Data analysis G.V.Tokmachev Lecture

Author: Abner Miles

1 Data analysis G.V.Tokmachev Lecture
Workshop on Specific Features of VVER-400 PSAs, 28 April-02 May 2003, Erevan, Armenia
Level 1 probabilistic safety assessment
Data analysis
Lecture
G.V.Tokmachev
Any questions are welcome at any moment of the lecture

2 Data analysis. Lecture outlines
Data analysis process
Estimated parameters
Reliability models
Systems of data collection
Issues related to engineering treatment of raw data
Estimation of reliability parameters
Estimation of unavailability due to test, maintenance, and repair
Estimation of common cause failure parameters
Estimation of special event probabilities

3 Data analysis. Definitions
Failure probability per demand - The probability that a component fails to perform its function when required.
Failure rate - The limit value of the ratio of a component failure probability in a time interval to the length of the time interval, as the latter approaches zero, given that the component is functioning at the beginning of the interval (extracted from Russian Standard GOST ).
Repair time - The time spent on actual repair.
Restoration time - The time during which a component is incapable of functioning, i.e. the time between fault identification and the failure end time. Restoration time covers preparation for repair (administrative time, cooldown time, or time waiting for tools and parts needed for repair), actual repair, and post-repair actions (post-repair test, re-alignment of system configuration).
Test - Periodical examination of availability of a component being actuated by either an operator or an automatic signal.

4 Data analysis. Data analysis process
Data analysis process consists of successive execution of the following subtasks:
1. Definition of a list of components, their boundaries, reliability models and their parameters for which data collection and treatment needs to be performed (requirements of PSA model)
2. Selection of information sources and collection of “raw” data
3. Engineering treatment of data collected
4. Selection of estimation techniques to be applied and derivation of PSA parameters
Data analysis process in PSA.doc

5 Data Analysis Process in PSA

6 Component reliability data. Estimated parameters
Unavailability model of a component in the fault tree (discussed in more detail later, in the lecture on system analysis) may include the following terms:
Stand-by component failure on demand (pump, valve, breaker, etc.)
Component failure to run (pump, diesel generator, fan, etc.)
Component unavailability due to tests, repair, and maintenance
Common cause failure of two or more redundant components in the system

7 Component reliability data. Estimated parameters
Parameters of component reliability which need to be estimated are as follows:
1) failure probability on demand or stand-by failure rate
2) failure rate to run
3) parameters of unavailability due to scheduled or unscheduled maintenance and repair
4) parameter of unavailability due to test
5) common cause failure (CCF) probability (parameter of CCF model).
Important comment. It is not allowed to collect and process reliability data apart from system analysis!

8 Requirements to data analysis task from probabilistic model
List of components
Component boundaries
Failure modes
Unavailability models and their parameters for which data collection and processing is to be carried out
CCF component groups and models
Non-statistical parameters (e.g., frequency of tests and preventive maintenance, staggered strategy of tests or maintenance)
Operational profile of the unit (e.g., power operation time per calendar year)

9 Reliability models. Periodically tested stand-by components
Component failure probability: where λs is the stand-by failure rate (1/hrs), and T is the test period (hrs)
Data requirements: λs <= number of observed failures
Failures are discovered during periodical tests in the plant power operation mode

10 Reliability models. Periodically tested stand-by components
Parameter of unavailability due to tests: where t is the average test duration (hrs), and Tt is the test period (hrs)
Data requirements: t <= observed test durations

11 Reliability models. Periodically tested stand-by components
Parameter of unavailability due to unscheduled (corrective) maintenance and repairs: where ti is the duration of unavailability during the i-th removal from service (hrs), and T is the total unit exposure for the observation period (hrs); λs is the stand-by failure rate (1/hrs), and tR is the mean time to repair given a failure (hrs)
Comment. Use of the right term leads to underestimation of the contribution from this type of unavailability
Data requirements: ti <= durations of unscheduled events associated with repairs and corrective maintenance
Comment. All unscheduled events associated with removing components from service need to be taken into account

12 Reliability models. Periodically tested stand-by components
Parameter of unavailability due to scheduled (preventive) maintenance: where fm is the maintenance frequency (1/hrs), and tm is the average maintenance duration (hrs)
Data requirements: tm <= observed maintenance duration

13 Reliability models. Untested stand-by component
Probability of component failure: where λs is the stand-by failure rate (1/hrs), and tp is the fault exposure time between plant outages (hrs)
Data requirements: λs <= number of observed failures
Failures are discovered during plant outage for repair and refueling or due to accidents

14 Reliability models. Monitored stand-by component
Component failure probability: where λs is the stand-by failure rate (1/hrs), and tR is the mean time to repair (hrs)
Data requirements: λs <= number of observed failures; tR <= observed repair durations
Failures are discovered by special control systems either at the moment of their start (noise or light alarm) or in a short time (from several minutes to 1-3 hours) needed for an operator to discover a signal of the control system

15 Reliability models. Non-repairable component during mission time
Probability of component failure: where λO is the operating failure rate (1/hrs), and TM is the mission time (hrs)
Data requirements: λO <= number of observed failures
Comment. Mission time usually considered in the PSA is: TM = 24 hours

16 Reliability models. Repairable component during mission time
Component failure probability: where λO is the operating failure rate (1/hour), and tR is the mean time to repair (hour)
Data requirements: λO <= number of observed failures; tR <= observed repair durations
Comment. Time to repair in accident and normal operation environment can differ significantly

17 Component reliability data. Component boundaries and failure modes
Definition of a component failure requires an exact definition of the failure mode and the component boundary
Failure mode and component boundary should be defined in close cooperation with a system analyst (discussed in detail later in the lecture on system analysis)
Component boundary - a list of units included in the component which is considered in the model as a discrete entity. No safety related subcomponents should be omitted or double counted. Component boundaries may be either graphically or narratively described in different data sources.
Failure mode - subclass of unavailable states of a component characterized by a function failed (e.g., normally closed motor operated valve fails to open given a demand)
Failure modes and component boundaries used in the data analysis should be fully consistent with definitions used in the system analysis

18 Component reliability data. Component boundaries and failure modes
Examples of typical errors in defining component boundaries:
Example 1. PSA for NPP with VVER-440. A circuit breaker was included in the diesel generator (DG) boundary considered in the PSA model, i.e. the circuit breaker of the diesel generator was not modeled separately. When deriving DG failure probability from data collected, failures of the DG circuit breaker were not counted.
Example 2. Manufacturer’s data was used for pumps in PSA for VVER-440. The manufacturer's data for "pump" failures typically includes only the mechanical parts of the pump and sometimes the pump motor because other vendors are responsible for the other subcomponents. The PSA data for a "pump" included the pump mechanical components, the pump lube oil supply, the pump motor, the motor circuit breaker, and parts of the control circuits that operate the circuit breaker. As a result, in the PSA the failure probability of the circuit breaker (subcomponent of the pump) included in the boundary of the pump was even higher than the total failure probability of the pump.
Example 3. Double counting of relay failures, e.g., both in the boundary of the pump and separately.

19 Component reliability data. Component boundaries and failure modes
Possible objective (?) causes of inconsistency between data and model:
Testing mode is different from accident conditions:
Partial testing, e.g., idling diesel generator, i.e. some subcomponents included in the boundary of the component are not tested
Short-term testing, e.g., fuel transfer pump can be included in the boundary of the diesel generator, but not started during a test of the diesel generator
Underloading testing, e.g., pump running via recirculation lines during sequencer testing, BRU-A opening without reverse, preset opening before opening of motor-operated valves during a test
Pump testing using an inadequate hydraulic line
Modification of NPP (data is too old or model is “behind”)

20 Data collection. What to collect?
Data needs:
For failures:
Number of failures over time - n, Tobservation
Number of failures on demands - n, Ndemands
For test unavailabilities:
test frequency, test duration
For repair and maintenance unavailabilities:
frequency and duration of scheduled maintenance, and
number and duration of unscheduled maintenance due to failures and degradations

21 Data collection systems
Data collection possibilities:
1) “One shot” PSA-oriented collection (in practice, usually used while performing a PSA): analysis of past experience by investigating maintenance and test records and operator logbooks, interviewing maintenance foremen, etc. in order to estimate the PSA parameters
! Sometimes the available information is not complete, which results in optimistic estimations
2) Establishing a component reliability data collection system for PSA needs at the NPP, consisting of: personnel responsible for data collection; a computerised database to record the data and to perform data assessment and calculation of PSA parameters and uncertainties
3) Establishing a multipurpose reliability data collection system
IAEA-TECDOC-756 Guidelines for multipurpose data systems for nuclear power plants (1994)

22 Reliability data collection systems for PSA carried out for NPP with VVER-440
As a rule, there are multipurpose reliability data collection systems aimed at operational issues:
Best: at NPP Dukovany, the Czech Republic (VVER-440/213)
Best among NPPs with VVER-440/230: at Kola NPP, Russia
It is not recommended to use data from Kozloduy NPP, Bulgaria
International reliability data collection systems:
ISKO AES in MKhO «Interatomenergo», Moscow (already closed)
In the framework of INSP funded by US DOE (in Russia stopped)
VNIIAES, Moscow (the previous name - SSOIN)
Nobody got practical results in developing an international (industrial) reliability data collection system for PSA

23 Sources of plant specific information for reliability data analysis

24 Component reliability data. Sources of generic data
The data source categories typically available can be characterized by the quality and quantity of information. They are prioritized below:
Sources which include text versions of all event records and population exposure
Sources providing a summary of event statistics, i.e. the number of events (failures) and an assessment of the population exposure (operating time, the number of demands)
Sources providing parameter estimates, based on historical data from identified sources (NPP)
Sources providing consensus estimates or compiling data from several sources
Sources which can be characterized as subjective estimates

25 Component reliability data. Generic sources for VVER
IAEA, Survey of ranges of component reliability data for use in Probabilistic Safety Assessment, IAEA-TECDOC-508, 1989 (contains expert estimates of reliability parameters for VVER)
IAEA, Component Reliability Data for Use in Probabilistic Safety Assessment, IAEA-TECDOC-478, 1988 (compilation of reliability values from many data bases over a wide range of components)
Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, SAND , Vol.1, January 1990.
T-book. Reliability Data of Components in Nordic Nuclear Power Plants, 4th edition, 1996 (Swedish reliability book). Contains very clear definitions of component boundaries in a graphical form
Data bases of equipment manufacturers (e.g., TsKBA, Saint Petersburg: valves)
Comment. Some IAEA documents are available through internet :

26 Component reliability data. Requirements of SP of GAN to PSA with respect to generic data
It is not recommended to use only generic data in carrying out a Level 1 PSA for an operating NPP
If generic data is used, then the source of information needs to be characterized
Selection of generic data should be justified in terms of its applicability to the specific plant and equipment, component boundaries and failure modes defined in the Level 1 PSA
If several sources of generic data are used, then an approach to the selection of information should be presented and justified

27 Treatment of specific data
Engineering treatment of specific data includes:
Allocation of events to failure modes and unavailabilities
Grouping of events which may be treated together
Allocation of events to plant operating modes
Definition of population exposure time (the total number of demands)
Comments.
If the PSA has to be carried out for power operation, then the maintenance and test related information from shutdown operation should not be taken into consideration, as well as the corresponding plant exposure
Regarding critical failures, different approaches are possible depending on operational conditions of equipment during plant outage

28 Treatment of specific data. Event categorization
Requirement of PSA SP of GAN: Criteria for event allocation to failure modes and severity should be defined and justified
Comment. Event allocation may affect dramatically the estimated values and can be associated with some problems (discussed later)
Event categorization to severity:
(Critical) failure
Degradation (defect, incipient failure)
The allocation of failure events to PSA failure modes:
Fails to start
Fails to run, etc.

29 Treatment of specific data. Event categorization
Critical failure - A "critical failure" means a failure such that the function of a component being considered in the PSA has been lost when operation of the component is required (usually mission time is 24 hours)
The critical failures include all failures of the following types: pump fails to start or fails to run, as well as circuit breaker or valve fails to open/close, etc.
For a running component, critical failures always lead to immediate repairs and sometimes can cause unit shutdown
For a stand-by component, critical failures can be revealed only when the component is tested or demanded to operate

30 Treatment of specific data. Event categorization
For stand-by components the critical failures are modelled in the fault trees in the two following ways:
As the average component unavailability over the test interval
As a contributor to the unavailability term due to unscheduled repairs and corrective maintenance caused by both critical failures and degradations

31 Treatment of specific data. Event categorization
Degradation (defect, incipient failure) - the component is available for the mission time considered (24 hours after an initiating event)
Some features which do not affect the availability of the equipment function may fail
After detection, the equipment degradation does not cause urgent unplanned maintenance of the equipment, which may be postponed till a suitable moment
Examples of degradation: small external leakage via housing or seal, increased level of vibration, and failures in the indicating equipment
Comment 1. Russian standard GOST provides a definition of degradation which does not correspond to the definition used in PSAs
Comment 2. Unavailability due to corrective maintenance to be performed to eliminate degradation was missed in error in Procedures for conducting Level 1 PSA, №50-P-4, IAEA (1992)

32 Treatment of specific data. Event categorization. Example from PSA for Novo NPP
Pumps. Critical failures: Failure to start, Failure to re-start, Failure to run (Spurious stop). Incipient and degraded failures: External leakage, Vibrations, noise.
Safety/Relief valves. Critical failures: Spurious opening, Failure to open, Failure to re-close. Incipient and degraded failures: Internal leakage, Indication failure.
Heat exchangers. Critical failures: Large leakage. Incipient and degraded failures: Small leakage, Clogging.
Exceptions may appear for external leakages, whose categorization depends on size

33 Treatment of specific data. Event categorization. Examples of failures
Event categorization can be complicated if equipment is stopped by an operator:
Example 1. Novovoronezh NPP. Trip of a diesel generator due to unwanted hammering. Cause: a break of two bearings
Example 2. Kola NPP. Serial trip of two diesel generators due to surge
Example 3. Frequent case. Pump trip after start due to temperature excursion in bearings
For normally running components, degradation is usually allocated to the critical failure in defining reliability parameters if the corresponding repair can not be postponed to the reactor outage

34 Treatment of specific data. Allocation of component failure events to failure modes
Failure to start or failure to run?
Usually in Russian PSAs failures of stand-by pumps, diesel generators, and fans discovered within 30 minutes after component start are allocated to failure to start
Actually such failures arise during the stand-by period and are discovered with some delay, but far earlier than 24 hours
Example. Pump trip 10 minutes after start due to temperature excursion in bearings
Accordingly, the first thirty minutes after each start are not taken into account in defining the population exposure time for failures to run
This is easy, because periodical tests usually last for 30 minutes
Otherwise the failure rate to run is unrealistically high: there are some failure rates to run higher than 1E-2/hrs
Comment. T-book and PSAs in Slovakia and the Czech Republic use another approach.

35 Treatment of specific data. Grouping of similar components/events
Reason: the operating history of a single component does not provide a number of events which is sufficient for estimation
Goals of component/event grouping:
Increase of statistical significance
Reduction of efforts for data collection and treatment
Streamlined integration with PSA model
Drawbacks:
Masking trends and peculiarities
Extension of uncertainty due to differences in design
Potential for meaningless averages (e.g., pump + valve)
A group of basic events in PSA is defined as a group of events that have the same reliability parameter value
This parameter is to be changed simultaneously for all events in the group when uncertainty or sensitivity analyses are performed

36 Treatment of specific data. Grouping of similar components/events
Components assigned to the same group should have similar characteristics, and these characteristics should correspond to the characteristics of the component modelled in the PSA. Ideally the following aspects should be the same:
Component type
Design/size/manufacturer
Operating mode (standby/operating)
Operating environment
Frequency of demands and/or operation
Maintenance/test frequency
In practice some compromise is to be reached between statistical insignificance and inhomogeneity of data by ignoring the less significant criteria
One of the ways: data from an adjacent unit (inapplicable to Armenia NPP)

37 Treatment of specific data. Grouping. Recommendations
Pumps
Stand-by pumps of safety systems fail to start
Many events
Correlation groups are formed on a system basis, i.e. the unique reliability parameters were assigned to each group of identical pumps belonging to a specific system
Stand-by pumps of safety systems fail to run
Small exposure => a few events
The only common correlation group over the general population => combining data related to different types of running pumps (e.g., service water, condensate, and emergency feed water pumps)
Grouping discouraged:
Centrifugal, piston (normal primary make-up at Armenia NPP?) and propeller-type pumps (service water pumps at Armenia NPP?)
Motor and turbine driven pumps (there are no turbine driven pumps at Armenia NPP?)

38 Treatment of specific data. Grouping. Recommendations
Valves
A few events => The common correlation group for each failure mode of motor operated valves (in PSA for Novovoronezh Unit 3)
In some PSAs there are 3-4 groups, according to diameters
Breakers
Acceptable grouping:
Similar design
The same voltage level
Similar frequency of demands
The same failure modes (fails to open or fails to close)

39 Treatment of specific data. Definition of exposure using plant specific data
Population exposures within a time window observed:
Total duration of stand-by periods or the total number of demands
Total duration of running (operating) periods (e.g., for pumps, diesel generators, fans)
Actually for some components stand-by and operating modes considered in the PSA do not differ (transformers under voltage)
When defining the number of demands all demands need to be taken into account:
Scheduled tests
Automatic component start-ups
Manual component start-ups
Starts initiated by automatic load transfer algorithm or because of altering system configuration
Post-repair tests
Start-ups due to TechSpecs requirements (extraordinary tests, isolation, etc.)

40 Treatment of specific data. Issues
Impact of modifications
The time point of the replacement should be clearly identified
The use of old data depends on the type of component replacement: by a new type of component or by a new component of the same type
Comment. A newer component does not necessarily mean higher reliability than an older one!
The number of demands/exposure time can change
Use of manufacturer data
It is not recommended to utilize manufacturer data in the PSA because of differences in component boundaries, failure mode definitions, and conditions of factory tests.
Exception: “Highly reliable” components, if no other information is available. Probably the manufacturer data is better than “zero” statistics.

41 Treatment of specific data. Issues
Control components (relays, electronic components)
Frequently demanded: the number of demands is difficult to estimate. Practical way: count carefully the number of demands for a short period and use this frequency of demands
Failure record: typically is not satisfactory, but, as a rule, such components are replaced rather than repaired after detection of their unavailability. The number of unscheduled replacements => the number of failures
Potential for double counting, e.g., as a pump failure although the I&C component can be beyond the boundary of the pump
Event data log by different workshops
Circuit breaker is typically included in the boundary of a pump, however its failures are often recorded in the electrical workshop rather than the reactor/turbine departments

42 Treatment of specific data. Issues
Unclear description of the event associated with removing out of service
Consultation with foremen
Extrapolation of categorized events over unclear ones. Example. There were 2 failures and 8 degradation events (i.e. ratio 1:4) as well as 3 events that caused removing a component out of service due to an unknown reason. In this case the three unclear events are allocated to 3 x 0.2 = 0.6 failures and 3 x 0.8 = 2.4 degradation events
Lack of events for some component
If it is known authentically that no events occurred, then the component exposure is added to the total exposure of the group
Lack of information for some observation period
If no documentation is available for a certain period, then this period is eliminated from the total exposure. This decision should be documented in the data analysis documentation

43 Treatment of specific data. Issues
«Improving» test results
The first start fails followed by a successful start => only the second start is recorded in a test report. The unsuccessful start can be recorded (?) in operating or maintenance logs
Careful inspection of equipment before a test. Actions associated with recovery of a failure identified by a visual inspection can probably be documented
Starts of components in turns before a complex test => consider in the number of demands, failures can be recorded and recovered
Manual initiation of motor operated valves before opening by the motor => consider the number of demands in real conditions only

44 Reliability parameter estimation
Statistical methods (discussed earlier in the lecture related to initiating event frequencies):
Direct estimations (3 failures and more)
Event combination, mainly Bayesian method
Prior data can come from other NPPs or from other component groups of the NPP to be analyzed
In estimating reliability parameters the simplest formulas are usually used because uncertainty is mainly associated with data treatment (event categorization) rather than statistical insignificance
Example. There were 3 failures for hours. Point estimate of failure rate is 3 / = 3E-5 1/hrs
Estimation process
Estimation of reliability data.doc
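The data treatment rules from the preceding slides, worked through as an added example (not part of the lecture): the 30-minute rule for allocating failures to "fails to start" or "fails to run", the exclusion of the first 30 minutes from run exposure, the proportional allocation of unclear events, and direct point estimates. The record layout, function names and sample history are constructed for illustration.

```python
from dataclasses import dataclass

START_WINDOW_H = 0.5      # lecture: failures within 30 min of start = "fails to start"
DIRECT_MIN_FAILURES = 3   # lecture: direct estimation needs 3 failures or more


@dataclass
class Start:
    """One demand on a stand-by component (test, automatic or manual start)."""
    run_hours: float       # how long the component ran after this start
    failed: bool = False   # True if the run ended in a critical failure


def treat_starts(starts):
    """Allocate failures to failure modes and build the run exposure."""
    n_start = n_run = 0
    run_exposure_h = 0.0
    for s in starts:
        if s.failed:
            if s.run_hours <= START_WINDOW_H:
                n_start += 1   # discovered within 30 min: fails to start
            else:
                n_run += 1     # later trip: fails to run
        # the first 30 minutes after every start are not run exposure
        run_exposure_h += max(0.0, s.run_hours - START_WINDOW_H)
    return {"demands": len(starts), "fail_to_start": n_start,
            "fail_to_run": n_run, "run_exposure_h": run_exposure_h}


def naive_run_rate(starts):
    """Untreated estimate: every failure counted as 'fails to run'
    over the raw running time. Shown only for comparison."""
    total_h = sum(s.run_hours for s in starts)
    if total_h == 0:
        return None
    return sum(1 for s in starts if s.failed) / total_h


def allocate_unclear(n_failures, n_degradations, n_unclear):
    """Spread unclear removal-from-service events over failures and
    degradations in the ratio seen among the categorized events."""
    categorized = n_failures + n_degradations
    if categorized == 0:
        raise ValueError("no categorized events to extrapolate from")
    share = n_failures / categorized
    return (n_failures + n_unclear * share,
            n_degradations + n_unclear * (1.0 - share))


def point_estimates(starts):
    """Direct point estimates n/N (per demand) and n/T (per hour)."""
    t = treat_starts(starts)
    q = t["fail_to_start"] / t["demands"] if t["demands"] else None
    lam = (t["fail_to_run"] / t["run_exposure_h"]
           if t["run_exposure_h"] > 0 else None)
    # with fewer than 3 failures the lecture points to event combination
    # (Bayesian method) instead of a direct estimate
    ok = {m: t[m] >= DIRECT_MIN_FAILURES for m in ("fail_to_start", "fail_to_run")}
    return {"q_start_per_demand": q, "lambda_run_per_h": lam,
            "direct_estimate_ok": ok}


# Constructed history of one stand-by pump group: 120 half-hour tests
# (two tripped after 10 minutes) and 6 real demands (one tripped at 16.5 h).
SAMPLE_STARTS = (
    [Start(0.5) for _ in range(118)]
    + [Start(10 / 60, failed=True) for _ in range(2)]
    + [Start(24.0), Start(48.0), Start(10.0), Start(72.0), Start(30.0),
       Start(16.5, failed=True)]
)

if __name__ == "__main__":
    print(treat_starts(SAMPLE_STARTS))
    print("naive run rate:", naive_run_rate(SAMPLE_STARTS))
    print(point_estimates(SAMPLE_STARTS))
    print(allocate_unclear(2, 8, 3))
```

On this constructed history the untreated rate exceeds 1E-2/hrs, while the treated rate is roughly half of that; both modes have fewer than 3 failures, so neither qualifies for direct estimation.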

45 Reliability parameter estimation. Estimation process

46 Component reliability data. Requirements to the results of failure analysis
The results of failure data analysis should include the following minimum of information for each failure mode:
Type of component and its boundary
Failure mode (fails to start, fails to open, etc.)
Parameter type (failure probability, failure rate)
Point (mean) estimate
Uncertainty characteristics (distribution law, confidence bounds)
Comment. Error factor simultaneously characterizes the distribution law (lognormal) and confidence bounds
Information source
Manufacturer (recommended)
Total number of failures (recommended)
Total exposure (recommended)
Comment. Data on unavailability due to test, maintenance, and repair is discussed later on.

47 Reliability data derived in PSA for VVER-440/230

48 Unavailability due to repair (maintenance) and tests
Scheduled (preventive) activity during unit power operation
Periodical scheduled tests
Maintenance
Certifying of equipment
Such events need to be modeled. Their contribution to unavailability should be estimated if the activity is accompanied by equipment isolation, power supply disconnection or I&C cutoff.
Comment. Only those components (trains) which can not override test & maintenance given an accident signal are modeled and evaluated

49 Unavailability due to repair (maintenance) and tests
Point estimate for test or scheduled maintenance duration for each component or subsystem is calculated by the following formula:
$$t_{TM} = \frac{\sum_{i=1}^{N} T_i}{N}$$
where N is the number of tests or scheduled maintenance actions, and Ti is the duration of the i-th test or scheduled maintenance action

50 Unavailability due to repair (maintenance) and tests
Example of unavailability calculation. At Kozloduy-1,2 NPP the test of the spray system was accompanied by the disconnection of power supply to motor operated valves on injection lines into confinement:
Start of the pumps via the recirculation line: every month
Mean duration each month: 2 hours, i.e. a test of each pump for half an hour plus a total of half an hour for preparation to the test and post-test actions to re-align the system
Unavailability of the spray system due to periodic tests is given:
u = test duration * test frequency
u = 2 hours * 1/(720 hours) = 2/720 = 0.003

51 Unavailability due to repair (maintenance) and tests
Unscheduled (corrective) activity during unit power operation
Usually all events of removing equipment out of service for corrective maintenance and repair are modeled by a single basic event
The duration of unavailability due to a critical failure includes all the time the component/system is inoperable, starting from the failure discovery time and ending with the time the component is returned to service. It includes time for diagnostics, time waiting for repair, actual repair time, post-repair system re-alignment, etc.
Maintenance contributors may be introduced on the train level. In this case the train unavailability is evaluated by adding the unavailabilities of each component which can be maintained (provided that there is no internal redundancy)
Recommendation. Use specific data from Armenia NPP.

52 Unavailability due to repair (maintenance) and tests
Point estimation of train unavailability due to repair/corrective maintenance: where:
N is the number of components of considered types in a system;
T is the total operating time (hours);
ri is the number of unavailability cases of the i-th component;
tij is the out of service time for the considered component at the j-th case (hours).
Recommendation. It is not recommended to use plant outage periods for estimation of unavailability in the plant power operation state and vice versa

53 Unavailability due to repair (maintenance) and tests
Unscheduled unavailability of several redundant components
Can be permitted by TechSpecs
Given evidence of such events, unavailability is evaluated in the same way as unavailability of a single component event. In this case overlapping periods are not considered in estimating single unavailabilities
If there was no event of removing two or more redundant components out of service => conservative approach to calculation of multiple unavailability: the value of single component unavailability is multiplied by a screening factor of 0.1, that is, a conditional probability of the second component being unavailable given unavailability of the first one

54 Unavailability due to repair (maintenance) and tests
Example of unavailability calculation. There were three events of removing a pump out of service for 10,000 hours of unit power operation: for 10 hours to repair the circuit breaker, for 2 hours to replace oil, and for 28 hours to weld a crack in the recirculation pipe.
Point estimate of unavailability due to unscheduled corrective maintenance (repair) is given:
u = total duration of outage times / unit power operation time observed
u = ( )/(10E5) = 40/100,000 = 4.

55 Unavailability due to repair (maintenance) and tests
When generic data are used for a component (it is undesirable), the unavailability factor due to tests, maintenance and repairs can be calculated based on the following algorithm:
If an allowed outage time (AOT) is specified for a component by the Technical Specification or procedures => the unavailability factor due to tests, maintenance and repairs is to be equal to the tenfold value of the failure rate, multiplied by the AOT
If AOT is not defined => the train unavailability factor due to tests, maintenance and repairs has to be considered equal to
This value is recommended based on practical PSA experience. Uncertainty of this value should be taken into account by setting a high error factor (EF=10).
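The unavailability calculations from slides 50 to 55, gathered into one added example (not part of the lecture): test unavailability as duration times frequency, corrective-maintenance unavailability from outage records with plant-outage periods excluded, train unavailability as the sum over components, the 0.1 screening factor for redundant components, and the AOT rule for generic data. The record layout, names and sample records are constructed; only the Kozloduy test figures (2 hours per 720 hours) come from the lecture.

```python
from dataclasses import dataclass

SCREENING_FACTOR = 0.1   # lecture: conditional unavailability of the second component


@dataclass
class Outage:
    """One removal of a component from service for corrective maintenance."""
    component: str
    hours: float       # from failure discovery to return to service
    plant_mode: str    # "power" or "outage"


def unavailability_due_to_tests(mean_duration_h, test_period_h):
    """u = test duration * test frequency."""
    if test_period_h <= 0:
        raise ValueError("test period must be positive")
    return mean_duration_h / test_period_h


def component_unavailability(outages, power_exposure_h):
    """Sum of out-of-service times per component over the observed power
    operation time. Records from plant outage are skipped, because the
    lecture advises against mixing plant states."""
    if power_exposure_h <= 0:
        raise ValueError("exposure must be positive")
    totals = {}
    for o in outages:
        if o.plant_mode != "power":
            continue
        totals[o.component] = totals.get(o.component, 0.0) + o.hours
    return {c: h / power_exposure_h for c, h in totals.items()}


def train_unavailability(outages, power_exposure_h):
    """Train level: add the component unavailabilities (valid only when
    the train has no internal redundancy)."""
    return sum(component_unavailability(outages, power_exposure_h).values())


def double_unavailability(single_u, overlap_hours, power_exposure_h):
    """Two redundant components out of service together. With observed
    overlap periods, treat them like a single-component event; with none,
    apply the conservative screening factor."""
    if overlap_hours:
        return sum(overlap_hours) / power_exposure_h
    return single_u * SCREENING_FACTOR


def generic_unavailability(failure_rate_per_h, aot_h):
    """Generic-data rule: tenfold failure rate multiplied by the AOT."""
    if aot_h is None:
        # the fixed value the lecture recommends for this case is missing
        # from the page, so it is not guessed here
        raise ValueError("AOT not defined: use the recommended fixed value")
    return 10.0 * failure_rate_per_h * aot_h


# Constructed records for one train observed over 20,000 h at power.
POWER_EXPOSURE_H = 20_000.0
SAMPLE_OUTAGES = [
    Outage("pump", 12.0, "power"),
    Outage("pump", 6.0, "power"),
    Outage("valve", 4.0, "power"),
    Outage("pump", 100.0, "outage"),   # overhaul during refueling: excluded
]

if __name__ == "__main__":
    print("spray test u:", unavailability_due_to_tests(2.0, 720.0))
    print(component_unavailability(SAMPLE_OUTAGES, POWER_EXPOSURE_H))
    u_train = train_unavailability(SAMPLE_OUTAGES, POWER_EXPOSURE_H)
    print("train u:", u_train)
    print("two trains u:", double_unavailability(u_train, [], POWER_EXPOSURE_H))
    print("generic u:", generic_unavailability(1e-5, 72.0))
```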

56 Common cause failure data
It is usually recommended to use the Alpha factor model (discussed later in the lecture on dependency analysis)
Methods exist for estimating alpha factors from historical experience:
Labor intensive process
For a single NPP, data is sparse
Analysis is (highly) subjective
=> Use industry-wide experience
At the current time, generic data must be used to estimate the probabilities of CCF events
Two main steps for converting a raw event description to an item of a pseudo "plant-specific" database:
(1) Detailed analysis of each event
(2) Reinterpretation of an event impact vector for the target plant

57 Common cause failure data
Generic parameters should be consistent with the model:
- Component type
- Failure mode
- CCF component group size
- Testing strategy (staggered or non-staggered)

58 Common cause failure data
Generic Alpha factors
- For failure rates in function performance mode (e.g. pump failure to operate, etc.), values α2, α3 and α4 should be reduced by a factor of two.
- Common cause failure parameter values are characterized by significant uncertainty, with an error factor of 10.

59 Data bases of Common Cause failures
- Common-Cause Failure Parameter estimations, NUREG/CR-5497 (1998) - Presented parameter values for the MGL and alpha factor models for CCF component groups of different size (up to 6), calculated for different failure modes of different component types belonging to different systems. Presented definitions of component boundaries and failure modes.
- Procedure for Analysis of Common-Cause Failures in Probabilistic Safety Analysis, NUREG/CR-5801 (1993) - Presented parameter values for the MGL and alpha factor models (CCF group size up to 4), which can be used for screening
- A Database of Common-Cause Events for Risk and Reliability Applications, EPRI TR (1982) - Presented descriptions of real events that occurred at US NPPs
- Hirschberg, S. (Ed.) (1987) NKA-project "Risk Analysis" (RAS-470): Summary Report on Common Cause Failure Data Benchmark Exercise, Final Report RAS-470 (86) 14 (ABB Atom Report RFA ) - Presented a data base on motor operated valves collected at Swedish NPPs (four-component CCF groups)

60 Data analysis. Special event probabilities
Special events:
- Typically, apart from initiating events, failures, unavailabilities, human errors
- Included in the probabilistic model
- Characterized by probabilities
- Define possibility of some special conditions
- Define system configuration
- Component failures which cannot be quantified using a direct statistical approach

61 Data analysis. Special event probabilities
Examples of some special events:
- Clogging of the confinement sump (safety injection pumps) by primary thermal insulation following a break of a reactor coolant pipe
- Recovery of the connection to the grid in case of loss of off-site power
- Reactor pressure vessel rupture given an overcooling
- System configuration:
- Grid breakdown due to unit disconnection
- Break of a specific primary loop (possibility of a dependent failure of the safety injection system)
- Break in the non-isolable part of the primary circuit (use of MIVs)
- Specific cause of a scram actuation (signal structure for different IEs)
- State of an adjacent unit (inessential for Armenia NPP)
- Impact of steam floods, etc.

62 Data analysis. Probability estimation of confinement sump clogging
Basic factors affecting the probability to plug the sump given a LOCA are as follows:
- Design of primary thermal insulation
- Location of a primary break
- Size of a damaged primary pipe
- Design characteristics of sump strainers used to prevent suction lines of the safety injection pumps from clogging by thermal insulation
- Availability and efficiency of thermal insulation pre-catchers protecting the confinement sump
- Assumptions and limitations of a numerical technique

63 Data analysis. Probability estimation of confinement sump clogging
Design of primary thermal insulation
- At advanced NPPs with VVER-1000 (Balakovo-5, Bushehr NPP) primary thermal insulation has a module type design. Insulating material is enveloped in a metal enclosure. Following a primary break the primary thermal insulation is split into one-piece modules. This design decision is assumed to prevent a sump from clogging
Location of a primary break
- Confinement clogging is impossible in case of a primary-to-secondary leak or interfacing LOCA
- The volume of thermal insulation flushed by water flow depends essentially on the potential for targeting another pipe equipped with thermal insulation

64 Data analysis. Probability estimation of confinement sump clogging
Size of a damaged primary pipe
- The larger the diameter of a pipe, the larger the volume of thermal insulation to be flushed from
- The larger the diameter of a broken pipe, the larger the area (more other pipes) targeted by jet blast impingement
- The major part of the small LOCA group, which is related to I&C tube breaks, does not cause the removal of a significant amount of thermal insulation
- A bounding probability value of 1E-4 was assumed to represent the hypothetical sump plugging in case of the small LOCA (PSA for Unit 3 of Novovoronezh NPP)
- It does not make sense to consider sump clogging in case of a large LOCA at Armenia NPP, because this BDBA leads to core damage independently of sump availability

65 Data analysis. Probability estimation of confinement sump clogging
Design of sump strainers used for catching thermal insulation (cell size and total area)
- Affects sump capacity to take up a load in terms of a volume of flushed thermal insulation
- Example. There are two cell-type strainers at Novovoronezh Unit 3: the outside (larger) strainer has cells of 20 mm × 20 mm and its geometry is 1400 × 1400 × 420 mm³; the inside (smaller) strainer has cells of 6 mm × 6 mm and a geometry of 600 × 600 × 320 mm³.
- There is a potential for the insulation particles to pass both strainers => damage of pump internals and plugging of heat exchangers
- If almost the whole area of a strainer is plugged by thermal insulation => failure of pumps
Pre-catchers of thermal insulation
- Designed at Novovoronezh NPP

66 Data analysis. Probability estimation of confinement sump clogging
Assumptions and limitations of the numerical method used (PSA for Novovoronezh Unit 3)
- The jet blast force affects a zone of ten pipe diameters from the break location
- The insulation is removed from the damaged pipe (guillotine break is assumed) for the length of a pipe diameter in each direction from the break location
- All thermal insulation is caught by strainers
- Two cases were considered:
1) Conservative - due to fragmentation all insulation particles pass through the first (outside) strainer => plug the second strainer
2) Optimistic - a considerable amount of the total insulation load (about 50 %) is caught by the external strainer => the total amount of insulation would be distributed over both strainers in equal portions, and there would still be the potential for plugging only the inside strainer because of the big difference in the total surfaces of the strainers

67 Data analysis. Probability estimation of confinement sump clogging
Estimation method
- For the calculation of the sump plugging probability a so-called "load - capacity interference" approach can be applied that assumes a log-normal distribution of the values V and C, where V denotes the load and C denotes the capacity, expressed in terms of volume of insulation.
- The amount of insulation, the geometry of strainers, and empirical factors are taken into account
- Available source of information: L. Lubarsky, I. Kuzmina, The approach for the estimation of the probability of sump filter clogging at LOCAS in level I PSA of unit of Novovoronezh NPP. International Information Exchange Forum, Obninsk, Russia, October 1998. The document is available in PhEI institute (Obninsk, Russia) and probably via internet

68 Data analysis. Probability estimation of confinement sump clogging
Estimation results for Novovoronezh Unit 3
Initiating event | Optimistic case (5th percentile) | Conservative case (95th percentile) | Mean value | Error factor
LOCA mm | 2.07E-3 | 1.64E-2 | 5.83E-3 | 2.81
LOCA mm | 7.53E-2 | 1.91E-1 | 1.12E-1 | 1.59
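The load-capacity interference calculation named on slide 67, as an added example (not code from the lecture or from the Lubarsky and Kuzmina paper): for independent log-normal load V and capacity C, P(V > C) has a closed form, cross-checked here by Monte Carlo. The load and capacity values are constructed, independence of V and C is an assumption, and `lognormal_from_bounds` reads the optimistic and conservative columns of the slide 68 table as 5th and 95th percentiles.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def lognormal_from_bounds(p5, p95):
    """Return (median, error factor) of the log-normal with these 5th/95th percentiles."""
    if not 0 < p5 <= p95:
        raise ValueError("need 0 < p5 <= p95")
    return math.sqrt(p5 * p95), math.sqrt(p95 / p5)


def sigma_from_error_factor(ef):
    """Log-standard deviation, using EF = 95th percentile / median."""
    if ef < 1.0:
        raise ValueError("error factor must be >= 1")
    return math.log(ef) / Z95


def plugging_probability(load, capacity):
    """P(V > C) for independent log-normal V and C, each given as (median, EF)."""
    (med_v, ef_v), (med_c, ef_c) = load, capacity
    spread = math.hypot(sigma_from_error_factor(ef_v), sigma_from_error_factor(ef_c))
    margin = math.log(med_v / med_c)
    if spread == 0.0:  # both volumes known exactly: no interference region
        return 1.0 if margin > 0 else 0.0
    return 0.5 * math.erfc(-margin / (spread * math.sqrt(2.0)))  # standard normal CDF


def plugging_probability_mc(load, capacity, n=200_000, seed=1):
    """Monte Carlo cross-check of the closed form above."""
    (med_v, ef_v), (med_c, ef_c) = load, capacity
    s_v, s_c = sigma_from_error_factor(ef_v), sigma_from_error_factor(ef_c)
    rng = random.Random(seed)
    hits = sum(
        rng.lognormvariate(math.log(med_v), s_v) > rng.lognormvariate(math.log(med_c), s_c)
        for _ in range(n)
    )
    return hits / n


# Constructed inputs (m^3 of insulation), not plant data.
LOAD = (0.05, 3.0)      # median flushed volume, error factor
CAPACITY = (0.40, 2.0)  # median volume the strainer tolerates, error factor

if __name__ == "__main__":
    print(f"closed form: {plugging_probability(LOAD, CAPACITY):.2e}")
    print(f"Monte Carlo: {plugging_probability_mc(LOAD, CAPACITY):.2e}")
    # Error factor implied by the two bounds in the first row of the results table
    print(lognormal_from_bounds(2.07e-3, 1.64e-2))
```

The plugging probability depends only on the ratio of the medians and the combined log-spread, so widening either error factor raises the result whenever the median load is below the median capacity.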

69 Data analysis. Special event probabilities
Break of a specific primary loop (possibility of dependent failure of safety injection system)
- Affects capacity of safety injection
- Conditional probability of a break in a specific primary loop at VVER-440 can be defined as 1/6 <= an assumption of equiprobable break locations in any loop
- Surge pipe of the pressurizer needs to be considered
Break of non-isolable part of primary circuit
- Conditional probability of a break in different locations:
- Split fractions according to the length of pipes
- Partial ruptures need to be considered
- Connected pipes need to be considered
- Split fractions according to pipe exterior surface area
- The use of "penalty factors"
- Segment method (Electric Power Research Institute, "Pipe Failure Study Update," EPRI TR , Final Report, April 1993)

70 Data analysis. Special event probabilities
Reactor pressure vessel rupture given an overcooling
- PSA for Novovoronezh NPP-3: it was assumed conservatively that primary overcooling conditions below an acceptable inlet reactor coolant temperature (depends on pressure) definitely lead to the reactor pressure vessel rupture, with a conditional probability of unity.
Recoverable loss of a unit reserve line due to grid instability
- Statistically. Example from PSA for Novovoronezh NPP-3. There were 2 scrams followed by LOOP in the last 20 years: Kalinin NPP and Smolensk NPP. Both events lasted less than 10 minutes. About 1500 scrams are supposed to have occurred during this period (expert judgment): P = 2/1500 = 1.3E-3

71 Data analysis. Special event probabilities
Non-recovery of power supply from the grid
- Calculated: based on statistics
- Source: 44 units of VVER and RBMK in the former USSR
- Period: 1985–1994
- 29 loss of off-site power events
[Figure: Function of time to non-recover power supply from the grid. Probability on a logarithmic axis (1.00E-04 to 1.00E+00) against time (0.02 to 24 hrs). Curves: Log-Normal, Weibull, Gamma, Exponent, E-Mixt.]
V. Morozov and G. Tokmachev. «Derivation of Frequency and Recovery Probabilities for Loss of Off-Site Power Accident.» ESREL’97, Lisbon, 1997.