Abstract

Common cause failures (CCFs) may lead to the simultaneous unavailability or failure of numerous components in the nuclear power plant because of the existence of a shared cause when an initiating event disrupts the normal functioning of nuclear power plants. The presence of common cause failures (intra-unit and inter-unit) can be recognized in a multi-unit probabilistic safety assessment (MUPSA) as a crucial dependency factor that can influence accident scenarios and the core damage frequency (CDF), as CCF may affect the availability and proper operation of mitigating systems. Since such failures are likely to significantly undermine the benefits of the concept of redundancy in nuclear power plant systems, it is necessary to identify the CCFs that contribute to the core damage in a multi-unit site and analyse their overall quantitative magnitude and qualitative proportions. In this study, a twin-unit generic pressurized water reactor (PWR) nuclear plant is modeled using the AIMS-PSA software. For the loss-of-offsite-power (LOOP) and station blackout (SBO) events, the site CDF was calculated, and the cut-sets produced by this quantification were examined for the modeled CCF basic events in the fault trees. The quantitative and qualitative contributions of the CCFs to the frequency of site core damage were examined. CCFs in the modeled fault trees contributed 4.58% to the site CDF of the combined LOOP followed by SBO event. In the LOOP event alone that leads to core damage, the CCFs contributed 4.58% to the site CDF, while CCFs contributed 17.19% to the site CDF in the SBO event alone that leads to core damage. With CCF events considered in the modeling process, the site CDF increased by 7.53% in the combined LOOP followed by SBO event. In the LOOP event alone that leads to core damage, inclusion of CCF events in the modeling increased the site CDF by 7.42%. A 15.66% increase in site CDF was recorded in the SBO event alone that leads to core damage as compared to modeling without CCF events. The results show how crucial the common cause failure contribution is to site CDF. The safety of the nuclear plant at a site is impacted by an increase in site CDF when common cause failures are considered. The various CCF fundamental event compositions and their percentage contributions were explicitly examined through the minimal cut-sets which lead to core damage in the units. In conclusion, this study’s findings can help us better understand how CCFs increase multi-unit site risk and can also act as a starting point for future studies on the qualitative and quantitative categorizations of CCF effects within MUPSA.

1. Introduction

The safe operation of nuclear power plants (NPPs) has been a subject of paramount concern, especially in the wake of the Fukushima Daiichi incident. This has tightened the nuclear industry’s strict safety regulations, strengthening the need for a thorough assessment of risk and failure analysis to guarantee the safe operation of nuclear power plants. A well-known technique used in the nuclear industry for the risk and failure evaluation of nuclear power plants is probabilistic safety assessment (PSA), which is the active process of identifying potential NPP disaster scenarios, their consequences, and probabilities [1, 2]. PSA is also an invaluable tool which can deliver information concerning the event sequences and scenarios that contribute significantly to risk in a nuclear power plant [3]. The capacity of PSA to provide crucial information during the early design phase and to highlight systems that are vulnerable to risk makes it an excellent safety assessment tool. This feature enables effective decision making with regard to the design, development, operation, and maintenance of plants and facilities [4].

Unlike the conventional single-unit PSA for individual NPPs co-located at a site, the Fukushima Daiichi nuclear station incident has outlined the probable accident progression status that can occur in a multi-unit site. Due to the fact that most sites have multiple units, PSA for single-unit NPP (SUPSA) analysis has limitations because it does not accurately represent all accident scenarios, categories, and radioactive sources to determine the radiological risk brought on by severe and/or accident events at the site [5].

With an upsurge in the attention that has been drawn to multi-unit risks as a result of the Fukushima Daiichi event, MUPSA approaches and techniques are seen as the criteria to augment the limitations that SUPSA techniques present when dealing with multi-unit risks. Multi-unit risk analysis is particularly important since it has a significant impact on the overall study of a multi-unit PSA [5].

A predominant factor considered when undertaking SUPSA is CCF. CCFs are “failures which are the direct result of a shared cause, in which two or more separate channels in a multiple channel system are in a faulty state simultaneously, leading to system fault” [6]. This phenomenon is seen as a significant contributor to SUPSA metrics such as the core damage frequency (CDF) and the large early release frequency (LERF), which are measures of the extent to which the core of a reactor experiences damage and the associated frequency of release of radioactive sources into the environment, as a result of the damage, respectively [1].

CCFs (intra-unit and inter-unit) are expected to play a significant role in MUPSA as they provide an assessment of the likelihood that events originating from one unit will have an impact on multiple units. Due to dependencies and CCFs, initiating events (events that put NPP operation into an out-of-order state) may have an impact on all units in multi-unit sites. High system reliability can be achieved by using redundancy in nuclear power plant operations, but the presence of CCFs makes it possible for a single condition or event to cause fault states to occur in more than one component or unit, regardless of the type of redundancy available in the system design [7]. A main conclusion from PSAs is that the non-availability of safety mechanisms for NPPs is typically attributed to CCFs [8, 9]. Dependencies ranging from functional, physical, human interaction, component, or hardware dependencies may exist on a site with co-located units due to the presence of CCFs on the site.

A number of studies have suggested very important methods for analysing multi-unit scenarios and treating many aspects of CCF for use in MUPSA studies. Han et al. [10] developed two approaches using AIMS-PSA software to quantify PSA scenarios for a multi-unit nuclear site. The approach derived and quantified multi-unit scenarios from a large PSA model by aggregating PSA models for each unit of a six-unit site. Though other factors of MUPSA such as the shared systems, CCF between units, accident management, and organizational factors were not considered in the study, it developed the minimal cut-set approach and the Monte Carlo approach in AIMS-PSA software with additional multi-unit feature enhancements. The minimal cut-set approach created by Han et al. [10] generates the minimal cut-sets as a result of the numerous accident scenarios that are applicable in a multi-unit PSA, as opposed to a traditional PSA, where the minimal cut-sets are estimated for each scenario and the core damage frequency is quantified. To supplement cases where the minimal cut-sets cannot be generated or quantification values are in doubt, a simulation approach to generate cut-sets known as the Monte Carlo approach and the fault tree top event probability evaluation using Monte Carlo simulation (FTeMC) are used.

In order to evaluate the site CDF for a hypothetical multi-unit LOOP scenario, Kim et al. [11] used a map-up method via the impact vector approach to address risk-significant inter-unit CCFs. In this approach, when the size of the common cause component group (CCCG) in the original single-unit model was two (2) or three (3), all conceivable combinations of inter-unit CCF events were described in the dual-unit model. If there are more than four (4) CCCGs, a straightforward method is to multiply the single-unit base model by 0.1. This was utilized in the estimation of core damage frequency at multi-unit sites. For instance, multiplying the mean probability of four out of four essential chillers failing owing to a CCF (1.02E-05) by 0.1 yields the mean likelihood of eight out of eight essential chillers failing due to an inter-unit CCF.

In recent additions to the body of work on quantifying inter-unit CCFs applicable to MUPSA studies, Jang and Jae [12] presented a dual approach to evaluating the inter-unit CCF by analysing the single-unit complete CCF probability and the fraction of each inter-unit CCF event using Swain’s dependency model. The inter-unit CCFs were considered for a four-unit site, each unit having a dual emergency diesel generator (EDG) and a shared alternate alternating current diesel generator (AACDG). The results of the quantification with the two inter-unit CCF methods showed that the total probability of occurrence of core damage of both methods was higher than that without inter-unit CCF events because the probability of core damage in more than two units increased significantly.

Due to the significance of CCFs in the measurement of core damage in MUPSA, it is essential to thoroughly study the dynamics of these CCFs in multi-unit core damage frequency estimation. A qualitative and quantitative analysis of CCFs is crucial for multi-unit PSA in order to determine which categories of CCFs have significant quantitative contributions to core damage in the multi-unit scenario or the composition of CCFs in accident sequences and scenarios in cut-sets that lead to core damage.

The main contribution of the current study is the development and demonstration of a systematic approach to modeling both intra-unit and inter-unit CCFs of the fault trees in the mitigating systems, during both LOOP and SBO events, which was executed using the AIMS-PSA software for the hypothetical dual nuclear site. Additionally, the methodology presented assessed the qualitative importance of CCFs in terms of minimal cut-sets (MCSs) in the accident sequences of the CDF quantification in the multi-unit scenario for two initiating events. This assessment was done in a comprehensive manner in order to provide insights into the significance of CCFs on CDF of the multi-unit site. The enhanced understanding provided by the study regarding the impact of CCFs on site risk is quite novel. Overall, the quantitative evaluation techniques involve probabilistic estimation, a quantitative importance evaluation, and sensitivity analysis of the CCFs to the overall core damage on the multi-unit site. The main benefit of this approach is that it focuses on the detailed CCFs analysis in the site core damage quantification as more comprehensive failure models (fault trees and event trees) were utilized for the initiating events selected for the site.

2. Materials and Methods

Building a multi-unit PSA model by aggregating single-unit PSA models, determining all multi-unit scenarios, and quantifying the frequency of each scenario are the primary components of the methodology suggested and illustrated in this study. The event trees (ETs) and fault trees (FTs) were modeled for the occurrence of the LOOP and SBO initiating events using the typical mitigation systems of the hypothetical PWR. To depict the single-unit PSA for each plant, intra-unit CCFs (CCFs within systems) were modeled in the relevant fault trees of the system. The switch to a multi-unit model is marked by the addition of the multi-unit features: the inter-unit CCF of the EDG of each unit and the shared AACDG between the units. AIMS-PSA software was used for the modeling of the FTs and ETs, the quantification of the site CDF, and obtaining the accident scenarios and the most significant CCFs contributing to the core damage in the twin unit. These steps are summarised in Figure 1.

In comparison to Jang and Jae [12], the methodology proposed and demonstrated in this study concentrated on investigating and performing detailed analysis of the effects of CCFs on site risk. Additionally, the methods developed in this study involve quantitative and qualitative analysis of the minimal cut-sets that lead to the site CDF. Finally, the initiating events considered in this study were the multi-unit LOOP, SBO, and the combined LOOP followed by SBO events.

In this study, a scenario is a combination of accident sequences that occur in multiple units, whereas a sequence is an accident event in a single unit [10]. The LOOP and SBO events were selected out of all potential initiating events that could lead to a multi-unit accident scenario (such as internal and external hazards) based on their frequency and their magnitude of effects that these initiating events have on site metrics. These initiating events, LOOP and SBO, were triggered for a hypothetical generic two-loop typical pressurized water reactor (PWR) of the Westinghouse design with a thermal output of 1000 MW and designated primary and secondary systems.

When compared to single-unit PSA scenarios, multi-unit PSA scenarios typically have different modeling and quantification characteristics. How to quantify the multi-unit aspects, such as shared systems, CCFs, accident management, organizational considerations, and the multiple situations that can result in initiating events, is one of the fundamental challenges in a multi-unit PSA. Combinations of sequences for each initiating event complicate the modeling and quantification procedure in a multi-unit PSA. Therefore, modeling and quantifying the core damage scenario in a unit, two units, three units, and so forth would necessitate a substantial number of accident sequence combinations [10]. For instance, if there are M units and N sequences per unit, then N^M combinations are possible [10].

AIMS-PSA software, developed by Korea Atomic Energy Research Institute (KAERI), was used to develop fault trees and event trees for the initiating events LOOP and SBO. Two generic PWR units that make up the multi-unit site were used to carry out the accompanying safety system response to these initiating events. These triggering events place these units into transient mode, resulting in the activation of safety systems and the danger of core damage. The fault and event trees that were generated to represent the accident progression of the PWR’s mitigating systems make up the single-unit model of the CDF. When modeling these occurrences, the intra-unit CCFs of the various systems were considered. The main multi-unit features that were introduced to these single-unit models are the inter-unit CCF of the emergency diesel generators (EDGs) and the shared alternate AC generators (AACDGs) between the units. By combining the single-unit models of each unit, the top logic for the multi-unit model was constructed using AIMS-PSA software. The investigation of the CCF inclusion in these models and the quantification of the site level CDF were simulated.

2.1. Multi-Unit Initiating Events and Accident Scenarios

This analysis considered the LOOP and SBO initiating events because their presence considerably affects the frequency of plant core damage. The functional system representation and accident scenarios were modified from [13, 14]. A reactor trip is not envisaged in the LOOP scenario considered in this study (see Figure 2) with the failure to regain AC power scenario. The NRAC-LOOP header in the event tree indicates that the offsite power is not recovered after 30 minutes. The primary system integrity (PSI-LOOP) header in the event tree essentially covers the reactor coolant pumps (RCPs) and main feedwater (MFW) pumps, which are tripped due to the unavailability of power to run the pumps. Emergency diesel generators (EDGs) are restarted successfully to supply electrical power and to restart the auxiliary feedwater system (AFW). RCPs operate properly because AFW was successfully resumed. The event tree of the hypothetical LOOP event is depicted in Figure 2 and is modeled using the AIMS-PSA program in relation to the mitigating systems and structures in the hypothetical unit 1 of the generic PWR. The event library’s %IE_LOOP1 event defines the initiating event, while NRAC-LOOP, PSI-LOOP, SGI-LOOP, and AFW-LOOP define the top headers of the event tree. The event tree’s sequences 4 and 5 are regarded as causing the unit’s core damage.

Figure 3 depicts the SBO accident, which results in the loss of all AC power sources, including all EDGs. In this work, the current scenario does not have on-site or offsite power recovery for seven (7) hours. The first functional event NRAC-SBO in the station blackout event tree corresponds to the restoration of AC power to the plant safety busses before the drying of the coolant on the secondary side of the steam generators (SGs). The second functional event, reactor coolant injection (RCI-SBO), in the SBO event tree corresponds to the preservation of the reactor coolant system (RCS) inventory until AC power is restored. The pressurizer power operated relief valves (PORVs) must be closed in order to prevent a loss of coolant accident (LOCA). The SGI-SBO header represents the secondary side integrity functional event. The top event of the fault tree corresponding to the AFW failure is the fourth functional event, AFW-SBO. The fault tree describing the AFW failure considering various AFW system failures serves as the input to this functional event. The fifth functional event, NRAC-1HR, is the restoration of AC power to the plant safety busses and isolation by the pressurizer block valve within one hour before the start of temperature escalation in the core. The operator-initiated cooling and depressurization of the reactor coolant system during a protracted station blackout constitutes the sixth functional event DEP-SBO. The seventh functional event SLOCA-NRST corresponds to the RCP seal LOCA.

The eighth functional event NRAC-SLOCA indicates non-recovery of AC power LOCA. The last functional event NRAC-7HRS corresponds to the restoration of AC power to the plant safety busses and isolation by the pressurizer block valve within 7 hours before the start of temperature escalation in the core.

Fault trees were developed for the functional events (top headers in AIMS-PSA software) with their corresponding failure probabilities for basic events involved in the accident sequences of these headers derived from generic failure rate probabilities of systems and CCF data in the USNRC database for use in single-unit PSA [13].

2.2. Modeling for a Single Unit

The PSA model adopted for each unit consists of the sum of the accident sequences of the initiating events LOOP and SBO considered in this study. The major defining issue of concern is the incorporation of intra-unit CCF basic events into the fault trees of the functional events of these models. The top logic of unit 1 and unit 2 is shown in Figure 4. In this work, the top logic event for unit 1, CDF_UNIT_1, has two fault trees, namely, LOOP_UNIT_1 and SBO_UNIT_1. LOOP_UNIT_1 has two sequences, i.e., tag events that lead to core damage as defined in the event tree, sequences 4 and 5 labeled LOOP_UNIT_1-4! and LOOP_UNIT_1-5!, respectively, as shown in Figure 5. The SBO_UNIT_1 fault tree has twelve sequences including sequences 4, 7, 10, 13, 14, 17, 20, 21, 23, 24, 26, and 27 as shown in Figure 6. These sequences as given in the event tree lead to core damage and are present in the fault tree for the CDF top logic for the units, and thus CDF_UNIT_1 has a total of fourteen sequences. CDF_UNIT_2, which is the top event for unit 2, has the same number of sequences as unit 1.

Unit 2 models were distinguished from unit 1 models by prefixing all gates and basic events included in the base single-unit LOOP and SBO models of unit 1 by 2. Thus, the event 2-PPS-MOV-FT-1536 representing “PORV block valve 1536 fails to open” would be an event for unit 2. Regarding the initiator, the same basic event was applied equally to all dual-unit models without distinguishing between units because it was assumed in this study that the initiating events challenged all dual units simultaneously.

The model for the top event LOOP_UNIT_1-04! of LOOP_UNIT_1 composed of the events NRAC-LOOP, PSI-LOOP, SGI-LOOP, AFW-1, and the sequence 4 tag event #LOOP_UNIT_1-04! is shown in Figure 7 with expanded fault tree of the AFW-1 functional event. Consequently, all other sequences of event tree LOOP_UNIT_2 illustrated in Figure 6 had similar sequences and probabilities.

A selected model of the SBO_UNIT_1 composed of the functional events RCI-SBO, SGI-SBO, DEP-SBO, SLOCA-NRST, NRAC-SLOCA, and NRAC-7HRS with modeled intra-unit CCF shown in red is shown in Figure 8. Intra-unit CCF was modeled in the fault trees of the accident mitigation systems (event trees) for the initiating events of this study.

2.3. Development of Multi-Unit CDF Model

Given the PSA model for each unit, the site level CDF model for the multi-unit site was constructed for three different initiating event scenarios based on LOOP, SBO, and the combined events of LOOP followed by SBO events. To determine the overall impact of the two events occurring simultaneously, the site level CDF for the LOOP followed by SBO event was built. These site CDF models are presented in Figures 9–11.

2.3.1. Estimation of the Inter-Unit CCF

One of the technical difficulties for a probabilistic safety assessment for multi-unit sites is the quantification of the inter-unit CCF. The symmetric assumption of intra-unit CCF analysis becomes invalid when quantifying the inter-unit CCF, and a more systemic approach is needed to deal with the dynamics and the asymmetry that inter-unit CCFs present in PSA analysis [15].

The approach for estimating the inter-unit CCF utilized in this work is from Jang and Jae [12], which proposed two methods of estimating the inter-unit CCF using Swain’s dependency model and the CCF data in the SUPSA. Based on the approach used in Jang and Jae [12], the value of the inter-unit CCF used in this study for the twin unit considered for this study is 3.87 × .

In modeling the fault trees for the AAC unavailability, due to LOOP event, the inter-unit CCF basic event “EPDGW-CCF-DG-AB-AAC” represents the inter-unit CCF event for unit 1 and the AAC. The inter-unit CCF event for unit 2 is “2-EPDGW-CCF-DG-CD-AAC.” The fault tree for the unavailability of the AACDG is given in Figure 12.

2.4. Key Assumptions

The following assumptions were made for this study:
(1) The two units at the site are generally identical, i.e., they have the same structures, systems, and components (SSCs) and same operating/testing/maintenance procedures.
(2) A multi-unit accident may have an impact on the availability of alternative AC diesel generators (AACDGs) and emergency diesel generators (EDGs). In this study, it was presupposed that units 1 and 2 shared an AACDG, with priority given to unit 1, operating at the time of occurrence of the initiating events.
(3) When an initiating event occurs, all units are affected simultaneously or almost simultaneously, and the effects are equal for each unit.

3. Results and Discussion

The analyses of the results of the quantification process using the AIMS-PSA software for the site level CDF and the single-unit CDF with respect to the LOOP and SBO initiating events modeled in this project place a focus on observations and summaries of the results involving the CCF basic events, cut-sets of importance, and the dynamics of CCF events of greater importance in the quantification process. As part of the evaluation of the qualitative and quantitative results of the CCFs relevant to the site CDF, the Fussell-Vesely (FV) importance measure was used as the metric of importance. The FV importance measure is defined as the probability that an MCS containing a discussed basic event will cause the top event [3].
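As an added illustration (not part of the original study and not AIMS-PSA output), the Python sketch below applies the FV definition above to a small constructed list of cut-sets, using the rare-event approximation for the site CDF. All probabilities, the function names, and the basic-event names not quoted in the article are assumptions.

```python
import math

# Constructed basic-event data. Names tagged (page) are quoted in the article;
# the others are hypothetical. Every probability/frequency below is invented.
P = {
    "%IE_LOOP1": 1e-2, "%IE_LOOP2": 1e-2,        # (page) LOOP initiators
    "EPDGS-AAC": 1e-1, "2-EPDGS-AAC": 1e-1,      # (page) no power from AACDG
    "EPDGW-CCF-DG-AB-AAC": 1e-5,                 # (page) inter-unit CCF, unit 1
    "2-EPDGW-CCF-DG-CD-AAC": 1e-5,               # (page) inter-unit CCF, unit 2
    "EPDGW-CCF-DG-AB": 1e-4,                     # hypothetical intra-unit CCF
    "2-EPDGW-CCF-DG-CD": 1e-4,                   # hypothetical intra-unit CCF
    "DG-A-FS": 5e-2, "DG-B-FS": 5e-2,            # hypothetical DG fails to start
    "2-DG-C-FS": 5e-2, "2-DG-D-FS": 5e-2,
}

def unit_cut_sets(ie, aac, dg1, dg2, intra_ccf, inter_ccf):
    """Three constructed core-damage cut-sets for one unit."""
    return [
        {ie, dg1, dg2, aac},      # independent DG failures plus AACDG failure
        {ie, intra_ccf, aac},     # intra-unit CCF of both DGs plus AACDG failure
        {ie, inter_ccf},          # inter-unit CCF takes out the DGs and the AACDG
    ]

CUT_SETS = (
    unit_cut_sets("%IE_LOOP1", "EPDGS-AAC", "DG-A-FS", "DG-B-FS",
                  "EPDGW-CCF-DG-AB", "EPDGW-CCF-DG-AB-AAC")
    + unit_cut_sets("%IE_LOOP2", "2-EPDGS-AAC", "2-DG-C-FS", "2-DG-D-FS",
                    "2-EPDGW-CCF-DG-CD", "2-EPDGW-CCF-DG-CD-AAC")
    # Deliberately non-minimal: a superset of the unit 1 inter-unit CCF cut-set.
    + [{"%IE_LOOP1", "EPDGW-CCF-DG-AB-AAC", "DG-A-FS"}]
)

def minimize(cut_sets):
    """Drop duplicates and any cut-set that has a proper subset in the list."""
    unique = {frozenset(cs) for cs in cut_sets}
    return sorted((cs for cs in unique if not any(o < cs for o in unique)),
                  key=sorted)

def frequency(cut_set, p):
    """Frequency of one cut-set: product of its basic-event values."""
    return math.prod(p[e] for e in cut_set)

def site_cdf(mcs, p):
    """Rare-event approximation: sum of the minimal cut-set frequencies."""
    return sum(frequency(cs, p) for cs in mcs)

def fv(mcs, p, events):
    """FV importance of a set of events: share of the total carried by
    minimal cut-sets that contain at least one of them."""
    hit = sum(frequency(cs, p) for cs in mcs if cs & set(events))
    return hit / site_cdf(mcs, p)

def is_ccf(name):
    # Assumption: CCF basic events carry "-CCF-" in their name, as on the page.
    return "-CCF-" in name

def ccf_ranking(mcs, p):
    """(event, #MCS, FV) for every CCF basic event, largest FV first."""
    events = sorted({e for cs in mcs for e in cs if is_ccf(e)})
    rows = [(e, sum(e in cs for cs in mcs), fv(mcs, p, [e])) for e in events]
    return sorted(rows, key=lambda r: (-round(r[2], 12), r[0]))

def percent_increase_from(mcs, p, events):
    """Percent rise in site CDF relative to the same model with the given
    events set to probability zero (a simple sensitivity case)."""
    without = site_cdf(mcs, {**p, **dict.fromkeys(events, 0.0)})
    return 100.0 * (site_cdf(mcs, p) - without) / without

if __name__ == "__main__":
    mcs = minimize(CUT_SETS)
    ccf = [e for e in P if is_ccf(e)]
    print(f"#MCS = {len(mcs)}, site CDF = {site_cdf(mcs, P):.3E}")
    print(f"FV of all CCF events = {100 * fv(mcs, P, ccf):.2f}%")
    print(f"CDF increase from CCF = {percent_increase_from(mcs, P, ccf):.2f}%")
    for name, n, value in ccf_ranking(mcs, P):
        print(f"{name:24s} #MCS={n} FV={value:.5f}")
```

In this simplified setting the two CCF metrics are tied together (a group FV of f gives an increase of f/(1-f)); a re-quantified model without CCF events, as in the study, need not follow that relation.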

3.1. Estimation of Site Level CDF due to LOOP Event

In the multi-unit scenario involving the LOOP event occurring concurrently in both units, a total of sixty-eight (68) cut-sets were generated with total probability of occurrence of core damage resulting from the LOOP event for the site (dual unit) estimated to be 2.926E-04. The risk frequency of the LOOP initiating event in the individual units is estimated to be 1.495E-04 for %IE_LOOP1 in unit 1 and 1.431E-04 for %IE_LOOP2 in unit 2. The increase in the risk value of the multi-unit scenario relative to the single-unit value can be attributed to the fact that in the LOOP event, risk-significant probabilities of recovering offsite power were not modeled inherently in the system and it is assumed that the mitigation systems will reduce this risk within 30 minutes of the occurrence of this event. Table 1 summarises the LOOP event analysis for the estimated site level CDF.

Referring to Table 1, the unit 1 LOOP event had a slightly greater risk frequency than unit 2, contributing slightly more than 51% of the total risk of the site CDF, though with fewer cut-sets (32), while unit 2 had a risk frequency amounting to almost 49% of the total risk and 36 minimal cut-sets. The LOOP initiating event in unit 1 (%IE_LOOP1) had a greater conditional core damage probability (CCDP) than unit 2 (%IE_LOOP2) as shown in Table 1. Since the CCDP expresses risk in terms of the likelihood of core damage based on the configuration and operation of the plant at a given point in time during the interest period, unit 1’s %IE_LOOP1 gave rise to a higher risk in the site CDF during the occurrence of the initiating event at the site. Also, unit 1 had priority over unit 2 in terms of the shared AACDG and the assumptions provided for this study in Section 2.4, in the case of an initiating event.

Table 2 presents the first ten of the most significant minimal cut-sets (MCSs) generated by AIMS-PSA software for the multi-unit scenario involving the simultaneous occurrence of LOOP event in both units.

In this LOOP event, the event “no power from AACDG by AACDG failure” is contained in each of the first 4 most significant MCSs and acts as the major contributor to the CDF occurrence in both units. Its varying occurrence with unit 1 LOOP initiating event (%IE_LOOP1), unit 2 LOOP initiating event (%IE_LOOP2), unit 1 LOOP sequence 5, and unit 2 LOOP sequence 5 has a probability of 1.4E-04 in each of the first four most significant MCSs, contributing 23.93% each to the site CDF.

The analysis of the most significant MCS of the results shows that all of the most significant MCSs are related to the failure of the shared alternate AC DG (AACDG) and the failure of DGs A and B in unit 1 and DGs C and D in unit 2. As all the diesel generators and the shared AACDGs are alike and therefore share the same failure probability for each failure mode, the contributions of similar failure states to the site CDF are the same. In summary, the minimal cut-sets (accident scenarios) where “DGs failed to start and run” account for 95.72% of site CDF.

3.1.1. CCF Circumstances in the Multi-Unit LOOP Event

Table 3 and Figure 13 show the largest CCF contributors to the site CDF during the concurrent LOOP event in the multi-unit scenario using the FV importance measure registered during the event.

The quantitative results indicate that, for site CDF, the combined contribution of the failure events “Failure to Start and Load due to CCF” for DGs in units 1 and 2 accounts for 98.86% of the total CCF contribution. Similarly, the inter-unit CCF contributes 1.74% of the site CDF of the LOOP event. Nevertheless, the CCFs are contained in all the most significant MCSs.

The number of minimal cut-sets, #MCS, and a qualitative analysis of the MCS of the major CCF events significantly contributing to the site CDF based on their FV importance measure are shown in Table 3 for accident sequences. The FV importance measure is a measure of the overall percent contribution of cut-sets containing a basic event of interest to the total risk in the given initiating event.

The dominant CCF event in the multi-unit CDF is the failure of the DGs in each unit to start and load due to CCF which primarily accounts for the CDF sequences in the LOOP event and fault tree. The loss of operation of the DGs in each unit, thus, is more severe for the CDF occurrence. Even though the contributions of the remaining CCF events, which included different combinations of the shared AAC DG and the DGs in each unit, as depicted in Figure 13, were minimal, they all had the same FV value, indicating equal contributions to the site CDF occurrence.

In summary, using the FV importance measure, the common cause failures primarily from the failure of the DGs to start and run account for 4.58% of the site CDF.

3.2. Estimation of Site Level CDF due to SBO Event

In the multi-unit scenario involving the SBO event, a total of 100 cut-sets were generated with total probability of occurrence of core damage resulting from the SBO event for the site (dual unit) estimated to be 2.083E-09. The risk frequency for %IE_SBO1 for unit 1 and %IE_SBO2 for unit 2 was estimated to be 1.106E-09 and 9.768E-10, respectively. In the modeling of the SBO event tree, consideration was given to the probabilities of not recovering offsite power from 30 minutes to 1 hour and extended to 7 hours, given that the risk-significant probabilities of not recovering offsite power were increased over these periods.

As seen from Table 4, the SBO initiating event in unit 1 (%IE_SBO1) presented a slightly greater risk to the site CDF than that in unit 2 (%IE_SBO2), with contributions of 53.097% and 46.903%, respectively, because, under the assumptions made for this study in Section 2.4, unit 1 was given greater priority than unit 2 for the shared AACDG upon the occurrence of an initiating event.

As expected, “no power from AACDG by AACDG failure” in the SBO event featured prominently in all the 100 cut-sets with EPDGS-AAC for unit 1 appearing in 54 cut-sets with an FV value of 0.530971 while 2-EPDGS-AAC for unit 2 appeared in 46 of the cut-sets with an FV value of 0.469030.

3.2.1. CCF Circumstances in the SBO Multi-Unit Event

Table 5 and Figure 14 show the largest CCF contributors to the site CDF during the concurrent SBO event in the multi-unit scenario using the FV importance measure registered during the event. The quantitative results indicate that the CCF contributes 17.19% to the site CDF in the SBO event, and that the CCFs from the AFW system (specifically, the CCF of motor-driven pumps and the CCF of undetected leakage through check valves CV27, CF58, or CV89) accounted for 89.4% of the total CCF contribution to the site CDF. The CCF of the pressure operated relief valves (PORV) of the RCS system contributed 9.68% while CCF of DGs contributed 0.92% to the total CCF contribution to site CDF. In summary, using the FV importance measure, the common cause failures account for 17.19% of the site CDF. The major CCF events that significantly contributed to the site CDF, ranked by their Fussell-Vesely (FV) importance measure and organized by accident sequence, are shown in the qualitative analysis of the MCS in Table 5.

3.3. Estimation of Site Level CDF due to Combined LOOP Followed by SBO Event

In the multi-unit scenario of the LOOP followed by the SBO event, a total of 134 cut-sets were generated with total probability of occurrence of core damage resulting from the LOOP followed by the SBO event for the site (dual unit) estimated to be 2.926E-04. The average risk frequency of both the LOOP initiating events, %IE_LOOP1 and %IE_LOOP2, in the site CDF decreased to 1.4635E-04 as compared to the risk of 1.495E-04 in the single-unit event as deduced from Table 6. Additionally, the average risk of both the SBO initiating events, %IE_SBO1 and %IE_SBO2, in the site CDF decreased to 1.0414E-09 compared to the risk of 1.106E-09 in the single-unit event as can be inferred from Table 6. It can also be gleaned from Table 6 that most of the risk contributing to the site CDF came from the LOOP events although the SBO events contributed appreciably to the site CDF. A summary of the percentage contributions of the initiating events to the site CDF of the combined LOOP followed by SBO event is also given in Table 6.

An analysis of the scenarios contributing to site CDF reveals that the LOOP initiating events %IE_LOOP1 and %IE_LOOP2 and the event that “no power from AACDG by AACDG failure” (EPDGS-AAC and 2-EPDGS-AAC) were the paramount basic events contributing to the first two scenarios with values of 49.43% for each scenario and a risk value of 1.4E-04.

Another cut-set of concern is the failure of the DGs A and B of unit 1 and DGs C and D of unit 2 with varying contributions of 0.69%, 0.13%, and 0.1% in the various cut-sets as shown in Table 7. The analysis of the most significant MCS of the results shows that all of the most significant MCSs are related to the failure of the shared AACDG and the failure of DGs A and B in unit 1 and DGs C and D in unit 2. As all the diesel generators and the shared AACDG are alike and therefore share the same failure probability for each failure mode, the contributions of similar failure states to the site CDF are the same. In summary, the minimal cut-sets (accident scenarios) where DGs failed to start and run and/or DG was unavailable due to maintenance account for 99.91% of site CDF.

It is important to observe that the occurrence of the LOOP event had a considerable impact on the CDF for each unit, while the SBO event had a very small share in the overall CDF of the plant for the LOOP followed by the SBO event in each unit. This can be attributed to the fact that the modeling of the SBO event tree considered the probabilities of not recovering offsite power from 30 minutes and 1 hour up to 7 hours, given that the risk-significant probabilities of not recovering offsite power were increased in these periods. A large decrease in the SBO risk is obtained by introducing functional events that mitigate the SBO risk along the time sequence (30 minutes to 1 h to 7 h) of the modeled event tree. The ability of the system to maintain proper functioning within this time frame results in the decrease of the SBO risk frequency in the overall site CDF.

It follows that most of the risk came from the LOOP event (85.22%), while the SBO event contributed 14.78% of the CDF for each unit.

Table 7 presents the first ten of the most significant minimal cut-sets (MCSs) generated by AIMS-PSA software for the multi-unit scenario involving the simultaneous occurrence of LOOP followed by SBO event in both units.

For each unit, Table 7 also summarises the qualitative outlook of the most significant cut-sets for the LOOP followed by SBO event, in terms of the importance of the CCF basic events to the occurrence of site CDF.

3.3.1. CCF Circumstances in the Combined LOOP Followed by SBO Multi-Unit Event

Table 8 and Figure 15 show the largest CCF contributors to the site CDF during the LOOP followed by SBO event in the multi-unit scenario using the FV importance measure registered during the event.

The quantitative results of the cut-sets reveal that the events in which DGs A and B of unit 1 and DGs C and D of unit 2 fail to start and load due to CCF contribute 98.27% of the total CCF contribution, with the inter-unit CCF contributions accounting for 1.73% of the total CCF contribution to site CDF. In terms of accident sequences, Table 8 shows a qualitative analysis of the MCS of the major CCF events contributing significantly to the site CDF, according to their Fussell-Vesely (FV) importance measure and the number of minimal cut-sets, #MCS.

In summary, using the FV importance measure, the common cause failures primarily from the failure of the DGs to start and load account for 4.58% of the site CDF.

3.4. Percentage Contribution of CCF in the Site CDF

Regarding the percentage contribution of the CCF events to the site CDF for all the assumed initiating events, the percentage of the CCF in the SBO event is clearly of greater magnitude than in the LOOP event and the “LOOP followed by SBO” event. It must be noted that the SBO event modeled in this work includes all functional events of a representative SBO event tree for a generic Westinghouse PWR, as the CCF events are fully captured for all the functional events in the accident sequences of the site CDF. The qualitative results from the multi-unit SBO event indicate that the MCSs that contribute significantly to the site CDF contain CCF events with greater FV values than the CCF events in the LOOP event, which is indicative of the overall percent contribution of the CCF basic events to the top event risk in the given initiating event. As such, even though the site CDF of the SBO event was of lesser magnitude than that of the LOOP event, the common cause failures of the SBO event contribute to the risk to a larger extent. Also, the occurrence of the LOOP event is a key event contributing to the occurrence of the SBO event. Table 9 shows the percentage contributions of the CCF events in the various initiating events in the site CDF estimation.

3.5. Site CDF Analysis with and without CCF Consideration

In the LOOP event, the site CDF without CCF consideration in any of the fault trees of the functional systems was estimated to be 2.724E-04. Thus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 7.42% as compared to the site CDF without CCF events. In this LOOP event without CCF consideration, the most significant minimal cut-sets include the failure of the shared AACDG, contributing 98% of the site CDF. As the assumed site shares an AACDG between units, the contribution of two (2) failure modes (the CCF due to failure to start or run) is a significant cut-set to site CDF.

In the SBO event, the site CDF without consideration of the CCFs in the fault trees of the functional systems of the accident mitigation systems was estimated to be 1.801E-09. Thus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 15.66% as compared to the site CDF without CCF events.

Regarding the LOOP followed by the SBO event, the site CDF without CCF consideration was estimated to be 2.721E-04. Thus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 7.53% as compared to the site CDF without CCF events. Figure 16 gives a pictorial classification of the site CDF with and without CCF consideration. Table 10 gives the analysis of site CDF with and without CCF considerations.
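The FV-based CCF contribution reported in Sections 3.3.1 and 3.4 and the with/without-CCF comparison in this section can both be computed from a list of minimal cut-sets. The following is an added example, not code from the paper or from AIMS-PSA: the cut-sets, the event names other than %IE_LOOP1 and %IE_LOOP2, and all probabilities are constructed, and the rare-event approximation (top-event frequency as the sum of cut-set frequencies) is assumed.

```python
from math import prod

# Constructed inputs (not the paper's model data): initiating-event
# frequencies per year and basic-event failure probabilities.
EVENTS = {
    "%IE_LOOP1": 0.03, "%IE_LOOP2": 0.03,
    "AACDG-FAIL": 0.05,                        # shared alternate AC diesel generator
    "DG-A-FS": 0.02, "DG-B-FS": 0.02,          # unit 1 DGs fail to start
    "DG-C-FS": 0.02, "DG-D-FS": 0.02,          # unit 2 DGs fail to start
    "CCF-DGAB-FS": 1e-4, "CCF-DGCD-FS": 1e-4,  # intra-unit CCF basic events
}
CCF_EVENTS = {"CCF-DGAB-FS", "CCF-DGCD-FS"}

# Constructed minimal cut-sets: each set of events jointly causes core damage.
CUT_SETS = [
    frozenset({"%IE_LOOP1", "AACDG-FAIL", "DG-A-FS", "DG-B-FS"}),
    frozenset({"%IE_LOOP1", "AACDG-FAIL", "CCF-DGAB-FS"}),
    frozenset({"%IE_LOOP2", "AACDG-FAIL", "DG-C-FS", "DG-D-FS"}),
    frozenset({"%IE_LOOP2", "AACDG-FAIL", "CCF-DGCD-FS"}),
]

def cut_set_frequency(cut_set, events=EVENTS):
    """Frequency of one cut-set: product of its (independent) event values."""
    return prod(events[name] for name in cut_set)

def site_cdf(cut_sets=CUT_SETS, events=EVENTS):
    """Rare-event approximation: sum of the minimal cut-set frequencies."""
    return sum(cut_set_frequency(cs, events) for cs in cut_sets)

def fussell_vesely(names, cut_sets=CUT_SETS, events=EVENTS):
    """Share of the site CDF carried by cut-sets containing any named event."""
    names = {names} if isinstance(names, str) else set(names)
    hit = [cs for cs in cut_sets if cs & names]
    return site_cdf(hit, events) / site_cdf(cut_sets, events)

def cdf_without(names, cut_sets=CUT_SETS, events=EVENTS):
    """Site CDF with the named events removed (probability set to zero)."""
    names = set(names)
    return site_cdf([cs for cs in cut_sets if not cs & names], events)

def percent_increase(with_ccf, without_ccf):
    """Relative increase of the site CDF when CCF events are modeled."""
    return 100.0 * (with_ccf - without_ccf) / without_ccf

if __name__ == "__main__":
    total, no_ccf = site_cdf(), cdf_without(CCF_EVENTS)
    print(f"site CDF {total:.3e}, without CCF {no_ccf:.3e}")
    print(f"CCF group FV {100 * fussell_vesely(CCF_EVENTS):.2f}%")
    print(f"increase from CCF {percent_increase(total, no_ccf):.2f}%")
    # The paper's LOOP-followed-by-SBO figures, 2.721E-04 -> 2.926E-04:
    print(f"{percent_increase(2.926e-4, 2.721e-4):.2f}%")
```

FV is normalised by the site CDF with CCF events included, whereas the percentage increase is normalised by the site CDF without them, so the two figures differ even for the same cut-set list.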

4. Conclusion

Using AIMS-PSA software, a method for evaluating the quantitative magnitude and qualitative proportions of CCFs in the site CDF of multi-unit PSA has been demonstrated. The site CDF model was used to analyse the responses to the initiating events, LOOP and SBO, occurring simultaneously in the units, together with the modeled intra-unit CCFs and the inter-unit CCF, with particular focus on the shared AACDG and the EDGs. AIMS-PSA was used to generate cut-sets for each of the initiating events under consideration, and the findings showed variable degrees of compositions of the CCFs and different percentage contributions to the site CDF, depending on the type of initiating event.

Using the FV importance measure, CCFs in the modeled fault trees contributed 4.58% to the site CDF of the combined LOOP followed by SBO event. In the LOOP event alone that leads to core damage, the CCF contributed 4.58% to the site CDF while CCFs contributed 17.19% to the site CDF in the SBO event alone that leads to core damage. With CCF events considered in the modeling process, the site CDF estimated with CCF events increased by 7.53% in the combined LOOP followed by SBO event. In the LOOP event alone that leads to core damage, inclusion of CCF events in the modeling increased the site CDF by 7.42%. A 15.66% increase in site CDF was recorded in the SBO event alone that leads to core damage as compared to modeling without CCF events.

In the case of the LOOP event, the CCF event of all the DGs in the units (DGs A and B for unit 1 and DGs C and D for unit 2) was the greatest CCF contributor to the site CDF. In the SBO incident, the CCF of undetected leakage through check valves CV27, CF58, or CV89 and the common cause failure of the motor-driven pump, both in the AFW system, were the major CCF contributors to the site CDF. Finally, due to the significant influence the occurrence of the LOOP event has on the site CDF, the CCF event of all the DGs in the units (DGs A and B for unit 1 and DGs C and D for unit 2) was the highest CCF contributor in the case of the combined LOOP followed by SBO event.

The importance of these CCFs to the security of multiple units is evident from the dominance of the CCFs of the DGs and the AACDG in the CCF composition of the cut-sets generated for the site CDF. To reduce the site CDF risk to the NPP, it is necessary to carefully examine the failure to start and run as well as the unavailability of DGs due to maintenance.

The results obtained in this study provide insight into analysing the contributions of functional systems of nuclear plants to site CDF in response to an initiating event. Each of the initiating events assumed for this work also shows that the site CDF is sensitive to the occurrence of the LOOP event with the CCFs of the shared AACDG being the main contributor to the MCS leading to site CDF.

In summary, the results obtained in this work can enhance the understanding of the impact of CCFs on multi-unit site risk as well as serve as a baseline for further studies regarding the qualitative and quantitative categorization of effects of CCFs within MUPSA.

Abbreviations

AACDG: Alternate alternating current diesel generator
AFW: Auxiliary feedwater
CCCG: Common cause component group
CCDP: Conditional core damage probability
CCF: Common cause failure
CDF: Core damage frequency
CHKVLV: Check valve
DEP: Depressurizer
DG: Diesel generator
DGAB: Failure to start diesel generators A and B
DGAC: Failure to start diesel generators C and D
EDG: Emergency diesel generator
EPDGS: No power due to DG failure to start
EPDGW: Diesel generator failure to start and load
ET: Event tree
Fs: Failure to start
Ft: Failure to open
FT: Fault tree
IE: Initiating event
KAERI: Korea Atomic Energy Research Institute
LERF: Large early release frequency
LK: Leakage
LOCA: Loss of coolant accident
LOOP: Loss-of-offsite-power
MCS: Minimal cut-set
MFW: Main feedwater
MOV: Motor operated valve
MUPSA: Multi-unit PSA
NPP: Nuclear power plant
NRAC: Failure to regain AC power
OEP: Unavailability of emergency protection
PORV: Power operated relief valves
PPS: Pipe segment
PSA: Probabilistic safety assessment
PSI: Primary system integrity
PWR: Pressurized water reactor
RCI: Reactor coolant injection
RCP: Reactor coolant pump
SBO: Station blackout
SCDF: Site CDF
SG: Steam generator
SGI: Steam generator integrity
SLOCA: Seal LOCA
SSCs: Structures, systems, and components
STMBD: Check valve description
SUPSA: Single-unit PSA.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors acknowledge the support of the International Atomic Energy Agency (IAEA) for initiating the coordinated research project (CRP) on “Probabilistic Safety Assessment (PSA) Benchmark for Multi-Unit/Multi-Reactor Sites” in 2018, which provided great insight into MUPSA studies. The authors also acknowledge the support of the Ghana Atomic Energy Commission and KAERI for their assistance in obtaining the AIMS-PSA software and its license for use in this work. This study was supported by the International Atomic Energy Agency through a coordinated research project with contract no. 22980/R0.