Far Completo


Lecture 2a.

INITIATING EVENTS

Event tree analysis is an inductive procedure that shows all the possible consequences of an initiating event, taking into account the operating state of the barriers and other contributing factors. With the event tree you can identify potential accidents and system weaknesses, and quantify the probability of the consequences that follow an initiator.

Event Trees are both a graphic and logical representation of the accident evolution.

In the consequences column, the most successful outcomes are placed at the top (the success branch of each header is drawn above the failure branch).

An Initiating Event is defined as a significant departure from normal conditions that may lead to
undesired consequences. An initiating event may lead to one or more undesired consequences
depending on the success or failed condition of barriers.

Steps in initiating-event analysis

1. For the Probabilistic Safety Analysis (PSA) a set of initiating-event categories has to be defined:
   - Identify the initial set of initiating events
   - Group the events into categories for sequence analysis
   - Evaluate the potential for special initiators
2. Calculate frequencies for the initiating-event categories.

Safety functions: Initiating events can arise as a result of a loss of or disturbance to one or
more of the plant safety functions.

Sources of potential initiating events.

Complementary approaches used to identify initiating events:

1. Examine the lists of events considered in previous PSAs of similar plants.
2. Generic compilations.
3. Review operating experience: plant-specific, and from similar plants in the industry.
4. Plant documents, such as accident analyses (for example the FSAR) and EOPs/AOPs.
5. Engineering review through failure modes and effects analysis (FMEA).
6. Deductive analysis: the master logic diagram, review of system designs.

Previous lists. The logical first step is to examine the lists of events considered in previous PSAs of similar plants. The industry's first PSAs (early 1980s) built on WASH-1400 (1975); NUREG-1150 (1990) later served as the other reference study whose event lists are reused.

Generic compilations suggest events to consider:

- NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995 (February 1999).
- NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants (February 2007).
- EPRI NP-2230 (ATWS: A Reappraisal, 1982) tabulated very specific transient categories to consider.

Operating experience. Review of plant-specific experience: causes of reactor trips, plant incident or corrective-action reports, Licensee Event Reports (LERs), operating-experience summaries, control-room logs, interviews with plant operators.

Review of plant documents. Accident analyses suggest initiating events that pose bounding challenges to the plant: the FSAR (Final Safety Analysis Report). The EOP/AOP network suggests initiating events that have already been considered for the plant.

FMEAs. Failure modes and effects analysis (FMEA): examining the potential failures of each component within a system and evaluating their effects, in particular whether a failure is capable of producing a (unique) reactor trip. It is especially useful for new plant designs, plants with limited operating experience and plants with unique features or configurations.

Deductive processes. These are also especially useful for new plant designs, plants with limited operating experience and plants with unique features or configurations. Use of the master logic diagram: start with a top event that represents "what can go wrong" at a very high level (for example an off-site release); develop the logic progressively downward to find the possible disturbances that could contribute to the occurrence of the top event; identify the corresponding initiating events for the PSA.

Reviewing system designs. The search for unique initiating events should be an integral part of system failure analysis. The objective is to identify events that could cause a plant trip and also have a unique impact on the systems that must respond to that trip.

Grouping of initiating events

Why group events? Plants can have literally thousands of specific initiating events. Many specific initiators have a similar, if not identical, impact on plant response. Grouping initiating events is what makes the PSA a feasible process.

Grouping is based on:
• Needs of the analysis
• Level of detail available for the IEs
• Similarity in terms of the effect on the plant
• Bounding or subsuming

Grouping affects:
• Resources required for the PSA
• Level of conservatism in the PSA model.

Lecture 2b. EVENT TREES

1. Event Tree Sequences, Headers and Success Criteria

Sequence Acceptance Criteria. The conditions under which a sequence is considered successful or failed must be established:

• Success: core integrity. Failure: core damage (2200 ºF, 1204 ºC, the peak cladding temperature limit), the same criterion as defined in the FSAR.

• Both explicit and implicit time criteria are used.

Safety Barriers and Safety Functions. Complex systems are designed so that one or more safety barriers separate the hazardous processes from the undesired consequences. Systems are put in place to mitigate events that depart from stable operation. Safety barriers are also called safety functions and can be engineered (systems, containment) or administrative (regulations, procedures, organization).

• One initiator can lead to different consequences with different probabilities depending on the operating state of the barriers and the mitigating systems.

• Other factors to be considered are:

  • Dynamics: gas burning, evolution of the physical variables.

  • Human: trained personnel at or near the scene of the accident.

  • Environment: conditions at the accident location or in the rooms.

• Safety functions are represented by headers (also called top events) in the event trees.

• Automatic engineered safety feature (ESF) signals and the emergency operating procedures direct the evolution of the sequence.

Safety Functions Success Criteria. Each safety function is performed by plant systems (or parts of them) and operator actions.

• For each initiating event and each actuation of the safety function, the mitigation requirements of the safety functions must be determined.

• Two types of requirements (success criteria) are needed:

1. The capability of the system to perform the protective action: required flow, to be delivered by one or more trains; number of valves that must open or close; power supply.
2. The time limit by which the protective action must be performed to meet the sequence success criteria (available time) and the time during which the action must remain in place (mission time): the time window for system actuation.

Transient Simulations.

- Needed to draw the Event Tree: they show which systems are required, and determine whether core damage is reached and whether a stable, controlled plant condition can be achieved.
- They allow the identification and/or verification of the safety-function success criteria.
- They must be used to calculate the time available for human actions.
- Several simulations are usually required to establish the success criteria: different configurations of the safety functions, especially regarding flow paths (diversions), pressure transients and temperature rise; impact on the time available for operators to perform support/mitigation tasks.

Operators Actions.

• In today's nuclear power plants, operators play a fundamental role in the overall plant response to an initiating event and to any subsequent system failure.

• The development of symptom-based emergency operating procedures after the Three Mile Island accident has greatly improved the operators' ability to identify and execute the appropriate actions.

• Incorporating the relevant operator actions into the development of accident sequences requires an understanding of the operating procedures and of the physical evolution of the sequence.
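The event tree mechanics described in this lecture (headers asked in order, success branch on top, end state fixed by the sequence acceptance criteria, sequence frequency = initiator frequency times the branch probabilities) as a small program. This is an added example, not material from the lecture notes: the header names, the failure probabilities, the initiating-event frequency and the success criteria in end_state() are all constructed for illustration and describe no real plant.

```python
# Added example (not part of the lecture notes): quantifying a small event tree.
# Every number and header name below is constructed for illustration; it is not
# data for any real plant.
IE_FREQUENCY = 1.0e-2  # initiating-event frequency, per reactor-year (constructed)

# Headers (safety functions / top events) in the order they are asked, with the
# probability that the fault tree behind each header fails (constructed values).
HEADERS = ["RT", "AFW", "HPI"]  # reactor trip, auxiliary feedwater, high-pressure injection
FAILURE_PROB = {"RT": 1.0e-5, "AFW": 1.0e-3, "HPI": 1.0e-2}


def end_state(path):
    """Sequence acceptance criteria (constructed): return the end state once the
    outcomes recorded so far decide it, or None if another header must be asked.
    - No reactor trip -> ATWS, counted as core damage; later headers are not asked.
    - AFW success keeps the core cooled -> OK; HPI is only asked when AFW fails.
    """
    if path.get("RT") is False:
        return "ATWS"
    if path.get("AFW") is True:
        return "OK"
    if "HPI" in path:
        return "OK" if path["HPI"] else "CD"
    return None


def build_event_tree(ie_frequency=IE_FREQUENCY):
    """Enumerate the sequences of the tree. Each row is (outcomes, end_state,
    frequency). The success branch is expanded first, so the most successful
    sequences come out at the top of the list, as in the drawn tree."""
    rows = []

    def expand(path, prob, remaining):
        state = end_state(path)
        if state is not None:
            rows.append((dict(path), state, ie_frequency * prob))
            return
        header, rest = remaining[0], remaining[1:]
        q = FAILURE_PROB[header]
        expand({**path, header: True}, prob * (1.0 - q), rest)   # upper branch: success
        expand({**path, header: False}, prob * q, rest)          # lower branch: failure

    expand({}, 1.0, HEADERS)
    return rows


def core_damage_frequency(rows):
    """Sum of the frequencies of every sequence whose end state is core damage."""
    return sum(freq for _, state, freq in rows if state in ("CD", "ATWS"))


def dominant_sequences(rows, n=2):
    """Core-damage sequences ordered by frequency: the first ones are where more
    detailed fault-tree and human-reliability work pays off."""
    damaged = [r for r in rows if r[1] in ("CD", "ATWS")]
    return sorted(damaged, key=lambda r: r[2], reverse=True)[:n]


if __name__ == "__main__":
    tree = build_event_tree()
    for outcomes, state, freq in tree:
        branch = " ".join(f"{h}:{'S' if ok else 'F'}" for h, ok in outcomes.items())
        print(f"{branch:<24} {state:<5} {freq:.3e} /yr")
    print(f"CDF = {core_damage_frequency(tree):.3e} /yr")
```

Note that the tree has four sequences rather than 2^3 = 8: a header is only asked when the sequence acceptance criteria still depend on it, which is exactly what the "Automatic ESF signals and EOPs direct the evolution of the sequence" bullet describes. Because every branch pair sums to one, the sequence frequencies add up to the initiator frequency, which is a useful consistency check on any event tree.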
TOPIC 3
FAULT TREES

What is a fault tree?

• To model the failure mode of a system function it is necessary to link logically all the causes that can lead to the failure of the system.
• Each cause is called an event.
• It is a graphical representation of Boolean equations.
• The model establishes a logical relationship between the top event and the other elementary events that, individually or collectively, cause the top event.
• The fault tree diagram itself is a qualitative model.

What is a fault tree analysis?

• An analytical technique in which a failure is specified.
• The failure is analyzed in the context of its environment, operation, dependencies and requirements in order to find all the possible ways in which it can occur.

What is a fault tree used for?

• To identify the paths by which a system, component, function or operation could fail.
• Fault tree models are used to determine:
  o the combinations that produce the failure ("minimal cut sets"),
  o failure probabilities ("fault tree quantification"),
  o deficiencies in the system, component, function or operation.

Value of the fault tree

• Directed analysis to discover failures.
• It highlights the aspects that matter for the system failure.
• It provides a graphical aid.
• It offers options for a quantitative analysis of system reliability.
• It lets the analyst focus on one specific failure.
• It provides insight into the system.

Boolean Algebra
Justification for using Boolean algebra
• It is needed to establish the equation that represents the fault tree of the analyzed system.
• Each basic event is represented by a logical variable.
• The relationship between events is represented by logical operators called logic gates.

Logical variables
They can take two values: true (1, the event occurs) and false (0, it does not).

Logical operators
• Disjunction (OR)
Represented by the sign +.
It corresponds to the union of two events: as long as either of the two events (A or B) fails, the sequence fails.
In OR gates the input faults are not the cause of the output fault; they are more detailed specifications of it.
• Conjunction (AND)
Represented by the signs X, ., *.
It corresponds to the intersection of two events (A, B): for the system failure to occur, both events must fail.
In the AND gate, the collective failure of the inputs represents the failure of the output.
• Negation (NOT)
Represented by a bar over the event letter. It is not usually used in fault trees.

Properties
The ones most used to simplify gates are:
Elements of the fault tree

Events and gates
• Event symbols: primary (base of the tree; they cannot be decomposed into further events) and intermediate (they can be decomposed into further events).
• Gate symbols: they represent the operators or logical combinations of the events.

Fundamental structure
• Top event: top of the tree, of the pyramid. It occurs when the combination of events required by the tree's logic is satisfied.
• Sequence of events that makes the system fail.
• The sequence of events is built with logic gates.
• Intermediate events are represented by rectangles.

• Basic event: it does not depend on other events and is assigned a failure probability. Normally represented by a circle.

• Undeveloped event: it sits at the base of the tree, but its failure probability is not given as a number here; it comes from another analysis, another fault tree (analysis of events that occur "outside our house").

• House event: it is not given a probability. It is given a Boolean value, 1 or 0. It is usually a switch set in the fault tree software that turns a part of the model on (1) or off (0).

• Transfer in / Transfer out: when the same subsystem appears more than once in the same fault tree, instead of repeating it you place a transfer-out symbol on the branch and a transfer-in symbol where it is repeated.

• Voting gate (k out of n): models a k-of-n requirement, i.e. k of the n redundant items must function; the gate output occurs when so many inputs fail that fewer than k remain.

• Priority AND gate: it imposes an order (left to right). Input 1 must fail first and then input 2.

• Exclusive OR gate: only one of the two events, 1 or 2, can occur; both cannot occur at the same time.
System analysis
Fault tree development process
1. Define the top event: identify the undesired event or undesired system state that results in the failure of a system.
2. Define the systems and interfaces (define the components, identify the dependencies, determine the component failure modes).
3. Establish boundaries:
   i. System boundaries (related to the intermediate events)
   ii. Component boundaries (related to the basic events).

4. Construct the fault tree.

5. Quantify the fault tree.

Fault tree development is an iterative process that is related to the other PRA processes. A system notebook should be the starting point for developing a fault tree and should be updated periodically with all the data included in the fault tree.

System boundaries

Defining the system boundaries is somewhat arbitrary:

• Different components can serve different kinds of systems.
• Defining the system boundaries can be an iterative task.
• The system boundaries may not coincide with the physical boundaries.

It is important to define these boundaries well so that the system model and the plant model are compatible.

The definition of the system boundaries is based on:

• The information required by the event tree.
• The level of resolution of the data.
• Consideration of the interfaces with all the support systems.
• Consideration of shared equipment.

Clear documentation of the system boundary definitions is essential.

Types of system
Front-line system: a system used directly for a mitigating function in response to an initiating event. Front-line systems are generally modeled as functions in an accident-sequence or event-tree model.
Examples of Front Line Systems:

• Reactor Protection System (PWR, BWR)
• Main Feedwater (PWR, BWR)
• Auxiliary/Emergency Feedwater (PWR)
• High Pressure Coolant Injection (HPCI), Reactor Core Isolation Cooling (RCIC), High Pressure Core Spray (HPCS) (BWR)
• Residual Heat Removal (PWR, BWR)
• Suppression Pool Cooling (BWR)

Many components require the correct operation of other systems, the support systems, in order to work. For a correct analysis of the front-line systems, all the support-system dependencies must be considered.

Support systems: any system needed for the operation of a front-line system but which, by itself, provides no mitigating function in response to an initiating event.

The most important support systems to be considered are:

• ELECTRICAL SYSTEMS
• INSTRUMENTATION AND CONTROL
• HVAC
• COOLING
• COMPRESSED AIR

Support-system modeling depends on how the components actuate:

• A valve that fails closed on loss of electrical power does not need electrical power to close, but it does need it to open.
• A pump does not need room cooling to start and run for a short time, but it probably will need it to run for a longer time.

A usual way of presenting all the information about the support systems is to draw a dependency table.

Component boundaries

Elements that can be treated either as a basic or as an intermediate element: for example, a motor-operated valve can be treated as a basic element or as an intermediate element that depends on the electrical and mechanical parts of the valve.
It depends on the data available: if the failure probability of the whole motor-operated valve is known, it can be treated as a basic event; otherwise its sub-elements must be taken into account.

• If too many things are lumped together, part of the information about a component's behavior may be lost.
• If too many basic events are used to describe a component, this can affect the final result because good data is often not available for the smaller components, which tends to overestimate failures. Too many basic events can also clutter a fault tree model unnecessarily and require more solution time.

Component classification
Passive: failure probability two or three orders of magnitude lower than that of active components (piping, tanks, cables, etc.). Signal transmitters.

Active: great influence on the fault trees (pumps, valves, relays, resistors, etc.). Signal generators or modifiers.

Failure categories
Primary failure: failure of an element working within its specified conditions (p, T, ...). (Always considered in the FTs.)

Secondary failure: failure of an element outside its specified conditions (occurs in certain "special" events). (Not always considered; only for certain plant environments.)

Command failure: the electronic signals or commands fail, for example those coming from the control panel.

Failure modes
An element/component has several failure paths/branches/possibilities. It must be analyzed which failure path is the one that matters for an element in each tree. If more than one path has to be used, an OR gate must be used.
System simplification
Sometimes, during the analysis, estimates and simplifications are made to complete elements with incomplete knowledge. The justification for the estimates must be specified and documented.

Simplifying the system means removing:

• All the elements that are not critical for the operation of the system.
• All the elements that lie within the component boundaries.

System under maintenance
This is very important because it can change the fault trees: when a system is under maintenance the plant configuration changes and some elements increase their failure probability.

Fault tree construction

• It requires the step-by-step postulation of the system failures, starting from the top event and going down to the basic events whose failures contribute to the failure of the top event.
• A standardized symbology is used.
• The postulation must be consistent with the level of resolution that is appropriate to the data and the analytical estimates.
• It is an iterative process that requires feedback from the other PRA processes.

Naming convention
A conventional naming scheme for the basic events must be established so that the tree can be built more easily.
Solving the fault tree
• Obtain the Boolean equations of the system (possible exam question).
• Several combinations of basic-event failures (cut sets) could cause the top event.
• Simplify the Boolean equations of the system to obtain the list of minimal cut sets.
• The solution is approximate.
• Software is used to solve them.
Boolean Equation
The Boolean equation, or structure function, of a fault tree is the result of substituting all the graphical gates by their corresponding Boolean algebra operators until the top event is expressed as a function of the basic events.

The probability of a top event, T, can be calculated from the probabilities of occurrence of the basic events (B1, B2, B3, ...).

AND gate
The events are considered independent, so the output probability is the product of the input probabilities.

OR gate

A simplification can be made:

P(T') = P(A) + P(B) + P(C)

where P(T) ≤ P(T') (the sum counts the overlap of the events more than once, so it overestimates the union), which makes it a conservative simplification that is accepted for failure analyses.

*In general, AND gates reduce probabilities, while OR gates increase the probability and make the tree more complex.

*Some approximations can be made by replacing the high-probability elements in AND gates with a 1 and the low-probability elements in OR gates with a 0:
Minimal Cut Sets
They are all the combinations of basic events represented by each term of the simplified Boolean equation. They are the representation of the tree once it has been simplified through the Boolean equations.

The MCS are important to:

• Provide qualitative information on the failure modes of the system and its weak points (first-order MCS are single points of failure).
• Allow the quantitative probabilistic evaluation of the fault tree.
EXAMPLE
The PDF contains more examples of Boolean simplification; check them in case there is a practical exercise.
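The whole chain of the two previous sections (gates to Boolean equation, absorption to minimal cut sets, house events as 1/0 switches, then the AND/OR probability rules and the conservative OR-gate sum) as a program that solves a small tree. This is an added example, not the course's own solver: the tree TOP, the event names, the probabilities and the house event are constructed for illustration. The first gate, A·(A+B), is there on purpose so that absorption (A + A·B = A) can be seen to collapse it.

```python
# Added example (not from the notes): a fault tree written as nested gates,
# reduced to its minimal cut sets and then quantified. Gate structure, event
# names, probabilities and the house event are constructed for illustration.
from itertools import combinations, product
from math import prod

# A gate is ("AND", [inputs]) or ("OR", [inputs]); an input is a gate or a
# basic-event name. House events are names listed in HOUSE with a fixed 1/0 value.
TOP = ("OR", [
    ("AND", ["A", ("OR", ["A", "B"])]),      # A·(A+B): absorption reduces this to A
    ("AND", ["B", "C"]),
    ("AND", ["D", "H_TRAIN2_IN_SERVICE"]),   # branch switched on/off by a house event
])
PROB = {"A": 1e-3, "B": 1e-2, "C": 1e-2, "D": 5e-3}   # constructed basic-event probabilities
HOUSE = {"H_TRAIN2_IN_SERVICE": 0}                     # 0 = branch removed from the model


def cut_sets(node, house=HOUSE):
    """Cut sets of a node as a set of frozensets of basic events.
    OR = union of the inputs' cut sets; AND = distributive law (every combination
    of one cut set per input, merged). House events: value 1 behaves as a certain
    event (an empty cut set), value 0 as an impossible one (no cut sets)."""
    if isinstance(node, str):
        if node in house:
            return {frozenset()} if house[node] else set()
        return {frozenset([node])}
    op, inputs = node
    sets = [cut_sets(child, house) for child in inputs]
    if op == "OR":
        return minimize(set().union(*sets))
    if op == "AND":
        return minimize({frozenset().union(*combo) for combo in product(*sets)})
    raise ValueError(f"unknown gate {op}")


def minimize(sets):
    """Keep only the minimal cut sets: absorption (A + A·B = A) removes any set
    that contains another; idempotence (A·A = A) is already handled by frozenset."""
    minimal = []
    for s in sorted(sets, key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return set(minimal)


def rare_event_probability(mcs, prob=PROB):
    """OR-gate simplification from the notes: P(T') = sum of the MCS probabilities
    (each MCS is an AND of independent events, so its probability is a product).
    Conservative: P(T) <= P(T')."""
    return sum(prod(prob[e] for e in s) for s in mcs)


def exact_probability(mcs, prob=PROB):
    """Inclusion-exclusion over the MCS; exact when basic events are independent.
    Exponential in the number of MCS, which is why real tools approximate."""
    mcs = list(mcs)
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += (-1) ** (k + 1) * prod(prob[e] for e in events)
    return total


def single_points_of_failure(mcs):
    """First-order MCS: one basic event alone fails the top event."""
    return sorted(next(iter(s)) for s in mcs if len(s) == 1)


if __name__ == "__main__":
    mcs = cut_sets(TOP)
    print("MCS:", [sorted(s) for s in sorted(mcs, key=len)])
    print("single points of failure:", single_points_of_failure(mcs))
    print(f"P(T') rare-event = {rare_event_probability(mcs):.6e}")
    print(f"P(T)  exact      = {exact_probability(mcs):.6e}")
    print("with train 2 in service:",
          [sorted(s) for s in cut_sets(TOP, {"H_TRAIN2_IN_SERVICE": 1})])
```

With the house event at 0 the equation reduces to T = A + B·C, so A is a first-order cut set, the weak point the qualitative analysis is after. Setting the house event to 1 adds D as a third cut set without touching the tree, which is how a maintenance configuration (the "system under maintenance" case above) is switched into the model.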
Conclusion
• The fault tree is the tool used to calculate the probability of occurrence of the failures defined at the nodes of the event tree.
• To quantify the fault trees they must be translated into Boolean algebra to obtain the Boolean equation.
• After simplification, the minimal cut sets are obtained, which allow the system failure to be analyzed qualitatively and quantitatively.
DATA ANALYSIS

Once the fault tree for the system/function has been developed, the probability of occurrence of the basic events is needed. This probability is established after analyzing the data obtained from component reliability tests.

1. Reliability functions

Reliability: the probability that an item performs its function without failure, under specified conditions and for a specified time. (How long it lasts without failing under given conditions and time.) It applies to both repairable and non-repairable components.

To quantify the fault tree, it is necessary to know the probability that a component does not perform its function. This is related to the availability of the component, which depends on:

• Failure mode of the component
• Unavailability due to preventive maintenance and testing
• Unavailability due to corrective maintenance
• Common cause failures

Random variable Time to Failure (T): the way to analyze the probability that a component is not available at a given time. It represents the duration, that is, the time until a failure event occurs:

- For non-repairable components: the survival time of the component (how long it lasts).
- For repairable components: the time elapsed from the time origin to the first failure, or from the last repair to the next failure (the time it stays without failing).

The behaviour of the random variable T may be fitted by statistical models that allow predicting the probability that a component will not be available when needed.

To study component reliability, several functions that are related to each other may be used: the reliability function, the failure probability (unreliability) function, the failure density function, the failure rate (hazard) function and the cumulative hazard function.

Reliability function R(t). Probability of correct operation of a component under stated conditions during a time t, given that it was in operating condition at the beginning of the process. (Probability that the component survives without failure up to time t.)

R(t) = Pr(T > t), R(0) = 1 (reliability is 1 at the start), R(∞) = 0

Failure probability function or unreliability function F(t). Probability of failure of a component under stated conditions during a time t, given that it was in operating condition at the beginning of the process. (Probability that it has failed by time t.)

F(t) = Pr(T ≤ t), F(0) = 0 (the probability of failure at the start is zero), F(∞) = 1 (the probability of failure at infinity is 1)

R(t) + F(t) = 1
Failure density f(t). Probability density function (pdf) of the random variable T: f(t) = dF(t)/dt. Instantaneous probability, per unit time, that the component fails at a specific moment.

f(t)∆t is the unconditional probability that the component will fail in the interval (t, t+∆t]. It gives the probability of a failure within that interval without conditioning on the previous history of failures or repairs.

Two interpretations:

- Probability per unit time that the component or system experiences its first failure at time t, given that the component or system was operating at time zero.
- Expected fraction of failures in a small interval ∆t after t, for a population initially in operation.

Failure rate or hazard function h(t). h(t)∆t is the conditional probability that the component will fail in the interval (t, t+∆t], given that it has survived until time t. It is a measure that takes into account the information that the component has survived up to time t (f(t)∆t does not), so h(t) = f(t)/R(t) and h(t) ≥ f(t).

Two interpretations:

- Probability per unit time that the component experiences its first failure at time t, given that the component or system was operating at time zero and at time t.
- Expected fraction of failures in a small interval ∆t after t, for the population of components in operation initially and still in operation at time t.

Cumulative failure rate or cumulative hazard H(t). Expected number of failures in the time interval (0, t).

Example: Calculate the values of the failure probability functions at 600 hours for a batch of 2000 components, knowing that 521 have failed up to this moment and 18 will fail in the following 24 hours.

In operation at 600 h: 2000 - 521 = 1479

R(600) = 1479/2000 = 0.74

F(600) = 521/2000 = 0.26

f(600) = 18/(2000 × 24) = 0.0004 per hour

h(600) = 18/(1479 × 24) = 0.0005 per hour
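The batch calculation above as code, and its generalisation to a whole life test recorded as failures per interval, so that R, F, f, h and H can be tabulated together and the relation between H(t) and -ln R(t) checked. This is an added example, not from the notes; point_estimates() uses the notes' numbers, while the interval failure counts (2000 items, 100 h intervals) are constructed for illustration.

```python
# Added example (not from the notes): empirical R, F, f, h and H from test data.
from math import log


def point_estimates(n0, failed_so_far, failing_next, dt):
    """Estimates at one instant for a batch of n0 items: failed_so_far have failed
    by that instant, failing_next will fail in the next dt. Rates are per hour."""
    survivors = n0 - failed_so_far
    return {
        "R": survivors / n0,
        "F": failed_so_far / n0,
        "f": failing_next / (n0 * dt),         # unconditional: relative to the initial batch
        "h": failing_next / (survivors * dt),  # conditional: relative to those still alive
    }


# Constructed life test: 2000 items, failures counted in consecutive 100 h intervals.
N0 = 2000
DT = 100.0
FAILURES_PER_INTERVAL = [120, 95, 80, 70, 60, 55, 50, 45]


def interval_estimates(n0=N0, dt=DT, failures=FAILURES_PER_INTERVAL):
    """One row per interval (t0, t1]: f and h for the interval, R, F and H at t1.
    H is the cumulative hazard, the running sum of h·dt (Nelson-Aalen estimate);
    for a non-repairable item H(t) should track -ln R(t)."""
    rows = []
    at_risk = n0
    H = 0.0
    for i, d in enumerate(failures):
        t0, t1 = i * dt, (i + 1) * dt
        f = d / (n0 * dt)
        h = d / (at_risk * dt)
        H += h * dt
        at_risk -= d
        rows.append({"t0": t0, "t1": t1, "f": f, "h": h,
                     "R": at_risk / n0, "F": 1 - at_risk / n0, "H": H})
    return rows


def cumulative_hazard_gap(rows):
    """Largest discrepancy between H(t) and -ln R(t) over the test."""
    return max(abs(r["H"] + log(r["R"])) for r in rows)


def empirical_hazard_trend(rows):
    """Direction of h(t) over the test: a decreasing hazard on a fresh batch is the
    infant-mortality part of the bathtub curve."""
    first, last = rows[0]["h"], rows[-1]["h"]
    return "decreasing" if last < first else "increasing" if last > first else "constant"


if __name__ == "__main__":
    print(point_estimates(2000, 521, 18, 24))
    for r in interval_estimates():
        print(f"({r['t0']:4.0f},{r['t1']:4.0f}] h  f={r['f']:.2e}/h  h={r['h']:.2e}/h  "
              f"R={r['R']:.4f}  H={r['H']:.4f}  -lnR={-log(r['R']):.4f}")
    print("hazard trend:", empirical_hazard_trend(interval_estimates()))
```

The point that the notes make in words, that h(t) uses the survivors as denominator while f(t) uses the initial batch, is visible in every row: h is never below f, and the gap between them grows as the population is depleted.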

Mean time to failure MTTF: the first moment of the failure density f(t); it is the expected time to failure of a component or system and a useful indication of the average life of a device.
Bathtub curve. The failure rate of many components over their life follows the classic "bathtub curve". (The bathtub curve is a graph of how the failure rate of a component varies over time.)

Infant mortality or debugging period: in this initial stage the components can show a high failure rate, due to manufacturing defects, inadequate design or installation problems. The failure rate is highest at the beginning of the component's useful life and then drops quickly.

Useful life period: after the infant-mortality stage the failure rate of the component stays relatively constant and low for most of its useful life. During this phase the components operate reliably, with a stable, low failure rate.

Wear-out period: as the components age, the failure rate begins to rise again, due to accumulated wear, material degradation and other ageing-related factors. The failure rate increases gradually as the components approach the end of their useful life.

2. Failure models

Discrete distributions or time-independent

Bernoulli trials. The probability of occurrence of an event (failure) with two states (failure/operation) is p.

Example: 1430 demands, 3 failures. p = 3/1430 ≈ 2.1 × 10⁻³ per demand.

Binomial distribution. It models the probability of failure on demand after n demands. (The binomial distribution gives the probability of obtaining different numbers of failures within a fixed number of demands.)

Life distributions or time dependent

Exponential distribution. A continuous probability distribution commonly used to model the time elapsed between successive independent events. It is used for components that are not repaired or maintained.

λ: the failure rate parameter. It represents the mean rate of failures, or of event occurrences, per unit time.

Gamma distribution. The gamma distribution is a continuous probability distribution that generalises the exponential distribution and is used to model positive, skewed random variables. The failure probability then depends on the number of shocks the device has undergone, i.e. its age.

k: shape parameter.
Example: The adjustment time T for a mechanical device follows an exponential distribution with a mean time of 150 hours. According to the manufacturer's standards, some components must be replaced after 3 consecutive adjustments. The substitution time T' of the components is therefore assumed to follow a gamma distribution.

Gamma distribution parameters:

- Device adjustment failure rate λ = 1/150 h⁻¹ → scale parameter
- Shape parameter: k = 3 (after the device has been adjusted 3 times the components must be replaced)

Average time to substitute the components:

- MTTF(T') = k/λ = 450 h

Probability of needing spare parts within 400 hours: P(T' ≤ 400 h), the gamma cumulative distribution function evaluated at 400 h.

Weibull distribution. It is defined from the cumulative failure rate. The Weibull distribution is a continuous probability distribution used to model lifetimes, durations and failure rates in a variety of systems.

Therefore, with β the shape parameter (the scale parameter being the characteristic life):

- β < 1 means that the failure rate decreases with time: this happens if there is significant infant mortality.
- β = 1 means that the failure rate is constant in time: random events are the cause of failure and it represents the useful life of the component.
- β > 1 means that the failure rate increases with time: this happens if there is "wear-out" of the component.

This allows the full bathtub curve to be built.
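The failure models of this section in code: the Bernoulli/binomial demand models with the notes' p = 3/1430, the exponential and gamma life models with the notes' adjustment example (k = 3, λ = 1/150 h⁻¹, so MTTF(T') = 450 h, and the spare-parts probability at 400 h that the notes leave unevaluated), and the Weibull hazard for the three β regimes, combined into a bathtub curve. This is an added example, not from the notes; the Weibull/bathtub parameters are constructed for illustration. The bathtub is built from three competing Weibull mechanisms, using the fact that hazards of independent competing failure mechanisms add (R = R₁·R₂·R₃), which goes one step beyond the notes' statement that the three β regimes "allow the full bathtub curve to be built".

```python
# Added example (not from the notes): the discrete and life failure models as code.
from math import comb, exp, factorial


# --- time-independent (demand) models ---
def failure_on_demand(failures, demands):
    """Bernoulli estimate p = failures / demands (notes: 3/1430)."""
    return failures / demands


def binomial_pmf(n, k, p):
    """Probability of exactly k failures in n independent demands."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def prob_at_least_one_failure(n, p):
    """1 - P(0 failures in n demands)."""
    return 1.0 - (1.0 - p) ** n


# --- life (time-dependent) models ---
def exponential_reliability(t, lam):
    """Constant failure rate lam: R(t) = exp(-lam·t), MTTF = 1/lam."""
    return exp(-lam * t)


def gamma_mean(k, lam):
    """Gamma(k, lam) mean k/lam: for the notes' example, 3 adjustments of 150 h = 450 h."""
    return k / lam


def erlang_cdf(t, k, lam):
    """F(t) of a gamma distribution with integer shape k (Erlang): probability that
    the k-th event (here the 3rd adjustment, i.e. a replacement) has occurred by t."""
    return 1.0 - exp(-lam * t) * sum((lam * t) ** n / factorial(n) for n in range(k))


def weibull_hazard(t, beta, eta):
    """Weibull h(t) = (beta/eta)·(t/eta)^(beta-1), from H(t) = (t/eta)^beta.
    beta < 1 decreasing, beta = 1 constant (exponential), beta > 1 increasing."""
    return (beta / eta) * (t / eta) ** (beta - 1)


def weibull_reliability(t, beta, eta):
    return exp(-((t / eta) ** beta))


def hazard_trend(beta):
    return "decreasing" if beta < 1 else "constant" if beta == 1 else "increasing"


# Bathtub curve as three competing Weibull mechanisms (constructed parameters):
# hazards of independent competing risks add, because R = R1·R2·R3.
BATHTUB = [(0.5, 100.0),      # infant mortality: beta < 1
           (1.0, 10_000.0),   # random failures during useful life: beta = 1
           (4.0, 5_000.0)]    # wear-out: beta > 1


def bathtub_hazard(t, mechanisms=BATHTUB):
    return sum(weibull_hazard(t, b, e) for b, e in mechanisms)


if __name__ == "__main__":
    p = failure_on_demand(3, 1430)
    print(f"p = {p:.3e} per demand; "
          f"P(>=1 failure in 100 demands) = {prob_at_least_one_failure(100, p):.3f}")
    lam = 1 / 150
    print(f"MTTF(T') = {gamma_mean(3, lam):.0f} h; "
          f"P(spare needed within 400 h) = {erlang_cdf(400, 3, lam):.3f}")
    for t in (1, 1000, 8000):
        print(f"bathtub h({t} h) = {bathtub_hazard(t):.2e} /h")
```

For the notes' gamma example the replacement probability within 400 h comes out close to one half (about 0.498), even though the mean replacement time is 450 h: the gamma distribution is skewed, so the median sits below the mean.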

3. Maintainability and availability

Unavailability due to maintenance. Maintenance is necessary for the components to operate as planned. Maintenance is preventive (considered in the PRA) or corrective (not considered in this term; the repair time after a failure is described by the time-to-repair functions below). The component may not be able to perform its function during the maintenance time.

Random variable Time to Repair. The way to analyze the probability that a component that is not initially available will be available at a given moment. This can only occur in repairable systems. (The time it takes to repair, test, and so on.)

Maintainability function M(t). Cumulative distribution function of the random variable time to repair: the probability that a failed component is repaired and restored to an operating state before time t. M(0) = 0, M(∞) = 1.

Repair density m(t). m(t)∆t is the unconditional probability that the component will be repaired in the interval (t, t+∆t]. It describes the probability of observing a repair event at a specific point in time.

Repair rate g(t). g(t)∆t is the conditional probability that the component will be repaired in the interval (t, t+∆t], given that it was still failed at time t. (It represents the probability of a repair in the given time interval, considering that the component had remained in the failed state up to time t.) The repair rate represents the average number of repairs per unit time; it characterises the speed at which repairs happen.

Maintainability and repair density as a function of repair rate.

Constant repair rate. A constant repair rate μ gives an exponential repair distribution
Repairable system. Availability of a repairable system: probability of being able to perform its
function, when required.

Availability A(t). Probability that a repairable product is operational at time t, given that it was in
operational condition at the initial time. Average availability: Proportion of time that a repairable
product is operational in the time interval.

Reliability de un product: A>R

Si es un producto que no se puede reparar A=R

Unavailability Q(t): probability that a repairable product is not operational at time t. Average
unavailability: Proportion of time that a repairable product is not operational in the time interval.

A+Q=1

For most repairable products, instantaneous availability and unavailability quickly tend to asymptotic
values. Once a repairable product has passed through an initial commissioning period and possible
repairs, the probability of it being available or unavailable converges to constant long-term values.

Components in stand-by with surveillance. For stand-by components with surveillance, account must be
taken of failures that can occur in these components but that will only be detected at specific
surveillance or inspection moments. In these cases an adequate failure model that captures this
scenario is required.
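As an added example (not part of the notes), the formulas behind these definitions for a constant failure rate λ and constant repair rate μ, and the mean unavailability of a stand-by component that is only inspected every T hours; the two-state Markov availability formula and the λT/2 stand-by model are standard results assumed here, and all rates are constructed sample values.

```python
import math

def maintainability(t, mu):
    """M(t): probability that a failed component has been repaired by time t.
    With a constant repair rate mu the time to repair is exponential, so
    M(0) = 0 and M(t) -> 1 as t grows."""
    return 1.0 - math.exp(-mu * t)

def repair_density(t, mu):
    """m(t) = dM/dt: unconditional repair density of the exponential model."""
    return mu * math.exp(-mu * t)

def reliability(t, lam):
    """R(t): survival probability of a component with constant failure rate lam."""
    return math.exp(-lam * t)

def availability(t, lam, mu):
    """A(t) for a repairable component with constant failure rate lam and
    constant repair rate mu that is operational at t = 0 (two-state Markov
    model; assumed standard result, not taken from the notes)."""
    s = lam + mu
    return mu / s + (lam / s) * math.exp(-s * t)

def asymptotic_availability(lam, mu):
    """Long-term value that A(t) converges to (the value it 'quickly tends to')."""
    return mu / (lam + mu)

def average_availability(T, lam, mu):
    """Mean availability over (0, T]: closed-form integral of availability()."""
    s = lam + mu
    return mu / s + lam * (1.0 - math.exp(-s * T)) / (s * s * T)

def time_to_settle(lam, mu, fraction=0.99):
    """Time after which the transient term of A(t) has decayed by `fraction`,
    i.e. A(t) is within 1% of its asymptote for fraction=0.99."""
    return -math.log(1.0 - fraction) / (lam + mu)

def standby_mean_unavailability(lam, T):
    """Stand-by component with surveillance every T: a failure occurring between
    tests stays hidden until the next test. Returns the exact time average of
    q(t) = 1 - exp(-lam t) over one test interval and the familiar lam*T/2
    approximation (assumed standard model, not from the notes)."""
    exact = 1.0 - (1.0 - math.exp(-lam * T)) / (lam * T)
    approx = lam * T / 2.0
    return exact, approx

if __name__ == "__main__":
    # Constructed sample values: a pump with lam = 1e-3 /h, mu = 0.1 /h.
    lam, mu = 1.0e-3, 0.1
    for t in (0.0, 10.0, 50.0, 500.0):
        print(f"t={t:6.1f} h  A(t)={availability(t, lam, mu):.6f}  "
              f"R(t)={reliability(t, lam):.6f}")
    print("asymptotic A =", asymptotic_availability(lam, mu))
    print("settles within 1% after", round(time_to_settle(lam, mu), 1), "h")
    # Constructed stand-by diesel generator tested monthly: lam = 1e-4 /h, T = 720 h.
    print("stand-by mean unavailability (exact, approx):",
          standby_mean_unavailability(1.0e-4, 720.0))
```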

4. Common cause failures

Types of dependent failures:

- Certain initiating events (fires, floods, ...) (explicitly modeled in event and fault trees)
- Dependencies between systems (explicitly modeled in event and fault trees)
- Intercomponent dependencies: a failure in one component can affect the performance or
reliability of other interdependent components (common cause failure, CCF)

Common Cause Failures (CCFs) are those faults that simultaneously affect more than one redundancy
of the components (same function and system).

Basic parameter model:

- Expands the failure probability (or failure rate) of a component in a common-cause
component group (CCCG) into terms involving
- Symmetry assumption: the probabilities of similar events involving similar components
(i.e., events in the same CCCG) are the same

Basic parametric model may be reformulated to calculate the basic event probabilities from a
set of parameters.

- Beta factor model. The model assumes that a constant fraction (β) of the component
failure probability can be associated with common cause events shared by other
components in that group. Another assumption is that whenever a common cause
event occurs, all components within the common cause component group fail.
- Multiple Greek Letters model. Other parameters in addition to the beta factor are
introduced to account more explicitly for higher order redundancies and to allow for
different probabilities of failures of subgroups of the common cause component group.
The multiple Greek letters model is based on the idea that different subgroups of
components within the common cause group can have distinct characteristics and
different failure probabilities.
- Alpha factor model. The alpha-factor model develops CCF probabilities from a set of
failure ratios and the total component failure probability (Qt). The alpha factors
represent the failure ratios among the components of a system and are used to
apportion the total component failure probability (Qt) when considering common
cause failures.
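An added example (not from the notes) that computes the CCF basic-event probabilities Q_k of the three models for one CCCG and shows how much the common cause terms dominate a 2-out-of-3 group; the formulas are the standard NUREG/CR-5485 parametrisations assumed here, and Qt, β, γ and the alpha factors are constructed sample values.

```python
from math import comb

# Each model rewrites the total failure probability Qt of one component into
# Q_k: the probability of the CCF basic event in which exactly k specific
# components of a CCCG of size m fail together (assumed NUREG/CR-5485 forms).

def beta_factor(qt, m, beta):
    """Beta factor: a fraction beta of Qt is common cause, and a CCF event
    takes down the whole group, so only Q_1 and Q_m are non-zero."""
    q = {k: 0.0 for k in range(1, m + 1)}
    q[1] = (1.0 - beta) * qt
    q[m] = beta * qt
    return q

def multiple_greek_letters(qt, m, rhos):
    """MGL: rhos = [beta, gamma, delta, ...] (m-1 values); rho_k is the
    conditional probability that, given k-1 components failed by common
    cause, at least one more fails too. With rho_1 = 1 and rho_{m+1} = 0:
    Q_k = prod(rho_1..rho_k) * (1 - rho_{k+1}) * Qt / C(m-1, k-1)."""
    assert len(rhos) == m - 1, "need m-1 Greek letters for a CCCG of size m"
    rho = [None, 1.0] + list(rhos) + [0.0]    # rho[k] for k = 1 .. m+1
    q = {}
    for k in range(1, m + 1):
        prod = 1.0
        for i in range(1, k + 1):
            prod *= rho[i]
        q[k] = prod * (1.0 - rho[k + 1]) * qt / comb(m - 1, k - 1)
    return q

def alpha_factor(qt, m, alphas, staggered=False):
    """Alpha factor: alphas[k-1] = alpha_k, the fraction of the group's failure
    events that involve exactly k components (they sum to 1).
    Non-staggered testing: Q_k = k*alpha_k*Qt / (alpha_t*C(m-1,k-1)), with
    alpha_t = sum(k*alpha_k). Staggered testing: Q_k = alpha_k*Qt / C(m-1,k-1)."""
    assert len(alphas) == m and abs(sum(alphas) - 1.0) < 1e-9
    alpha_t = sum(k * a for k, a in enumerate(alphas, start=1))
    q = {}
    for k, a in enumerate(alphas, start=1):
        if staggered:
            q[k] = a * qt / comb(m - 1, k - 1)
        else:
            q[k] = k * a * qt / (alpha_t * comb(m - 1, k - 1))
    return q

def total_from_terms(q, m):
    """Consistency check: Qt = sum_k C(m-1,k-1) Q_k, because a given component
    fails alone or together with any k-1 of the other m-1 components."""
    return sum(comb(m - 1, k - 1) * q[k] for k in range(1, m + 1))

def failure_prob_k_of_m(q, m, failures_to_fail):
    """Rare-event estimate of the failure probability of a redundant group that
    fails once `failures_to_fail` components are lost: independent combinations
    of that size plus every CCF event that takes out at least that many. Mixed
    cut sets (a small CCF plus independent failures) are higher order and omitted."""
    f = failures_to_fail
    independent = comb(m, f) * q[1] ** f
    ccf = sum(comb(m, j) * q[j] for j in range(f, m + 1))
    return independent + ccf, independent, ccf

if __name__ == "__main__":
    QT, M = 1.0e-3, 3                        # constructed: three redundant pumps
    models = {
        "beta factor":  beta_factor(QT, M, beta=0.1),
        "MGL":          multiple_greek_letters(QT, M, [0.1, 0.5]),
        "alpha factor": alpha_factor(QT, M, [0.95, 0.03, 0.02]),
    }
    for name, q in models.items():
        total, ind, ccf = failure_prob_k_of_m(q, M, failures_to_fail=2)
        terms = ", ".join(f"Q{k}={v:.2e}" for k, v in q.items())
        print(f"{name:13s} {terms}  P(2 of 3 lost)={total:.2e} "
              f"(independent {ind:.2e}, CCF {ccf:.2e})")
```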
TOPIC 5: HUMAN RELIABILITY
Human Reliability Analysis (HRA)
• Human Reliability Analysis (HRA): Procedure(s) for a systematic analysis of actions that are
performed or may need to be performed by NPP personnel for accident mitigation

• HRA Objective: Quantitative analysis of the incidence of human actions in the risk of plant
operation when dealing with core damage events

• HRA includes identification, description, modeling, quantification and importance analysis of
credible human errors (not including malevolent actions) that have an influence on accident
evolution.

Human reliability analysis is an integral element in several PSA aspects: Event Tree header
quantification, system unavailability, IE frequency quantification, etc.

HRA includes large uncertainties which it is necessary to analyse.

Main Control Room

The Main Control Room is the onsite location from which the nuclear power plant is operated.

It contains the instrumentation, controls, and displays for: • Nuclear systems, • Reactor coolant
systems, • Steam systems, • Electrical systems, • Safety systems (including engineered safety
features), and • Accident monitoring systems.

There are two types of reactor operators license:

• Reactor Operator (RO) License (Spain: licencia de operador) and

• Senior Reactor Operator (SRO) License (Spain: licencia de supervisor)

The regulation related with RO and SRO licenses depends on the country,

• USA: 10CFR55

• Spain: Instruction IS-11, revision 1, of 30th January 2019, of the Nuclear Safety Council on
nuclear power plant operating personnel licenses.

Each shift of the Main Control Room (MCR) is composed of (it depends on the country and/or
NPP, see IAEA-TECDOC-1502):

• The Shift Manager (SM) or Senior Shift Supervisor (Spain: Jefe de turno), who is licensed as an
SRO. The SM may have management authority over more than one reactor unit at the same plant
complex and their presence is not always required in the MCR. The SM functions depend on the
country (e.g. Spain: to manage emergencies with the CSN, organize evacuations, etc).

• The Shift Supervisor (SS) or Control Room Supervisor (CRS), (Spain: Jefe de sala o supervisor de
sala o ayudante del jefe de turno), who is licensed as an SRO and is present in the MCR during the
entire shift. The CRS is responsible for reading the Emergency Operating Procedures (EOPs).

• Reactor operator (RO), who is licensed as an RO. The RO has responsibility for operations related
to the primary side (i.e. nuclear island).

• Balance of Plant (BOP) Operator or Turbine Operator (TO), who is licensed as an RO. The TO has
responsibility for operations related to the secondary side or the BOP.

The responsibilities of the MCR crew include actions taken to:

• Diagnose the abnormal conditions; • Perform corrective actions; • Mitigate the abnormal
conditions; • Manage plant operations; • Manage emergency response; • Inform Federal, State,
and local officials; • Recommend public protective measures to State and local officials; • Restore
the plant to a safe condition; and • Recover from the abnormal conditions.

There are also other possible members of the shift personnel in the MCR depending on the
country and technology:

• Shift Technical Advisor (STA) whose function is to provide engineering and accident assessment
advice to the CRS/SS and not to operate the plant like the SROs and ROs. The STA function stems
from the Three Mile Island nuclear event in the USA in 1979. The STA could hold an SRO license
but this is not required. There is no STA in the Spanish MCRs.

• In some countries the shift personnel also includes mechanical and electrical attendants (AT-
M, AT-E). e.g., in Cofrentes NPP the MCR shift personnel includes an AT-E.

• Multi-module control rooms for SMRs could require that a single RO manages several SMRs.

• There are also a large number of unlicensed auxiliary operators (AO) and maintenance personnel
outside the MCR who generally depend on the operators who are in charge of setting up and
calibrating the equipment and components of the plant systems.

Human errors: types of human errors.

Operator errors: • May occur before or after, or be a cause of, the initiating event • Reduce the
availability of safety systems • Are the source of incidents leading to an initiator • Do not avoid
accident progression • Worsen accident conditions

• Human Error is a Significant Contributor to Risk.

• Contribution of human error by sector: accidents at sea 90%; chemical industry 80-90%; airline
industry 60-87%; commercial nuclear industry 65%

• Human error has been shown to contribute from 50 to 70% of the risk at nuclear power plants.

Prevention: • Education/Training • Design considerations, ergonomics • Supervision • Procedures
• Self-verification and cross-verification techniques • Human Factors Engineering • Working
Environment • Task analysis • Equipment needed

There are several classifications (taxonomies) of human errors. Swain and Guttmann taxonomy
(1983): • Errors of omission: Fail to do something required • Errors of commission: Do something
you shouldn't do • Sequence errors: Do something in the wrong order • Timing errors: Do something
too slowly or too quickly.

Type (personnel involved)

Type 1 (Category A): Prior to the initiating event occurrence (maintenance personnel).
Contributes to system or component unavailability. Modeled as basic events in system Fault Trees:
incorrect realignments of components/equipment/systems after maintenance/test/calibration;
calibration errors.

1. Instrumentation personnel error when performing the calibration of a vessel level channel,
hindering automatic initiation of the HPCS at Low Level (Level 3) at a BWR.

2. Instrumentation personnel error when performing the calibration of the Low-Low SG Level
setpoint for AFWS startup.

3. Faulty test of the A Safety Injection pump, leaving a recirculation alignment and the injection
valve closed.

4. Incorrect calibration of relays for the actuation of solenoids for the PZR PORVs, so that they
would not open on a high pressure signal.

5. Incorrect alignment of the injection flowpath after the periodic recirculation test of AFWS MDP
"A", making the flowpath unavailable for injection.

Type 2 (Category B): Inducing the initiating event (maintenance personnel or MCR crew):
erroneous actuation of components; failure to avoid an initiator; out-of-time actuation; mistakes
in testing procedures.

1. Operator failure to start up and align the ESW stand-by train, leading to high temperature at
the RCS main pump bearings so that they have to be tripped, with a reactor SCRAM as a
consequence.

2. Instrumentation personnel error when performing the calibration of the high neutron flux
reactor trip channel, producing a reactor trip.

3. Maintenance personnel error while making the change from the A to the B service air system that
provokes a loss of service air, causing the closure of the MFW isolation valves, which in turn leads
to a reactor trip on low-low SG level.

Type 3 (Category C-1): After the occurrence of the initiating event, while following EOPs;
performance error: omission, action not completed on time or incorrectly performed (MCR crew):
error to support automatic actions; error in manual actuation; errors in process control.

Procedure-following errors (symptom-based procedures). Modeled as headers in Event Trees, basic
events in system Fault Trees, or basic events in Functional Trees.

Type 4 (Category C-2): After the occurrence of the initiating event, while following EOPs;
misdiagnosis or wrong selection of a mitigation strategy (MCR crew): misdiagnosis; erroneous
strategy selection. Errors in non-symptom-based procedures that need diagnosis.

Type 5 (Category C-3): After the occurrence of the initiating event, not foreseen in EOPs; failure
to perform (MCR crew): non-recovery of equipment; error in system/component actuation. •
Error in performing recovery actions • Non-procedural actions, or actions in plant procedures not
part of the EOPs • Modelled in Event Trees or in Minimal Cut Set post-processing.

Actions in response to an initiator:

1. Type 3: Operator error to perform Feed & Bleed, following FR-H.1.

2. Type 3: Operator failure to complete the transfer to recirculation mode because of depletion of
the Reactor Water Storage Tank, following the "unfold page" of E-1 and procedure ES-1.3.

3. Type 3: Reactor operator failure to start the Auxiliary Feedwater System pumps after failure of
the auto start signal, at E-0 step 17, for a PWR.

4. Type 4: Operator mistake while reading Control Room instruments, leading to an incorrect
diagnosis of a Small-Break LOCA instead of an Open Pressurizer Valve.

5. Type 5: Recovery, non-proceduralized action to open Auxiliary Feedwater test valves left closed
after maintenance.

6. Type 5: Operator failure to manually open motor operated valves that remained closed on open
signal failure. Non-proceduralized action.

Systematic Human Reliability Analysis Process (SHARP):

• It is a general framework for HRA analysis

• It was developed by EPRI (Electric Power Research Institute), EPRI NP-3583 (1984).

• Later, it was updated to SHARP-1, EPRI RP-3206 (1990).

• There are other systematic HRA processes like IDHEAS, ATHEANA, SPAR-H

It does not include the dependency analysis between several human errors.

• In the screening step the HA (human action) is classified (available time, stress, procedures...)
and then a first quantification is performed.

• The detailed analysis is performed only if the human error has an impact in the CDF equation.

HRA quantification methodologies

• Two types of human action processes are analyzed and quantified: • Decision processes
(cognitive part) • Actuation processes (manual part)

• Some actions are only quantified for the manual part: calibration (Type 1), control actions.

• HEP = Pc + (1 − Pc)·Pm, where Pc (cognitive part) and Pm (manual part) are median values


Some of the most usual HRA quantification methodologies are:

• Screening. There are several options like NSAC/60, EPRI-3583, NUREG/CR-4772 and NUREG-
1278.

• Technique for Human Error Rate Prediction (THERP). Manual Part (+ cognitive part). It is applied
in Spain (all NPPs) for manual part.

• Human Cognitive Reliability (HCR). Cognitive part (applied in Almaraz and Trillo NPPs).

• HCR/Operator Reliability Experiments (HCR/ORE). Cognitive part (CSN has proposed to apply
this methodology instead of HCR).

• Time reliability Correlation-SAIC (TRC-SAIC). Cognitive part (applied in Asco, Cofrentes and
Vandellos-II NPPs).

• Cause Based Decision Tree (CBDT). Cognitive part.

• Standardized Plant Analysis Risk human reliability analysis (SPAR-H). Manual Part + cognitive
part. It is applied in SPAR models and L2-PSA.

• EPRI HRA Calculator (It is not a methodology, includes several ones). It is applied in USA and
also in Spain (only for dependence analysis).

• MERMOS (France). Experimental database plus operating experience.

HRA: Time definitions

• T0: start time, start of the event

• Tdelay: time delay, the time interval it takes for an operator to recognize the cue (the SRO
arrives at the corresponding EOP step or an alarm is produced)

• Tsw : system time window (last moment in which the action is effective).

• Tavail: available time for the human action = Tsw - Tdelay

• Tcog: cognition time consisting of detection, diagnosis, and decision making

• Texe: execution time including travel, collection of tools, donning of personal protection
equipment and manipulation of relevant equipment
• Treqd: time required, response time to accomplish the action. Treqd = Tcog + Texe

• Treqd and/or Texe are obtained from crew training or from questionnaires to operators.

• Tmargin = Tavail − Texe. Usually, Tmargin ≈ Tavail − Treqd.

• The values used in different NPPs could be different because there are several
sources/references.

• There is no specific threshold value for detailed analysis to be mandatory.

Technique for Human Error Rate Prediction (THERP). Manual part.

• It was developed by Alan Swain (SNL) for the US NRC at the beginning of the 80s.

• Human action broken down into tasks (NUREG/CR-1278)

• Standard values for the probability of error in each task

• Examples: • Location of an indicator at the control room panels • Reading of the indicator
• Location of the handle/actuator • Operation of the handle • Control of a process (flow control)

• Elementary tasks where quantification exists

• Sequential breakdown tree, mimicking the procedure

• Possibility of recovery: • CRS: while reading and following procedures • SM: while performing
communication tasks

• Stress correction factor(s)


Example: Feed and Bleed.

A Step 9: Loss of heat sink criterion (Low Steam Generator Level or Pressurizer pressure)

B Step 10: Safety Injection actuation

C/D Step 11: Verification of the feed path

E Step 15: Opening of two PORVs

F Step 16: Verification of the bleed path

Breakdown into tasks

A Error of commission reading wide range SG level instruments, HEP= 6 · 10−3

B Error of commission locating the handles, HEP= 1 · 10−3

C Error of commission locating the flow meter, HEP= 1 · 10−3

D Error of commission reading the flow meter, HEP= 2 · 10−3

E Error of commission in the selection of the valves, HEP= 1 · 10−3

F Error of commission opening valves indicator lights, HEP= 1 · 10−3

The Time Reliability Correlation (TRC-SAIC) bases are:

• Two different behavior types considered: • Skill-based: • Do not require extensive thinking •
Response to known events/situations • Knowledge-based (Hesitancy): • Require analysis •
Response to unknown, new events

• Whether or not procedures exist is taken into account

• Two pairs of curves are needed (with/without procedures; with/without hesitation)

Success Likelihood Index (SLI) is a factor affecting operator response time: in the best case (SLI=1)
response time is halved (2 minutes); for the worst case (SLI=0) it is doubled (8 minutes).

• Assigns importance (Ii) and quality (Qi) to the following Performance Shaping Factors: •
Procedures • Training/Experience • Man/Machine Interface • Relationship/Size of the Operating
Crew • Communication • Workload • Stress

• SLI is obtained as the sum over all PSFs of the products of relative importance (Ii) times quality
(Qi)
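An added example (not from the notes) that puts the HRA pieces above into code: the time-window check (Tavail, Treqd, Tmargin), the THERP task breakdown of the Feed and Bleed example with its HEPs as listed in the notes, the HEP = Pc + (1 − Pc)·Pm combination, and the SLI sum; the time values, the stress factor, Pc and the PSF ratings are constructed samples.

```python
# The elementary-task HEPs below are the Feed and Bleed values from the notes;
# every other number in this file is a constructed sample value.
FEED_AND_BLEED_TASKS = [
    ("A", "reading wide range SG level instruments", 6e-3),
    ("B", "locating the handles (SI actuation)", 1e-3),
    ("C", "locating the flow meter", 1e-3),
    ("D", "reading the flow meter", 2e-3),
    ("E", "selecting the PORVs", 1e-3),
    ("F", "checking the valve indicator lights", 1e-3),
]

def available_time(t_sw, t_delay):
    """Tavail = Tsw - Tdelay."""
    return t_sw - t_delay

def time_margin(t_sw, t_delay, t_cog, t_exe):
    """Tmargin = Tavail - Texe (the notes' definition); also returns
    Treqd = Tcog + Texe and whether the action fits in the time window."""
    t_avail = available_time(t_sw, t_delay)
    t_reqd = t_cog + t_exe
    return {"Tavail": t_avail, "Treqd": t_reqd,
            "Tmargin": t_avail - t_exe, "feasible": t_reqd <= t_avail}

def therp_manual_hep(tasks, stress_factor=1.0):
    """Manual-part HEP of a sequential task tree with no recovery: the action
    fails if any elementary task fails. stress_factor multiplies every task
    HEP (THERP applies such correction factors; the value used is constructed).
    Returns the exact value and the rare-event (sum) approximation."""
    heps = [min(1.0, h * stress_factor) for _, _, h in tasks]
    p_success = 1.0
    for h in heps:
        p_success *= 1.0 - h
    return 1.0 - p_success, sum(heps)

def total_hep(pc, pm):
    """HEP = Pc + (1 - Pc) * Pm: the action fails if the cognitive part fails,
    or the cognitive part succeeds and the manual part then fails."""
    return pc + (1.0 - pc) * pm

def success_likelihood_index(psfs):
    """SLI = sum_i Ii * Qi over the PSFs, with importances normalised to sum
    to 1 and qualities in [0, 1], so SLI=1 is the best and SLI=0 the worst case."""
    total_i = sum(i for i, _ in psfs)
    for _, q in psfs:
        assert 0.0 <= q <= 1.0
    return sum(i * q for i, q in psfs) / total_i

if __name__ == "__main__":
    window = time_margin(t_sw=30.0, t_delay=5.0, t_cog=8.0, t_exe=10.0)  # minutes
    print("time window:", window)
    pm_exact, pm_sum = therp_manual_hep(FEED_AND_BLEED_TASKS)
    print(f"Feed and Bleed manual HEP: exact {pm_exact:.5f}, rare-event sum {pm_sum:.5f}")
    print(f"with stress factor 2: {therp_manual_hep(FEED_AND_BLEED_TASKS, 2.0)[0]:.5f}")
    pc = 1.0e-2                                  # constructed cognitive error probability
    print(f"total HEP = {total_hep(pc, pm_exact):.5f}")
    # (importance, quality) for procedures, training, MMI, crew, communication,
    # workload, stress (constructed ratings)
    psfs = [(0.25, 0.9), (0.2, 0.8), (0.15, 0.7), (0.1, 0.9),
            (0.1, 0.8), (0.1, 0.5), (0.1, 0.6)]
    print(f"SLI = {success_likelihood_index(psfs):.3f}")
```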

Dependency

• Several human actions may have to be performed for successful mitigation of an initiator

• Actions may need to be performed by Control Room personnel: • Simultaneously or within a
short time • Using the same instrumentation or controls • As part of the same sequence of
tasks • Sequentially and coordinated

• In these cases, failures of human actions may not be independent

• Failures coupled through a "state of mind" of the operator(s)

Process: failure probability must be modified to account for dependency

• Such coupling can be discovered through analysis of the sequence of actions or in Minimal
Cut Sets.

• Beware of truncation: the standard procedure is to set Human Reliability events to a probability
of 1 and requantify

• Thus, MCS containing human errors will show up

• The combinations of human actions have to be analyzed to set new probability values for the
dependent action failure conditional on the failure of the preceding action

• Through MCS post-processing, modify the human action error probability
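As an added example of the post-processing step (not from the notes), the conditional probabilities of THERP's dependency levels (NUREG/CR-1278) applied to a chain of human errors in one cut set, against the independent product; the dependency level and HEPs are a constructed case.

```python
# THERP dependency levels (NUREG/CR-1278): zero, low, moderate, high, complete.
# P(B fails | A failed) replaces the unconditional HEP of B in any minimal cut
# set where B follows A.
DEPENDENCY_LEVELS = ("ZD", "LD", "MD", "HD", "CD")

def conditional_hep(p, level):
    """Probability of the dependent action failing given that the preceding
    action failed, for THERP dependency level `level`."""
    if level == "ZD":
        return p
    if level == "LD":
        return (1.0 + 19.0 * p) / 20.0
    if level == "MD":
        return (1.0 + 6.0 * p) / 7.0
    if level == "HD":
        return (1.0 + p) / 2.0
    if level == "CD":
        return 1.0
    raise ValueError(f"unknown dependency level {level!r}")

def joint_hep(heps, levels):
    """Joint failure probability of a chain of human actions in one cut set:
    heps[0] is unconditional; heps[i] is conditioned on the failure of action
    i-1 with dependency levels[i-1]. Returns (dependent, independent)."""
    assert len(levels) == len(heps) - 1
    dependent = heps[0]
    for p, level in zip(heps[1:], levels):
        dependent *= conditional_hep(p, level)
    independent = 1.0
    for p in heps:
        independent *= p
    return dependent, independent

if __name__ == "__main__":
    # Constructed case: two Type 3 actions by the same crew, in the same EOP,
    # within minutes of each other, HEP 1e-2 each, assessed as high dependence.
    dep, ind = joint_hep([1e-2, 1e-2], ["HD"])
    print(f"independent {ind:.2e}  with HD {dep:.2e}  ratio {dep / ind:.0f}x")
    for lvl in DEPENDENCY_LEVELS:
        print(lvl, f"P(second fails | first failed) = {conditional_hep(1e-2, lvl):.4f}")
```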

Conclusion

Modelled in PRAs: • Operating crew structure • Tasks distribution • Training and experience •
Workload and stress level • Quality of man-machine interface (tools, control room design) •
Quality of procedures • Operation aids (alarms, parameter display systems, communication
systems etc.)

• Classification of important actions in a Nuclear Power Plant • Detailed, systematic analysis of
human actions: breakdown into tasks • Factors having an influence on human behavior • Model
for actuation (Rule-based/Knowledge/Skill) • Stress • Quality of procedures • Training and
experience • Possibility of recovery • Available time • Quantification of human error
probabilities
TOPIC 6
Quantification approaches

Objective: obtain the Core Damage (CD) equation.

The objective of accident sequence quantification is to provide qualitative and quantitative
information on the top events and the associated combinations of equipment failures and/or
operating errors that contribute dominantly to the Core Damage frequency.

Basic stages
1. Identify sequences.
2. Simplify insignificant sequences or insignificant contributors.
3. Solve the plant logic models (truncation; analysis (uncertainty, sensitivity) of the approximate
solution).

Sequence fault trees

Path along one branch of the event tree, to reach the final quantification of "core damage".

How is the quantification done?

There are two options:

1. Fault Tree Linking: consists of combining the FTs with the failed branches of the ET until
reaching CD. Support systems are included in the ETs.
2. Boundary Conditions: creates conditional probabilities. It makes the FTs simpler, but the
event trees more difficult and longer.

Event Tree with Boundary Conditions

• More detailed ETs and, therefore, simpler FTs.
• The support systems considered important are treated as top events in the ETs.
• The important dependencies between the top events are shown explicitly in the event tree
rather than being contained in the fault trees underlying the top events.

The ETs are more complicated because they are based on conditional probabilities.

Split fractions: conditional probability of the event given the path through the ET by which that
top event is reached.

Frequency of each accident-sequence path: can be calculated as the product of the top event
frequency and all the split fractions along the sequence path.

Fault Tree Linking

Requires the development of the FTs. Each FT is quantified separately and then they are linked
("Linking", intersection of FTs) to the events of the ET, finally forming a Boolean equation such
as:
1. Independent headers event tree
If the headers are considered independent events, the sequence frequency is obtained by
multiplying the probabilities of each branch by the initiator frequency.

If the probabilities are low, the following approximation is made:

2. Sequence quantification with dependencies
If there are dependencies between headers (top events).

In seq2 it can be assumed that Head1 (negated) = 1 because it is known that
Head1 = Basic1 + Basic2: if Basic1 occurs, then Head1 occurs and we would not have seq2;
therefore, the terms containing Basic1 can be deleted.
Truncation and Minimal Cut Sets
Truncation consists of eliminating the MCS with probability lower than the truncation value.
In Spain the truncation value is 10^-10.

Quantification results
The results of accident sequence quantification require careful study to ensure that no errors have
been made in the analysis:

• Cut sets or sequences that violate the sequence logic or that do not reflect the expected plant
response.
• Cut sets or sequences that contain combinations of events excluded by the technical
specifications.
• Data entry errors.
• Other errors.

Risk measures
Core Damage Frequency (CDF) (Spanish: Frecuencia de daños en el núcleo, FDN): value of the
annual core damage frequency calculated as the sum of all the contributions to core damage from
Level 1 of the PRA, i.e. those corresponding to at-power operation and to modes other than full
power.

Large Early Release Frequency (LERF): sum of the frequencies of the accidents that cause a release
of volatiles to the outside greater than 3% of the core inventory in the 12-hour interval counted
from the start of the accident.
Importance analysis
Objective
Determine the importance of the basic events in the result.

They are used as a guide in PRA applications: risk reduction and risk achievement.

Its drawbacks are that it requires knowledge of the model and only gives mean values.

Characteristics
• Provides a simple estimate of the sensitivity to extreme values of the model parameters.
• Provides a simple, non-detailed classification of events in relation to their importance for
safety or risk.
• Can be used to discover the need for revisions or sensitivity studies.
• It is a complement to the detailed analysis.

Basic event importance measures

Risk Reduction: gives the frequency of occurrence of the top event if the basic event under
analysis does not occur. (Risk Reduction Worth, RRW: the value by which the frequency of the
equation would be divided if the event were suppressed (never occurred); Fussell-Vesely, FV:
contribution of the event to the frequency of the equation; it is the overall percentage contribution
of the cut sets that contain a basic event of interest to the total risk.)

Risk Achievement: gives the frequency of occurrence of the top event if the basic event under
analysis occurs with certainty. (Risk Achievement Worth, RAW: the value by which the frequency
of the equation would be multiplied if the event occurred for certain.)

See examples from slide 37 onwards.
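An added example (not from the notes) that carries the quantification steps above through in code: it links two constructed fault trees along an event-tree sequence, applies the seq2 rule (Head1 = Basic1 + Basic2, so cut sets containing Basic1 are deleted when Head1 succeeds), truncates, and computes RRW, FV and RAW for the core damage equation; fault trees, basic event probabilities and the initiator frequency are constructed sample values.

```python
from itertools import product

IE_FREQ = 1.0e-2          # initiating event frequency per year (constructed)

PROB = {                  # basic event probabilities (constructed)
    "Basic1": 1.0e-3, "Basic2": 5.0e-4,
    "Basic3": 2.0e-3, "Basic4": 3.0e-2, "CCF34": 1.0e-4,
}

FAULT_TREES = {           # top events as lists of minimal cut sets (constructed)
    "Head1": [frozenset({"Basic1"}), frozenset({"Basic2"})],
    "Head2": [frozenset({"Basic1", "Basic3"}), frozenset({"Basic3", "Basic4"}),
              frozenset({"CCF34"})],
}

def minimize(cutsets):
    """Boolean absorption: drop any cut set that contains another one."""
    uniq = set(cutsets)
    return sorted((c for c in uniq if not any(o < c for o in uniq)), key=sorted)

def link_sequence(failed, succeeded, trees):
    """AND the cut sets of the failed headers (fault tree linking), then apply
    the delete-term rule: a cut set that contains a whole MCS of a succeeded
    header is impossible in this sequence because that header would have
    failed (the notes' 'delete the terms containing Basic1' step for seq2)."""
    cutsets = [frozenset()]
    for head in failed:
        cutsets = [a | b for a, b in product(cutsets, trees[head])]
    cutsets = minimize(cutsets)
    return [c for c in cutsets
            if not any(m <= c for head in succeeded for m in trees[head])]

def cutset_prob(cutset, prob):
    p = 1.0
    for event in cutset:
        p *= prob[event]
    return p

def quantify(ie_freq, cutsets, prob, truncation=1.0e-10):
    """Rare-event approximation: sequence frequency = IE frequency times the
    sum of the surviving cut set probabilities. Cut sets whose contribution
    falls below the truncation value (10^-10 in the notes) are dropped."""
    kept = [c for c in cutsets if ie_freq * cutset_prob(c, prob) >= truncation]
    return ie_freq * sum(cutset_prob(c, prob) for c in kept), kept

def importance(ie_freq, cutsets, prob):
    """FV, RRW and RAW of each basic event on the untruncated equation:
    F0 = frequency with the event set to 0 (never occurs),
    F1 = frequency with the event set to 1 (occurs for certain)."""
    base, _ = quantify(ie_freq, cutsets, prob, truncation=0.0)
    result = {}
    for event in prob:
        f0, _ = quantify(ie_freq, cutsets, {**prob, event: 0.0}, truncation=0.0)
        f1, _ = quantify(ie_freq, cutsets, {**prob, event: 1.0}, truncation=0.0)
        result[event] = {
            "FV": (base - f0) / base,
            "RRW": base / f0 if f0 > 0.0 else float("inf"),
            "RAW": f1 / base,
        }
    return result

if __name__ == "__main__":
    # seq2: Head1 succeeds, Head2 fails (the notes' case); seq3: both fail (CD).
    for name, failed, ok in (("seq2", ["Head2"], ["Head1"]),
                             ("seq3", ["Head1", "Head2"], [])):
        mcs = link_sequence(failed, ok, FAULT_TREES)
        freq, kept = quantify(IE_FREQ, mcs, PROB)
        print(f"{name}: {len(mcs)} MCS, {len(kept)} above truncation, "
              f"frequency {freq:.3e} /yr")
        for c in kept:
            print("   ", "*".join(sorted(c)), f"{IE_FREQ * cutset_prob(c, PROB):.2e}")
    cd_equation = link_sequence(["Head1", "Head2"], [], FAULT_TREES)
    for event, m in importance(IE_FREQ, cd_equation, PROB).items():
        print(f"{event}: FV={m['FV']:.3f} RRW={m['RRW']:.1f} RAW={m['RAW']:.0f}")
```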


TOPIC 7 FAR: PRA Applications
How has PSA been introduced in the licensing and operation of NPPs?

• At different stages, from Individual Plant Examinations to Full Range PSA

Actual applications range from operation support and modifications to the design of new plants.

Outline
Milestones in PSA applications

Risk Informed Regulation

Applications: Support design; Support operation and design modifications: Configuration risk
management, Modification of in-service inspection or testing programs, Modification of
Technical Specifications.

Milestones in PSA application

Plant-specific PRAs and Applications Guide:

Development of Plant-specific PRAs (1988): • Individual Plant Examinations (IPE) and IPE for
External Events (IPEEE). Request to the utilities to assess for each plant:

– Develop an appreciation of severe accident phenomenology

– Understand the most likely plant-specific severe accident sequences

– Gain better understanding of plant risk (frequency of core damage and containment releases)

First, to cover internally initiated events, including internal floods, but excluding internal fires
(IPE). After that, including external events, viz. seismic, fire, high winds, floods (IPEEE).

• PSA Applications Guide development (1972)

Technical basis for using risk results and insights

Key elements included: 1. Application planning, 2. Analysis, 3. Results interpretation, 4. PRA
maintenance and update.

Use of importance measures: Use of core damage frequency (CDF) & large early release
frequency (LERF) as risk metrics; Graded approach to quantitative acceptance guidelines.

Introduction of the Risk Informed Regulation

Concepts of Risk-informed, Performance-based Regulation:

• Maintenance rule (1991): Monitoring the effectiveness of maintenance at nuclear power
plants; Assess and manage the increase in risk that may result from the proposed maintenance
activities

• Introduction to Online Maintenance: By moving elective maintenance from outages to at-power,
the scope and complexity of outages was reduced, thereby allowing them to be shortened; The
challenge was to demonstrate that the online maintenance was being done safely; Risk monitors
were developed.

Regulatory acceptance and first applications

Regulatory Acceptance of PRA (1995):

• PRA Policy Statement: Include PRA to support regulatory rules and decisions; Purpose: improve
the regulatory process for safety decision-making enhancement by the use of PRA insights

• Regulatory Guide 1.174: Provides the high-level framework and guidance on the use of PRA
findings and risk insights in support of changes to a plant's Licensing Basis.

Early PRA Applications (∼ 2000)

• AOT extension and other RIR applications

Current and future

Current Status & Future Vision

• PSA quality and standards: Increasing application of PRAs has led to a desire to assure the
underlying technical quality of the PRA; Initially the industry established a peer review process;
Regulatory bodies encouraged the development standards to govern the various scopes of
typical PRAs.

• Full range PRA and integrated standards: All modes (Power, Low Power, Shutdown), all hazards
(Internal and external Events) PRAs; PRA quality demonstrated by meeting all applicable PRA
Standards

Risk Informed Regulation (RIR)

Deterministic analysis: Focused on damage calculation for verification of safety limits; Use of
simulation tools; Verification of the integrity of the barriers.

Probabilistic analysis: Focused on calculating the frequency of severe core damage; Limited use
of simulation tools; Changes in plant configuration or probability of failure.

The insights derived from probabilistic risk assessments are used in combination with traditional
deterministic engineering analyses to focus the operator and regulatory body on those matters
of safety importance.

The application may have two approaches: Analysis of new designs and Modification of current
plant designs.

New designs
Integration of methodologies

A new plant design based on RIR must: Verify the entire risk range of the installation; Explicitly
incorporate probabilistic elements in transient analyses; Incorporate transient simulation elements
in the evaluation of the PRA; Complement the two types of analysis to support decision making in
the regulatory process and ensure the consistency of the two types of analysis.

Subjects to analyze.

Verification of the operation of the protections (SSC): Structures: containment, primary;
Systems: safeguards; Components: pumps, valves.

Operation in automatic mode or with human support (procedures).

Stages of design, construction, start-up, operation, closure, and dismantling tests.

Normal and abnormal operation

Modifications
Analysis process

A change in the plant is proposed that may affect the safety of the facility.

Steps similar to evaluating facility safety: 1. Assessment of the affected elements 2. Analysis of
which transients, initiating events, sequences etc. it affects 3. Reconsideration (repetition) of the
safety analyses 4. Use of particular (perhaps less restrictive) conditions or compensatory measures
not contemplated in the general analysis.

Principles for risk-based decision making.

NRC Regulatory Guide 1.174, “An Approach For Using Probabilistic Risk Assessment In Risk-
informed Decisions On Plant-specific Changes To The Licensing Basis”

CDF increment quantification

Base risk: represents the risk of global damage to the installation at the current time before
implementing the modification, obtained in terms of CDF and LERF.

• CDFbase: CDF before the proposed modification (Base risk)

Impact on risk: estimation of the variation that occurs on the base risk after the implementation
of the modification.
• CDFmod: CDF with modification ( Calculation of this value depends on the application)

• CDF Increment (∆CDF) ∆CDF= CDFmod− CDFbase

• Equivalent with LERF

Key Issues in PRA Quality

Ensure that, within scope, PRA analysis is complete and has an appropriate level of detail:

• Consideration of relevant initiating events, plant systems, and operator actions

• Analysis reflects plant-specific operating experience, design features, and accident response

• All calculations are documented

PRA methodology and associated input

• Influence of models, input data, and assumptions on results and conclusions

Licensee review and QA process: Peer review, Standards, Certification.

Objectives of the PRA use

Improve NPP safety as a complement to deterministic analyses.

Optimize the use of the resources of the NPP prioritizing the most important issues for risk.

Improve the effectiveness and efficiency of regulatory bodies in their control and inspection
tasks.

Outline
Use of PSA to

1. Support design

2. Support operation and design modifications: Configuration risk management, Modification of
in-service inspection or testing programs and modification of Technical Specifications.

Support design
Search for a design optimized against risk

Applicable only to new designs

Integration of methodologies: deterministic and probabilistic

Uses and benefits: Identification and resolution of plant vulnerabilities; Identification of
important intersystem dependencies and potential CCFs; Examination of risk benefits from
different design options; Identification of accident scenarios and operator actions with a high
sensitivity to human error; Balance between preventive and mitigative measures; Optimization
of systems and components for safety and availability; Qualitative knowledge and understanding
of the contribution of components and systems to accident sequences.

Support operation and design modifications


The very first natural PSA application

One of the most important applications for PSAs of operating nuclear power plants is to identify
potential safety improvements and to support the selection, design, installation, and licensing of
plant upgrades.

Applications: Configuration risk management; Modification of in-service inspection or testing
programs; Modification of Technical Specifications.

Configuration risk management


Needs:

NPPs are moving towards increased maintenance while at power (on-line) to reduce outage
durations, since shorter outages save money.

On-line maintenance may mean an increase in risk due to the new configuration.

Traditional maintenance management approaches do not quantify the risk of new
configurations.

Configuration risk management: one element of risk-based regulation.

Traditional approaches based on:


Technical Specifications and Limiting Conditions for Operation: Identify systems/components
important to safety based on traditional engineering approach; Limit component out-of-service
times for individual and combinations of component outages (not based on formal risk analysis)

Maintenance planning guidelines such as 12-week rolling schedule, etc: Provide guidance to
work week planners on allowable maintenance/testing; Based on train protection concept and
Technical Specifications.

Operator judgment.

Weaknesses: Generally based on and limited to Technical Specification equipment; No limit on
frequencies of equipment outages - only on duration of each outage.

Is the traditional approach good enough, given the increased emphasis on on-line maintenance?

How can PRA help? The risk monitor.

Objectives

Controls configuration risk

Involves taking measures to avoid risk-significant configurations.

Based on the following definitions: Plant configuration: state of the plant as defined by status of
plant components; Configuration risk: the risk associated with specific configurations that occur
during plant operations.

Quantification

Configuration risk considers different measures: Core damage frequency (instantaneous); Core
damage probability (CDP): baseline core damage probability in the nominal plant configuration;
Conditional core damage probability (CCDP): core damage probability in a non-nominal
configuration; Configuration importance: CCDP – CDP

On-line risk monitors

Real time application of the PSA to evaluate configuration risk

Can be used to evaluate plant configurations for a variety of purposes: To provide current plant
risk profile to plant operators; As a forward-looking scheduling tool to allow decisions about test
and maintenance actions weeks or months in advance of planned outages; As a backward-
looking tool to evaluate the risk of past plant configurations.

Risk monitor characteristics

Analysis of the plant in its instantaneous configuration, in real time.

It generates a time-dependent risk profile that must be submitted to the regulatory body.

Software modes: Test mode, Real mode (results are recorded).


Risk monitor figures of merit

The risk monitor can be used to generate a set of important parameters to use in RIR: Annual
CDP, Maximum CDF during the year, Time interval in defined CDF bands, CDF associated with
unavailability of a safety system, Others…

Modification of in-service inspection or testing programs


Example: Piping Inservice Inspection:

Methodology: Segment definition, Identification of consequences of the failure, Assessment of
failure potential, Categorization of segments in relation to risk criteria, Integrated decision
making, Definition of an Inspection Program, Risk Impact Assessment, License Report.

Identification of consequences of the failure:

Direct consequences: Initiating events, Loss of function of the trains or systems that break or
that are supported by the broken piping, Combinations of the above.

Indirect consequences: Floods, Jet effect, Whip effect.

Selection of the sample:

Calculation of the failure potential: Mechanical fracture codes; Types of calculations: Without
giving credit to inspection, giving credit to current inspection, Giving credit to risk-regulated
inspection; Importance measures (risk reduction)

Risk impact assessment:

CDF / LERF calculation giving credit to the current inspection program.

CDF / LERF calculation giving credit to the risk informed inspection program.

Assessment of the impact on risk according to the PRA application guides

Feedback

Modification of Technical Specifications


Examples: Extension of Allowed Outage Time (AOT):

The AOT is the maximum time that the plant may remain in a Limiting Condition for Operation (LCO)
before going to plant shutdown or taking other measures, in the event of the unavailability of a system.

The intent of an AOT is to provide adequate time to repair a failed component without incurring
undue risk because of loss of function of the component.

A long AOT implies a relatively larger risk to be incurred, but a shorter AOT may result in
inadequate repair and/or unnecessary plant shutdown, both of which have risk implications.

PRA makes it possible to establish an adequate AOT based on risk measures.
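The configuration risk measures defined earlier in this topic (CDP, CCDP, configuration importance = CCDP – CDP), the risk monitor figures of merit (annual CDP, maximum CDF, time in CDF bands) and the risk-based AOT idea of this paragraph, worked through in one added Python example. This is not code from the lecture notes: the one-year configuration profile, the CDF values, the band thresholds, the incremental-CDP limit used for the AOT and the helper names (`annual_cdp`, `risk_based_aot_hours`, etc.) are all constructed assumptions.

```python
"""Configuration risk measures in the style of an on-line risk monitor.

Added example, not code from the lecture notes. All CDF values, durations,
band thresholds and the ICDP limit below are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Configuration:
    label: str            # what is out of service (constructed description)
    cdf_per_year: float   # instantaneous CDF (1/year) the PSA gives for this state
    hours: float          # time the plant spent (or will spend) in this state


# Constructed CDF bands (1/year) for the "time interval in defined CDF bands" figure of merit.
BANDS = (("green", 0.0, 2e-5), ("yellow", 2e-5, 1e-4),
         ("orange", 1e-4, 1e-3), ("red", 1e-3, float("inf")))

BASELINE_CDF = 1e-5  # nominal configuration, constructed value

# Constructed one-year profile: nominal state, a single-train outage and a short double outage.
SAMPLE_PROFILE = (
    Configuration("nominal", BASELINE_CDF, 8000.0),
    Configuration("EDG train A in maintenance", 8e-5, 600.0),
    Configuration("EDG train A + SW pump B out", 1.2e-3, 160.0),
)


def cdp(cdf_per_year, hours):
    """Core damage probability accumulated over `hours` at a constant CDF."""
    return cdf_per_year * hours / HOURS_PER_YEAR


def configuration_importance(ccdp, baseline_cdp):
    """Configuration importance as defined in the notes: CCDP - CDP."""
    return ccdp - baseline_cdp


def annual_cdp(profile):
    """Annual CDP: sum of the CDP accrued in every configuration of the profile."""
    return sum(cdp(c.cdf_per_year, c.hours) for c in profile)


def max_cdf(profile):
    """Maximum instantaneous CDF reached during the profile."""
    return max(c.cdf_per_year for c in profile)


def time_in_bands(profile):
    """Hours spent in each CDF band (lower bound inclusive, upper exclusive)."""
    hours = {name: 0.0 for name, _, _ in BANDS}
    for c in profile:
        for name, low, high in BANDS:
            if low <= c.cdf_per_year < high:
                hours[name] += c.hours
                break
    return hours


def profile_importance(profile, baseline_cdf=BASELINE_CDF):
    """CCDP - CDP over the whole profile: actual CDP minus the CDP that the
    nominal configuration would have accrued in the same total time."""
    total_hours = sum(c.hours for c in profile)
    return configuration_importance(annual_cdp(profile), cdp(baseline_cdf, total_hours))


def risk_based_aot_hours(config_cdf, baseline_cdf, icdp_limit):
    """Longest stay in a configuration such that the incremental CDP relative
    to baseline (its configuration importance) stays within `icdp_limit`.
    Returns inf when the configuration adds no risk over baseline."""
    delta = config_cdf - baseline_cdf
    if delta <= 0:
        return float("inf")
    return icdp_limit * HOURS_PER_YEAR / delta


if __name__ == "__main__":
    print("annual CDP:", annual_cdp(SAMPLE_PROFILE))
    print("max CDF:", max_cdf(SAMPLE_PROFILE))
    print("hours per band:", time_in_bands(SAMPLE_PROFILE))
    print("importance vs baseline:", profile_importance(SAMPLE_PROFILE))
    # AOT for the single-train outage under a constructed 1E-6 incremental CDP limit
    print("AOT hours:", risk_based_aot_hours(8e-5, BASELINE_CDF, 1e-6))
```

`risk_based_aot_hours` simply inverts the CDP formula: the incremental CDP of staying `t` hours in a configuration is `(CDF_config - CDF_baseline) * t / 8760`, so fixing the allowed increment gives the allowed time. With the constructed numbers the single-train outage stays within 1E-6 for about 125 hours, which is the kind of figure a risk-informed AOT extension request would compare against the existing Technical Specification value.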

Extension of Surveillance Test Intervals (STI)

The primary purpose of surveillance testing is to assure that the standby components of the
safety systems will be operable when they are needed in an accident.

Surveillance tests are required by NPP Technical Specifications to be performed periodically (e.g.,
monthly or quarterly).

However, the number of surveillance tests required by Technical Specifications is enormous.

Optimization of these tests using RIR may reduce operation costs without reducing safety.

Summary
PRA can be applied to analyze plant risk at the already built plants or to drive the design of new
ones.

Both approaches have to be applied based on the concept of Risk Informed Regulation (RIR) in
order to ensure that the risk measures CDF and LERF are maintained or reduced.

Topic 8 FAR: INTERNAL AND EXTERNAL HAZARDS
Internal and external HAZARDS (sometimes referred to as internal/external events) often create
extreme environments common to several plant systems.

They often lead to initiating events (as understood in the PSA); thus they are core damage
sequence initiators.

Internal hazards include: Internal fires, Internal floods and Missiles

External hazards include: Earthquakes, external floods, external fires, high winds, aircraft crash,
transportation accidents, etc.

Important Considerations
The treatment of dependent failures may cause difficulties if the failure correlation is not
understood: the analysis needs to consider both externally induced failures and related
failures caused by internal plant faults.

Another important issue is the treatment of human actions: Stress levels and conditions in the
plant may differ considerably from the ones after an internal initiating event.

Because of the complexity and scope of these analyses, screening techniques may be used: the
screening criteria need to be adequate so that important scenarios are not excluded from the
analyses.

Hazard analyses need to be supported by local plant walk-downs in order to obtain site and plant
specific information: Since plant walk-downs can be significant inputs to the analyses, it is
necessary that these walk-downs are well planned and thoroughly documented.

Steps of the Hazard Analyses for PSA


Hazard identification and calculation of its frequency and impact

Calculation of the risk: Definition of Initiating Events, Modifications to the existing event trees
and fault trees, Specific CCF (Common Cause Failure) analysis, Specific data analysis, Specific HRA
(Human reliability analysis) under pressure.

Quantification. Results of the analysis. Sensitivity, uncertainty, and importance analyses.

Documentation (with special attention to assumptions and references used in the analysis).

Initial plant information: Fire Compartments/Zones

The plant is divided into fire zones which consist of one or more rooms in various structures

Cables/equipment associated with each division are usually located in separate fire zones

Fire zones are physically separated from one another by fire rated floors, walls, and ceilings

Correspondingly rated doors and penetration seals; HVAC ducts are usually equipped with fire flaps

Fire rating of the boundaries is XX minutes.

Fire suppression systems in the fire zones.

Other Fire Related Phenomena that Need to be Considered


Electrical faults (open circuits, shorts to ground, short circuits…) which can lead to: loss of
equipment function; spurious actuation of equipment (e.g., undesired reconfiguration of valves
or actuation of inactive systems); loss and/or false signals and indications, secondary fires, etc;
Explosions; Collapse of structures; Missiles (components expelled at high speed that may
damage other components or systems).

Methodology

Qualitative screening, Fire frequency analysis, Quantitative screening, Quantitative detailed
analysis, Interpretation of Results, Sensitivity, Uncertainty Analysis.

Qualitative Screening

MAIN TASKS: Define and locate independent fire zones, Define post fire stable states and
functions/systems required for such states, Define fire initiating events in each zone, Identify
equipment/cables in each fire zone, Screen out fire zones based on the minimal quantitative
impact (using conservative assumptions), i.e. CDF < 1E-7/year

Examples of Fire Initiating Events for Each Fire Zone

Examples of initiators caused by a fire:

• Total or Partial Loss of Off-Site Power

• LOCAs (PORV, RPV Head Vent and Pressurizer Vent spurious opening, etc.)

• Transient without Loss of Auxiliary Feed Water (AFW)/Main Feed Water (MFW) (Scram due to
I&C malfunction, etc.)

• Transient with Loss of AFW/MFW (Valves opening)

• Steam Line Breaks (Turbine Bypass Valve (TBV), Atmospheric Bypass Valve (ADV) opening).

Example of Fire Assumptions Used for the Screening Process:

1. Given a fire, all equipment in the fire zone (compartment) is assumed to fail.
2. No credit for manual fire suppression.
3. Credit for fire propagation pathways.
4. A standard fire protection program is assumed to be implemented to prevent inter-zone fire
propagation.

Steps of the Fire Analysis

For each compartment not screened out:

• Identification of potential fire sources and targets, fire loads, detection and suppression
equipment, passive protections, fire spreading paths, equipment located in the compartment,
cable routings.

• Fire barriers and propagation analysis

• Evaluation of fire frequency

• Analysis of fire growth, including consideration of automatic/manual fire fighting actions, and
effects of fire heat and smoke (including propagation to neighboring compartments).

• Identification of initiating events which can be caused by fire in each compartment

• Analysis of the impact of fires on equipment (mechanical, I&C, electrical) with special emphasis
on cables and hence on the system functions which may be affected by fires.

• Analysis of the impact of fires on human performance (modification of existing Level 1 internal
IE HRA)

• Modification of existing PSA models to reflect the identified fire scenarios

• Quantification and analysis of results.

CDF Calculation

The CDF contribution is calculated for each fire zone: the frequency IE_i established for a given
fire zone i is multiplied by the CCDP to obtain the CDF_i associated with that zone.

CDF_i = IE_i · CCDP

• CCDP (Conditional Core Damage Probability): CDP taking into account the effect of a fire on the
PSA related equipment (with cables) located in the compartments involved in the scenario. The
internal events (IE) PSA model is used for these calculations. Assumptions:

All the PSA related equipment involved in the fire damage situation is unavailable

No recovery actions are taken into account
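The per-zone calculation CDF_i = IE_i · CCDP with the two assumptions just listed (all PSA-related equipment in the zone unavailable, no recovery credited), followed by the quantitative screening at CDF < 1E-7/year from the Qualitative Screening tasks, as an added Python example that is not code from the lecture notes. A two-cut-set toy model stands in for the plant's internal events PSA model; the cut sets, basic event probabilities, zone identifiers, fire frequencies and equipment lists are constructed sample values, and the helper names (`ccdp`, `zone_cdf`, `screen_zones`) are the example's own.

```python
"""Fire-zone CDF contribution and quantitative screening.

Added example, not code from the lecture notes. The cut-set model, basic
event probabilities, zone list, fire frequencies and equipment lists are
all constructed for illustration; a real analysis uses the plant's
internal-events PSA model in place of CUT_SETS and BASIC_EVENT_PROB.
"""
from dataclasses import dataclass

SCREENING_CDF = 1e-7  # 1/year, the screening cut-off quoted in the notes

# Toy stand-in for the internal-events PSA model: core damage occurs if every
# basic event of any minimal cut set occurs. Constructed.
CUT_SETS = (
    frozenset({"AFW-A", "AFW-B", "HPI"}),        # loss of all feedwater and failure of feed & bleed
    frozenset({"OSP-LOSS", "EDG-A", "EDG-B"}),   # loss of offsite power with both diesels failed
)

# Constructed random-failure probabilities (per demand, conditional on the initiating event).
BASIC_EVENT_PROB = {
    "AFW-A": 0.02, "AFW-B": 0.02, "HPI": 0.001,
    "OSP-LOSS": 0.01, "EDG-A": 0.03, "EDG-B": 0.03,
}


@dataclass(frozen=True)
class FireZone:
    zone_id: str
    fire_frequency: float     # IE_i: frequency of a damaging fire in the zone (1/year)
    equipment: frozenset      # PSA-related equipment/cables located in the zone


# Constructed zones; the comments describe the kind of room each one stands for.
ZONES = (
    FireZone("Z1", 2e-3, frozenset({"AFW-A", "AFW-B"})),    # cable spreading room
    FireZone("Z2", 5e-3, frozenset({"EDG-A"})),             # diesel generator room A
    FireZone("Z3", 1e-2, frozenset()),                      # turbine building, no PSA cables
    FireZone("Z4", 1e-3, frozenset({"OSP-LOSS", "AFW-A"})), # switchgear room
)


def ccdp(damaged, cut_sets=CUT_SETS, probs=BASIC_EVENT_PROB):
    """Conditional core damage probability under the screening assumptions of
    the notes: every PSA item in `damaged` is unavailable (probability 1) and
    no recovery is credited. Rare-event (sum over cut sets) approximation,
    capped at 1.0 because damaged events can push the sum above 1."""
    total = 0.0
    for cut_set in cut_sets:
        product = 1.0
        for event in cut_set:
            product *= 1.0 if event in damaged else probs[event]
        total += product
    return min(total, 1.0)


def zone_cdf(zone):
    """CDF_i = IE_i * CCDP for one fire zone."""
    return zone.fire_frequency * ccdp(zone.equipment)


def screen_zones(zones, threshold=SCREENING_CDF):
    """Split zones into (retained, screened_out) by the CDF threshold."""
    retained, screened = [], []
    for zone in zones:
        (screened if zone_cdf(zone) < threshold else retained).append(zone)
    return retained, screened


def total_fire_cdf(zones):
    """Sum of the contributions of the zones that survive screening."""
    retained, _ = screen_zones(zones)
    return sum(zone_cdf(z) for z in retained)


if __name__ == "__main__":
    for z in ZONES:
        print(z.zone_id, f"CCDP={ccdp(z.equipment):.3e}", f"CDF={zone_cdf(z):.3e}")
    retained, screened = screen_zones(ZONES)
    print("screened out:", [z.zone_id for z in screened])
    print("total fire CDF:", f"{total_fire_cdf(ZONES):.3e}")
```

Two points the numbers make visible: a zone with no PSA-related cables (Z3) inherits only the baseline CCDP and drops below the 1E-7/year cut-off despite having the highest fire frequency, while the cable spreading room (Z1) dominates because a single fire defeats both AFW trains at once, which is exactly the kind of fire-induced dependency the notes warn cannot be seen from the internal-events model alone.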
