**4. Passive system unavailability model**

34 Nuclear Power – Practical Aspects


**Figure 8.** Example of a fault tree







A fault tree logically combines the top event (e.g. complete failure of a support system) and the causes of that event (e.g. equipment failure, operator error etc.). An example of a fault tree is shown in Figure 8. The fault tree mainly consists of basic events (all possible causes of the top event that are consistent with the level of detail of the study) and logical gates (OR, AND, M out of N and other logical operations). Other modelling tools, like common cause failures and house or area events, are also used in the fault trees. All front-line and support systems are modelled by fault trees and then combined in the event trees, depending on the initiating event.

A fault tree is capable of including rather special cases, usually identified in complex systems. These include system and component dependencies, called common cause failures (simultaneous failures of several components due to the same reason), area events (usually fire, flood etc., which damage groups of components in certain rooms) and human actions (operator errors or mitigation actions).

The PSA is a powerful tool that can be used in many different ways to assess, understand and manage risk. Its primary objectives are the following:

The growing area of PSA use is the extensive support of probabilistic results in risk management and decision-making processes. The main areas of PSA application are the assessment of design modifications and back-fitting, risk-informed optimization of the Technical Specifications, accident management, emergency planning and others.

The reliability of a passive system refers to the ability of the system to carry out a safety function under the prevailing conditions when required, and addresses mainly the related performance stability.

In general, the reliability of passive systems should be seen from two main aspects:


These two kinds of system malfunction are to be considered as ET headings, to be assessed by specific FT components, as shown in Figures 9 and 10.

Reliability of Passive Systems in Nuclear Power Plants 37

**Figure 9.** Event tree development

**Figure 10.** Fault tree model

The first facet calls for well-engineered safety components with at least the same level of reliability as the active ones.

The second aspect is concerned with the way the physical principle (gravity and density difference) operates, and depends on the surrounding conditions related to the accident development in terms of the evolution of the thermal-hydraulic parameters (i.e. characteristic parameters such as flow rate and exchanged heat flux). This could require not a unique unreliability figure, but an unreliability re-evaluated for each sequence following an accident initiator, or at least for a small group of bounding accident sequences enveloping the ones chosen upon similarity of accident progress and expected consequences: in this respect the thermal-hydraulic analysis of the accident is helpful to estimate the evolution of the parameters during the accident progress.

The first step of the analysis is the identification of the failure modes affecting the natural circulation: for this purpose two well-structured and commonly used qualitative hazard analyses, Failure Mode and Effect Analysis (FMEA) and HAZard and OPerability analysis (HAZOP), specifically tailored to the topic by considering the phenomenology typical of natural circulation, are adopted.

This analysis concerns both the mechanical components (e.g. valve, piping, heat exchanger) of the system and the natural circulation itself, as a "virtual" component; the system under investigation is the aforementioned Isolation Condenser.

FMEA is a bottom-up procedure conducted at component level, by which each failure mode in a system is investigated in terms of failure causes, preventive actions on causes, consequences on the system, and corrective/preventive actions to mitigate the effects on the system. The HAZOP procedure instead considers the parameters characteristic of the system (among them pressure, temperature, flow rate, heat exchanged through the HX, opening of the drain valve) and, by applying a set of "guide" words which imply a deviation from the nominal conditions (for instance an undesired decrease or increase), determines the consequences of operating conditions outside the design intentions. The FMEA and HAZOP analyses are shown in Table 1 and Table 2 respectively.

The analysis points out several factors leading to disturbances in the Isolation Condenser system; the list of these includes:

- Non-condensable gas build-up
- Heat exchange process reduction: surface oxidation, thermal stratification, piping layout, etc.
- Mechanical component malfunction, i.e. drain valve
- Unexpected mechanical and thermal loads, challenging the primary boundary integrity

Finally a set of critical parameters, direct indicators of the failure of the system, is identified; these include:

- Non-condensable fraction
- Undetected leakage
- Valve closure area in the discharge line
- HX plugging
- Heat loss
- Piping layout
- HX plugged pipes









**Table 1.** FMEA Table for the Isolation Condenser System

1 This deviation is not evaluated, even if it implies an overcooling of the system that could potentially induce thermal stresses on core structures and reactor components, like the heat exchanger.

**Table 2.** HAZOP Table for the Isolation Condenser System

Each of these failure mode driving parameters is examined to determine the expected failure probability by defining the range and the probability distribution function pertaining to the parameter. These failure characteristics are then used to develop a probabilistic model to predict the natural circulation failure.

As stated before, the FT technique seems to be the most suitable means to quantify the passive system unavailability, once the failure modes are introduced in the form of elementary basic events (the critical parameters), linked following the rules of Boolean algebra (AND and OR), or in the form of sub-fault trees. However, the introduction of passive safety systems into an accident scenario, in the fashion of a safety or front-line system, deserves particular attention. The reason is that their reliability figure depends more on the phenomenological nature of the occurrence of the failure modes than on the classical mechanical and electrical component faults. This makes the assessment process different from the system model commonly adopted in the fault tree approach, as depicted before.

In fact, since the failure of the physical process is addressed, the conventional failure model associated with the basic events (i.e. exponential, $e^{-\lambda t}$, with λ the failure rate and t the mission time), commonly used as the component failure model, is not applicable: each pertinent basic event will be characterized by defined parameters driving the failure mechanisms (e.g. non-condensable fraction, leak rate, partial opening of the isolation valve, heat exchanger plugged pipes, etc.) and by the associated failure criterion. Thus each basic event model pertaining to the relevant failure mode requires the assignment of both the probability distribution and the range of the corresponding parameter, and the definition of the critical interval defining the failure (for example, failure for non-condensable fraction > x%, leak rate > x gr./sec or crack size > x cm², and so on). In order to evaluate the overall probability of failure of the system, the single failure probabilities are combined according to:

$$Pe_t = 1.0 - \left[ (1.0 - Pe_1)(1.0 - Pe_2) \cdots (1.0 - Pe_n) \right] \tag{1}$$

where:

$Pe_t$ overall probability of failure

$Pe_1$ through $Pe_n$ individual probabilities of failure pertaining to each failure mode, assuming mutually non-exclusive independent events

The failure model relative to each single basic event is given by:

$$Pe_i = \int_{x_0}^{\infty} p_i(x) \, dx \tag{2}$$

where:

$p_i(x)$ probability distribution function of the parameter x

$x_0$ threshold value according to the failure criterion

of Milan and the University of Rome, that was later incorporated in the EU (European Union) RMPS (Reliability Methods for Passive Systems) project. This methodology is based on the evaluation of the failure probability of a system to carry out the desired function from the epistemic uncertainties of those physical and geometric parameters which can cause a failure of the system.

The RMPS methodology, described in [7], was developed to address the following problems: 1) identification and quantification of the sources of uncertainties and determination of the important variables, 2) propagation of the uncertainties through thermal-hydraulic (T-H) models and assessment of passive system unreliability, and 3) introduction of passive system unreliability in accident sequence analyses. In this approach, the passive system is modelled by a qualified T-H code (e.g. CATHARE, RELAP) and the reliability evaluation is based on the results of code runs, whose inputs are sampled by Monte-Carlo (M-C) simulation. This approach provides a realistic assessment of the passive system reliability, thanks to the flexibility of the M-C simulation, which adapts to the T-H model complexity without resort to simplifying approximations. In order to limit the number of T-H code runs required by M-C simulation, alternative methods have been proposed, such as variance reduction techniques, first and second order reliability methods and response surface methods. The RMPS methodology has been successfully applied to passive systems utilizing natural circulation in different types of reactors (BWR, PWR and VVER). A complete example of application concerning the passive residual heat removal system of a CAREM reactor is presented in [8]. The RMPS methodology also tackles an important problem, which is the integration of passive system reliability in a PSA study. So far, in the PSAs of existing innovative nuclear reactor projects, only passive system component failure probabilities are taken into account, disregarding the physical phenomena on which the system is based, such as the natural circulation. The first attempts performed within the framework of RMPS have taken into account the failures of the components of the passive system as well as the impairment of the physical process involved, as basic events in a static event tree, as exposed in [7].

Two other steps have been identified after the development of the RMPS methodology where an improvement was desirable: the inclusion of a formal expert judgment (EJ) protocol to estimate distributions for parameters whose values are either sparse or not available, and the use of efficient sensitivity analysis techniques to estimate the impact of changes in the input parameter distributions on the reliability estimates.

R&D in the United States on the reliability of passive safety systems has not been as active, at least until the mid 2000s. A few published papers from the Massachusetts Institute of Technology (MIT) have demonstrated their development of approaches to the issue. The MIT research on the reliability of passive safety systems has taken a similar approach but has focused on a different set of reactor technologies: it has examined thermal-hydraulic uncertainties in passive cooling systems for Generation IV gas-cooled reactors, as described in [9,10]. Instead of post-design probabilistic risk analysis

It is worth noting that the assumed failure criterion, based on a failure threshold for each path, implies neglecting the "intermediate" modes of operation of the system, or equivalently the degraded performance of the system (up to the failure point): this gives credit for a passive system that "partially works", i.e. has failed for its intended function but still provides some operation. This operation could be sufficient to prolong the window of opportunity to recover a failed system, for instance through a redundancy configuration, and ultimately prevent or arrest core degradation.

Once the probability distributions of the parameters are assigned, the reliability of the system can be directly obtained from (1), provided a failure criterion is assigned and the single failure probabilities are evaluated through (2): this point is addressed by assigning both the range and the probability distributions, based on expert judgment and engineering assessment. In fact, as further illustrated, difficulties arise in assigning both the range and the probability density functions of the critical parameters defining the failure modes, in addition to the definition of a proper failure criterion, because of the lack of operational experience and data.
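As an added worked example (not code from the chapter or its authors), the following script evaluates equations (1) and (2) numerically for a few constructed Isolation Condenser failure modes: each critical parameter is given an assumed probability density and threshold $x_0$, $Pe_i$ is the tail integral above $x_0$ (truncated at the top of the assigned range, where the density is negligible), and the modes are combined as mutually non-exclusive independent events. All distributions, ranges and thresholds are constructed for illustration only.

```python
import math

# Added example (not from the chapter): equations (1) and (2) applied to
# constructed failure modes of the Isolation Condenser natural circulation.
# Each mode is driven by one critical parameter x with an assigned density
# p_i(x); the mode fails when x exceeds the threshold x0 of its failure
# criterion. Modes are combined as mutually non-exclusive independent events.

def normal_pdf(mean, sd):
    """Gaussian density for a parameter with an assumed mean and spread."""
    return lambda x: math.exp(-0.5 * ((x - mean) / sd) ** 2) / (sd * math.sqrt(2 * math.pi))

def uniform_pdf(lo, hi):
    """Flat density over an assumed parameter range [lo, hi]."""
    return lambda x: 1.0 / (hi - lo) if lo <= x <= hi else 0.0

def tail_probability(pdf, x0, x_max, steps=20000):
    """Equation (2): Pe_i = integral of p_i(x) dx over [x0, x_max], trapezoidal rule.
    x_max is the upper end of the assigned range (density negligible beyond it)."""
    if x0 >= x_max:          # threshold outside the assigned range: the mode cannot fail
        return 0.0
    h = (x_max - x0) / steps
    total = 0.5 * (pdf(x0) + pdf(x_max))
    for k in range(1, steps):
        total += pdf(x0 + k * h)
    return total * h

def combine_independent(probs):
    """Equation (1): Pe_t = 1.0 - (1.0 - Pe_1)(1.0 - Pe_2)...(1.0 - Pe_n)."""
    survival = 1.0
    for p in probs:
        survival *= 1.0 - p
    return 1.0 - survival

# Constructed modes: (critical parameter, assumed density, threshold x0, range maximum)
FAILURE_MODES = [
    ("non-condensable fraction [%]", normal_pdf(1.0, 0.5), 2.0, 6.0),
    ("leak rate [gr./sec]", uniform_pdf(0.0, 10.0), 8.0, 10.0),
    ("HX plugged pipes [%]", normal_pdf(5.0, 2.0), 10.0, 20.0),
]

def system_failure_probability(modes=FAILURE_MODES):
    """Return the per-mode Pe_i (eq. 2) and the overall Pe_t (eq. 1)."""
    single = {name: tail_probability(pdf, x0, xmax) for name, pdf, x0, xmax in modes}
    return single, combine_independent(single.values())

if __name__ == "__main__":
    single, total = system_failure_probability()
    for name, p in single.items():
        print(f"{name:30s} Pe_i = {p:.5f}")
    print(f"{'system, eq. (1)':30s} Pe_t = {total:.5f}")
```

With these constructed inputs the leak-rate mode dominates (Pe ≈ 0.2), and Pe_t ≈ 0.223, slightly below the plain sum of the single probabilities because the combination rule does not double-count overlapping failures.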
