when the diesel generator system has large common cause failures.

Fig. 12. The effect of common cause failure to start (β factor) on the average core damage frequency, Policies 1, 2 and 3. STI = 30 days.

The results with variation of the surveillance test interval are depicted in Figs 13 and 14. It is observed that the surveillance test interval should be shortened to reduce the risks at the system and plant levels as the failure rate increases. The results confirm the current technical specifications, which require that the surveillance test interval (on a per diesel generator basis) be no more than 31 days and that, if more than one failure has occurred in the last 100 tests (on a per nuclear unit basis), the surveillance test interval be shortened in accordance with the accumulated test results. However, it is observed in Fig. 15 that the average shutdown probability (which is closely related to reactor downtime) in all policies increases as the surveillance test interval is reduced. As shown in the figures, the shutdown probability, especially the shutdown probability induced by the reactor trip, is much higher in Policy 1 than in the other policies.

Fig. 13. Average core damage frequency versus surveillance test interval (STI, days), Policies 1, 2 and 3; CORED/RT = 5 × 10^-5 and 5 × 10^-6. Failure to start = 0.005/d.

Fig. 14. Average core damage frequency versus surveillance test interval (STI, days), Policies 1, 2 and 3; CORED/RT = 5 × 10^-5 and 5 × 10^-6. Failure to start = 0.02/d.

Fig. 15. Average shutdown frequency versus surveillance test interval (STI, days), Policies 1, 2 and 3. CORED/RT = 5 × 10^-6.

In Figs 16-19, the results of the average system unavailability and the core damage frequency are plotted as a function of the AOT. In all policies, the average unavailability of the diesel generator system increases with the AOT, but it saturates at a large AOT. It is recalled that in MARADD the unavailable states of each diesel generator are not counted into the system average unavailability when the plant is in the shutdown state. Also note that the AOT cannot be extrapolated too far because the model in MARADD does not handle the situation in which the AOT of a component overlaps with the originally-scheduled AOT of the other component in the redundant train (the AOT should be less than one half of the STI). When the conditional core damage probability given a reactor trip is greater than approximately 1 × 10^-6, the average core damage frequency decreases with the AOT, but it saturates at a large AOT. As shown in Figs 18 and 19, the core damage frequency decreases with the AOT because a significant contributor to the shape of the total core damage as a function of the AOT is the core damage induced by the reactor trips caused by exceeding the AOT. This effect of the reactor trips is accentuated when the conditional core damage probability given a reactor trip is large and when the diesel generator system is under Policy 1. However, it is shown in Fig. 17 that the effect of exceeding the AOT on the total core damage frequency is negligible when the conditional core damage probability given a reactor trip is low. Even though the ranking of the three policies changes when the conditional core damage probability given a reactor trip becomes large, the variation of the average core damage frequency with the AOT is quite large only if the conditional core damage probability given a reactor trip is large. It is shown in Fig. 20 that the average shutdown probability greatly decreases with extending the AOT. In all policies, no difference in the average shutdown probability is observed as a function of the conditional core damage probability given a reactor trip. It is noted that there are significant benefits in terms of plant availability, i.e. plant uptime, at negligible expense of the core damage frequency, or even at improved core damage frequency, when the AOT is extended.

Fig. 16. Average system unavailability versus allowed outage time (AOT, h), Policies 1, 2 and 3. CORED/RT = 5 × 10^-6. STI = 20 days.

Fig. 17. Average core damage frequency versus allowed outage time (AOT, h), Policies 1, 2 and 3; CORED/RT = 5 × 10^-5 and 5 × 10^-6. STI = 20 days.

Fig. 18. Average core damage frequency versus allowed outage time (AOT, h), Policies 1, 2 and 3; total CORED and CORED by LOP. CORED/RT = 5 × 10^-6. STI = 20 days.

Fig. 19. Average core damage frequency versus allowed outage time (AOT, h), Policies 1, 2 and 3; total CORED. CORED/RT = 5 × 10^-5. STI = 20 days.

Fig. 20. Average shutdown frequency versus allowed outage time (AOT, h), Policies 1, 2 and 3; total SD, SD by LOP and SD by RT. CORED/RT = 1 × 10^-6 to 5 × 10^-5. STI = 20 days.

