
RiskMonitor-

Date post: 12-Aug-2016
Upload: vicky-gautam

Software

ABSTRACT

Probabilistic Safety Assessment (PSA) has today become a key tool to identify and understand Nuclear Power Plant vulnerabilities. As a result of the availability of these PSA studies, there is a desire to use them to enhance plant safety and to operate the nuclear stations in the most efficient manner. Risk Monitor is a PC based tool which computes the real time safety level and assists plant personnel in managing day-to-day activities. Risk Monitor is a PC based, user friendly software tool used for modification and re-analysis of a nuclear power plant. Operation of Risk Monitor is based on PSA methods for assisting in day-to-day applications. Risk Monitoring programs can assess the risk profile and are used to optimize the operation of Nuclear Power Plants with respect to a minimum risk level over the operating time. This paper presents the software developmental aspects of Risk Monitor and its application areas. This software can be used with the PSA model of any Nuclear Power Plant.

1. INTRODUCTION

Risk Monitor is defined by the IAEA as "A real-time analysis tool used to determine the instantaneous risk based on actual status of Systems and Components". At any given time, the risk monitor reflects the current plant configuration in terms of the known status of the various systems and/or components, e.g. whether there are any components out of service for maintenance or tests. Risk Monitoring provides safety status information for a plant and thus aids decision making about whether continued plant operation is tolerable under certain system function outages. It may also support operations and help in deciding on maintenance strategies by allowing immediate assessment of different plant configurations. Besides addressing specific plant requirements, it is an on-line tool showing the actual risk situation, thus overcoming possibly unnecessarily restrictive elements of requirements and pointing out procedures not conducive to safety. The model used by the risk monitor is based on, and is consistent with, the Living PSA for the facility.


2. PURPOSE OF RISK MONITOR

In Nuclear Power Plants, safety is the major concern. Probabilistic Safety Assessment (PSA) analysis gives insight into plant processes and mechanisms and possible interactions between plant systems, both for existing plants with operating histories and for plants still in the design stage. In view of this, on-line safety assessment has received a lot of attention from operation and maintenance personnel. Plant configuration undergoes changes due to changes in component status and/or operating/maintenance procedures. Some components are randomly down and/or others can be planned for test, maintenance and repair. This results in a variation of the risk level over operating time, which is termed the risk profile, and indicates the trends which could lead to deviation from the desired CDF. PSA models can be used to quantify risk due to changes in component status, system design and operations consequent to changes in plant configuration.

3. SOFTWARE DEVELOPMENTAL ASPECTS OF RISK MONITOR

Risk Monitor Software has been developed in Visual Basic. The various modules developed in the package are as follows.

a) System Modelling Options

b) Initiating Events/Event Trees

c) Safety Systems

d) Common Cause Failures

e) Main Summary & On-Line Risk

f) Component data base

g) Component Out-of-Service & Restore

h) What-If Analysis

i) Test Times

3.1 System Modelling Options

In this module the user can choose options such as plant operation (Full power or low power operation), initiating events frequency (Direct or through Minimal Cut Sets (MCS)), core damage frequency (Through accident sequences or MCS) and can set the risk levels (Acceptable risk, unacceptable risk, moderately safe, totally safe and design level risk). The software uses plant specific PSA models. However, an option is also provided for inclusion of PSA models for different NPPs.

3.2 Initiating Events/Event Trees

With this module the user can create the Initiating Events (IEs) / Event Trees (ETs) list just by typing in the data grid control which appears in the right hand side panel of the window. If the IE/ET list already exists, one can import the file by clicking on the browse button in the panel. This is shown in Figure 1. The user can also select this option from the "View" option in the menu bar.

3.3 Safety Systems

With this option the user can give information on the different safety systems. This is represented as a child node under the main node "Minimal Cut Sets" in the tree view control. After clicking on this node the user will find a data grid control in the right hand side of the panel and can enter the data in the corresponding fields. An option is also provided for importing existing files.

3.4 Common Cause Failures

In Risk Monitor, common cause failures (CCF) are treated under two headings:

CCF Groups

CCG Events

3.4.1 CCF Groups

With this option the user can categorize the components which fall under specific CCF groups. When the user clicks on this option a data grid will appear on the screen and one can enter the different group names. An option is also provided for importing the data.

3.4.2 CCG Events

This option will be activated if the user has already entered the CCF events in the specified CCF groups. This can be done by double clicking on the CCF group's data grid. The user interface is shown in Figure 2. The user can also import the CCF events of different CCF groups. There are three tab headings provided on this screen, namely:

Basic Events

CCF Events

Parameters

3.5 Main Summary & On-Line Risk

This module summarizes the status of the safety systems (available, degraded or unavailable) based on the status of the components (Available, out of service), the list of components which have been taken out of service, and the risk profile (CDF vs Time) on a daily, monthly or yearly basis. Logs of the CDF values over time are shown in the risk profile module. If the user double clicks on this table it will give the status of the plant on any day. Risk Monitor presents a graphical display of the risk profile with respect to CDF value. Even though coloured bands are defined for risk levels, standardization is required for defining these levels. The user interface of this module is shown in Figure 3.

3.6 Component Database

A Reliability Data Base, designed using MS ACCESS, is used for the management of data; it also stores the PSA models and analysis results. The package provides a database for basic event probabilities, initiating event frequencies and human error probabilities. Different component reliability models [3] [4] such as repairable, non-repairable, tested, mission time, probability and frequency models have been incorporated in the calculation of component unavailability. Risk Monitor can re-evaluate the CDF depending on the change in the value of initiating event frequency or safety system unavailability. In the case of a Safety System, the unavailability will be affected when component unavailability changes. Depending on the mode in which the component is functioning in the safety system, parameters like failure rates, test intervals, mission time, repair time etc. will alter its unavailability value. Risk Monitor provides the option to alter the necessary parameters depending on the mode of the component functioning, and thereby computes its unavailability. This change is propagated to the Core Damage Frequency and the user can also see its implication on the risk profile. The user interface of this module is shown in Figure 4.


3.7 Component Out-of-Service & Restore

This module shows, system wise, all the components which are in service and out of service as of today. In order to take any component out of service (for maintenance, testing or inspection), the user first has to check the relevant component check boxes provided at the side in the in-service list and then click the "Add" button provided at the bottom of the grid. This will add the components to the out of service table provided at the bottom of the window. This changes the configuration of the systems and in turn affects the CDF. CDF is re-evaluated from the minimal cut sets provided in the database, which are in the form of initiating events and components. The user can even set the date and time at which the component has been taken out of service, apart from the default time settings (today's date and time). The user interface of this module is shown in Figure 5.

3.8 What-If Analysis

This is the unique feature of the risk monitor. With this analysis the user can analyse different combinations of component states, and based on the change in the CDF value a decision can be made on which combination of components can be taken for maintenance or can be restored. The user can also use this analysis for finding out the allowable outage times and surveillance test intervals for various systems. All the cases which have been analysed are stored in the database, so that if the user wants to do the same analysis in the future it can be retrieved from the database and applied; this avoids repetition of the same analysis. The user interface of this module is shown in Figure 6. On-line "Help" and report generation have been provided with the software package, so as to assist the user in navigating through the software as well as to get familiarized with the PSA terminologies.

3.9 Test Times

This module shows the list of components whose model type is the "Tested" model, along with the parameters of the model at design time and at present. Hence, the user can have an idea about the parameters which have been changed from their design values and can easily set the test intervals, inspection timings etc. for the components. This module also shows the inspection timing of each component based on the test interval.

4. APPLICATIONS OF RISK MONITOR

Some important applications of Risk Monitor towards Safety Issues are explained below:

4.1.1 Decision Making in operations:

Core Damage Frequency (CDF) value is an important parameter, which can provide risk insights. If the CDF value exceeds the prescribed probabilistic safety criteria, that is termed an unsafe condition. Also, efforts are always made to lower the CDF through different test and maintenance policies.

4.1.2 Maintenance Strategies:

Risk achievement worth (RAW) is the best input for deciding maintenance policies. RAW and risk reduction worth (RRW) can be evaluated system wise and component wise. Components having higher RAW have to be maintained immediately, in order to minimise the CDF value. Similarly, components having higher RRW should be given attention from the design point of view, since this can enhance the reliability of the system.
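The CDF re-evaluation from minimal cut sets described in section 3.7, the what-if ranking of section 3.8 and the importance measures named here can be sketched as follows. This is an added example, not code from Risk Monitor (which is written in Visual Basic); the cut sets, frequencies and unavailabilities are constructed, and quantifying the CDF with the rare-event approximation (summing cut-set products) is an assumption about the method.

```python
from math import prod

# Constructed sample model (not from the paper): initiating-event
# frequencies per year and component unavailabilities.
IE_FREQ = {"LOCA": 1e-3, "LOOP": 1e-1}
BASE_Q = {"PUMP_A": 1e-2, "PUMP_B": 1e-2, "DG_1": 5e-2,
          "DG_2": 5e-2, "VALVE_X": 1e-3}
# Minimal cut set = (initiating event, components that must all fail).
MCS = [
    ("LOCA", ("PUMP_A", "PUMP_B")),
    ("LOCA", ("VALVE_X",)),
    ("LOOP", ("DG_1", "DG_2")),
]

def cdf(q, out_of_service=()):
    """Core damage frequency by the rare-event approximation (assumed).

    A component taken out of service has its unavailability forced to 1.
    """
    q = {**q, **{c: 1.0 for c in out_of_service}}
    return sum(IE_FREQ[ie] * prod(q[c] for c in comps) for ie, comps in MCS)

def importance(comp, q=BASE_Q):
    """RAW, RRW and Fussell-Vesely importance of one component."""
    base = cdf(q)
    failed = cdf({**q, comp: 1.0})    # component certainly unavailable
    perfect = cdf({**q, comp: 0.0})   # component never unavailable
    return {
        "RAW": failed / base,
        "RRW": base / perfect if perfect else float("inf"),
        "FV": (base - perfect) / base,
    }

def what_if(candidates, q=BASE_Q):
    """Rank candidate outage combinations by the CDF they would produce."""
    return sorted((cdf(q, combo), combo) for combo in candidates)

if __name__ == "__main__":
    print(f"baseline CDF: {cdf(BASE_Q):.4e} per year")
    for name in BASE_Q:
        m = importance(name)
        print(f"{name:8s} RAW={m['RAW']:8.2f} RRW={m['RRW']:8.2f} FV={m['FV']:.4f}")
    for value, combo in what_if([("PUMP_A",), ("DG_1",), ("PUMP_A", "PUMP_B")]):
        print(f"out of service {combo}: CDF={value:.4e}")
```

In this constructed model the diesel generators dominate: taking one out of service raises the CDF far more than taking both pumps out, which is the kind of comparison the what-if module stores for later reuse.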

4.1.3 Risk Based In-Service Inspection:

The Risk Informed In-Service Inspection (RI-ISI) programs aim at integrating traditional engineering evaluations with insights gained from PSA. The prime use of PSA is to obtain an estimate of risk and relegate it to various systems and down to components to obtain an idea of their importance in terms of contribution to the risk. Risk Monitor can be effectively employed for analysing the change in CDF whenever there is a change in inspection plans, and thereby for finding an optimum scheduling plan. Risk importance measures such as RAW, RRW, Fussell-Vesely etc. for various components and systems are readily evaluated in the Risk Monitor for risk based inspection planning.

4.1.4 Review of Technical Specification:

The Technical Specifications are usually based on deterministic assessment and engineering judgment. Based on the PSA studies, technical specifications based on probabilistic considerations can be evolved to optimise the Allowable Outage Time (AOT) and Surveillance Test Interval (STI) for various Systems.

4.1.5 Emergency Operating Procedures and Risk Management:

The Emergency Operating Procedures (EOPs) have usually been based on the considerations of failures in process systems only. EOPs based on dominating accident sequences as identified in PSA can be effectively used in risk management.

5. CONCLUSIONS

Risk Monitors backed up by the results of Probabilistic Safety Assessment (PSA) are gaining wider acceptance the world over. Increasing use of Risk Monitors is being made or contemplated in various areas related to nuclear power plant operations. Risk Monitor can be used as an efficient tool by the operator to analyse the change in risk whenever the component parameters change. It can also be considered an efficient system to track plant history. Given the above applications of Risk Monitor, assuring the quality of Risk Monitor is of utmost importance. Various testing approaches have been adopted to expose the detectable as well as undetectable errors in order to improve the reliability of Risk Monitor.

REFERENCES

[1] IAEA-TECDOC-737 (1994), Advances in reliability analysis and probabilistic safety assessment for nuclear power reactors.

[2] IAEA-TECDOC-1106 (1999), Living probabilistic safety assessment (LPSA).

[3] PSA Pack 4.2, A Code for Probabilistic Assessment Level 1, IAEA, Vienna (1993).

[4] Risk Spectrum, PSA Professional 1.00.05: A Demo version, Relcon AB (1998).


Figure 1: User Interface of Initiating Events

Figure 2: User Interface of Common Cause Failures


Figure 3: Risk Monitor Main Summary Window

Figure 4: User interface of Component Database


Figure 5: User interface of Component Out-of-Service & Restore

Figure 6: What-If Analysis window