5 CONCLUSIONS

In the present study, a semi-Markov reliability model was developed for the analysis of the three test/repair policies to consider the dynamic interdependency between the diesel generators and the plant. The semi-Markov reliability model allows accurate assessment of the three policies by providing the risks at both the system and plant levels. The results of the application to the diesel generator system show that the ranking of the three test/repair policies is sensitive to several key parameters. Since the prompt additional test requirement of Policy 1 leads to both diesel generators being out of service, the ranking of Policy 1 in terms of system- and plant-level risks is more sensitive to the parameters that are related to test and repair of the diesel generators (e.g. the test overriding capability, the repair rate, or the failure rate of the diesel generators). Policy 1 leads to the higher core damage frequency if the shutdown risk, i.e. the conditional core damage probability given a reactor trip, is high. Furthermore, in all cases of the parametric studies performed, the plant unavailability in Policy 1 is much greater than that in the other two policies, since Policy 1 invokes too many inadvertent reactor trips due to the requirement of plant shutdown in the case that at least one of the two failed diesel generators cannot be repaired within the specified AOT. Since Policy 2 and Policy 3 put only one diesel generator out of service, the two policies show mixed results. Policy 2 gives a slightly higher core damage frequency but lower plant unavailability than Policy 3, although the differences are very minor. However, the unquantified impacts such as manpower requirement and equipment wear would be higher in Policy 3 than in Policy 2 due to the additional tests. If the AOT of the diesel generators is extended, there is significant benefit in terms of plant availability at negligible expense of the system unavailability and the core damage frequency, when the contribution of the core damage induced by the reactor trip to the total core damage frequency is small.
Moreover, both the plant unavailability and the core damage frequency are reduced by extending the AOT in a plant with a large shutdown risk due to reactor trip. In all policies, the surveillance test interval (STI) should be shortened to reduce the system unavailability and the core damage frequency as the failure rate of the diesel generators increases. However, the plant unavailability (i.e. plant downtime) increases in all policies as the STI is reduced. In summary, the current test/repair procedure, i.e. Policy 1, has no advantage over Policies 2 and 3 in a nuclear power plant with a relatively large conditional core damage probability given a reactor trip and with a diesel generator system that has a short repair time and a low failure rate. Furthermore, the AOT could be extended to improve the core damage frequency when the plant has a large conditional core damage probability given a reactor trip. In any case, there is significant benefit in plant availability resulting from extending the AOT, independently of the magnitude of the conditional core damage probability given a reactor trip.


ACKNOWLEDGEMENTS

This work was supported in part by the Korea Science and Engineering Foundation. We are also grateful to R. A. Bari of Brookhaven National Laboratory, who reviewed the draft report of the work and provided us with valuable suggestions. We would also like to express our gratitude to the anonymous referees whose comments contributed to a better presentation of the paper.

REFERENCES

1. Technical Specifications--Enhancing the Safety Impact. US Nuclear Regulatory Commission, NUREG/CR-1024, November 1983.
2. Papazoglou, I. A. & Cho, Nam Z., Review and assessment of evaluation of surveillance frequencies and out of service times for the reactor protection instrumentation system. Brookhaven National Laboratory, BNL-NUREG51780, April 1984.
3. Vesely, W. E. & Boccio, J. L., The use of risk analysis for determining tech specs: issues and review considerations. Brookhaven National Laboratory, Interim Report, December 1984.
4. Mankamo, T., Is it beneficial to test/start up the remaining pairs of standby safety systems in a failure situation? Proceedings of the International Topical Conference on Probabilistic Safety Assessment and Risk Management, Zurich, August 30-September 4, 1987, pp. 765-70.
5. Sung, Song K. & Cho, Nam Z., Determination of performance criteria at hierarchical levels in a nuclear power plant. Reliability Engineering and System Safety, 24 (1989) 231.
6. Ross, S. M., Introduction to Probabilistic Models. Academic Press, New York, 1973.
7. Howard, R. A., Dynamic Probabilistic Systems Volume II: Semi-Markov and Decision Processes. John Wiley, New York, 1971.
8. Battle, R. E. & Campbell, D. J., Reliability of emergency AC power systems at nuclear power plants. Oak Ridge National Laboratory, NUREG/CR-2989, July 1983.
9. Baranowsky, P. W., Evaluation of station blackout accidents at nuclear power plants. US Nuclear Regulatory Commission, NUREG-1032, May 1985.
10. Papazoglou, I. A. & Gyftopoulos, E., Markov processes for reliability analysis of large systems. IEEE Transactions on Reliability, R-26(3) (August 1977).
11. Sun, Yang H. & Papazoglou, I. A., Risk evaluation to electric power supplies to safety-related loads. Brookhaven National Laboratory, Informal Report, August 1983.
12. Park, Y. et al., Design Improvement Studies on the Standardization of Nuclear Power Plants, Vol. 9. Korea Power Engineering Company, Inc., August 1987.
13. Jung, W. S., Semi-Markov reliability analysis of three test/repair policies in a standby safety system. MS Thesis, Department of Nuclear Engineering, Korea Advanced Institute of Science and Technology, Seoul, Korea, December 1988.